pyrox.dev / nixpkgs
lol
fork atom

nixos: nix.sshServe: add trusted option

matthewcroughan 7b593827 7c9ee40e

options
unified split
Changed files
+9 -1
nixos
modules
services
misc
nix-ssh-serve.nix
+9 -1
nixos/modules/services/misc/nix-ssh-serve.nix 
···

       
26

       
26

       
 

       
      write = lib.mkOption {


     

       
27

       
27

       
 

       
        type = lib.types.bool;


     

       
28

       
28

       
 

       
        default = false;


     

       
29

       

       
-

       
        description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the {option}`nix.settings.trusted-users` option in most use cases, such as allowing remote building of derivations.";


     

       

       
29

       
+

       
        description = "Whether to enable writing to the Nix store as a remote store via SSH. Note: by default, the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the {option}`nix.sshServe.trusted` option in most use cases, such as allowing remote building of derivations to anonymous people based on ssh key";


     

       

       
30

       
+

       
      };


     

       

       
31

       
+

       



     

       

       
32

       
+

       
      trusted = lib.mkOption {


     

       

       
33

       
+

       
        type = lib.types.bool;


     

       

       
34

       
+

       
        default = false;


     

       

       
35

       
+

       
        description = "Whether to add nix-ssh to the nix.settings.trusted-users";


     

       
30

       
36

       
 

       
      };


     

       
31

       
37

       
 

       



     

       
32

       
38

       
 

       
      keys = lib.mkOption {


     
···

       
58

       
64

       
 

       
      shell = pkgs.bashInteractive;


     

       
59

       
65

       
 

       
    };


     

       
60

       
66

       
 

       
    users.groups.nix-ssh = { };


     

       

       
67

       
+

       



     

       

       
68

       
+

       
    nix.settings.trusted-users = lib.mkIf cfg.trusted [ "nix-ssh" ];


     

       
61

       
69

       
 

       



     

       
62

       
70

       
 

       
    services.openssh.enable = true;


     

       
63

       
71