[Nix-dev] gitFetchPrivate on NixOS

zimbatm zimbatm at zimbatm.com
Thu Jun 16 00:46:57 CEST 2016


I believe you could run nix-prefetch-git to pre-populate the store but I
don't know if it's still possible, the derivation might not match exactly
anymore. Also it's only really useful for developer machines, on a CI you
still want it to have access to the repo, isn't it?

On Wed, 15 Jun 2016 at 13:42 Ashley Gillman <gillmanash at gmail.com> wrote:

> Thanks Zimbatm,
>
> Actually I don't think the issue is the socket (yet). For example, I get
> exactly the same error when just calling
> `nix-shell -I ssh-config-file=$HOME/.ssh/config`. The current "wall" I think is either
> that config file or the referenced id_rsa file, but the error indicates it's
> the config file itself. I have tried `chmod o+rw` on the file, and with
> group (`chmod g+rw` and `chgrp`ing to nixbld), but to no avail.
>
> I should mention also, I do not have my heart set on gitFetchPrivate. If
> there is another way to access a remote (BitBucket) server requiring
> credentials, that would be great. Although pulling each manually and using
> a local file path is not preferred.
>
> Cheers,
> Ash
>
> On Wed, Jun 15, 2016 at 10:07 PM, zimbatm <zimbatm at zimbatm.com> wrote:
>
>> Hi,
>>
>> Yes, the difference is that the build user is nixbld[1-9]. Also the SSH
>> agent doesn't allow other users to access the socket.
>>
>> Sorry I don't know the solution. You could maybe build a bridge on the
>> socket using `socat` to hide the caller's user.
>>
>> On Wed, 15 Jun 2016, 11:57 Ashley Gillman, <gillmanash at gmail.com> wrote:
>>
>>> Hi all,
>>> I have been attempting to use gitFetchPrivate to fetch from a private
>>> bitbucket repo over SSH, on both Ubuntu running Nix and on NixOS. I am able
>>> to get the setup working on Ubuntu.
>>>
>>> - Set up SSH-Agent the usual way.
>>> - Ensure that `git clone ssh://git@bitbucket.domain.com:<port>/<user>/<repo>.git` works, it does
>>> - Use `nix-shell -I ssh-config-file=$HOME/.ssh/config -I ssh-auth-sock=$SSH_AUTH_SOCK`, with a local shell.nix specifying requirements
>>>
>>> However, I am unable to repeat the process on a NixOS machine.
>>>
>>>     gil@gil-nixos:~/proj/pylx $ git clone ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
>>>     <This works>
>>>
>>>     gil@gil-nixos:~/proj/pylx $ nix-shell -I ssh-config-file=$HOME/.ssh/config -I ssh-auth-sock=$SSH_AUTH_SOCK
>>>     these derivations will be built:
>>>       /nix/store/48cz61di3gf6fpkydgri74h5i2s8qh3h-vtk-qvtk-5.10.1.drv
>>>       /nix/store/pcj22pnchg10bq63a32jcc53l75cy8z1-boost-1.59.0.drv
>>>       /nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv
>>>       /nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv
>>>     building path(s) ‘/nix/store/603gs7mcgpf7cnyv3k2bkxk1kbj4smbq-boost-1.59.0’, ‘/nix/store/q26zzdzy5zngyxyah8fhqmnqwbmz4gl4-boost-1.59.0-lib’, ‘/nix/store/zggqsmrh9l70yrcdagmgqjmv8i6a9rls-boost-1.59.0-dev’
>>>     building path(s) ‘/nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819’
>>>     building path(s) ‘/nix/store/j70pal3svpcip7xv21bxf5xy2c4chl84-vtk-qvtk-5.10.1’
>>>     exporting ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git (rev 585a8195804) into /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819
>>>     Initialized empty Git repository in /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819/.git/
>>>     Can't open user config file /home/gil/.ssh/config: Permission denied
>>>     fatal: Could not read from remote repository.
>>>
>>>     Please make sure you have the correct access rights
>>>     and the repository exists.
>>>     unpacking sources
>>>     unpacking source archive /nix/store/cdz3wd9r8vlnp193kv091pal401mg9kc-boost_1_59_0.tar.bz2
>>>     Can't open user config file /home/gil/.ssh/config: Permission denied
>>>     fatal: Could not read from remote repository.
>>>
>>>     Please make sure you have the correct access rights
>>>     and the repository exists.
>>>     Unable to checkout 585a8195804 from ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git.
>>>     builder for ‘/nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv’ failed with exit code 1
>>>     cannot build derivation ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’: 1 dependencies couldn't be built
>>>     error: build of ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’ failed
>>>     /run/current-system/sw/bin/nix-shell: failed to build all dependencies
>>>
>>> With the relevant line being:
>>>     Can't open user config file /home/gil/.ssh/config: Permission denied
>>>
>>> Probably a nixbld user is trying to access this? I am not actually sure
>>> if my nixpkgs are built by my user or by nixbld. How can I tell? `cat
>>> /etc/passwd` indicates that the nixbld users exist.
>>>
>>> I have attempted to follow instructions for setting up gitFetchPrivate
>>> for multi-user installations (but again, not even sure this is what I have
>>> - I just installed the simplest way), but to no avail (although the
>>> instructions are somewhat unclear).
>>>
>>> Thanks for any help,
>>> Ashley Gillman (Ash)
>>
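
An added diagnostic, not part of the original thread or of nixpkgs: opening a file needs search (x) permission on every parent directory, so `chmod o+rw` on `/home/gil/.ssh/config` alone does not help a nixbld user if `/home/gil` or `~/.ssh` denies traversal. The functions below (hypothetical names, GNU `stat -c` assumed, ACLs ignored) report the first path component that blocks a user who is neither owner nor group member.

```shell
#!/bin/sh
# Added example: locate the first path component that denies access to a
# user in the "other" permission class (e.g. a nixbld build user).
# Assumptions: GNU coreutils `stat -c`; POSIX ACLs are not considered.
# Usage: first_blocker / home/gil/.ssh/config

# other_bits PATH -> prints the "other" octal digit (0-7) of PATH's mode
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    # last character of the octal mode string is the "other" digit
    echo "${mode#"${mode%?}"}"
}

# first_blocker BASE RELPATH
# Walks RELPATH below BASE one component at a time. Directories on the way
# need x (1) for "other"; the final file needs r (4). Prints the first
# failing component and returns 1, or prints nothing and returns 0.
first_blocker() {
    cur=${1%/}
    rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        cur="$cur/$part"
        bits=$(other_bits "$cur") || { echo "$cur (missing)"; return 1; }
        if [ -n "$rest" ]; then need=1; else need=4; fi
        if [ $((bits & need)) -eq 0 ]; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}
```

Granting those bits on `~/.ssh` exposes the config and key files to every local account, so a separate copy readable only by the build group is the narrower change.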