On Mon, Jul 03, 2017 at 03:19:31PM +0200, Harmen wrote:

I have a `fetchgitCustom` expression which can use pre-seeded "deploy" keys (but with some security implications, because the key is world-readable). It works with sandboxed builds, and should work with Hydra as well.

If anyone is interested in this solution, I'll prepare a PR soon.

> I'm struggling to get fetchgitPrivate to work on a nix-daemon installation (no
> NixOS, these are Ubuntu machines with nix).
>
> I can make it work on my dev machine, which is a non-daemon install, by setting
>
>     NIX_PATH=ssh-config-file=/my/ssh/config:$NIX_PATH
>
> But that doesn't work in sandboxed daemon mode, because the nixbld* users can't
> read that file (both because of access rights, and because of the sandbox).
>
> Nix has this warning in fetchgitPrivate:
>
> > Note that the config file and any keys it points to must be readable
> > by the build user, which depending on your nix configuration means making it
> > readable by the build-users-group, the user of the running nix-daemon, or the
> > user calling the nix command which started the build. Similarly, if using an
> > ssh agent ssh-auth-sock must point to a socket the build user can access.
> > You may need StrictHostKeyChecking=no in the config file. Since ssh
> > will refuse to use a group-readable private key, if using build-users you will
> > likely want to use something like IdentityFile /some/directory/%u/key and have
> > a directory for each build user accessible to that user.
>
> from
> https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgit/private.nix
>
> which sounds reasonable, but I don't see how to do that since I don't know
> exactly which user will run the build. Also because of the sandbox the build
> can't read the ssh config file at all.
>
> So the next option is to generate the config file in my expression, a la
> https://www.mpscholten.de/nixos/2016/07/07/private-github-repositories-and-nixos.html
> but I don't know how to set nix.path from inside an expression. It would also
> require bundling the key with the expression, but if that works...
>
> I can't be the first to want to use fetchgitPrivate with a sandboxed
> nix-daemon. Any experiences or tips?
>
> Thanks!
> Harmen
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev
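The layout that the private.nix note in the quoted message describes (one directory per build user, an ssh config whose `IdentityFile` uses `%u`, and private keys that ssh will actually accept) can be set up and audited with a small script. The script below is an added example for this thread, not code from nixpkgs, private.nix or any of the posters; the base directory, the build-user names, the placeholder key contents and the choice of a pinned `known_hosts` file in place of `StrictHostKeyChecking=no` are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or nixpkgs): build the per-build-user key layout
# that the private.nix note describes, and check that each key is owner-readable only.
set -eu

# setup_build_user_keys BASE USER...
# Creates BASE/<user>/key (mode 0600 inside a 0700 directory) for every build user
# named, and BASE/ssh-config whose IdentityFile uses %u so that ssh, running as
# nixbldN, only ever opens nixbldN's own key. Paths and user names are assumptions.
setup_build_user_keys() {
  base=$1; shift
  mkdir -p "$base"
  chmod 755 "$base"            # traversable by every build user; the keys below are not
  for u in "$@"; do
    d="$base/$u"
    mkdir -p "$d"
    # Constructed placeholder: a real deployment copies this user's deploy key here.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                  'PLACEHOLDER-KEY-MATERIAL' \
                  '-----END OPENSSH PRIVATE KEY-----' > "$d/key"
    chmod 700 "$d"
    chmod 600 "$d/key"         # ssh refuses group- or world-readable private keys
    # Ownership can only be handed over as root and only if the user exists;
    # without it ssh running as nixbldN cannot read the key at all.
    if [ "$(id -u)" -eq 0 ] && id "$u" >/dev/null 2>&1; then chown -R "$u" "$d"; fi
  done
  # Placeholder: the administrator fills this with the verified host key of the
  # git server (assumption: host pinning is used here instead of StrictHostKeyChecking=no).
  : > "$base/known_hosts"
  chmod 644 "$base/known_hosts"
  cat > "$base/ssh-config" <<EOF
Host github.com
  IdentityFile $base/%u/key
  IdentitiesOnly yes
  UserKnownHostsFile $base/known_hosts
  StrictHostKeyChecking yes
EOF
  chmod 644 "$base/ssh-config"
}

# key_is_private FILE
# Exit status 0 when FILE is readable and writable by its owner only (-rw-------),
# which is the permission ssh insists on; 1 otherwise. ls is used so the check
# behaves the same on GNU and BSD userlands.
key_is_private() {
  perm=$(ls -ld "$1" | cut -c1-10)
  [ "$perm" = "-rw-------" ]
}

# audit_keys BASE
# Reports every key under BASE that is too permissive; exit status 1 if any was found.
audit_keys() {
  bad=0
  for f in "$1"/*/key; do
    [ -f "$f" ] || continue
    if ! key_is_private "$f"; then
      echo "insecure permissions: $f" >&2
      bad=1
    fi
  done
  return $bad
}
```

Run `setup_build_user_keys /var/lib/nix-deploy-keys nixbld1 nixbld2 ...` as root once per machine (the path is an assumption), point `ssh-config-file` in `NIX_PATH` at the generated `ssh-config`, and add `audit_keys /var/lib/nix-deploy-keys` to a periodic check so that a key that later becomes group- or world-readable is noticed rather than silently rejected by ssh.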