| Field | Value | Date |
|---|---|---|
| author | John Ericson <John.Ericson@Obsidian.Systems> | 2020-09-15 14:08:35 +0000 |
| committer | John Ericson <John.Ericson@Obsidian.Systems> | 2020-09-15 14:08:35 +0000 |
| commit | c08c9f08c75bf379439348cccb5b8871a27bf498 (patch) | |
| tree | c4a7276366b31047b9f437865bebe21a919382af /doc/manual/src/package-management/ssh-substituter.md | |
| parent | 3df78858f2ad91a80e30ba910119a0c16c05c66a (diff) | |
| parent | 733d2e9402807e54d503c3113e854bfddb3d44e0 (diff) | |
Merge remote-tracking branch 'upstream/master' into remove-storetype-delegate-regStore
Diffstat (limited to 'doc/manual/src/package-management/ssh-substituter.md')
-rw-r--r-- | doc/manual/src/package-management/ssh-substituter.md | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/doc/manual/src/package-management/ssh-substituter.md b/doc/manual/src/package-management/ssh-substituter.md new file mode 100644 index 000000000..6e5e258bc --- /dev/null +++ b/doc/manual/src/package-management/ssh-substituter.md 
@@ -0,0 +1,62 @@ +# Serving a Nix store via SSH + +You can tell Nix to automatically fetch needed binaries from a remote +Nix store via SSH. For example, the following installs Firefox, +automatically fetching any store paths in Firefox’s closure if they are +available on the server `avalon`: + +```console +$ nix-env -i firefox --substituters ssh://alice@avalon +``` + +This works similar to the binary cache substituter that Nix usually +uses, only using SSH instead of HTTP: if a store path `P` is needed, Nix +will first check if it’s available in the Nix store on `avalon`. If not, +it will fall back to using the binary cache substituter, and then to +building from source. + +> **Note** +> +> The SSH substituter currently does not allow you to enter an SSH +> passphrase interactively. Therefore, you should use `ssh-add` to load +> the decrypted private key into `ssh-agent`. + +You can also copy the closure of some store path, without installing it +into your profile, e.g. + +```console +$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters +ssh://alice@avalon +``` + +This is essentially equivalent to doing + +```console +$ nix-copy-closure --from alice@avalon +/nix/store/m85bxg…-firefox-34.0.5 +``` + +You can use SSH’s *forced command* feature to set up a restricted user +account for SSH substituter access, allowing read-only access to the +local Nix store, but nothing more. For example, add the following lines +to `sshd_config` to restrict the user `nix-ssh`: + + Match User nix-ssh + AllowAgentForwarding no + AllowTcpForwarding no + PermitTTY no + PermitTunnel no + X11Forwarding no + ForceCommand nix-store --serve + Match All + +On NixOS, you can accomplish the same by adding the following to your +`configuration.nix`: + +```nix +nix.sshServe.enable = true; +nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ]; +``` + +where the latter line lists the public keys of users that are allowed to +connect. |
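Review bot: The sample key in the `nix.sshServe.keys` line, `"ssh-dss AAAAB3NzaC1k... bob@example.org"`, uses a DSA key type that OpenSSH has refused for public-key authentication by default since 7.0, so a reader who copies the pattern will get a key that sshd silently ignores; please change the sample to an `ssh-ed25519` (or `ssh-rsa`) public key. Two smaller points on the same hunk: the `sshd_config` snippet should say that `Match All` starts a new block that applies to every connection rather than "closing" the `Match User nix-ssh` block, since the wording "add the following lines" invites pasting it into the middle of an existing file where later directives then stop being scoped; and it would help to state explicitly that `ForceCommand nix-store --serve` is read-only because the `--write` flag is absent, so an operator knows which flag must never be added to that line to keep the "read-only access to the local Nix store" guarantee the prose promises.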