[Nix-dev] nix-daemon and private git repos

Tomasz Czyż tomasz.czyz at gmail.com
Mon Jul 3 15:35:18 CEST 2017


You don't need to know the user itself, I think; you could share it with the
nixbld group (probably).
Also, I think this way recommends using ssh-agent, as far as I remember from
looking at that (but it could have changed).

What I did for one project was:

    fetchgitPrivate = (args: derivation ((nixpkgs.fetchgit args).drvAttrs // {
      # This function is a wrapper around the nix fetchgit function
      # that uses an SSH key.
      # It can be useful when fetching from private repositories.
      #
      # The original function is in
      # https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/default.nix
      #
      GIT_SSH = rr.lib.writeShellScript "git-ssh" ''#!${nixpkgs.bash}/bin/bash -eu
        # Fail early, with a readable diagnostic, when the build user
        # (printed by id) cannot read the private key.
        if ! [[ -r '${repositories-ssh-private-key-path}' ]]; then
          echo "ERROR:" >&2
          echo "ERROR:" >&2
          echo "ERROR: ssh key '${repositories-ssh-private-key-path}' is not readable by build user ($(id))" >&2
          echo "ERROR:" >&2
          echo "ERROR:" >&2
          exit 5
        fi
        # StrictHostKeyChecking=no skips host key verification for the
        # build's ssh connection.
        exec ${nixpkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no -i '${repositories-ssh-private-key-path}' "$@"
      '';
    }));

But it is probably way better to go with the agent.

2017-07-03 14:19 GMT+01:00 Harmen <harmen at lijzij.de>:

> Hi all,
>
> I'm struggling to get fetchgitPrivate to work on a nix-daemon installation (no
> NixOS, these are Ubuntu machines with nix).
> I can make it work on my dev machine, which is a non-daemon install, by
> setting
>
>     NIX_PATH=ssh-config-file=/my/ssh/config:$NIX_PATH
>
> But that doesn't work in sandboxed daemon mode, because the nixbld* users can't
> read that file (both because of access rights, and because of the sandbox).
>
> Nix has this warning in fetchgitPrivate:
> > Note that the config file and any keys it points to must be readable
> > by the build user, which depending on your nix configuration means making it
> > readable by the build-users-group, the user of the running nix-daemon, or the
> > user calling the nix command which started the build. Similarly, if using an
> > ssh agent ssh-auth-sock must point to a socket the build user can access.
> > You may need StrictHostKeyChecking=no in the config file. Since ssh
> > will refuse to use a group-readable private key, if using build-users you will
> > likely want to use something like IdentityFile /some/directory/%u/key and have
> > a directory for each build user accessible to that user.
> from
> https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/private.nix
>
> which sounds reasonable, but I don't see how to do that since I don't know
> exactly which user will run the build. Also, because of the sandbox, the build
> can't read the ssh config file at all.
>
>
> So the next option is to generate the config file in my expression, a la
> https://www.mpscholten.de/nixos/2016/07/07/private-github-repositories-and-nixos.html
> but I don't know how to set nix.path from inside an expression. It would also
> require bundling the key with the expression, but if that works...
>
>
> I can't be the first to want to use fetchgitPrivate with a sandboxed
> nix-daemon. Any experiences or tips?
> Thanks!
> Harmen
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev
>



-- 
Tomasz Czyż
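As an added example (not code from this thread, from nixpkgs, or from the posted snippet), here is a bash GIT_SSH wrapper that takes the idea in the reply above a few steps further for a sandboxed nix-daemon build: it checks the key's permission bits as well as plain readability (ssh refuses a group- or world-readable private key, which is why the fetchgitPrivate note suggests one key directory per build user), it sets up exactly that per-user layout, and it swaps StrictHostKeyChecking=no for a build-readable pinned known_hosts file so a fetch fails hard on an unexpected host key. The variables BUILD_SSH_KEY and BUILD_KNOWN_HOSTS, the build user name nixbld1 and all function names are assumptions for the example, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the post or from nixpkgs.
# A GIT_SSH wrapper that (1) fails early with a clear diagnostic when the
# build user cannot use the key, including the group/world-readable case
# that ssh itself rejects, (2) keeps one key directory per build user as the
# fetchgitPrivate note suggests, and (3) pins host keys through a
# build-readable known_hosts file instead of StrictHostKeyChecking=no.
#
# Assumed (hypothetical) environment variables, set by the expression or the
# daemon environment, not by anything in this thread:
#   BUILD_SSH_KEY      path to the calling build user's private key
#   BUILD_KNOWN_HOSTS  path to a known_hosts file the build user can read

# check_key_usable KEYFILE
# Returns 0 when KEYFILE is a readable regular file whose group/other
# permission bits are all clear (ssh refuses anything else); returns 1
# otherwise and prints the reason on stderr.
check_key_usable() {
  local key=$1 mode
  if [ ! -f "$key" ] || [ ! -r "$key" ]; then
    echo "ERROR: ssh key '$key' is not readable by build user ($(id -un))" >&2
    return 1
  fi
  # GNU stat: prints the permission bits in octal, e.g. 600 or 644.
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    *00) return 0 ;;
    *)
      echo "ERROR: ssh key '$key' has mode $mode; ssh needs 0600 or 0400" >&2
      return 1 ;;
  esac
}

# install_build_user_key BASEDIR BUILDUSER SRCKEY
# Creates BASEDIR/BUILDUSER (mode 0700) holding a 0600 copy of SRCKEY, the
# layout that lets "IdentityFile BASEDIR/%u/key" resolve per build user.
# Ownership is handed to BUILDUSER only when run as root and the user exists,
# so the function also works unprivileged (e.g. when sourced for a dry run).
install_build_user_key() {
  local base=$1 user=$2 src=$3 dir
  dir="$base/$user"
  mkdir -p "$dir" || return 1
  chmod 700 "$dir" || return 1
  cp "$src" "$dir/key" || return 1
  chmod 600 "$dir/key" || return 1
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    chown -R "$user" "$dir" || return 1
  fi
  check_key_usable "$dir/key"
}

# git_ssh_wrapper HOST [ssh args...]: what git runs when GIT_SSH points here.
# IdentitiesOnly stops ssh from offering unrelated agent keys, and the pinned
# known_hosts file turns an unexpected host key into a hard failure.
git_ssh_wrapper() {
  check_key_usable "$BUILD_SSH_KEY" || return 5
  exec ssh -o IdentitiesOnly=yes \
           -o StrictHostKeyChecking=yes \
           -o UserKnownHostsFile="$BUILD_KNOWN_HOSTS" \
           -i "$BUILD_SSH_KEY" "$@"
}

# Act as GIT_SSH only when invoked with arguments and a key is configured;
# sourcing the file just defines the functions.
if [ $# -gt 0 ] && [ -n "${BUILD_SSH_KEY:-}" ]; then
  git_ssh_wrapper "$@"
fi
```

To use it from a Nix expression, write the file to the store with writeScript (the post does the same with its own helper) and pass the store path as GIT_SSH; install_build_user_key is meant to be run once per nixbld user, as root, outside the build, and the known_hosts file must be readable by the build users like the key directory.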