Using a private GitLab instance with fetchGit

At work, we have a GitLab instance that users can pull from using SSH. I am currently setting up a GitLab Runner to build “Project A” with Nix. This project depends on another “Project B” in the same private GitLab.

So somewhere in the Project A default.nix, I have

	# scp-style SSH URL: host and path are separated by a colon, not a slash
	project-b = import (fetchGit {
		url = "git@gitlab.example.com:group/project-b.git";
		rev = "326ce97a6c46bef4d44cf2a18573cb083e7440d4";
	});

Now, when I run nix-build locally, I am prompted for the password for my SSH key and everything works as expected.

I would prefer not to place SSH keys on the GitLab Runner. But what I can do before nix-build, so I thought, is:

	nix-prefetch-git https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/group/project-b.git 326ce97a6c46bef4d44cf2a18573cb083e7440d4

This will fetch the repository just fine, but fetchGit does not use it. What is the reason for that, and how do I solve it?

What I will try next is to replace fetchGit with fetchgit. This allows me to specify a hash and maybe then the source will be reused, but it will also force me to import nixpkgs everywhere and I will lose the comfort of being able to provide my personal SSH key password when building locally.

Alex

Please see fetchFromGitLab, which should support this.

This is actually a good use case for deployment- or read-only keys which you strictly limit in what they can access.

Yes, thank you - I opted for a Deploy Key.

fetchFromGitLab internally uses fetchzip by default. Currently, I think that one would have to specify username and password in the URL.
The pull request “fetchFromGitLab: support for private repositories” will simplify this. If one then uses fetchFromGitLab in the code, they will be able to provide the GitLab access token and username through environment variables.
Then again, developers will have to add a token to their account and supply this to the build process on their local machine.

With a Deploy Key, developers can use their own SSH key which they have configured anyway and the Runner will use its Deploy Key, both with the same repository URL.
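The runner-side half of the Deploy Key setup described above (a read-only key strictly limited to the repositories the build needs, used through the same git@ URL the developers use), as an added example that is not code from the thread. It writes a per-host ssh_config stanza and a pinned host key for the account gitlab-runner builds under, so the `git` binary that builtins.fetchGit invokes picks up the deploy key automatically. The paths, the host name gitlab.example.com and the host-key line are assumptions; the real host key must be taken from the server and checked against the fingerprint the GitLab instance publishes before it is trusted.

```shell
#!/bin/sh
# Added example (not from the thread): runner-side SSH client setup so that
#   fetchGit { url = "git@gitlab.example.com:group/project-b.git"; ... }
# is cloned with a read-only GitLab Deploy Key on the runner, while developers
# keep using their own SSH key for the identical URL.
# Assumed: the runner's jobs run as a user whose $HOME/.ssh is $ssh_dir.
set -eu

# Per-host stanza. IdentitiesOnly stops ssh from offering every key in an
# agent; BatchMode makes a missing key or unknown host fail instead of
# blocking a CI job on a prompt; StrictHostKeyChecking refuses unpinned hosts.
write_runner_ssh_config() {
  ssh_dir="$1"; host="$2"; key_path="$3"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  cat > "$ssh_dir/config" <<EOF
Host $host
  User git
  IdentityFile $key_path
  IdentitiesOnly yes
  BatchMode yes
  StrictHostKeyChecking yes
  UserKnownHostsFile $ssh_dir/known_hosts
EOF
  chmod 600 "$ssh_dir/config"
}

# Pin the server's host key. $pubkey is the "ssh-ed25519 AAAA..." part of a
# line obtained with `ssh-keyscan -t ed25519 $host`; verify its fingerprint
# against the value the GitLab instance publishes before calling this.
pin_host_key() {
  ssh_dir="$1"; host="$2"; pubkey="$3"
  printf '%s %s\n' "$host" "$pubkey" >> "$ssh_dir/known_hosts"
  chmod 600 "$ssh_dir/known_hosts"
}

# Create the runner's key pair. Only $key_path.pub is registered as a Deploy
# Key on the GitLab project(s) the build needs; leave "write access" disabled.
generate_deploy_key() {
  key_path="$1"
  ssh-keygen -q -t ed25519 -N '' -C 'gitlab-runner deploy key' -f "$key_path"
  printf '%s\n' "$key_path.pub"
}

# Sanity check a practitioner runs after setup: every hardening directive
# present for the host, and a pinned key for it. Returns 0 on success.
check_runner_ssh_config() {
  ssh_dir="$1"; host="$2"
  grep -q "^Host $host\$" "$ssh_dir/config" || return 1
  for directive in 'IdentitiesOnly yes' 'BatchMode yes' 'StrictHostKeyChecking yes'; do
    grep -q "^  $directive\$" "$ssh_dir/config" || return 1
  done
  grep -q "^$host " "$ssh_dir/known_hosts" || return 1
  return 0
}

# Usage on the runner:  sh runner-ssh-setup.sh setup "$HOME/.ssh" gitlab.example.com "ssh-ed25519 AAAA..."
# Afterwards nix-build evaluates the fetchGit above using the deploy key.
main() {
  ssh_dir="$2"; host="$3"; host_pubkey="$4"
  key_path="$ssh_dir/gitlab_deploy_key"
  [ -f "$key_path" ] || generate_deploy_key "$key_path"
  write_runner_ssh_config "$ssh_dir" "$host" "$key_path"
  pin_host_key "$ssh_dir" "$host" "$host_pubkey"
  check_runner_ssh_config "$ssh_dir" "$host" && echo "runner SSH config OK: $ssh_dir"
}

if [ "${1:-}" = "setup" ]; then
  main "$@"
fi
```

On the developers' side nothing changes: their own key (or agent) answers for gitlab.example.com, and the passphrase prompt seen during a local nix-build comes from that key, not from anything in this script. The deploy key stays confined to the runner's account, and because it is registered read-only, a compromised job can at most read the repositories it was granted.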