diff options
Diffstat (limited to 'doc/manual/src/package-management/ssh-substituter.md')
-rw-r--r-- | doc/manual/src/package-management/ssh-substituter.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/doc/manual/src/package-management/ssh-substituter.md b/doc/manual/src/package-management/ssh-substituter.md new file mode 100644 index 000000000..482844c7c --- /dev/null +++ b/doc/manual/src/package-management/ssh-substituter.md @@ -0,0 +1,52 @@ +# Serving a Nix store via SSH + +You can tell Nix to automatically fetch needed binaries from a remote +Nix store via SSH. For example, the following installs Firefox, +automatically fetching any store paths in Firefox’s closure if they are +available on the server `avalon`: + + $ nix-env -i firefox --substituters ssh://alice@avalon + +This works similar to the binary cache substituter that Nix usually +uses, only using SSH instead of HTTP: if a store path `P` is needed, Nix +will first check if it’s available in the Nix store on `avalon`. If not, +it will fall back to using the binary cache substituter, and then to +building from source. + +> **Note** +> +> The SSH substituter currently does not allow you to enter an SSH +> passphrase interactively. Therefore, you should use `ssh-add` to load +> the decrypted private key into `ssh-agent`. + +You can also copy the closure of some store path, without installing it +into your profile, e.g. + + $ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters ssh://alice@avalon + +This is essentially equivalent to doing + + $ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5 + +You can use SSH’s *forced command* feature to set up a restricted user +account for SSH substituter access, allowing read-only access to the +local Nix store, but nothing more. For example, add the following lines +to `sshd_config` to restrict the user `nix-ssh`: + + Match User nix-ssh + AllowAgentForwarding no + AllowTcpForwarding no + PermitTTY no + PermitTunnel no + X11Forwarding no + ForceCommand nix-store --serve + Match All + +On NixOS, you can accomplish the same by adding the following to your +`configuration.nix`: + + nix.sshServe.enable = true; + nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ]; + +where the latter line lists the public keys of users that are allowed to +connect. |