Nix build w/ remote builders & gpg-agent protected key

My understanding is that the nix-daemon does the actual work of SSHing to the remote builder.

How do I manage this when using a gpg-agent-protected SSH key?

  $ nix build -f default.nix  --builders 'ssh:// aarch64-linux'
  warning: dumping very large path (> 256 MiB); this may run out of memory
  cannot build on 'ssh://': cannot connect to '': Permission denied (publickey).

It’s not pretty, but nix-daemon respects root’s ssh_config(5). So you could put…

  IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh

in your /root/.ssh/config (or your programs.ssh.extraConfig, but then it will affect other users who won’t have the appropriate permissions) to have it talk to your user’s gpg agent.
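
A narrower form of the setting above, as an added example that is not part of the original answer: placing `IdentityAgent` inside a `Host` block in /root/.ssh/config means root uses the user's gpg-agent only for the remote builder and for no other SSH connection. The host name `builder.example` is a hypothetical placeholder; the socket path is the one given in the answer.

```sshconfig
# /root/.ssh/config (read by nix-daemon, which runs as root)

# "builder.example" is a hypothetical placeholder: use the host name
# exactly as it appears in the ssh:// builder URI.
Host builder.example
    # Socket path from the answer above: the gpg-agent SSH socket of the
    # user with UID 1000. It is present only while that user's runtime
    # directory and agent socket exist (for example while they are logged in).
    IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh

# No "Host *" entry is added here, so connections root makes to any other
# host keep their default agent behaviour and never reach the user's agent.
```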