Shea Levy wrote:

> On Thu, Apr 17, 2014 at 06:13:35PM +0200, Ben Franksen wrote:
>> Eelco Dolstra wrote:
>> > On 17/04/14 17:04, Ben Franksen wrote:
>> >
>> >> sorry to bother you again regarding impureEnvVars. I still can't get
>> >> my fetchdarcs over ssh to work, even though I am now using
>> >> constant-output derivations and have
>> >>
>> >> impureEnvVars = [ "SSH_AGENT_PID" "SSH_AUTH_SOCK" ];
>> >>
>> >> in my fetchdarcs/default.nix.
>> >>
>> >> The environment variables are now defined in the builder. However,
>> >> they are empty :(
>> >>
>> >> Could this be because I am using the Nix multi-user setup where
>> >> building is delegated to a number of nixbld users?
>> >
>> > Right, environment variables from the client are not passed to the
>> > builder. Even if they were, the builder probably would not have file
>> > system access to the socket identified by $SSH_AUTH_SOCK.
>>
>> The latter could, I guess, be worked around (using build-chroot-dirs)
>
> Actually, fixed-output derivations are done outside of the chroot, so
> you just need to ensure the socket is accessible to the build users
> group. In fact, *not* having it in the chroot is better so that
> non-fixed-output builds don't have access.
>
>> but
>> the former seems... hopeless :(
>
> Why? Just start the daemon with the right environment settings.
Well, those would have to be static, as the daemon is not started separately by each user. But the environment variables are created dynamically when the ssh agent is started.

But what you said here gave me an idea for a much simpler solution: I don't have to rely on the developer's credentials at all. Instead I'll give the Nix build users their own ssh identity (key pair) w/o passphrase. Then add their public key to the <repouser>@<reposerver>'s .ssh/authorized_keys. No impureEnvVars needed, since the build users don't need to connect to an ssh agent.

I hope that Nix build users not having a home directory is only a recommendation, not a requirement for the multi-user setup to work.

Cheers
Ben
-- 
"Make it so they have to reboot after every typo." -- Scott Adams
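The approach Ben sketches (a fixed-output derivation fetching over ssh with the build users' own passphrase-less key instead of the developer's agent), written out as an added example that is not code from the thread or from nixpkgs. It assumes nixpkgs-style arguments, a key and pinned known_hosts under /var/lib/nixbld-ssh readable by the nixbld group, and a placeholder repo URL and output hash.

```nix
# Added example, not from the thread. Assumed paths: the build users' key and
# known_hosts live in /var/lib/nixbld-ssh, readable by the nixbld group only.
{ stdenv, darcs, openssh }:

stdenv.mkDerivation {
  name = "myrepo-darcs-src";
  buildInputs = [ darcs openssh ];

  # Fixed-output derivation: Nix verifies the result against outputHash and,
  # as Shea notes, runs it outside the chroot, so the key is reachable here
  # but stays out of reach of ordinary sandboxed builds.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = "0000000000000000000000000000000000000000000000000000"; # placeholder, replace with the real hash

  # Point darcs at the build user's own identity and a pinned host key;
  # IdentitiesOnly/BatchMode rule out the agent, so no impureEnvVars needed.
  DARCS_SSH = "ssh -i /var/lib/nixbld-ssh/id_rsa -o UserKnownHostsFile=/var/lib/nixbld-ssh/known_hosts -o IdentitiesOnly=yes -o BatchMode=yes";

  buildCommand = ''
    # assumed repo location; <repouser>'s authorized_keys holds the build users' public key
    darcs get --lazy repouser@reposerver.example:/srv/darcs/myrepo $out
    rm -rf $out/_darcs   # drop repo metadata so the fixed output hash stays stable
  '';
}
```

Restricting the key file to the nixbld group means only fixed-output builds, whose result is pinned by hash, can ever use it; sandboxed builds cannot reach it at all.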