Ben Franksen wrote:
> Shea Levy wrote:
>> On Thu, Apr 17, 2014 at 06:13:35PM +0200, Ben Franksen wrote:
>>> Eelco Dolstra wrote:
>>> > On 17/04/14 17:04, Ben Franksen wrote:
>>> >
>>> >> sorry to bother you again regarding impureEnvVars. I still can't get
>>> >> my fetchdarcs over ssh to work, even though I am now using
>>> >> constant-output derivations and have
>>> >>
>>> >> impureEnvVars = [ "SSH_AGENT_PID" "SSH_AUTH_SOCK" ];
>>> >>
>>> >> in my fetchdarcs/default.nix.
>>> >>
>>> >> The environment variables are now defined in the builder. However,
>>> >> they are empty :(
>>> >>
>>> >> Could this be because I am using the Nix multi-user setup where
>>> >> building is delegated to a number of nixbld users?
>>> >
>>> > Right, environment variables from the client are not passed to the
>>> > builder. Even if they were, the builder probably would not have file
>>> > system access to the socket identified by $SSH_AUTH_SOCK.
>>>
>>> The latter could, I guess, be worked around (using build-chroot-dirs)
>>
>> Actually, fixed-output derivations are done outside of the chroot, so
>> you just need to ensure the socket is accessible to the build users
>> group. In fact, *not* having it in the chroot is better so that
>> non-fixed-output builds don't have access.
>>
>>> but
>>> the former seems... hopeless :(
>>
>> Why? Just start the daemon with the right environment settings.
>
> Well, those would have to be static, as the daemon is not started
> separately by each user. But the environment variables are created
> dynamically when the ssh agent is started.
>
> But: what you said here gave me an idea for a much simpler solution: I
> don't have to rely on the developer's credentials at all. Instead I'll
> give the Nix build users their own ssh identity (key pair) w/o passphrase.
> Then add their public key to the <repouser>@<reposerver>'s
> .ssh/authorized_keys. No impureEnvVars needed, since the build users don't
> need to connect to an ssh agent.
>
> I hope that Nix build users not having a home directory is only a
> recommendation, not a requirement for the multi-user setup to work.

Just wanted to report that this approach finally worked! Yay!

(BTW, this is possible only because fixed-output derivations are built
outside the chroot, else ssh could not access the identity file in the
build user's home.)

Cheers & thanks again
Ben
-- 
"Make it so they have to reboot after every typo." -- Scott Adams

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
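As an added example, not Ben's own fetchdarcs/default.nix (which the thread does not show), here is a fixed-output derivation that fetches a darcs repository over ssh with the build users' own key pair, the approach Ben settled on. The key and known_hosts paths, the `url`/`sha256`/`tag` arguments and the output name are assumptions; `DARCS_SSH` is darcs' real override for the ssh command, and Nix really does set `HOME=/homeless-shelter` in builds, which is why the key path is passed explicitly.

```nix
# Added example (hypothetical paths), not the author's fetchdarcs expression.
{ stdenv, darcs, openssh }:

{ url            # e.g. "repouser@reposerver:/path/to/repo" (placeholder)
, sha256         # hash of the fetched tree; take it from the first (failing) build
, tag ? null     # optional darcs tag to check out; null means the repository tip
}:

let
  # Assumed site-specific paths: key pair owned by the nixbld group and a
  # known_hosts file that pins the repository server's host key.
  identity   = "/var/lib/nixbld/.ssh/id_rsa";
  knownHosts = "/var/lib/nixbld/.ssh/known_hosts";
in
stdenv.mkDerivation {
  name = "darcs-export${if tag == null then "" else "-${tag}"}";

  nativeBuildInputs = [ darcs openssh ];

  # Fixed-output derivation: Nix verifies the result hash, so network access is
  # permitted and, as Shea notes, the build runs outside the chroot. That is what
  # lets ssh read the identity file; no impureEnvVars and no agent are needed.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = sha256;

  buildCommand = ''
    # Nix sets HOME=/homeless-shelter, so ssh will not find ~/.ssh on its own:
    # name the key and the pinned host list explicitly and refuse unknown hosts.
    export DARCS_SSH="ssh -i ${identity} -o IdentitiesOnly=yes \
      -o UserKnownHostsFile=${knownHosts} -o StrictHostKeyChecking=yes"

    darcs get --lazy ${if tag == null then "" else "--tag=${tag}"} "${url}" "$out"

    # Drop the repository metadata (prefs, inventories) so the output hash
    # covers only the checked-out working tree, the way fetchgit drops .git.
    rm -rf "$out/_darcs"
  '';
}
```

Because the private key has no passphrase and every nixbld user can read it, restrict the matching public key on the server to read-only access to that one repository (for example via an authorized_keys `command=` restriction) and keep the key out of build-chroot-dirs so ordinary builds cannot reach it.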