On Mon, Jul 03, 2017 at 03:19:31PM +0200, Harmen wrote:

I have `fetchgitCustom` expression, which can use pre-seeded "deploy"
keys (but with some security implications -- because key is
world-readable). It works with sandbox builds, and should work with
hydra as well.

If anyone interesting in this solution, I'll prepare PR soon.

> I'm struggling to get fetchgitPrivate to work on nix-daemon installation (no
> NixOS, these are Ubuntu machines with nix).
> I can make it work on my dev machine, with is a non-daemon install, by setting
>     NIX_PATH=ssh-config-file=/my/ssh/config:$NIX_PATH
> But that doesn't work in sandboxed daemon mode, because the nixbld* users 
> can't
> read that file (both because of access rights, and because of the sandbox).
> Nix has this warning in fetchgitPrivate:
> > Note that the config file and any keys it points to must be readable
> > by the build user, which depending on your nix configuration means making it
> > readable by the build-users-group, the user of the running nix-daemon, or 
> > the
> > user calling the nix command which started the build. Similarly, if using an
> > ssh agent ssh-auth-sock must point to a socket the build user can access.
> > You may need StrictHostKeyChecking=no in the config file. Since ssh
> > will refuse to use a group-readable private key, if using build-users you 
> > will
> > likely want to use something like IdentityFile /some/directory/%u/key and 
> > have
> > a directory for each build user accessible to that user.
> from
> https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/private.nix
> which sounds reasonable, but it I don't see how to do that since I don't know
> exactly which user will run the build. Also because of the sandbox the build
> can't read the ssh config file at all.
> So next option is to generate the configfile in my expression, a-la
> https://www.mpscholten.de/nixos/2016/07/07/private-github-repositories-and-nixos.html
> but I don't know how to set nix.path from inside an expression. It would also
> require bundling the key with the expression, but if that works...
> I can't be the first to want to use fetchgitPrivate with a sandboxed
> nix-daemon. Any experiences or tips?
> Thanks!
> Harmen
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev
nix-dev mailing list

Reply via email to