You don't need to know the user itself I think, you could share it with the nixbld group (probably). Also, I think this approach recommends using ssh-agent, as far as I remember from looking at that (but it could have changed).
What I did for one project was:

    fetchgitPrivate = (args: derivation ((nixpkgs.fetchgit args).drvAttrs // {
      # This function is a wrapper around the nixpkgs fetchgit function that makes it use an SSH key.
      # It can be useful when fetching from private repositories.
      #
      # The original function is in
      # https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/default.nix
      #
      # GIT_SSH is the program git runs instead of plain ssh: it fails loudly when the
      # build user cannot read the key, otherwise it execs ssh with that key.
      GIT_SSH = rr.lib.writeShellScript "git-ssh" ''#! ${nixpkgs.bash}/bin/bash -eu
        if ! [[ -r '${repositories-ssh-private-key-path}' ]]; then
          echo "ERROR:" >&2
          echo "ERROR:" >&2
          echo "ERROR: ssh key '${repositories-ssh-private-key-path}' is not readable by build user ($(id))" >&2
          echo "ERROR:" >&2
          echo "ERROR:" >&2
          exit 5
        fi
        exec ${nixpkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no -i '${repositories-ssh-private-key-path}' "$@"
      '';
    }));  # closes the attribute set, the derivation call and the lambda

But probably it is way better to go with the agent.

2017-07-03 14:19 GMT+01:00 Harmen <har...@lijzij.de>:
> Hi all,
>
> I'm struggling to get fetchgitPrivate to work on a nix-daemon installation (no
> NixOS, these are Ubuntu machines with nix).
> I can make it work on my dev machine, which is a non-daemon install, by setting
>
> NIX_PATH=ssh-config-file=/my/ssh/config:$NIX_PATH
>
> But that doesn't work in sandboxed daemon mode, because the nixbld* users can't
> read that file (both because of access rights, and because of the sandbox).
>
> Nix has this warning in fetchgitPrivate:
>
> > Note that the config file and any keys it points to must be readable
> > by the build user, which depending on your nix configuration means making it
> > readable by the build-users-group, the user of the running nix-daemon, or the
> > user calling the nix command which started the build. Similarly, if using an
> > ssh agent ssh-auth-sock must point to a socket the build user can access.
> > You may need StrictHostKeyChecking=no in the config file. Since ssh
> > will refuse to use a group-readable private key, if using build-users you will
> > likely want to use something like IdentityFile /some/directory/%u/key and have
> > a directory for each build user accessible to that user.
>
> from
> https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/private.nix
>
> which sounds reasonable, but I don't see how to do that since I don't know
> exactly which user will run the build. Also because of the sandbox the build
> can't read the ssh config file at all.
>
> So the next option is to generate the config file in my expression, a la
> https://www.mpscholten.de/nixos/2016/07/07/private-github-repositories-and-nixos.html
> but I don't know how to set nix.path from inside an expression. It would also
> require bundling the key with the expression, but if that works...
>
> I can't be the first to want to use fetchgitPrivate with a sandboxed
> nix-daemon. Any experiences or tips?
> Thanks!
> Harmen
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev

--
Tomasz Czyż
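The nixpkgs warning quoted in the thread makes two points that the posted wrapper only half covers: the key must be readable by whichever nixbld* user runs the build, and ssh will additionally refuse a private key whose group or other permission bits are set. The script below is an added example, not code from the thread or from nixpkgs: a GIT_SSH wrapper that follows the `IdentityFile /some/directory/%u/key` layout from the warning, resolving a per-build-user key directory under an assumed root (`BUILD_KEY_ROOT`, default `/etc/nix/build-keys`, both constructed names), and refusing to continue when the key is unreadable or has permissions ssh itself would reject. It also points ssh at a pre-populated known_hosts file (assumed path `BUILD_KNOWN_HOSTS`) instead of disabling host key checking as the thread's wrapper does.

```shell
#!/bin/sh
# Added example: GIT_SSH wrapper for sandboxed nix-daemon builds.
# Layout (constructed): $BUILD_KEY_ROOT/<build user>/key, one directory per
# nixbld* user, each owned by and readable only by that user.
set -eu

BUILD_KEY_ROOT="${BUILD_KEY_ROOT:-/etc/nix/build-keys}"          # assumed path
BUILD_KNOWN_HOSTS="${BUILD_KNOWN_HOSTS:-/etc/nix/build-known-hosts}" # assumed path

# resolve_key_path USER: print the key path for that build user (the %u layout).
resolve_key_path() {
    printf '%s/%s/key\n' "$BUILD_KEY_ROOT" "$1"
}

# file_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_key KEY: 0 if usable, 1 if unreadable, 2 if group/other bits are set.
# ssh rejects a private key with any group or other permission bits, so the
# plain -r test used in the thread's wrapper is not sufficient on its own.
check_key() {
    key="$1"
    if ! [ -r "$key" ]; then
        echo "ERROR: ssh key '$key' is not readable by build user $(id -un)" >&2
        return 1
    fi
    mode="$(file_mode "$key")"
    # Keep only the last two octal digits (group and other).
    group_other="${mode#${mode%??}}"
    if [ "$group_other" != "00" ]; then
        echo "ERROR: ssh key '$key' has mode $mode; ssh requires no group/other bits" >&2
        return 2
    fi
    return 0
}

# main: resolve this build user's key, validate it, then hand off to ssh.
main() {
    key="$(resolve_key_path "$(id -un)")"
    check_key "$key"
    exec ssh -o IdentitiesOnly=yes \
             -o UserKnownHostsFile="$BUILD_KNOWN_HOSTS" \
             -i "$key" "$@"
}

# Only act as GIT_SSH when installed under that name (as in the thread's
# writeShellScript "git-ssh"); otherwise the functions can be sourced.
case "${0##*/}" in
    git-ssh) main "$@" ;;
esac
```

Install the script as `git-ssh` somewhere readable by the build users and export `GIT_SSH=/path/to/git-ssh` into the fetch derivation's environment, the same way the thread's expression sets `GIT_SSH` on `drvAttrs`. Because the key path is derived from `id -un` at run time, the expression does not need to know in advance which nixbld* user will execute the build, which was the open question in the original mail.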