aboutsummaryrefslogtreecommitdiff
path: root/doc/manual/packages/ssh-substituter.xml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/manual/packages/ssh-substituter.xml')
-rw-r--r--doc/manual/packages/ssh-substituter.xml73
1 files changed, 0 insertions, 73 deletions
diff --git a/doc/manual/packages/ssh-substituter.xml b/doc/manual/packages/ssh-substituter.xml
deleted file mode 100644
index 8db3f9662..000000000
--- a/doc/manual/packages/ssh-substituter.xml
+++ /dev/null
@@ -1,73 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
- xmlns:xlink="http://www.w3.org/1999/xlink"
- xmlns:xi="http://www.w3.org/2001/XInclude"
- version="5.0"
- xml:id="ssec-ssh-substituter">
-
-<title>Serving a Nix store via SSH</title>
-
-<para>You can tell Nix to automatically fetch needed binaries from a
-remote Nix store via SSH. For example, the following installs Firefox,
-automatically fetching any store paths in Firefox’s closure if they
-are available on the server <literal>avalon</literal>:
-
-<screen>
-$ nix-env -i firefox --substituters ssh://alice@avalon
-</screen>
-
-This works similar to the binary cache substituter that Nix usually
-uses, only using SSH instead of HTTP: if a store path
-<literal>P</literal> is needed, Nix will first check if it’s available
-in the Nix store on <literal>avalon</literal>. If not, it will fall
-back to using the binary cache substituter, and then to building from
-source.</para>
-
-<note><para>The SSH substituter currently does not allow you to enter
-an SSH passphrase interactively. Therefore, you should use
-<command>ssh-add</command> to load the decrypted private key into
-<command>ssh-agent</command>.</para></note>
-
-<para>You can also copy the closure of some store path, without
-installing it into your profile, e.g.
-
-<screen>
-$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters ssh://alice@avalon
-</screen>
-
-This is essentially equivalent to doing
-
-<screen>
-$ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5
-</screen>
-
-</para>
-
-<para>You can use SSH’s <emphasis>forced command</emphasis> feature to
-set up a restricted user account for SSH substituter access, allowing
-read-only access to the local Nix store, but nothing more. For
-example, add the following lines to <filename>sshd_config</filename>
-to restrict the user <literal>nix-ssh</literal>:
-
-<programlisting>
-Match User nix-ssh
- AllowAgentForwarding no
- AllowTcpForwarding no
- PermitTTY no
- PermitTunnel no
- X11Forwarding no
- ForceCommand nix-store --serve
-Match All
-</programlisting>
-
-On NixOS, you can accomplish the same by adding the following to your
-<filename>configuration.nix</filename>:
-
-<programlisting>
-nix.sshServe.enable = true;
-nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
-</programlisting>
-
-where the latter line lists the public keys of users that are allowed
-to connect.</para>
-
-</section>