[Nix-dev] use fetchgitPrivate with NixOps (permission denied)

Andreas Herrmann andreash87 at gmx.ch
Mon Apr 3 07:54:49 CEST 2017


Hi Micheal,


On Sunday 02 April 2017 20:33:59 mb at thought2.de wrote:
> nixops deploy -d network
> 
> [..]
> Initialized empty Git repository in /nix/store/hn...d4c3/.git/
> Can't open user config file /home/me/.ssh/config: Permission denied
> fatal: Could not read from remote repository.
> 
> 
> Anybody ideas how this could be fixed?

Do you have `NIX_REMOTE=daemon` in your environment?
That would be the case if you're on NixOS or a multi-user Nix installation.


> For using fetchgitPrivate one should put a ssh config file and an auth
> socket on the NIX_PATH:
> 
> NIX_PATH=$NIX_PATH:ssh-config-file=/home/me/.ssh/config:ssh-auth-sock=$SSH_AUTH_SOCK
> 
> ls -la /home/me/.ssh/config
> 
> -rw-r--r-- 1 me users 108  2. Apr 19:37 /home/m/.ssh/config
> 
> echo $SSH_AUTH_SOCK
> 
> /run/user/1000/ssh-agent
> 
> So the file should have the right permissions.

If you're using the Nix daemon, then the build job will be executed by a different user.
That user will need read permissions on the ssh config.
What does `ls -ld /home/me/.ssh` say?
If it has permissions `drwx------` then the Nix build user will not be able to open that directory and read the ssh config.

I personally don't like the idea of giving broad permissions on my ssh config.
To enable `fetchgitPrivate` I have a separate ssh config in `~/.nixpkgs/ssh` which is world readable.
In that directory I have a dedicated key without pass phrase for Nix build users which is enabled on GitHub and the like as a deployment key.
That way the worst somebody who steals the private key from there can do is to read the repository,
which at least on the machine I'm working on, they could do anyway because the code ends up in /nix/store which is world readable.
Since the key has no pass phrase I also don't need an auth socket.


Hope that helps.


Best, Andreas
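As an added example (not part of the thread), a POSIX shell check for the permission problem Andreas describes: whether a given ssh config can be read by a different account such as the Nix build user, which requires the other-read bit on the file and the other-execute bit on every ancestor directory. The path arguments and file names are assumptions.

```shell
#!/bin/sh
# Check whether a file is readable from another account (e.g. a nixbld user).
# A daemon build runs as a different user, so `-rw-r--r--` on the config
# is not enough if a parent such as ~/.ssh is `drwx------`.
# Uses `ls -ld` so it works on both GNU and BSD userlands.

# Print the 10-character mode field of `ls -ld`, e.g. drwx------
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# other_x DIR: succeed if "other" has the execute (traverse) bit on DIR
other_x() {
  case "$(perm_string "$1")" in ?????????[xt]) return 0 ;; *) return 1 ;; esac
}

# other_r FILE: succeed if "other" has the read bit on FILE
other_r() {
  case "$(perm_string "$1")" in ???????r??) return 0 ;; *) return 1 ;; esac
}

# world_readable_path FILE: succeed if FILE and all ancestors are reachable
# by other users; otherwise print the first offending component and fail.
world_readable_path() {
  f=$1
  case "$f" in /*) ;; *) f="$(pwd)/$f" ;; esac
  if ! other_r "$f"; then
    echo "not world-readable: $f ($(perm_string "$f"))"
    return 1
  fi
  d=$(dirname "$f")
  while [ "$d" != "/" ]; do
    if ! other_x "$d"; then
      echo "not traversable by others: $d ($(perm_string "$d"))"
      return 1
    fi
    d=$(dirname "$d")
  done
  echo "ok: $f is readable by other users"
  return 0
}

# Usage (assumed path): world_readable_path /home/me/.nixpkgs/ssh/config
if [ "$#" -gt 0 ]; then
  world_readable_path "$1"
fi
```

Run it against the path you put in `ssh-config-file=` to see which component the build user cannot pass, rather than reading `ls -la` output of the file alone.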

