Use nix copy from a systemd service?

My current workflow consists of building my remote server on a local NixOS server and deploying it with:
nix copy --to ssh://root@somehost $(readlink result)

I’m now trying to auto-deploy every time new code is pushed to a GitHub repo.
I’ve set up a systemd service on the local server which triggers a bash script every time a webhook request is received. The script stops on the nix-copy command with this error:

error: executing 'nix-store --serve --write' on 'root@somehost': No such file or directory
error: cannot connect to 'root@somehost'

My guess is that it fails because of missing ssh credentials. When running the script manually it uses the private key from the ssh-agent, which I guess the systemd service is not able to use.

Is what I’m doing possible or are there any better alternatives?

What user is used to run the service? Can this user read the SSH agent's socket associated with the user that has the key?

Usually I'd assume that there is a parameter that allows passing options to the SSH client, and I’d use that to specify the identity option with a path to the private key.

nix-copy-closure used an environment variable, perhaps it works for the new copy tool as well?

NIX_SSHOPTS

Additional options to be passed to ssh on the command line.

2 Likes

NIX_SSHOPTS worked perfectly, thanks! 🙂

NIX_SSHOPTS="-i /home/someuser/.ssh/id_rsa";
1 Like
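An added example, not part of the thread: a deploy script for the systemd service that builds NIX_SSHOPTS for a dedicated, non-agent key and checks the key and pinned host keys before calling nix copy. The paths under /var/lib/deploy and the function names are hypothetical placeholders; rejecting paths with whitespace is a conservative assumption about how NIX_SSHOPTS is split.

```shell
#!/usr/bin/env bash
# Added example. Paths below are placeholders, not taken from the thread.

# Print ssh options for a non-interactive deploy with a dedicated key.
# Returns non-zero (and prints nothing on stdout) if a file is unusable.
build_ssh_opts() {
  local key="$1" known_hosts="$2" perms
  case "$key$known_hosts" in
    *[[:space:]]*) echo "paths must not contain whitespace" >&2; return 1 ;;
  esac
  [ -r "$key" ] || { echo "key not readable by $(id -un): $key" >&2; return 1; }
  [ -s "$known_hosts" ] || { echo "missing host keys: $known_hosts" >&2; return 1; }
  # ssh refuses private keys that group/other can access; catch that early.
  perms=$(ls -lL -- "$key" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "key permissions too open: $key" >&2; return 1; }
  # BatchMode: fail instead of prompting. IdentitiesOnly: ignore any agent.
  # StrictHostKeyChecking=yes plus a pinned known_hosts: no trust on first use.
  printf '%s' "-i $key -o BatchMode=yes -o IdentitiesOnly=yes" \
    " -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known_hosts"
}

deploy() {
  local result="$1" target="$2"
  # systemd units run with a minimal PATH; nix has to be able to find ssh.
  command -v ssh >/dev/null || { echo "ssh not on PATH" >&2; return 1; }
  NIX_SSHOPTS=$(build_ssh_opts /var/lib/deploy/id_ed25519 \
    /var/lib/deploy/known_hosts) || return 1
  export NIX_SSHOPTS
  nix copy --to "ssh://$target" "$(readlink -f "$result")"
}

# Usage from the webhook script: deploy.sh ./result root@somehost
if [ "$#" -eq 2 ]; then deploy "$1" "$2"; fi
```

Because the options disable prompting and the agent, a missing or wrong key makes the service fail immediately with an ssh error in the journal instead of hanging.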