[Nix-dev] nix-daemon and private git repos

Harmen harmen at lijzij.de
Mon Jul 3 15:19:31 CEST 2017


Hi all,

I'm struggling to get fetchgitPrivate to work on a nix-daemon installation (no
NixOS, these are Ubuntu machines with nix).
I can make it work on my dev machine, which is a non-daemon install, by setting

    NIX_PATH=ssh-config-file=/my/ssh/config:$NIX_PATH

But that doesn't work in sandboxed daemon mode, because the nixbld* users can't
read that file (both because of access rights, and because of the sandbox).

Nix has this warning in fetchgitPrivate:
> Note that the config file and any keys it points to must be readable
> by the build user, which depending on your nix configuration means making it
> readable by the build-users-group, the user of the running nix-daemon, or the
> user calling the nix command which started the build. Similarly, if using an
> ssh agent ssh-auth-sock must point to a socket the build user can access.
> You may need StrictHostKeyChecking=no in the config file. Since ssh
> will refuse to use a group-readable private key, if using build-users you will
> likely want to use something like IdentityFile /some/directory/%u/key and have
> a directory for each build user accessible to that user.
from
https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/private.nix

which sounds reasonable, but I don't see how to do that since I don't know
exactly which user will run the build. Also, because of the sandbox, the build
can't read the ssh config file at all.


So the next option is to generate the config file in my expression, à la
https://www.mpscholten.de/nixos/2016/07/07/private-github-repositories-and-nixos.html
but I don't know how to set nix.path from inside an expression. It would also
require bundling the key with the expression, but if that works...


I can't be the first to want to use fetchgitPrivate with a sandboxed
nix-daemon. Any experiences or tips?
Thanks!
Harmen
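The fetchgitPrivate note quoted above asks for a per-build-user key layout (IdentityFile /some/directory/%u/key) because ssh refuses a private key that is group- or world-readable. The checker below is an added example, not code from the original post or from nixpkgs: it verifies that a given build user's directory and key exist, are owned by that user, and carry no group/other permission bits. The base directory /some/directory and the build user names are assumptions; the sandbox question raised in the post is outside what this check covers.

```shell
# Added example (not from the original post or from nixpkgs): POSIX sh
# checks for the IdentityFile /some/directory/%u/key layout described in
# the fetchgitPrivate note. Paths and user names are assumptions.

# file_owner PATH -> prints the owning user name (uses ls, so it is
# portable across GNU and BSD stat variants)
file_owner() {
  ls -ld "$1" | awk '{print $3}'
}

# key_private_enough PATH -> 0 if PATH is a regular file whose group and
# other permission bits are all clear (e.g. 0600 or 0400), 1 otherwise.
# ssh refuses a private key that fails this test.
key_private_enough() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# check_build_user_key BASEDIR USER -> 0 if BASEDIR/USER/key is owned by
# USER and private enough for ssh; prints the reason and returns 1 otherwise
check_build_user_key() {
  base=$1
  user=$2
  dir="$base/$user"
  key="$dir/key"
  if [ ! -d "$dir" ]; then
    echo "$user: missing directory $dir"
    return 1
  fi
  if [ "$(file_owner "$dir")" != "$user" ]; then
    echo "$user: $dir is not owned by $user"
    return 1
  fi
  if [ ! -f "$key" ]; then
    echo "$user: missing key $key"
    return 1
  fi
  if [ "$(file_owner "$key")" != "$user" ]; then
    echo "$user: $key is not owned by $user"
    return 1
  fi
  if ! key_private_enough "$key"; then
    echo "$user: $key is group- or world-readable; ssh will refuse it"
    return 1
  fi
  echo "$user: ok"
}

# Usage (assumed layout): check every member of the nixbld group.
#   for u in $(getent group nixbld | cut -d: -f4 | tr ',' ' '); do
#     check_build_user_key /some/directory "$u"
#   done
```

Run it on the daemon host after laying out the per-user directories; any line other than "<user>: ok" names the file that will make the build's ssh invocation fail.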

