I have a Nix package I need to deploy for one of my company’s servers; however, our package (in Go, using buildGoModule) depends on some private Git packages. We can’t fetch them, as git would try and use https://gitlab.com, while it should’ve used SSH. If it’s worth mentioning, we’re using morph to deploy.
Question: Can I override git in buildGoModule to replace HTTPS with SSH, similar to this command: git config --global url.ssh://git@github.com/.insteadOf https://github.com/?
go: gitlab.com/company/dependency@v0.0.0-20191204154344-27281d3459d0: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /build/go/pkg/mod/cache/vcs/bc548c19f0ecc33e875e3bb0d03833e7e80259b75ceb8b561992597e496ac6f: exit status 128:
fatal: could not read Username for 'https://gitlab.com': terminal prompts disabled
builder for '/nix/store/5mgl69byqq4544wy1anwr7byy1adwddf-gopackage-0.4.0-go-modules.drv' failed with exit code 1
There probably isn’t an easy way to do this. Looking at the source for buildGoModule, it seems to be using a fixed-output derivation that actually invokes the go mod tool under the hood. You could probably override it (there’s a buildGoModule.overrideModAttrs) to create a local git configuration that uses a different host, but then you wouldn’t have your credentials from outside of the build available inside of the derivation. Putting the credentials (e.g. an SSH key) into the derivation would be possible but then they’re world-readable in your /nix/store.
Personally I use my own Nix build system for Go (buildGo.nix) where this would be possible because external libraries are just a normal derivation with a srcs attribute, see examples in my //third_party/gopkgs/ tree. This is a very different style of building Go packages though so it might not be what you’re looking for.
For anyone else trying to solve private repos with modules:
go mod vendor to set up a private repo followed by a GOFLAGS="-mod=vendor" in the derivation works well. This only works if you have control over the repo in question.
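The vendoring approach from the post above, written out as a derivation. This is an added example, not code from any poster in the thread; it assumes a recent nixpkgs where buildGoModule accepts `vendorHash = null` (older releases name the attribute `vendorSha256`), and that `go mod vendor` was run beforehand on a machine with SSH access to the private repositories.

```nix
# default.nix (added example; pname/version taken from the error output above)
{ pkgs ? import <nixpkgs> { } }:

pkgs.buildGoModule {
  pname = "gopackage";
  version = "0.4.0";

  # The source tree must already contain vendor/, produced outside the
  # sandbox by `go mod vendor`. The private modules are fetched there,
  # with the developer's own SSH credentials, never inside the Nix build.
  src = ./.;

  # null tells buildGoModule to skip the fixed-output go-modules
  # derivation (the step that failed with "could not read Username")
  # and build from the vendor/ directory shipped in src instead.
  # No SSH key or token has to be placed in the derivation, so nothing
  # secret ends up world-readable in /nix/store.
  vendorHash = null;
}
```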
Asummetric’s solution seems to assume using a flake (nix build ...). The ssh-agent socket file isn’t present in the build sandbox so it isn’t clear how tomberek got things going.