[Nix-dev] gitFetchPrivate on NixOS

Adrien Devresse Adev at adev.name
Thu Jun 16 15:57:57 CEST 2016

Hi Ash,

I attach to this mail the script I use for gitFetchPrivate in a
multi-user configuration.

Have a look, you should be able to adapt it to your usage quite easily.

The trick is to give the nix-daemon access to three things:
- rw access to your ssh-agent socket
- read access to your ssh config file
- the option that asks ssh to ignore the user read-only permission on the
config file.


On 16/06/2016 00:46, zimbatm wrote:
> I believe you could run nix-prefetch-git to pre-populate the store but
> I don't know if it's still possible, the derivation might not match
> exactly anymore. Also it's only really useful for developer machines,
> on a CI you still want it to have access to the repo, don't you?
> On Wed, 15 Jun 2016 at 13:42 Ashley Gillman <gillmanash at gmail.com
> <mailto:gillmanash at gmail.com>> wrote:
>     Thanks Zimbatm,
>     Actually I don't think the issue is the socket (yet). For example,
>     I get exactly the same error when just calling `nix-shell -I
>     ssh-config-file=$HOME/.ssh/config`. The current "wall" I think is
>     either that config file or the referenced id_rsa file, but the
>     error indicates it's the config file itself. I have tried `chmod
>     o+rw` on the file, and with group (`chmod g+rw` and `chgrp`ing to
>     nixbld), but to no avail.
>     I should mention also, I do not have my heart set on
>     gitFetchPrivate. If there is another way to access a remote
>     (BitBucket) server requiring credentials, that would be great.
>     Although pulling each manually and using a local file path is not
>     preferred.
>     Cheers,
>     Ash
>     On Wed, Jun 15, 2016 at 10:07 PM, zimbatm <zimbatm at zimbatm.com
>     <mailto:zimbatm at zimbatm.com>> wrote:
>         Hi,
>         Yes the difference is that the build user is nixbld[1-9]. Also
>         the SSH agent doesn't allow other users to access the socket.
>         Sorry I don't know the solution. You could maybe build a
>         bridge on the socket using `socat` to hide the caller's user.
>         On Wed, 15 Jun 2016, 11:57 Ashley Gillman,
>         <gillmanash at gmail.com <mailto:gillmanash at gmail.com>> wrote:
>             Hi all,
>             I have been attempting to use gitFetchPrivate to fetch
>             from a private bitbucket repo over SSH, on both Ubuntu
>             running Nix and on NixOS. I am able to get the setup
>             working on Ubuntu.
>             - Set up SSH-Agent the usual way.
>             - Ensure that `git clone ssh://git@bitbucket.domain.com:<port>/<user>/<repo>.git` works,
>             it does
>             - Use `nix-shell -I ssh-config-file=$HOME/.ssh/config -I
>             ssh-auth-sock=$SSH_AUTH_SOCK`, with a local shell.nix
>             specifying requirements
>             However, I am unable to repeat the process on a NixOS machine.
>                 gil at gil-nixos:~/proj/pylx $ git clone
>             ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
>                 <This works>
>                 gil at gil-nixos:~/proj/pylx $ nix-shell -I
>             ssh-config-file=$HOME/.ssh/config -I
>             ssh-auth-sock=$SSH_AUTH_SOCK
>                 these derivations will be built:
>             /nix/store/48cz61di3gf6fpkydgri74h5i2s8qh3h-vtk-qvtk-5.10.1.drv
>             /nix/store/pcj22pnchg10bq63a32jcc53l75cy8z1-boost-1.59.0.drv
>             /nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv
>             /nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv
>                 building path(s)
>             ‘/nix/store/603gs7mcgpf7cnyv3k2bkxk1kbj4smbq-boost-1.59.0’, ‘/nix/store/q26zzdzy5zngyxyah8fhqmnqwbmz4gl4-boost-1.59.0-lib’,
>             ‘/nix/store/zggqsmrh9l70yrcdagmgqjmv8i6a9rls-boost-1.59.0-dev’
>                 building path(s)
>             ‘/nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819’
>                 building path(s)
>             ‘/nix/store/j70pal3svpcip7xv21bxf5xy2c4chl84-vtk-qvtk-5.10.1’
>                 exporting
>             ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
>             (rev 585a8195804) into
>             /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819
>                 Initialized empty Git repository in
>             /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819/.git/
>                 Can't open user config file /home/gil/.ssh/config:
>             Permission denied
>                 fatal: Could not read from remote repository.
>                 Please make sure you have the correct access rights
>                 and the repository exists.
>                 unpacking sources
>                 unpacking source archive
>             /nix/store/cdz3wd9r8vlnp193kv091pal401mg9kc-boost_1_59_0.tar.bz2
>                 Can't open user config file /home/gil/.ssh/config:
>             Permission denied
>                 fatal: Could not read from remote repository.
>                 Please make sure you have the correct access rights
>                 and the repository exists.
>                 Unable to checkout 585a8195804 from
>             ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git.
>                 builder for
>             ‘/nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv’
>             failed with exit code 1
>                 cannot build derivation
>             ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’:
>             1 dependencies couldn't be built
>                 error: build of
>             ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’ failed
>                 /run/current-system/sw/bin/nix-shell: failed to build
>             all dependencies
>             With the relevant line being:
>                 Can't open user config file /home/gil/.ssh/config:
>             Permission denied
>             Probably a nixbld user is trying to access this? I am not
>             actually sure if my nixpkgs are built by my user or by
>             nixbld. How can I tell? `cat /etc/passwd` indicates that
>             the nixbld users exist.
>             I have attempted to follow instructions for setting up
>             gitFetchPrivate for multi-user installations (but again,
>             not even sure this is what I have - I just installed the
>             simplest way), but to no avail (although the instructions
>             are somewhat unclear).
>             Thanks for any help,
>             Ashley Gillman (Ash)
>             _______________________________________________
>             nix-dev mailing list
>             nix-dev at lists.science.uu.nl
>             <mailto:nix-dev at lists.science.uu.nl>
>             http://lists.science.uu.nl/mailman/listinfo/nix-dev

-------------- next part --------------

#!/usr/bin/env bash
# Grant the nix build user access to the caller's ssh-agent socket and to a
# copy of the caller's ssh config, then print the NIX_PATH entries that
# fetchgitPrivate reads (ssh-config-file and ssh-auth-sock).
set -u

# NIX_DAEMON_USER is not defined anywhere in the posted script: the caller
# must set it to the user the fetch runs as (the nix build user).
: "${NIX_DAEMON_USER:?set NIX_DAEMON_USER to the nix build user}"

# globals
TMP_SSH_CONFIG_DIR="$(mktemp -d /tmp/nix-ssh-config-XXXXXXXXX)"
# TMP_SSH_CONFIG_FILE was used but not defined in the posted script;
# the copied config lives inside the temporary directory.
TMP_SSH_CONFIG_FILE="${TMP_SSH_CONFIG_DIR}/.ssh/config"

## configure ssh agent location
if [[ -S ${SSH_AUTH_SOCK:-} ]]; then
	# Whoever can connect to this socket can sign with every key the agent
	# holds: this hands the build user the use of all your loaded keys for
	# as long as the ACL stays in place.
	setfacl -m "u:${NIX_DAEMON_USER}:rwx" "${SSH_AUTH_SOCK}"
	setfacl -m "u:${NIX_DAEMON_USER}:rwx" "$(dirname "${SSH_AUTH_SOCK}")"
else
	echo "Error: ssh-agent environment variable SSH_AUTH_SOCK is unset or not a socket" >&2
	exit 1
fi

## configure ssh config path
mkdir -p "${TMP_SSH_CONFIG_DIR}/.ssh"

## use ssh_config user file as initial template
## if it exists
## to forward user alias and parameters
## (a copy under /tmp is readable by the build user even when $HOME is not)
if [[ -e ${HOME}/.ssh/config ]]; then
	cp "${HOME}/.ssh/config" "${TMP_SSH_CONFIG_FILE}"
fi

## Disable strict host key checking
## Needed to have the nix-daemon able to read
## a file not owned by him without throwing
## a SSH error
## Caveat: these two options make the build user accept any host key the
## server presents, so the clone is exposed to a man-in-the-middle.
cat >> "${TMP_SSH_CONFIG_FILE}" <<'EOF'

Host *
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
EOF

## the build user only needs to read the config: r on files, x on directories
setfacl -R -m "u:${NIX_DAEMON_USER}:rX" "${TMP_SSH_CONFIG_DIR}"

## print the suggested NIX_PATH including SSH config file and agent
## (NIX_PATH_CONTENT was not defined in the posted script; these are the
## two entries fetchgitPrivate looks up, prepended to the current NIX_PATH)
NIX_PATH_CONTENT="ssh-config-file=${TMP_SSH_CONFIG_FILE}:ssh-auth-sock=${SSH_AUTH_SOCK}:${NIX_PATH:-}"
echo "export NIX_PATH=\"${NIX_PATH_CONTENT}\""
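Added example, not part of Adrien's script nor of nixpkgs: the stanza the script appends (`StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null`) makes the build user accept whatever host key the Bitbucket server presents, so the clone over SSH has no protection against a man-in-the-middle. The alternative below pins the relevant entries from the caller's own known_hosts into a file the build user can read and hands it an ssh config with `StrictHostKeyChecking yes`. The host names, the port 7999 and the key blobs are constructed sample data; `pin_host_keys`, `write_build_ssh_config` and `pinned_count` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original mail or from nixpkgs): build a pinned
# known_hosts file and ssh config for the nix build user instead of giving
# it "StrictHostKeyChecking no" + "UserKnownHostsFile /dev/null".
set -eu

# Constructed sample of a user's ~/.ssh/known_hosts: plain, aliased,
# non-default-port and hashed entries. The key blobs are placeholders.
SAMPLE_KNOWN_HOSTS='bitbucket.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001
[bitbucket.example.com]:7999 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY0002
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0003
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0004'

# pin_host_keys SRC_KNOWN_HOSTS PATTERN...
#   Print every plain-text known_hosts line whose host field lists one of
#   the patterns exactly ("host" or "[host]:port"). Hashed (|1|...) lines
#   are skipped: only "ssh-keygen -F" can match those, and it is the tool
#   to use when available; awk keeps this example runnable offline.
pin_host_keys() {
	src="$1"; shift
	for pat in "$@"; do
		awk -v pat="$pat" '
			/^[#|]/ { next }                 # comments and hashed hosts
			{ f = ($1 ~ /^@/) ? 2 : 1        # @cert-authority / @revoked markers
			  n = split($f, hosts, ",")
			  for (i = 1; i <= n; i++)
			  	if (hosts[i] == pat) { print; break } }' "$src"
	done
}

# write_build_ssh_config OUT_CONFIG KNOWN_HOSTS HOST [PORT]
#   Emit the ssh_config the build user is given through -F / ssh-config-file:
#   host keys are verified against the pinned file and nothing else, and an
#   unknown or changed key is a hard failure instead of a silent accept.
write_build_ssh_config() {
	out="$1" known="$2" host="$3" port="${4:-22}"
	cat > "$out" <<EOF
Host $host
        Port $port
        StrictHostKeyChecking yes
        UserKnownHostsFile $known
        GlobalKnownHostsFile /dev/null
EOF
}

# pinned_count KNOWN_HOSTS -> number of pinned entries, for a sanity check
pinned_count() { grep -c . "$1"; }

# Demonstration on the constructed sample: pin both forms of the Bitbucket
# host (bare name and [name]:port) and write the matching config.
work="$(mktemp -d)"
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$work/known_hosts"
pin_host_keys "$work/known_hosts" 'bitbucket.example.com' '[bitbucket.example.com]:7999' \
	> "$work/pinned_known_hosts"
write_build_ssh_config "$work/config" "$work/pinned_known_hosts" bitbucket.example.com 7999
echo "pinned $(pinned_count "$work/pinned_known_hosts") host key(s) into $work/pinned_known_hosts"
cat "$work/config"
```

ssh keeps the first value it obtains for each option, so a `Host bitbucket.example.com` block placed before the script's trailing `Host *` stanza wins for that host; in the setup from the script the pinned file and the config both have to carry the same read ACL for the build user as the config directory. For hashed known_hosts entries, `ssh-keygen -F '[bitbucket.example.com]:7999' -f ~/.ssh/known_hosts` finds the line (it prints a comment line first, then the entry) and can replace the awk lookup.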

