tvl-depot/doc/manual/packages/ssh-substituter.xml
2014-12-14 03:19:15 +01:00

<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="ssec-ssh-substituter">
<title>Serving a Nix store via SSH</title>
<para>You can tell Nix to automatically fetch needed binaries from a
remote Nix store via SSH. For example, the following installs Firefox,
automatically fetching any store paths in Firefox's closure if they
are available on the server <literal>avalon</literal>:
<screen>
$ nix-env -i firefox --option ssh-substituter-hosts alice@avalon
</screen>
This works similarly to the binary cache substituter that Nix usually
uses, except that it uses SSH instead of HTTP: if a store path
<literal>P</literal> is needed, Nix will first check whether it is available
in the Nix store on <literal>avalon</literal>. If not, it will fall
back to using the binary cache substituter, and then to building from
source.</para>
<note><para>The SSH substituter currently does not allow you to enter
an SSH passphrase interactively. Therefore, you should use
<command>ssh-add</command> to load the decrypted private key into
<command>ssh-agent</command>.</para></note>
<para>You can also copy the closure of some store path, without
installing it into your profile, e.g.
<screen>
$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --option ssh-substituter-hosts alice@avalon
</screen>
This is essentially equivalent to doing
<screen>
$ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5
</screen>
</para>
<para>You can use SSH's <emphasis>forced command</emphasis> feature to
set up a restricted user account for SSH substituter access, allowing
read-only access to the local Nix store but nothing more. For
example, add the following lines to <filename>sshd_config</filename>
to restrict the user <literal>nix-ssh</literal>:
<programlisting>
Match User nix-ssh
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
PermitTunnel no
X11Forwarding no
ForceCommand nix-store --serve
Match All
</programlisting>
On NixOS, you can accomplish the same by adding the following to your
<filename>configuration.nix</filename>:
<programlisting>
nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
</programlisting>
where the latter line lists the public keys of users that are allowed
to connect.</para>
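<para>The following is an added example and not part of the Nix manual: a POSIX shell helper that checks whether the <filename>sshd_config</filename> Match block above actually took effect, by reading the effective per-user settings that <command>sshd -T -C user=nix-ssh</command> prints and comparing them with the intended values. The two sample dumps are constructed and abridged; the <literal>host=</literal> and <literal>addr=</literal> values in the real invocation are placeholders, included because some OpenSSH releases expect a complete connection specification.</para>

```sh
# Expected effective settings for the restricted account, written the way
# `sshd -T` prints them: keyword lowercased, value as the rest of the line.
NIX_SSH_EXPECTED='allowagentforwarding no
allowtcpforwarding no
permittty no
permittunnel no
x11forwarding no
forcecommand nix-store --serve'

# check_nix_ssh: read `sshd -T` output on stdin and report every expected
# setting that is missing or differs. Returns 0 only when all of them match.
check_nix_ssh() {
    awk -v want="$NIX_SSH_EXPECTED" '
        # record each keyword sshd printed, with the rest of the line as value
        {
            sp = index($0, " ")
            if (sp > 0) have[substr($0, 1, sp - 1)] = substr($0, sp + 1)
        }
        END {
            split(want, ex, "\n")
            for (i = 1; i in ex; i++) {
                sp = index(ex[i], " ")
                key = substr(ex[i], 1, sp - 1); val = substr(ex[i], sp + 1)
                if (!(key in have)) {
                    printf "MISSING %s (want \"%s\")\n", key, val; bad = 1
                } else if (have[key] != val) {
                    printf "WRONG %s is \"%s\" (want \"%s\")\n", key, have[key], val; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed, abridged stand-ins for `sshd -T -C user=nix-ssh` output.
# SAMPLE_GOOD: the Match block is in place. SAMPLE_OPEN: it was never added,
# so nix-ssh keeps forwarding and a shell (no forcecommand line at all).
SAMPLE_GOOD='allowagentforwarding no
allowtcpforwarding no
permittty no
permittunnel no
x11forwarding no
forcecommand nix-store --serve'
SAMPLE_OPEN='allowagentforwarding yes
allowtcpforwarding yes
permittty yes
permittunnel no
x11forwarding no'

# On a real host run, as root: sshd -T -C user=nix-ssh,host=client.example,addr=203.0.113.1 | check_nix_ssh
if printf '%s\n' "$SAMPLE_OPEN" | check_nix_ssh; then echo "restricted"; else echo "NOT restricted"; fi
```

Each reported line names one directive that sshd would apply to the nix-ssh account differently from what the Match block intends.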
</section>