I have a custom package defined in my NixOS config. I can’t get builtins.fetchGit to access a private GitHub repo running NixOS 23.05. This previously worked with NixOS 22.11.
    src = builtins.fetchGit {
      url = "ssh://git@github.com/privateorg/privaterepo.git";
      ref = "main";
      rev = "commithash";
      allRefs = true;
    };
nixos-rebuild fails with this message:

    git@github.com: Permission denied (publickey).
    fatal: Could not read from remote repository.
ssh -T git@github.com works… so does git clone ssh://git@github.com/privateorg/privaterepo.git
I can also run nix profile install .#mypackage and it works.
So why can’t I install/build via nixos-rebuild?
Running NixOS 23.05, and my SSH config ~/.ssh is proper, and I’m also using an SSH_AUTH_SOCK that has SSH access to GitHub.
1 Like
Just now realizing that I run:

    sudo nixos-rebuild switch --flake ~/.nix-config/#
Running as sudo isn’t going to use the ~/.ssh/ config, but instead /root/.ssh. I put my key in /root/.ssh and this is fixed, but I guess I should ask: what’s the recommended approach for downloading private repos during a nixos-rebuild? Should nixos-rebuild run as sudo?
NixOS manual doesn’t mention running sudo when using nixos-install or nixos-rebuild… Hmm.
3 Likes
In case anyone is still running into this problem, I think building with nh would solve the problem.

    $ nh os switch
nh builds under your normal user account, and doesn’t escalate with sudo until the build is finished.
Or I think you could get the same effect using nixos-rebuild if you build and switch in two steps so that the sudo command reads a cached build from your store:
    $ nixos-rebuild build --flake ~/.nix-config/#
    $ sudo nixos-rebuild switch --flake ~/.nix-config/#
That’s the same behaviour as $ nixos-rebuild --use-remote-sudo ...
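
A preflight check for the diagnosis reached in this thread, added here as an example and not posted by any of the participants: run it once as your user and once under sudo to see which SSH credentials each context can offer to git. The function names are made up for this example; it assumes getent is available and looks only at OpenSSH's default key file names.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# ssh_identity_sources HOME_DIR [AUTH_SOCK]
#   HOME_DIR  - the account's home directory from the passwd database
#   AUTH_SOCK - value of SSH_AUTH_SOCK in that process (may be empty)
# Prints one line per credential source; returns 0 if any exist, 1 if none.
ssh_identity_sources() {
    home_dir=$1
    auth_sock=${2:-}
    found=1
    # Default identity files OpenSSH tries when no IdentityFile is configured.
    for name in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk; do
        if [ -r "$home_dir/.ssh/$name" ]; then
            echo "key:$home_dir/.ssh/$name"
            found=0
        fi
    done
    # An agent only counts if the variable points at an actual socket.
    if [ -n "$auth_sock" ] && [ -S "$auth_sock" ]; then
        echo "agent:$auth_sock"
        found=0
    fi
    return "$found"
}

# Report what the current process (and any git/ssh child it spawns) can use.
# ssh resolves ~/.ssh from the passwd entry of the running uid, not from $HOME,
# so under sudo this is root's directory even if HOME is preserved.
report_current_context() {
    uid=$(id -u)
    home_dir=$(getent passwd "$uid" | cut -d: -f6)
    echo "uid=$uid home=$home_dir SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>}"
    ssh_identity_sources "$home_dir" "${SSH_AUTH_SOCK:-}" ||
        echo "no SSH credentials visible to this process"
}

# Usage: sh check-fetch-identity.sh --report
#        sudo sh check-fetch-identity.sh --report
if [ "${1:-}" = "--report" ]; then
    report_current_context
fi
```

If the sudo run reports no credentials while the plain run lists a key or agent, an SSH fetch made during `sudo nixos-rebuild` will be refused in the way the first post shows.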