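{ config, lib, pkgs, ... }:

# Serve the local Nix store to remote machines over SSH through a dedicated,
# tightly restricted `nix-ssh` account. Only the public keys listed in
# `nix.sshServe.keys` can log in as that account, and sshd's ForceCommand pins
# every session to the single store-serving command chosen below.

with lib;

let
  cfg = config.nix.sshServe;

  # Which Nix binary answers the remote side:
  #  - "ssh":    `nix-store --serve` (legacy serve protocol). `--write` is not
  #              passed, so the store is exported read-only.
  #  - "ssh-ng": `nix-daemon --stdio`, the daemon protocol over stdin/stdout.
  #              NOTE(review): ssh-ng sessions reach the daemon as user
  #              `nix-ssh`; what remote clients may do then follows the
  #              daemon's trusted-user policy — confirm that account is not a
  #              trusted user before enabling this mode.
  command =
    if cfg.protocol == "ssh"
    then "nix-store --serve"
    else "nix-daemon --stdio";
in {

  options = {

    nix.sshServe = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable serving the Nix store as a remote store via SSH.";
      };

      keys = mkOption {
        type = types.listOf types.str;
        default = [];
        # ssh-dss (DSA) keys are refused by default since OpenSSH 7.0, so the
        # example shows a key type a current sshd will actually accept.
        example = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... alice@example.org" ];
        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
      };

      protocol = mkOption {
        type = types.enum [ "ssh" "ssh-ng" ];
        default = "ssh";
        description = "The specific Nix-over-SSH protocol to use.";
      };

    };

  };

  config = mkIf cfg.enable {

    # Dedicated fixed-uid account. It keeps a real login shell because sshd
    # executes ForceCommand through the user's shell (`shell -c command`).
    users.extraUsers.nix-ssh = {
      description = "Nix SSH store user";
      uid = config.ids.uids.nix-ssh;
      useDefaultShell = true;
      # Only the configured keys may authenticate as nix-ssh.
      openssh.authorizedKeys.keys = cfg.keys;
    };

    services.openssh.enable = true;

    # Lock the nix-ssh account down: no agent/TCP/X11 forwarding, no tunnel,
    # no pty, and every session runs the store-serving binary regardless of
    # the command the client asked for. `Match All` closes the block so that
    # any sshd_config lines appended after this snippet apply globally again
    # instead of only to nix-ssh.
    services.openssh.extraConfig = ''
      Match User nix-ssh
        AllowAgentForwarding no
        AllowTcpForwarding no
        PermitTTY no
        PermitTunnel no
        X11Forwarding no
        ForceCommand ${config.nix.package.out}/bin/${command}
      Match All
    '';

  };
}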