Home Explore Blog Models CI



nix
doc/manual/source/package-management/ssh-substituter.md
5ceb26f811dbcf480674380a7f0cf51212f6d34651a37c0d00000003000007a2
# Serving a Nix store via SSH

You can tell Nix to automatically fetch needed binaries from a remote
Nix store via SSH. For example, the following installs Firefox,
automatically fetching any store paths in Firefox’s closure if they are
available on the server `avalon`:

```console
$ nix-env --install --attr nixpkgs.firefox --substituters ssh://alice@avalon
```

This works similar to the binary cache substituter that Nix usually
uses, only using SSH instead of HTTP: if a store path `P` is needed, Nix
will first check if it’s available in the Nix store on `avalon`. If not,
it will fall back to using the binary cache substituter, and then to
building from source.

> **Note**
> 
> The SSH substituter currently does not allow you to enter an SSH
> passphrase interactively. Therefore, you should use `ssh-add` to load
> the decrypted private key into `ssh-agent`.

You can also copy the closure of some store path, without installing it
into your profile, e.g.

```console
$ nix-store --realise /nix/store/m85bxg…-firefox-34.0.5 --substituters
ssh://alice@avalon
```

This is essentially equivalent to doing

```console
$ nix-copy-closure --from alice@avalon
/nix/store/m85bxg…-firefox-34.0.5
```

You can use SSH’s *forced command* feature to set up a restricted user
account for SSH substituter access, allowing read-only access to the
local Nix store, but nothing more. For example, add the following lines
to `sshd_config` to restrict the user `nix-ssh`:

    Match User nix-ssh
      AllowAgentForwarding no
      AllowTcpForwarding no
      PermitTTY no
      PermitTunnel no
      X11Forwarding no
      ForceCommand nix-store --serve
    Match All

On NixOS, you can accomplish the same by adding the following to your
`configuration.nix`:

```nix
nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
```

where the latter line lists the public keys of users that are allowed to
connect.
Chunks
7953a40f (1st chunk of `doc/manual/source/package-management/ssh-substituter.md`)
Title: Serving a Nix Store via SSH
Summary
This document explains how to configure Nix to fetch binaries from a remote Nix store using SSH as a substituter. It demonstrates how to install packages or copy store paths by specifying an SSH URL (e.g., `ssh://user@host`). This method prioritizes the remote SSH store, then falls back to binary caches, and finally to building from source. A key note mentions that interactive SSH passphrases are not supported, recommending `ssh-add`. For security, SSH's forced command feature can be used with `nix-store --serve` to create restricted, read-only user accounts for SSH access. On NixOS, this functionality can be enabled and configured via `nix.sshServe.enable` and `nix.sshServe.keys` in `configuration.nix`.