Nix build w/ remote builders & gpg-agent protected key

My understanding is that the nix-daemon does the actual work of SSHing to the remote builder.

How do I manage this when using a gpg-agent-protected SSH key?

$ nix build -f default.nix  --builders 'ssh://colemickens@aarch64.nixos.community aarch64-linux'
warning: dumping very large path (> 256 MiB); this may run out of memory
cannot build on 'ssh://colemickens@aarch64.nixos.community': cannot connect to 'colemickens@aarch64.nixos.community': colemickens@aarch64.nixos.community: Permission denied (publickey).

It’s not pretty, but nix-daemon respects root’s ssh_config(5). So you could put…

Host aarch64.nixos.community
  IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh

in your /root/.ssh/config (or your programs.ssh.extraConfig, but then it will affect other users who won’t have the appropriate permissions) to have it talk to your user’s gpg agent.

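Added example, not from the thread: if you would rather keep this in NixOS configuration than in /root/.ssh/config, a Match block in programs.ssh.extraConfig scopes the directive to root (the user nix-daemon runs as), so other users keep their own agents. It assumes the socket path and uid 1000 from the post above; the Match keywords are standard ssh_config(5).

```nix
# Added example (not the thread's own config). Assumes the gpg-agent SSH
# socket of uid 1000 at the path shown in the answer above.
{ config, ... }:
{
  programs.ssh.extraConfig = ''
    # Weak form (what the answer warns about): a bare Host block applies to
    # every local user, and users other than uid 1000 cannot open this socket.
    #Host aarch64.nixos.community
    #  IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh

    # Scoped form: only root's ssh (i.e. nix-daemon's) uses the user's agent.
    # Keep this at the end of extraConfig; directives after a Match line stay
    # inside that block until the next Host/Match.
    Match localuser root host aarch64.nixos.community
      IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh
  '';
}
```

Check what root's ssh actually resolves, without connecting, with `sudo ssh -G aarch64.nixos.community | grep -i identityagent`; it should print the socket path.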