For a toy dev-ops project I want to generate an SSH key file that I want to use with a flake.
When cloning the repository the key file does not exist, so it is not checked into git, and I also do not want to commit it anyway since it is a secret that should only exist locally when working with that repository.
The flake then contains a nixosConfigurations.foobar system configuration which should use that ssh key file in users.users."setup".openssh.authorizedKeys.keyFiles = [ ./tmp/ssh_key.pub ].
However when I reference that file and try to build that configuration it fails with:
error: opening file '/nix/store/<hash>-source/modules/tmp/ssh_key.pub': No such file or directory
The reason for that error is that flakes can only reference files added to git. However, I do not want to add the SSH key to git, since the entire thing is only supposed to exist for testing out some VMs locally.
How can I work around this? I need the file to exist so that I can use it with terraform.
The project is just supposed to spawn a bunch of VMs locally in libvirt using terraform, set up some services on them with NixOS and then run some tests.
I was using plaintext passwords, but some terraform providers require me to use ssh keys instead.
I could of course commit the public key, but I don’t really like committing private keys; although it is unlikely that I will ever use it for something else, you never know.
So I thought I’d just generate them on demand, which is easy using terraform, but I don’t want to create a git commit each time I run the project. That would also mess up the git state, and I’d have to manually revert the commit each time I actually wanted to commit something.
Public and private keys are different beasts. Why can’t you commit the public key (as needed for flakes) and keep the private key outside the repository (as it should be private)? The downside is that you have to keep the key somewhere instead of generating a throwaway one each time, but you probably already maintain your own SSH key (assuming you’re using any git hosting provider, public or private). You might even (depending on what you want) use exactly the same key. Note that your public keys are quite possibly already really public, e.g. GitHub allows downloading anyone’s keys.
My first workaround does not require that. add -N only adds the path to the git index, without adding its contents. It’s arguably a bug that this workaround works, but unless nix decides to not rely on git to identify which files to copy, this workaround should continue to work. (And anyway, if that happened, then a lot of things about flakes would change; this use case would be the least of one’s problems.)
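The intent-to-add workaround from the reply above, as an added example that is not part of the original thread: it builds a throwaway repository, drops a generated-on-demand key file under tmp/, runs git add -N on it, and then checks what the index actually records. It assumes git is on PATH; the "public key" content is a constructed placeholder, not ssh-keygen output, and the helper function names are mine.

```shell
#!/bin/sh
# Added example (not the poster's code): shows what "git add -N" records for a
# locally generated key file. Assumes git is on PATH. The key content below is a
# constructed placeholder standing in for ssh-keygen output.
set -eu

# Create a throwaway repository with an untracked key file under tmp/ and mark
# it intent-to-add. Prints the repository path.
setup_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  mkdir -p "$repo/tmp"
  # Constructed placeholder; a real run would write ssh-keygen's output here.
  printf 'ssh-ed25519 AAAA-placeholder-not-a-real-key dev@example\n' \
    > "$repo/tmp/ssh_key.pub"
  # Intent-to-add: the path enters the index, its bytes do not.
  git -C "$repo" add -N tmp/ssh_key.pub
  printf '%s\n' "$repo"
}

# Is the path listed in the index? This is what makes the flake source copy
# (which follows git's file list) include the file.
path_is_tracked() {
  git -C "$1" ls-files --error-unmatch tmp/ssh_key.pub >/dev/null 2>&1
}

# Which blob does the index hold for the path? For an intent-to-add entry this
# is the empty blob, i.e. the key contents were never staged.
index_blob_of() {
  git -C "$1" ls-files -s tmp/ssh_key.pub | cut -d' ' -f2
}

# SHA-1 of the empty blob, as used by git for intent-to-add entries.
EMPTY_BLOB=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391

# Stand-alone run: set up, report, clean up.
demo_repo=$(setup_repo)
path_is_tracked "$demo_repo" && echo "tmp/ssh_key.pub is listed in the index"
[ "$(index_blob_of "$demo_repo")" = "$EMPTY_BLOB" ] \
  && echo "index holds the empty blob, not the key bytes"
rm -rf "$demo_repo"
```

Two things worth knowing when relying on this: the intent-to-add marker only keeps the contents out of the index until the next add, so a later git add -A or git add . will stage the real key bytes like any other change, and nothing here stops the working-tree file from being read by anything else in the checkout. Keeping only the public key on this path, with the private half outside the repository as the earlier reply suggests, limits what a slip would expose.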