<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ssec-ssh-substituter"> <title>Serving a Nix store via SSH</title> <para>You can tell Nix to automatically fetch needed binaries from a remote Nix store via SSH. For example, the following installs Firefox, automatically fetching any store paths in Firefox’s closure if they are available on the server <literal>avalon</literal>: <screen> $ nix-env -i firefox --option ssh-substituter-hosts alice@avalon </screen> This works similar to the binary cache substituter that Nix usually uses, only using SSH instead of HTTP: if a store path <literal>P</literal> is needed, Nix will first check if it’s available in the Nix store on <literal>avalon</literal>. If not, it will fall back to using the binary cache substituter, and then to building from source.</para> <note><para>The SSH substituter currently does not allow you to enter an SSH passphrase interactively. Therefore, you should use <command>ssh-add</command> to load the decrypted private key into <command>ssh-agent</command>.</para></note> <para>You can also copy the closure of some store path, without installing it into your profile, e.g. <screen> $ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --option ssh-substituter-hosts alice@avalon </screen> This is essentially equivalent to doing <screen> $ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5 </screen> </para> <para>You can use SSH’s <emphasis>forced command</emphasis> feature to set up a restricted user account for SSH substituter access, allowing read-only access to the local Nix store, but nothing more. For example, add the following lines to <filename>sshd_config</filename> to restrict the user <literal>nix-ssh</literal>: <programlisting> Match User nix-ssh AllowAgentForwarding no AllowTcpForwarding no PermitTTY no PermitTunnel no X11Forwarding no ForceCommand nix-store --serve Match All </programlisting> On NixOS, you can accomplish the same by adding the following to your <filename>configuration.nix</filename>: <programlisting> nix.sshServe.enable = true; nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ]; </programlisting> where the latter line lists the public keys of users that are allowed to connect.</para> </section>