Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fetchgitPrivate: put our custom ssh on PATH
Currently we wrap ssh so it can find the config file passed in by <ssh-config-file>. If one however uses ProxyCommand ssh, then ssh that is on PATH is taken (which is also unavailable when using nix-shell --pure), which is the plain ${openssh}/bin/ssh. This commit makes sure our wrapped ssh is available on PATH. (cherry picked from commit f8eed5f)
- Loading branch information
Showing
1 changed file
with
20 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,19 +1,26 @@ | ||
{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // { | ||
{ fetchgit, runCommand, makeWrapper, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // { | ||
SSH_AUTH_SOCK = if (builtins.tryEval <ssh-auth-sock>).success | ||
then builtins.toString <ssh-auth-sock> | ||
else null; | ||
GIT_SSH = writeScript "fetchgit-ssh" '' | ||
#! ${stdenv.shell} | ||
exec -a ssh ${openssh}/bin/ssh -F ${let | ||
sshConfigFile = if (builtins.tryEval <ssh-config-file>).success | ||
then <ssh-config-file> | ||
else builtins.trace '' | ||
Please set your nix-path such that ssh-config-file points to a file that will allow ssh to access private repositories. The builder will not be able to see any running ssh agent sessions unless ssh-auth-sock is also set in the nix-path. | ||
|
||
Note that the config file and any keys it points to must be readable by the build user, which depending on your nix configuration means making it readable by the build-users-group, the user of the running nix-daemon, or the user calling the nix command which started the build. Similarly, if using an ssh agent ssh-auth-sock must point to a socket the build user can access. | ||
GIT_SSH = let | ||
config = ''${let | ||
sshConfigFile = if (builtins.tryEval <ssh-config-file>).success | ||
then <ssh-config-file> | ||
else builtins.trace '' | ||
Please set your nix-path such that ssh-config-file points to a file that will allow ssh to access private repositories. The builder will not be able to see any running ssh agent sessions unless ssh-auth-sock is also set in the nix-path. | ||
You may need StrictHostKeyChecking=no in the config file. Since ssh will refuse to use a group-readable private key, if using build-users you will likely want to use something like IdentityFile /some/directory/%u/key and have a directory for each build user accessible to that user. | ||
'' "/var/lib/empty/config"; | ||
in builtins.toString sshConfigFile} "$@" | ||
''; | ||
Note that the config file and any keys it points to must be readable by the build user, which depending on your nix configuration means making it readable by the build-users-group, the user of the running nix-daemon, or the user calling the nix command which started the build. Similarly, if using an ssh agent ssh-auth-sock must point to a socket the build user can access. | ||
You may need StrictHostKeyChecking=no in the config file. Since ssh will refuse to use a group-readable private key, if using build-users you will likely want to use something like IdentityFile /some/directory/%u/key and have a directory for each build user accessible to that user. | ||
'' "/var/lib/empty/config"; | ||
in builtins.toString sshConfigFile}''; | ||
|
||
ssh-wrapped = runCommand "fetchgit-ssh" { | ||
buildInputs = [ makeWrapper ]; | ||
} '' | ||
mkdir -p $out/bin | ||
makeWrapper ${openssh}/bin/ssh $out/bin/ssh --prefix PATH : "$out/bin" --add-flags "-F ${config}" "$@" | ||
''; | ||
in "${ssh-wrapped}/bin/ssh"; | ||
}) |