I’m trying to access code in a private repository when building on NixOS.

To do this, I created a directory /etc/nix/ssh with a config file therein, and am using -I ssh-config-file=/etc/nix/ssh/config on the nix-build command line. Similarly, /etc/nixos/configuration.nix has had nix.sandboxPaths = [ "/etc/nix/ssh" ]; added, to ensure that the paths are accessible.

The contents of /etc/nix/ssh/config are as follows:
    # MITM not much use here: We don't trust the code we check out; it has to match our hashes
    StrictHostKeyChecking no
    IdentityFile /etc/nix/ssh/keys/%u.key
/etc/nix/ssh/keys contains a nixbld2.key, etc.; all with the same contents (a private key granted read-only access to the relevant repositories), but chown’d to the named user. There’s also a chaduffy.key, mapping to my own username and owned by my own user.

The way I understand this to work is that when nix-build is run, whichever builder gets the job will run this as its own user, and thus access its own key. However, that’s not actually what happens:
    Failed to add the host to the list of known hosts (/home/chaduffy/.ssh/known_hosts).
    Load key "/etc/nix/ssh/keys/chaduffy.key": Permission denied
    email@example.com: Permission denied (publickey).
    fatal: Could not read from remote repository.
Notably, the SSH client is referring to my home directory, rather than an empty/dummy nixbld home directory – and yet it’s unable to access a file which I do have access to (less /etc/nix/ssh/keys/chaduffy.key works fine), and fails with a “permission denied”, not a “file not found”, indicating that (1) the config file was correctly read (to direct to the key), and (2) we aren’t being disrupted by chroot/sandbox behavior.
Any guidance as to how one might hunt this down?
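A small audit of the per-user key layout described in the post, added here as an example rather than code from the post itself. It assumes the naming scheme /etc/nix/ssh/keys/<username>.key exactly as described, and checks the two things OpenSSH requires of an IdentityFile resolved through %u: the file is owned by the user named in its filename, and it is not readable by group or others (OpenSSH refuses keys with looser modes). It also shows which key file %u will resolve to for the calling user, which is the first thing to compare against the user the sandboxed build actually runs ssh as.

```python
import os
import pwd
import stat
from pathlib import Path

# Layout assumed from the post: one private key per build user,
# /etc/nix/ssh/keys/<username>.key, so that "IdentityFile .../%u.key"
# resolves to the key of whichever user actually runs ssh.
KEY_DIR = Path("/etc/nix/ssh/keys")


def check_key(path):
    """Return (username, problem) for one key file.

    problem is None when the file is owned by the user named in its
    filename and has no group/other permission bits set."""
    name = path.name[: -len(".key")]
    try:
        expected_uid = pwd.getpwnam(name).pw_uid
    except KeyError:
        return name, "no such user"
    st = path.stat()
    if st.st_uid != expected_uid:
        return name, "owned by uid %d, expected uid %d" % (st.st_uid, expected_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # OpenSSH ignores private keys that group/other can read
        return name, "mode %04o too open (must be 0600)" % mode
    return name, None


def audit(key_dir=KEY_DIR):
    """Check every *.key file; return {username: problem-or-None}."""
    return dict(check_key(p) for p in sorted(Path(key_dir).glob("*.key")))


def resolve_identity(key_dir=KEY_DIR, user=None):
    """Mimic ssh's %u expansion: the key file the calling user will load."""
    if user is None:
        user = pwd.getpwuid(os.getuid()).pw_name
    return Path(key_dir) / (user + ".key")


if __name__ == "__main__":
    for user, problem in audit().items():
        print(user, "ok" if problem is None else problem)
    print("this user would load:", resolve_identity())
```

Run it both as yourself and as one of the build users (for example via sudo -u nixbld2) to confirm that each user resolves to, and can read, only its own key.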