Add convenience option nix.sshServe.keys

This is equivalent to setting
users.extraUsers.nix-cache.openssh.authorizedKeys.keys.

1 files changed, 17 insertions, 2 deletions

diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
index 51fe79270a6..89c64d22a63 100644
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -4,16 +4,28 @@ with lib;
 
 {
   options = {
+
     nix.sshServe = {
+
       enable = mkOption {
-        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
-        default = false;
         type = types.bool;
+        default = false;
+        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
       };
+
+      keys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
+        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
+      };
+
     };
+
   };
 
   config = mkIf config.nix.sshServe.enable {
+
     users.extraUsers.nix-ssh = {
       description = "Nix SSH substituter user";
       uid = config.ids.uids.nix-ssh;
@@ -32,5 +44,8 @@ with lib;
         ForceCommand ${config.nix.package}/bin/nix-store --serve
       Match All
     '';
+
+    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;
+
   };
 }