Hi Ash,

I attach to this mail the script I use for gitFetchPrivate in a multi-user configuration.
Have a look, you should be able to adapt it to your usage quite easily. The trick is to give the nix-daemon access to three things:

- rw access to your ssh-agent socket
- read access to your ssh config file
- the option that will request ssh to ignore the user read-only permission on the config file

Cheers,
Adrien

On 16/06/2016 00:46, zimbatm wrote:
> I believe you could run nix-prefetch-git to pre-populate the store but
> I don't know if it's still possible, the derivation might not match
> exactly anymore. Also it's only really useful for developer machines,
> on a CI you still want it to have access to the repo isn't it?
>
> On Wed, 15 Jun 2016 at 13:42 Ashley Gillman <gillman...@gmail.com> wrote:
>
> > Thanks Zimbatm,
> >
> > Actually I don't think the issue is the socket (yet). For example,
> > I get exactly the same error when just calling `nix-shell -I
> > ssh-config-file=$HOME/.ssh/config`. The current "wall" I think is
> > either that config file or the referenced id_rsa file, but the
> > error indicates it's the config file itself. I have tried `chmod
> > o+rw` on the file, and with group (`chmod g+rw` and `chgrp`ing to
> > nixbld), but to no avail.
> >
> > I should mention also, I do not have my heart set on
> > gitFetchPrivate. If there is another way to access a remote
> > (BitBucket) server requiring credentials, that would be great.
> > Although pulling each manually and using a local file path is not
> > preferred.
> >
> > Cheers,
> > Ash
> >
> > On Wed, Jun 15, 2016 at 10:07 PM, zimbatm <zimb...@zimbatm.com> wrote:
> >
> > > Hi,
> > >
> > > Yes the difference is that the build user is nixbld[1-9]. Also
> > > the SSH agent doesn't allow other users to access the socket.
> > >
> > > Sorry I don't know the solution. You could maybe build a
> > > bridge on the socket using `socat` to hide the caller's user.
> > >
> > > On Wed, 15 Jun 2016, 11:57 Ashley Gillman <gillman...@gmail.com> wrote:
> > >
> > > > Hi all,
> > > > I have been attempting to use gitFetchPrivate to fetch
> > > > from a private bitbucket repo over SSH, on both Ubuntu
> > > > running Nix and on NixOS. I am able to get the setup
> > > > working on Ubuntu.
> > > >
> > > > - Set up SSH-Agent the usual way.
> > > > - Ensure that `git clone ssh://g...@bitbucket.domain.com:<port>/<user>/<repo>.git`
> > > >   works, it does
> > > > - Use `nix-shell -I ssh-config-file=$HOME/.ssh/config -I
> > > >   ssh-auth-sock=$SSH_AUTH_SOCK`, with a local shell.nix
> > > >   specifying requirements
> > > >
> > > > However, I am unable to repeat the process on a NixOS machine.
> > > >
> > > > gil@gil-nixos:~/proj/pylx $ git clone ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git
> > > > <This works>
> > > >
> > > > gil@gil-nixos:~/proj/pylx $ nix-shell -I ssh-config-file=$HOME/.ssh/config -I ssh-auth-sock=$SSH_AUTH_SOCK
> > > > these derivations will be built:
> > > >   /nix/store/48cz61di3gf6fpkydgri74h5i2s8qh3h-vtk-qvtk-5.10.1.drv
> > > >   /nix/store/pcj22pnchg10bq63a32jcc53l75cy8z1-boost-1.59.0.drv
> > > >   /nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv
> > > >   /nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv
> > > > building path(s) ‘/nix/store/603gs7mcgpf7cnyv3k2bkxk1kbj4smbq-boost-1.59.0’, ‘/nix/store/q26zzdzy5zngyxyah8fhqmnqwbmz4gl4-boost-1.59.0-lib’, ‘/nix/store/zggqsmrh9l70yrcdagmgqjmv8i6a9rls-boost-1.59.0-dev’
> > > > building path(s) ‘/nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819’
> > > > building path(s) ‘/nix/store/j70pal3svpcip7xv21bxf5xy2c4chl84-vtk-qvtk-5.10.1’
> > > > exporting ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git (rev 585a8195804) into /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819
> > > > Initialized empty Git repository in /nix/store/ra27851hlszq1k0n9zfa14xwhxqvn8zs-milx-view-585a819/.git/
> > > > Can't open user config file /home/gil/.ssh/config: Permission denied
> > > > fatal: Could not read from remote repository.
> > > >
> > > > Please make sure you have the correct access rights
> > > > and the repository exists.
> > > > unpacking sources
> > > > unpacking source archive /nix/store/cdz3wd9r8vlnp193kv091pal401mg9kc-boost_1_59_0.tar.bz2
> > > > Can't open user config file /home/gil/.ssh/config: Permission denied
> > > > fatal: Could not read from remote repository.
> > > >
> > > > Please make sure you have the correct access rights
> > > > and the repository exists.
> > > > Unable to checkout 585a8195804 from ssh://git@bitbucket.<DOMAIN>:7999/~<USER>/milx-view.git.
> > > > builder for ‘/nix/store/sb7xc3pan2h7n1qdh94ynblb9cv12a3p-milx-view-585a819.drv’ failed with exit code 1
> > > > cannot build derivation ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’: 1 dependencies couldn't be built
> > > > error: build of ‘/nix/store/dzh8jzl90ghsl0l71p9v2zqzh9wn2ngb-milx-view.drv’ failed
> > > > /run/current-system/sw/bin/nix-shell: failed to build all dependencies
> > > >
> > > > With the relevant line being:
> > > > Can't open user config file /home/gil/.ssh/config: Permission denied
> > > >
> > > > Probably a nixbld user is trying to access this? I am not
> > > > actually sure if my nixpkgs are built by my user or by
> > > > nixbld. How can I tell? `cat /etc/passwd` indicates that
> > > > the nixbld users exist.
> > > >
> > > > I have attempted to follow instructions for setting up
> > > > gitFetchPrivate for multi-user installations (but again,
> > > > not even sure this is what I have - I just installed the
> > > > simplest way), but to no avail (although the instructions
> > > > are somewhat unclear).
> > > >
> > > > Thanks for any help,
> > > > Ashley Gillman (Ash)
> > > > _______________________________________________
> > > > nix-dev mailing list
> > > > nix-dev@lists.science.uu.nl
> > > > http://lists.science.uu.nl/mailman/listinfo/nix-dev
#!/bin/bash
# globals
NIX_DAEMON_USER="nix-daemon"
NIX_PATH_CONTENT="$NIX_PATH"
TMP_SSH_CONFIG_DIR="$(mktemp -d /tmp/nix-ssh-config-XXXXXXXXX)"

##
## configure ssh agent location
##
if [[ -e "${SSH_AUTH_SOCK}" ]]; then
  NIX_PATH_CONTENT="ssh-auth-sock=${SSH_AUTH_SOCK}:${NIX_PATH_CONTENT}"
  # grant the daemon user access to the agent socket and to the directory holding it
  setfacl -m "u:${NIX_DAEMON_USER}:rwx" "${SSH_AUTH_SOCK}"
  setfacl -m "u:${NIX_DAEMON_USER}:rwx" "$(dirname "${SSH_AUTH_SOCK}")"
else
  echo "Error: ssh-agent environment variable SSH_AUTH_SOCK does not exist" >&2
fi

##
## configure ssh config path
##
mkdir -p "${TMP_SSH_CONFIG_DIR}/.ssh"
TMP_SSH_CONFIG_FILE="${TMP_SSH_CONFIG_DIR}/.ssh/config"

##
## use the user's ssh_config file as initial template, if it exists,
## to forward user aliases and parameters
##
if [[ -e "${HOME}/.ssh/config" ]]; then
  cp "${HOME}/.ssh/config" "${TMP_SSH_CONFIG_FILE}"
else
  touch "${TMP_SSH_CONFIG_FILE}"
fi

##
## Disable strict host key checking.
## Needed so that the nix-daemon can read a file it does not own
## without ssh throwing an error. Note that "Host *" with these two
## settings also disables host key verification for every host the
## daemon connects to.
##
cat >> "${TMP_SSH_CONFIG_FILE}" << EOF
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
EOF

# grant the daemon user access to the temporary config directory and its contents
setfacl -R -m "u:${NIX_DAEMON_USER}:rwx" "${TMP_SSH_CONFIG_DIR}"
NIX_PATH_CONTENT="ssh-config-file=${TMP_SSH_CONFIG_FILE}:${NIX_PATH_CONTENT}"

##
## print the suggested NIX_PATH including SSH config file and agent
##
echo "export NIX_PATH=\"${NIX_PATH_CONTENT}\""
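The "Permission denied" in Ash's log is reported by open(2) while walking the path, so the config file's own mode only matters once every directory above it grants search permission; if ~/.ssh is 0700, as ssh-keygen creates it, `chmod o+rw` on the file alone changes nothing for a nixbld user. The Python below is an added example, not code from the thread or from Adrien's script: it models that walk with constructed uids, gids and modes, plus a named-user ACL entry for the daemon like the one the script's setfacl lines grant (the ACL mask is ignored).

```python
# Added example (not from the thread or Adrien's script): a model of the open(2)
# permission walk behind "Can't open user config file ...: Permission denied".
# Uids, gids and modes are constructed; ~/.ssh is assumed to be 0700 (the
# ssh-keygen default) and the POSIX ACL mask is ignored for brevity.
from dataclasses import dataclass, field

@dataclass
class Node:
    uid: int
    gid: int
    mode: int                                # permission bits, e.g. 0o700
    acl: dict = field(default_factory=dict)  # named-user ACL entries: uid -> rwx bits

GIL, BUILDER = 1000, 30001          # constructed: the user and a nixbld/nix-daemon uid
USERS_GID, NIXBLD_GID = 100, 30000  # constructed gids
FS = {
    "/home": Node(0, 0, 0o755),
    "/home/gil": Node(GIL, USERS_GID, 0o755),
    "/home/gil/.ssh": Node(GIL, USERS_GID, 0o700),        # assumed 0700
    "/home/gil/.ssh/config": Node(GIL, USERS_GID, 0o644),
}

def bits_for(node, uid, gids):
    """Effective rwx bits: owner, then named ACL user, then group, then other."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if uid in node.acl:
        return node.acl[uid]
    return (node.mode >> 3) & 7 if node.gid in gids else node.mode & 7

def open_for_read(fs, path, uid, gids):
    """'ok', or the first path component that denies access, as open(2) does.
    Every directory on the way needs search (x); only the final file needs read (r)."""
    parts, cur = [p for p in path.split("/") if p], ""
    for i, part in enumerate(parts):
        cur += "/" + part
        want = 4 if i == len(parts) - 1 else 1
        if uid != 0 and not bits_for(fs[cur], uid, gids) & want:
            return "denied at " + cur
    return "ok"

def changed(fs, path, **attrs):
    """Copy of fs with one node's attributes replaced (models chmod/chgrp/setfacl)."""
    return {**fs, path: Node(**{**vars(fs[path]), **attrs})}

# Adrien's layout: a 0700 mktemp dir opened to the daemon with setfacl -R u:<daemon>:rwx.
TMP = "/tmp/nix-ssh-config-XXXXXXXXX"  # placeholder for the mktemp name
FS_TMP = {**FS, "/tmp": Node(0, 0, 0o1777), TMP: Node(GIL, USERS_GID, 0o700, {BUILDER: 7}),
          TMP + "/.ssh": Node(GIL, USERS_GID, 0o755, {BUILDER: 7}),
          TMP + "/.ssh/config": Node(GIL, USERS_GID, 0o644, {BUILDER: 7})}
```

Removing the ACL entry from the temporary directory in the model reproduces the same denial at the directory level, which is why the script applies setfacl recursively rather than to the config file alone.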