Gitlab + hydra + fetchgit authentication

Hello!

In my company, we are currently in the process of doing more and more things with nix/nixos and it’s great.

There is however one problem… it’s gitlab authentication of private repositories when cloning them. We need to be able to install credentials on the build server that runs hydra so it can checkout private repositories.

Currently, we have installed SSH keys in a way that hydra can access gitlab repos via SSH, which works if private repositories are direct jobset inputs.

What does not work is providing the credentials from within nix builders - if they encounter some fetchgit HTTPS/SSH expression, they won’t be able to authenticate themselves against the gitlab server.
fetchgitPrivate can authenticate via SSH (but not HTTPS), but this forces us to either disable sandboxing or map the private keys into the sandbox environment. In both cases they would be potentially readable for the builder process, which doesn’t seem like a reasonable design.

One could patch nix so that it does one of 2 things in builtins.fetchgit:

  1. if the URL starts with https://my.private.gitlab.com/... then transform the url to https://oauth2:TOKEN@my.private.gitlab.com/.... I made this work in experiments.
  2. if the URL starts with https://my.private.gitlab.com/... then transform the url to https://oauth2@my.private.gitlab.com/... and provide the password via GIT_ASKPASS.

(The second method is a bit more work, but then the token would not be visible in logs in case there is a git error in git’s stderr output)

Then one could make this configurable in the sense that nix gets an option git-https-auth-file which can point to a file that lists https prefixes and user:token combinations.

My vision would be to be able to provide the nix build users on a hydra builder machine with such tokens via the nix configuration so they can authenticate without knowing the password themselves.

Is that how someone would build that or is this approach rather naive and one would better do it completely differently?
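As an added example, not part of the original post and not Nix or Hydra code, here is the lookup logic the two proposed variants share, written as a small POSIX shell script that can also serve as a GIT_ASKPASS helper. It assumes a hypothetical auth file of the shape the post sketches (one `https-prefix user:token` per line, longest matching prefix wins), a hypothetical environment variable `GIT_HTTPS_AUTH_FILE` pointing at it, and constructed tokens `TOKEN-ALL` and `TOKEN-SECRET` for `my.private.gitlab.com`. `rewrite_url` is variant 1 (token embedded in the URL); `askpass` is variant 2 and answers git's real credential prompts, which have the form `Username for 'https://host': ` and `Password for 'https://user@host': `.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or from Nix/Hydra).
# Auth file format, assumed here: "<https-prefix> <user>:<token>" per line,
# '#' comments allowed, longest matching prefix wins.

# lookup_auth FILE URL -> prints "user:token" for the longest prefix matching URL.
# URL is compared with a trailing "/" appended so that the bare host URL git
# shows in its prompts still matches a prefix such as "https://host/".
lookup_auth() {
    file=$1
    url=$2
    best=""
    bestlen=0
    while read -r prefix cred || [ -n "$prefix" ]; do
        case "$prefix" in ''|'#'*) continue ;; esac
        case "$url/" in
            "$prefix"*)
                if [ "${#prefix}" -gt "$bestlen" ]; then
                    best=$cred
                    bestlen=${#prefix}
                fi ;;
        esac
    done < "$file"
    [ -n "$best" ] && printf '%s\n' "$best"
}

# rewrite_url FILE URL -> variant 1: https://host/... -> https://user:token@host/...
# Note the token now sits in the URL and will show up in git's error output.
rewrite_url() {
    case "$2" in https://*) ;; *) return 1 ;; esac
    cred=$(lookup_auth "$1" "$2") || return 1
    printf 'https://%s@%s\n' "$cred" "${2#https://}"
}

# askpass FILE PROMPT -> variant 2: answer git's credential prompt.
# git calls GIT_ASKPASS with one argument, e.g.
#   "Username for 'https://my.private.gitlab.com': "
#   "Password for 'https://oauth2@my.private.gitlab.com': "
# The URL in the prompt has no path unless credential.useHttpPath is set.
askpass() {
    file=$1
    prompt=$2
    case "$prompt" in
        "Username for '"*) field=user ;;
        "Password for '"*) field=token ;;
        *) return 1 ;;   # not an HTTPS credential prompt (e.g. an SSH passphrase)
    esac
    url=${prompt#*\'}          # drop "Username for '"
    url=${url%%\'*}            # drop "': " and anything after it
    hostpart=${url#https://}
    hostpart=${hostpart#*@}    # drop the user name git put in front of the host
    cred=$(lookup_auth "$file" "https://$hostpart") || return 1
    if [ "$field" = user ]; then
        printf '%s\n' "${cred%%:*}"
    else
        printf '%s\n' "${cred#*:}"
    fi
}

# sample_auth_file -> writes a constructed sample auth file and prints its path.
# The tokens are placeholders made up for this example.
sample_auth_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <https-prefix> <user>:<token>   (longest matching prefix wins)
https://my.private.gitlab.com/ oauth2:TOKEN-ALL
https://my.private.gitlab.com/secret-group/ deploy:TOKEN-SECRET
EOF
    printf '%s\n' "$f"
}

# Entry point when git runs this script as GIT_ASKPASS: exactly one argument
# (the prompt) and the hypothetical GIT_HTTPS_AUTH_FILE variable set.
if [ "$#" -eq 1 ] && [ -n "${GIT_HTTPS_AUTH_FILE:-}" ]; then
    askpass "$GIT_HTTPS_AUTH_FILE" "$1"
fi
```

Usage for variant 2 would be `GIT_HTTPS_AUTH_FILE=/etc/nix/git-https-auth GIT_ASKPASS=/path/to/this.sh git clone https://oauth2@my.private.gitlab.com/group/repo.git`; the token never appears in the URL, so a failing clone only logs `https://oauth2@my.private.gitlab.com/...`. Two caveats: per-repository tokens (the `secret-group` line) only take effect if git is configured with `credential.useHttpPath` so the prompt carries the path, and the helper does nothing for the sandbox problem by itself, since whatever process runs it has to read the auth file; in the post's design that process is the nix daemon doing the fetch outside the build sandbox, not the builder.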

> What does not work is providing the credentials from within nix builders - if they encounter some fetchgit HTTPS/SSH expression, they won’t be able to authenticate themselves against the gitlab server.

don't use fetchgit for private repositories

configure hydra to fetch the sources and put them into NIX_PATH and refer to the NIX_PATH in nix similar to , e.g.

> fetchgitPrivate can authenticate via SSH (but not HTTPS), but this forces us to either disable sandboxing or map the private keys into the sandbox environment. In both cases they would be potentially readable for the builder process, which doesn’t seem like a reasonable design.

fetchgitPrivate is a bad idea

use NIX_PATH entries, e.g. , see above

This is what we are currently doing. But how does this scale, e.g. when we start having repositories similar to nixpkgs that reference a lot of different repositories themselves (like 100 different ones), and each could reference some commit that has not been fetched by hydra yet?