I’m trying to build on the server, and some package sources lie in private repositories, so I need to set impure-env on the command line to let fetchFromGitHub pick up the token. This works fine locally, but it seems remote builders cannot see those values. Is this intended?
I’ve never used Nix with private repositories, but surely impurity can be avoided, I would imagine. Found some pages:
GitHub issue, opened 09:48AM 03 Jul 23 UTC (labels: feature, security, fetching, settings):
**Is your feature request related to a problem? Please describe.**
We desperately need some sort of credentials provider support for `builtins.fetch*` functions. The best you can currently do is to use `pkgs.fetchurl`, expose your credentials in plain text at some globally accessible path like `/etc/nix/my-creds` and add it to `extra-sandbox-paths`. You can restrict access to only `nixbld` though it's not like it matters because anyone who has access to the nix builder can echo the credentials and fetch them from the build log.
**Describe the solution you'd like**
- Similar to [fetchGit](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-fetchGit) which is able to use your local ssh agent, you should have some form of way to securely fetch packages on the client side by authenticating locally using a custom credential provider.
- Packages behind authentication would be fetched on the client side and then passed to the builder.
- Credential provider could simply read from a local file or execute a custom command (e.g. fetch credentials from `pass` or the system keychain).
- Credential provider would be able to set any http header for fetchurl.
- Credentials should not be saved to the nix store as that is not secure. Credentials can be expiring and user-specific so they're not reproducible anyway.
**Describe alternatives you've considered**
- [[RFC 0143] Nix Store ACLs](https://github.com/tweag/rfcs/blob/acls/rfcs/0143-nix-store-acls.md) is not a solution to this because credentials can be user-specific and expiring which makes them non-reproducible.
- `access-tokens` currently [doesn't work](https://github.com/NixOS/nix/issues/8439), is limited to credentials being exposed in plain text, assumes the credentials don't need to be refreshed and is limited to oauth/pat for specific platforms like gitlab/github.
**Somewhat related**
- [Expected AWS S3 Credential Locations are Inconsistent Across nix Commands for Daemon Users ](https://github.com/NixOS/nix/issues/5723)
**Priorities**
Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).
This is solved using the Enterprise page on the NixOS Wiki:

```
# /etc/nix/netrc
machine DOMAINNAME
login USERNAME
password SECRET
```

For something like private GitHub repos, you would do:

```
machine github.com
password TOKEN
```
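An added example, not from the thread or the wiki, showing how a builder admin might create and sanity-check that netrc file: it creates the file with mode 0600 before any secret is written, lists the machines that actually carry a password, and rejects a group- or world-readable file (the exposure the issue above complains about). The paths, login names and token values are constructed placeholders; `netrc-file` is the real Nix setting that points Nix's own downloader at the file.

```shell
#!/bin/sh
# Added example (not from the thread). Manage a netrc file for Nix fetchers
# on a remote builder and check it before adding
#   netrc-file = /etc/nix/netrc
# to that builder's nix.conf. All values below are constructed placeholders.

# Append one "machine" stanza. The file is created 0600 (umask 077 in a
# subshell) before the first secret is written, so it is never briefly
# world-readable.  Usage: netrc_add FILE MACHINE LOGIN PASSWORD
netrc_add() {
  [ -e "$1" ] || ( umask 077; : > "$1" )
  printf 'machine %s\nlogin %s\npassword %s\n' "$2" "$3" "$4" >> "$1"
}

# Succeed only if FILE grants no group/other permission bits at all
# (columns 5-10 of `ls -ld` are all '-'). Portable across GNU and BSD ls.
netrc_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print each machine that is followed by a password line, one per line,
# so an entry that was pasted without its password shows up as missing.
netrc_machines() {
  awk '$1 == "machine" { m = $2 }
       $1 == "password" && m != "" { print m; m = "" }' "$1"
}

# Demo on a temporary file; prints the usable machines, then the verdict.
netrc_demo() {
  f="$(mktemp -d)/netrc"
  netrc_add "$f" example.invalid builder 'constructed-secret'
  netrc_add "$f" github.com x-access-token 'ghp_constructed_placeholder'
  netrc_machines "$f"
  if netrc_private "$f"; then echo "ok: $f is private"; else echo "refusing: $f is readable by others"; fi
}
```

Run `netrc_demo` to see the check on a throwaway file; on a multi-user install the real file is read by the daemon, so root-owned 0600 is the mode to aim for.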
fetchgitPrivate supports reading ssh-auth-sock and git-ssh from the nix path as a way to use SSH keys to access git repositories. You can use this to keep your credentials in the ssh-agent instead of in the environment. I believe private repositories on GitHub support ssh.