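{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.nix.sshServe;
in

{
  # Serve this host's Nix store read-only over SSH so that other machines
  # can use it as a binary cache.  Every login of the dedicated nix-ssh
  # account is forced into `nix-store --serve`; the account gets no shell
  # session, TTY or forwarding of any kind.
  options = {

    nix.sshServe = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
      };

      keys = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
      };

    };

  };

  config = mkIf cfg.enable {

    users.extraUsers.nix-ssh = {
      description = "Nix SSH substituter user";
      uid = config.ids.uids.nix-ssh;
      # sshd needs a real login shell to exec the ForceCommand below; the
      # Match block is what keeps that command the only thing the account
      # can run.
      useDefaultShell = true;
      # Only the configured keys may authenticate as nix-ssh.
      openssh.authorizedKeys.keys = cfg.keys;
    };

    services.openssh.enable = true;

    # Lock the nix-ssh account down to the store-serving protocol:
    # no forwarding (TCP, agent, Unix-socket, tunnel, X11), no TTY, and
    # no ~/.ssh/rc execution before the forced command.  The closing
    # `Match All` resets the match scope so that extraConfig contributed
    # by other modules is not silently scoped to nix-ssh.
    services.openssh.extraConfig = ''
      Match User nix-ssh
        AllowAgentForwarding no
        AllowTcpForwarding no
        AllowStreamLocalForwarding no
        PermitTTY no
        PermitTunnel no
        PermitUserRC no
        X11Forwarding no
        ForceCommand ${config.nix.package.out}/bin/nix-store --serve
      Match All
    '';

  };
}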