I’m trying to access code in a private repository when building on NixOS. To do this, I created a directory /etc/nix/ssh with a config file therein, and am using -I ssh-config-file=/etc/nix/ssh/config on the nix-build command line. Similarly, /etc/nixos/configuration.nix has had nix.sandboxPaths = [ "/etc/nix/ssh" ]; added, to ensure that the paths are accessible.

Contents of /etc/nix/ssh/config are as follows:
StrictHostKeyChecking no # MITM not much use here: We don't trust the code we check out; it has to match our hashes
IdentityFile /etc/nix/ssh/keys/%u.key
…whereas /etc/nix/ssh/keys contains a nixbld1.key, nixbld2.key, etc.; all with the same contents (a private key granted read-only access to the relevant repositories), but chown’d to the named user. There’s also a chaduffy.key, mapping to my own username and owned by my own user.

The way I understand this to work is that when nix-build is run, whichever builder gets the job will run this as its own user, and thus access its own key. However, that’s not actually what happens:
Failed to add the host to the list of known hosts (/home/chaduffy/.ssh/known_hosts).
Load key "/etc/nix/ssh/keys/chaduffy.key": Permission denied
git@github.threatbuild.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Notably, the SSH client is referring to my home directory, rather than an empty/dummy nixbld home directory – and yet it’s unable to access a file which I do have access to (less /etc/nix/ssh/keys/chaduffy.key works fine), and fails with a “permission denied”, not a “file not found”, indicating that (1) the config file was correctly read (to direct to the key), and (2) we aren’t being disrupted by chroot/sandbox behavior.
Any guidance as to how one might hunt this down?
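One way to check the per-user key layout described in the question, as an added example that is not part of the original post: it walks a keys directory, reports whether each <user>.key has the ownership and mode ssh requires before loading a private key, and shows which file an IdentityFile line ending in %u.key resolves to for the user running the check (ssh expands %u to the local username of the process). The sample directory is constructed (placeholder files owned by the current user, since chown needs root); /etc/nix/ssh/keys is the path from the post.

```shell
# Added example; not from the original post. Assumes GNU or BSD stat.

# check_keys DIR: for every DIR/<user>.key print "<user> ok" or "<user> <reason>".
# ssh only loads a private key that is not readable by group/others, and the
# layout in the post additionally wants <user>.key owned by <user>.
check_keys() {
    dir="$1"
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        user=${key##*/}; user=${user%.key}
        owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%OLp' "$key")
        case "$mode" in
            *00) ;;  # group/other bits clear (600, 400, ...)
            *)   echo "$user mode $mode too open, expected 600 or 400"; continue ;;
        esac
        if [ "$owner" != "$user" ]; then
            echo "$user owner is $owner, expected $user"
        else
            echo "$user ok"
        fi
    done
}

# resolve_identity DIR: the file "IdentityFile DIR/%u.key" resolves to for the
# current process, and whether this process can read it (EACCES shows up in
# ssh as "Load key ...: Permission denied").
resolve_identity() {
    path="$1/$(id -un).key"
    if [ -r "$path" ]; then echo "$path readable"; else echo "$path NOT readable"; fi
}

# make_sample_dir: constructed key directory for an offline run. All files are
# owned by the current user, so only <current-user>.key can pass the owner check.
make_sample_dir() {
    d=$(mktemp -d)
    for u in "$(id -un)" nixbld1 nixbld2; do
        printf 'CONSTRUCTED PLACEHOLDER, not a real key\n' > "$d/$u.key"
    done
    chmod 600 "$d/$(id -un).key" "$d/nixbld1.key"
    chmod 644 "$d/nixbld2.key"
    echo "$d"
}

# On a real host: check_keys /etc/nix/ssh/keys (path from the post).
[ -d /etc/nix/ssh/keys ] && check_keys /etc/nix/ssh/keys
```

Run check_keys as the user the failing ssh process runs as (sudo -u nixbld1 ...) to see the layout from that user's point of view.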