2014-12-14 02:19:15 +00:00
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
|
|
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
|
|
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
|
|
|
|
version="5.0"
|
|
|
|
|
|
xml:id="ssec-ssh-substituter">
|
|
|
|
|
|
|
|
|
|
|
|
<title>Serving a Nix store via SSH</title>
|
|
|
|
|
|
|
|
|
|
|
|
<para>You can tell Nix to automatically fetch needed binaries from a
|
|
|
|
|
|
remote Nix store via SSH. For example, the following installs Firefox,
|
|
|
|
|
|
automatically fetching any store paths in Firefox’s closure if they
|
|
|
|
|
|
are available on the server <literal>avalon</literal>:
|
|
|
|
|
|
|
|
|
|
|
|
<screen>
|
2018-03-22 23:17:45 +00:00
|
|
|
|
$ nix-env -i firefox --substituters ssh://alice@avalon
|
2014-12-14 02:19:15 +00:00
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
|
|
This works similar to the binary cache substituter that Nix usually
|
|
|
|
|
|
uses, only using SSH instead of HTTP: if a store path
|
|
|
|
|
|
<literal>P</literal> is needed, Nix will first check if it’s available
|
|
|
|
|
|
in the Nix store on <literal>avalon</literal>. If not, it will fall
|
|
|
|
|
|
back to using the binary cache substituter, and then to building from
|
|
|
|
|
|
source.</para>
|
|
|
|
|
|
|
|
|
|
|
|
<note><para>The SSH substituter currently does not allow you to enter
|
|
|
|
|
|
an SSH passphrase interactively. Therefore, you should use
|
|
|
|
|
|
<command>ssh-add</command> to load the decrypted private key into
|
|
|
|
|
|
<command>ssh-agent</command>.</para></note>
|
|
|
|
|
|
|
|
|
|
|
|
<para>You can also copy the closure of some store path, without
|
|
|
|
|
|
installing it into your profile, e.g.
|
|
|
|
|
|
|
|
|
|
|
|
<screen>
|
2018-03-22 23:17:45 +00:00
|
|
|
|
$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters ssh://alice@avalon
|
2014-12-14 02:19:15 +00:00
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
|
|
This is essentially equivalent to doing
|
|
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
|
$ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5
|
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
|
|
<para>You can use SSH’s <emphasis>forced command</emphasis> feature to
|
|
|
|
|
|
set up a restricted user account for SSH substituter access, allowing
|
|
|
|
|
|
read-only access to the local Nix store, but nothing more. For
|
|
|
|
|
|
example, add the following lines to <filename>sshd_config</filename>
|
|
|
|
|
|
to restrict the user <literal>nix-ssh</literal>:
|
|
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
|
Match User nix-ssh
|
|
|
|
|
|
AllowAgentForwarding no
|
|
|
|
|
|
AllowTcpForwarding no
|
|
|
|
|
|
PermitTTY no
|
|
|
|
|
|
PermitTunnel no
|
|
|
|
|
|
X11Forwarding no
|
|
|
|
|
|
ForceCommand nix-store --serve
|
|
|
|
|
|
Match All
|
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
|
|
On NixOS, you can accomplish the same by adding the following to your
|
|
|
|
|
|
<filename>configuration.nix</filename>:
|
|
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
|
nix.sshServe.enable = true;
|
|
|
|
|
|
nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
|
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
|
|
where the latter line lists the public keys of users that are allowed
|
|
|
|
|
|
to connect.</para>
|
|
|
|
|
|
|
|
|
|
|
|
</section>
|
