cafkafk/lix
cafkafk/lix
1
0
Fork 0
Code Issues Pull requests1 Projects Releases Packages Wiki Activity Actions
lix/doc/manual/src/package-management/ssh-substituter.md
Jade Lovelace 748d8310fa Fix the pages in the manual for Lix 
This doesn't comprehensively fix everything outdated in the manual, or
make the manual greatly better, but it does note down where at least
jade noticed it was wrong, and it does fix all the instances of
referencing Nix to conform to the style guide to the best of our
ability.

A lot of things have been commented out for being wrong, and there are
three types of FIXME introduced:

- FIXME(Lix): generically Lix needs to fix it
- FIXME(Qyriad): re https://git.lix.systems/lix-project/lix/issues/215
- FIXME(meson): docs got outdated by meson changes and need rewriting

I did fix a bunch of it that I could, but there could certainly be
mistakes and this is definitely just an incremental improvement.

Fixes: https://git.lix.systems/lix-project/lix/issues/266
Change-Id: I5993c4603d7f026a887089fce77db08394362135
2024-05-05 16:11:01 -07:00

1.9 KiB
Raw Blame History

Serving a Nix store via SSH

You can tell Lix to automatically fetch needed binaries from a remote Nix store via SSH. For example, the following installs Firefox, automatically fetching any store paths in Firefoxs closure if they are available on the server avalon:

$ nix-env --install --attr nixpkgs.firefox --substituters ssh://alice@avalon

This works similar to the binary cache substituter that Lix usually uses, only using SSH instead of HTTP: if a store path P is needed, Lix will first check if its available in the Nix store on avalon. If not, it will fall back to using the binary cache substituter, and then to building from source.

Note

The SSH substituter currently does not allow you to enter an SSH passphrase interactively. Therefore, you should use ssh-add to load the decrypted private key into ssh-agent.

You can also copy the closure of some store path, without installing it into your profile, e.g.

$ nix-store --realise /nix/store/m85bxg…-firefox-34.0.5 --substituters
ssh://alice@avalon

This is essentially equivalent to doing

$ nix-copy-closure --from alice@avalon
/nix/store/m85bxg…-firefox-34.0.5

You can use SSHs forced command feature to set up a restricted user account for SSH substituter access, allowing read-only access to the local Nix store, but nothing more. For example, add the following lines to sshd_config to restrict the user nix-ssh:

Match User nix-ssh
  AllowAgentForwarding no
  AllowTcpForwarding no
  PermitTTY no
  PermitTunnel no
  X11Forwarding no
  ForceCommand nix-store --serve
Match All

On NixOS, you can accomplish the same by adding the following to your configuration.nix:

nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];

where the latter line lists the public keys of users that are allowed to connect.