I am using Gitea for my personal projects, and Actions inside. I want these Actions to run `nix build ./#my-package` when pushing to git.
I also want to benefit from the nix store. Since running on the host is not really stable (at least I could not get it to run), I chose to run an overloaded version of docker.

So to benefit from the store system, on the Gitea Runner, I use:

```nix
nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-ed25519 [...]" ];
```
In the Dockerfile of the image running the actions I use:

```dockerfile
FROM nixos/nix
COPY known_hosts /root/.ssh/known_hosts
# Note: a private key COPYed into an image layer is readable by anyone who can pull the image
COPY id_ed25519 /root/.ssh/id_ed25519
COPY id_ed25519.pub /root/.ssh/id_ed25519.pub
RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
# nix.conf values are not quoted; the original line had an unbalanced double quote
RUN echo 'access-tokens = github.com=<TOKEN>' >> /etc/nix/nix.conf
RUN echo 'extra-substituters = ssh://nix-ssh@<MY-DOMAIN>' >> /etc/nix/nix.conf
RUN echo 'extra-trusted-public-keys = <???>' >> /etc/nix/nix.conf
RUN nix-env -iA nixpkgs.nodejs_20 nixpkgs.coreutils
# required because gitea act_runner needs it for some reason
RUN ln -s /root/.nix-profile/bin/sleep /bin/sleep
```
Now this almost works. It seems that content is not signed, because when I run

```shell
nix copy --to ssh://root@<MY-STORE> './#my-package'
nix store verify --store ssh://nix-serve@<MY DOMAIN> './#my-package'
```

I get:

```
error: … while fetching the input 'git+file:/ [...]'
error: operation 'addToStore' is not supported by store <MY-STORE>
```
Not everything is very clear to me here.
What should be the public key added in the Dockerfile? sshServe does not require adding a secret, right? I guess the ssh private key should be enough to sign the store content?
Also, during my build, I would expect to be able to send the new derivation to the store. What should I do to sign it then?

And could the user be `nix-ssh`, or be specified as allowed only to publish to the store, without being root?

Thank you!

Interesting links I found (but not sure they will help):
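Added here as an illustration, not part of the original post: a NixOS fragment for the runner host showing where a Nix signing key (as opposed to the ssh key) fits in, and what `write` and `trusted-users` change about what nix-ssh may upload. The key name `runner-cache-1`, the file paths and the ssh public key are placeholders.

```nix
# Runner-host side (NixOS module). The key name "runner-cache-1", the file
# paths and the ssh public key below are placeholders for this example.
{ ... }:
{
  nix.sshServe = {
    enable = true;
    # Without `write`, the store served to nix-ssh is read-only, so
    # `nix copy --to ssh://nix-ssh@<host>` is refused.
    write = true;
    # Only keys listed here may log in as nix-ssh, and that account can only
    # talk to the store serve protocol, so this is the CI job's key, not a
    # root login.
    keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... ci-job@runner" ];
  };

  nix.settings = {
    # The signing key is a Nix key, not an ssh key. Create it once with:
    #   nix key generate-secret --key-name runner-cache-1 > /var/lib/nix/secret.key
    # The public half, which is what goes into `extra-trusted-public-keys`
    # of the CI image, is printed by:
    #   nix key convert-secret-to-public < /var/lib/nix/secret.key
    # Paths built on this host are signed automatically. Paths copied in from
    # elsewhere keep only the signatures they arrived with; sign those
    # afterwards with `nix store sign --key-file /var/lib/nix/secret.key --recursive <path>`.
    secret-key-files = [ "/var/lib/nix/secret.key" ];

    # With nix-ssh left untrusted (the default), an uploaded path is only
    # accepted if it already carries a signature from a trusted public key,
    # so the CI job would need a signing key of its own.
    # Trusting nix-ssh instead makes unsigned uploads from that account
    # acceptable. A trusted user is root-equivalent for the store, so this is
    # only reasonable when every holder of the ssh key above is trusted.
    trusted-users = [ "nix-ssh" ];
  };
}
```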