diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 6d8335516049..7e4c9b9b948a 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -112,6 +112,7 @@
     cgminer = 101;
     munin = 102;
     logcheck = 103;
+    nix-ssh = 104;
 
     # When adding a uid, make sure it doesn't match an existing gid.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c66cccb3975a..391cc2503bd2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -125,6 +125,7 @@
   ./services/misc/gpsd.nix
   ./services/misc/nix-daemon.nix
   ./services/misc/nix-gc.nix
+  ./services/misc/nix-ssh-serve.nix
   ./services/misc/nixos-manual.nix
   ./services/misc/rogue.nix
   ./services/misc/svnserve.nix
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
new file mode 100644
index 000000000000..80e7961b1f82
--- /dev/null
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+  serveOnly = pkgs.writeScript "nix-store-serve" ''
+    #!${pkgs.stdenv.shell}
+    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
+      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
+      exit 1
+    fi
+    exec /run/current-system/sw/bin/nix-store --serve
+  '';
+
+  inherit (lib) mkIf mkOption types;
+in {
+  options = {
+    nix.sshServe = {
+      enable = mkOption {
+        description = "Whether to enable serving the nix store over ssh.";
+        default = false;
+        type = types.bool;
+      };
+    };
+  };
+
+  config = mkIf config.nix.sshServe.enable {
+    users.extraUsers.nix-ssh = {
+      description = "User for running nix-store --serve.";
+      uid = config.ids.uids.nix-ssh;
+      shell = pkgs.stdenv.shell;
+    };
+
+    services.openssh.enable = true;
+
+    services.openssh.extraConfig = ''
+      Match User nix-ssh
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitTunnel no
+        X11Forwarding no
+        ForceCommand ${serveOnly}
+      Match All
+    '';
+  };
+}
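Review bot: The new module creates the `nix-ssh` account and locks it down with the `Match User nix-ssh` block, but exposes no option for provisioning the SSH keys that are allowed to use it, so enabling `nix.sshServe.enable` on its own yields an account nobody can log in to and each deployment has to wire up `users.extraUsers.nix-ssh.openssh.authorizedKeys` by hand; a `keys` option (a list of strings fed into that attribute) would make the module usable without that side-channel and would make the trust boundary visible in one place. The `enable` description should also say what is actually granted: because the wrapper only ever execs `nix-store --serve` without `--write` and rejects any other `SSH_ORIGINAL_COMMAND`, any holder of an authorized key gets read access to every path in the local store and nothing more, e.g. `description = "Whether to enable serving the Nix store over SSH. Clients with an authorized key for the nix-ssh user get read-only access to the whole store via nix-store --serve.";`. Finally, the wrapper resolves the binary through `/run/current-system/sw/bin/nix-store`, which presumably relies on nix being in the system profile; if that is not guaranteed, referencing the configured Nix package (`${config.nix.package}/bin/nix-store`) would pin the served protocol to the same Nix the daemon uses.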