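# NixOS module: expose this machine's Nix store over SSH through a dedicated,
# locked-down `nix-ssh` user.  Clients reach it as a remote store, e.g.
# `ssh://nix-ssh@host` (protocol = "ssh") or `ssh-ng://nix-ssh@host`
# (protocol = "ssh-ng"), for use as a substituter or a remote builder.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.nix.sshServe;

  # The command sshd forces for every nix-ssh session, whatever the client
  # requested.  `--write` is only ever appended for `nix-store --serve`;
  # `nix-daemon --stdio` speaks the daemon protocol and never sees cfg.write
  # (there, whether a client may add paths is decided by the daemon's
  # trusted-user and signature checks, not by this option).
  command =
    if cfg.protocol == "ssh" then
      "nix-store --serve ${lib.optionalString cfg.write "--write"}"
    else
      "nix-daemon --stdio";
in
{
  options = {

    nix.sshServe = {

      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable serving the Nix store as a remote store via SSH.";
      };

      write = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to allow writing to the Nix store as a remote store via SSH
          (passes `--write` to `nix-store --serve`).

          Only effective with {option}`nix.sshServe.protocol` = `"ssh"`; with
          `"ssh-ng"` the daemon protocol is used and this option is ignored.

          Note: by default the `nix-ssh` user is not a trusted user, so unsigned
          paths it uploads are rejected.  For most write use cases, such as
          letting holders of the configured keys build derivations remotely,
          {option}`nix.sshServe.trusted` must also be set.
        '';
      };

      trusted = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to add `nix-ssh` to {option}`nix.settings.trusted-users`.

          Per the Nix manual, trusted users can effectively obtain root on the
          host (they may import arbitrary unsigned store paths and override
          security-relevant settings), so enable this only for keys whose
          holders you would trust with root.
        '';
      };

      keys = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
        example = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... alice@example.org" ];
        description = ''
          A list of SSH public keys allowed to access the Nix store via SSH.
          Every holder of one of these keys gets the same access level
          (see {option}`nix.sshServe.write` and {option}`nix.sshServe.trusted`).
        '';
      };

      protocol = lib.mkOption {
        type = lib.types.enum [
          "ssh"
          "ssh-ng"
        ];
        default = "ssh";
        description = ''
          The specific Nix-over-SSH protocol to use: `"ssh"` runs
          `nix-store --serve`, `"ssh-ng"` runs `nix-daemon --stdio`.
        '';
      };

    };

  };

  config = lib.mkIf cfg.enable {

    # Surface the silent no-op: `--write` is never passed for ssh-ng, so a user
    # who set `write = true` expecting it to govern uploads should be told.
    warnings = lib.optional (cfg.write && cfg.protocol == "ssh-ng") ''
      nix.sshServe.write has no effect when nix.sshServe.protocol = "ssh-ng";
      write access is then governed by nix.sshServe.trusted / nix.settings.trusted-users.
    '';

    users.users.nix-ssh = {
      description = "Nix SSH store user";
      isSystemUser = true;
      group = "nix-ssh";
      # A real shell is required here: sshd executes ForceCommand through the
      # user's login shell (`$SHELL -c ...`), so a nologin shell would break
      # the forced command.  Interactive use is still impossible because the
      # Match block below forces the command and denies a TTY.
      shell = pkgs.bashInteractive;
    };
    users.groups.nix-ssh = { };

    nix.settings.trusted-users = lib.mkIf cfg.trusted [ "nix-ssh" ];

    services.openssh.enable = true;

    # Confine nix-ssh sessions to the store protocol only: no forwarding of any
    # kind (TCP, Unix socket, agent, X11, tun), no PTY, no ~/.ssh/rc hook, and
    # key-based authentication only.  `Match All` terminates the conditional
    # block so any extraConfig appended later applies globally again.
    services.openssh.extraConfig = ''
      Match User nix-ssh
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        AllowTcpForwarding no
        PermitTTY no
        PermitTunnel no
        PermitUserRC no
        X11Forwarding no
        PasswordAuthentication no
        KbdInteractiveAuthentication no
        ForceCommand ${config.nix.package.out}/bin/${command}
      Match All
    '';

    users.users.nix-ssh.openssh.authorizedKeys.keys = cfg.keys;

  };
}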