SSH works, but remote building says it can't connect

Everything seems to line up to be able to build remotely:

  • config.nix.buildMachines:
    [
      {
        # host passed to ssh; no publicHostKey, so the host key is taken from
        # the known_hosts of whichever account opens the connection
        hostName = "hostname";
        mandatoryFeatures = [ ];
        maxJobs = 1;
        # Nix store protocol over SSH (the same transport as ssh-ng://)
        protocol = "ssh-ng";
        publicHostKey = null;
        speedFactor = 1;
        # private key used for the connection; read by the process that
        # opens it (the nix-daemon, i.e. root, in a multi-user install)
        sshKey = "/home/username/.ssh/id_ed25519";
        sshUser = "username";
        supportedFeatures = [
          "benchmark"
          "big-parallel"
          "flakes"
          "kvm"
          "nix-command"
          "nixos-test"
        ];
        system = "x86_64-linux";
        systems = [ ];
      }
    ]
    
  • ssh username@hostname succeeds
  • nix store info --store ssh-ng://username@hostname succeeds
  • /etc/nix/nix.conf on the builder contains allowed-users = * and trusted-users = root @wheel
  • username is part of the wheel group

But when running deploy, it prints

cannot build on ‘ssh-ng://username@hostname’: error: failed to start SSH connection to ‘username@hostname’

What else do I need to do?

2 Likes

I don’t remember the exact details anymore, but after fixing it I made a quick write-up of the findings: Remote Nix build footguns.

Adding users to trusted-users is a bad idea, as they can modify things like substituters.

https://nix.dev/manual/nix/2.32/command-ref/conf-file.html#conf-trusted-users

Warning

Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. For example, the user can access or replace store path contents that are critical for system security.

Use allowed-users instead.

3 Likes
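To make the difference between the two settings in the reply above concrete, here is an added example (not from the thread or from Nix itself) that resolves a nix.conf's allowed-users and trusted-users against a user and their groups the way the manual describes: `*` matches everyone, `@group` matches members of that group, a bare name matches that user, `extra-<name>` appends to a setting, and trusted users are always allowed to connect. The two configurations and the user/group memberships below are constructed for the example; the first mirrors the builder's nix.conf from the question, the second moves the build user out of trusted-users.

```python
"""Resolve Nix daemon access (allowed-users / trusted-users) for a user.

Added example; the parsing rules follow the Nix manual's conf-file reference,
the sample configurations are constructed for illustration.
"""

# Defaults from the Nix manual: everyone may connect, only root is trusted.
DEFAULTS = {"allowed-users": ["*"], "trusted-users": ["root"]}


def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Parse `name = value` lines into token lists.

    `#` starts a comment, list values are whitespace separated, and an
    `extra-<name>` line appends to <name> instead of replacing it.
    """
    settings = {name: list(value) for name, value in DEFAULTS.items()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        tokens = value.split()
        if name.startswith("extra-"):
            settings.setdefault(name[len("extra-"):], []).extend(tokens)
        else:
            settings[name] = tokens
    return settings


def matches(entries: list[str], user: str, groups: set[str]) -> bool:
    """Entry syntax: `*` (everyone), `@grp` (group members) or a user name."""
    for entry in entries:
        if entry == "*":
            return True
        if entry.startswith("@") and entry[1:] in groups:
            return True
        if entry == user:
            return True
    return False


def daemon_access(conf_text: str, user: str, groups: set[str]) -> str:
    """Return 'trusted', 'allowed' or 'denied' for this user on this daemon.

    A trusted user can override settings such as substituters and
    trusted-public-keys per invocation, which is why the manual treats
    trusted-users as root-equivalent. Trusted users are always allowed.
    """
    conf = parse_nix_conf(conf_text)
    if matches(conf["trusted-users"], user, groups):
        return "trusted"
    if matches(conf["allowed-users"], user, groups):
        return "allowed"
    return "denied"


# Constructed sample 1: the builder's nix.conf as described in the question.
BUILDER_CONF = """
allowed-users = *
trusted-users = root @wheel   # every wheel member is root-equivalent for Nix
"""

# Constructed sample 2: the build user may use the daemon but is not trusted.
HARDENED_CONF = """
allowed-users = username
trusted-users = root
"""

# Constructed sample 3: the same grant made through an extra- line.
EXTRA_CONF = """
trusted-users = root
extra-trusted-users = @wheel
"""

if __name__ == "__main__":
    wheel_user = ("username", {"users", "wheel"})
    for label, conf in (("builder", BUILDER_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: username -> {daemon_access(conf, *wheel_user)}")
```

Running the module prints `builder: username -> trusted` and `hardened: username -> allowed`; the remote build still works in the second case because a remote builder only needs the SSH user to be able to connect to the daemon, not to be trusted by it.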

Thank you for the tip! In this case I already have root on both machines, so trust isn’t an issue, but I’ll amend the article.