author | Vincent Ambo <mail@tazj.in> | 2022-05-18T15·39+0200 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2022-05-19T14·08+0000 |
commit | d127f9bd0e7b9b2e0df2de8a2227f77c0907468d (patch) | |
tree | 68455040d88b8e0c2817601db88ede450873ff8e /third_party/nix/doc/manual/packages/ssh-substituter.xml | |
parent | c85291c602ac666421627d6934ebc6d5be1b93e1 (diff) |
chore(3p/nix): unvendor tvix 0.1 r/4098
Nothing is using this now, and we'll likely never pick this up again, but we learned a lot in the process. Every now and then this breaks in some bizarre way on channel bumps and it's just a waste of time to maintain that.

Change-Id: Idcf2f5acd4ca7070ce18d7149cbfc0d967dc0a44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5632
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/nix/doc/manual/packages/ssh-substituter.xml')
-rw-r--r-- | third_party/nix/doc/manual/packages/ssh-substituter.xml | 73 |
1 files changed, 0 insertions, 73 deletions
diff --git a/third_party/nix/doc/manual/packages/ssh-substituter.xml b/third_party/nix/doc/manual/packages/ssh-substituter.xml deleted file mode 100644 index 8db3f96625d3..000000000000 --- a/third_party/nix/doc/manual/packages/ssh-substituter.xml +++ /dev/null 
@@ -1,73 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ssec-ssh-substituter"> - -<title>Serving a Nix store via SSH</title> - -<para>You can tell Nix to automatically fetch needed binaries from a -remote Nix store via SSH. For example, the following installs Firefox, -automatically fetching any store paths in Firefox’s closure if they -are available on the server <literal>avalon</literal>: - -<screen> -$ nix-env -i firefox --substituters ssh://alice@avalon -</screen> - -This works similar to the binary cache substituter that Nix usually -uses, only using SSH instead of HTTP: if a store path -<literal>P</literal> is needed, Nix will first check if it’s available -in the Nix store on <literal>avalon</literal>. If not, it will fall -back to using the binary cache substituter, and then to building from -source.</para> - -<note><para>The SSH substituter currently does not allow you to enter -an SSH passphrase interactively. Therefore, you should use -<command>ssh-add</command> to load the decrypted private key into -<command>ssh-agent</command>.</para></note> - -<para>You can also copy the closure of some store path, without -installing it into your profile, e.g. - -<screen> -$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters ssh://alice@avalon -</screen> - -This is essentially equivalent to doing - -<screen> -$ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5 -</screen> - -</para> - -<para>You can use SSH’s <emphasis>forced command</emphasis> feature to -set up a restricted user account for SSH substituter access, allowing -read-only access to the local Nix store, but nothing more. 
For -example, add the following lines to <filename>sshd_config</filename> -to restrict the user <literal>nix-ssh</literal>: - -<programlisting> -Match User nix-ssh - AllowAgentForwarding no - AllowTcpForwarding no - PermitTTY no - PermitTunnel no - X11Forwarding no - ForceCommand nix-store --serve -Match All -</programlisting> - -On NixOS, you can accomplish the same by adding the following to your -<filename>configuration.nix</filename>: - -<programlisting> -nix.sshServe.enable = true; -nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ]; -</programlisting> - -where the latter line lists the public keys of users that are allowed -to connect.</para> - -</section> |
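Review bot: the removed section is addressable as xml:id="ssec-ssh-substituter" (opening lines of the hunk), so any xi:include of ssh-substituter.xml or xref to that id elsewhere in the manual has to be dropped in the same change, otherwise the DocBook build is left with a dangling reference. The diffstat on this page is limited to this one file, so that cannot be confirmed from here; if the rest of third_party/nix/doc goes in the same commit, nothing further is needed. Separately, the deleted text was the in-tree description of the restricted nix-ssh account (ForceCommand nix-store --serve with agent, TCP, TTY, tunnel and X11 forwarding disabled); if anything in the depot still serves a store over SSH, its documentation should point at the upstream manual instead of this path.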