aboutsummaryrefslogtreecommitdiff
path: root/doc/manual/packages/ssh-substituter.xml
blob: f24f354c4c3914cec812d7a39267f379671eff53 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="ssec-ssh-substituter">

<title>Serving a Nix store via SSH</title>

<para>You can tell Nix to automatically fetch needed binaries from a
remote Nix store via SSH. For example, the following installs Firefox,
automatically fetching any store paths in Firefox’s closure if they
are available on the server <literal>avalon</literal>:

<screen>
$ nix-env -i firefox --option ssh-substituter-hosts alice@avalon
</screen>

This works similar to the binary cache substituter that Nix usually
uses, only using SSH instead of HTTP: if a store path
<literal>P</literal> is needed, Nix will first check if it’s available
in the Nix store on <literal>avalon</literal>. If not, it will fall
back to using the binary cache substituter, and then to building from
source.</para>

<note><para>The SSH substituter currently does not allow you to enter
an SSH passphrase interactively. Therefore, you should use
<command>ssh-add</command> to load the decrypted private key into
<command>ssh-agent</command>.</para></note>

<para>You can also copy the closure of some store path, without
installing it into your profile, e.g.

<screen>
$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --option ssh-substituter-hosts alice@avalon
</screen>

This is essentially equivalent to doing

<screen>
$ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5
</screen>

</para>

<para>You can use SSH’s <emphasis>forced command</emphasis> feature to
set up a restricted user account for SSH substituter access, allowing
read-only access to the local Nix store, but nothing more. For
example, add the following lines to <filename>sshd_config</filename>
to restrict the user <literal>nix-ssh</literal>:

<programlisting>
Match User nix-ssh
  AllowAgentForwarding no
  AllowTcpForwarding no
  PermitTTY no
  PermitTunnel no
  X11Forwarding no
  ForceCommand nix-store --serve
Match All
</programlisting>

On NixOS, you can accomplish the same by adding the following to your
<filename>configuration.nix</filename>:

<programlisting>
nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
</programlisting>

where the latter line lists the public keys of users that are allowed
to connect.</para>

</section>