Handle private inputs #46

Closed
opened 2023-06-30 08:44:17 +00:00 by mrVanDalo · 6 comments
mrVanDalo commented 2023-06-30 08:44:17 +00:00 (Migrated from github.com)

Just switching to nixinate and ran into some minor problem. I use inputs which are private and prefer `buildOn = remote`.
This results (of course) in an exception "Permission Denied".
A fix at the moment for me is to run:

```
nix flake archive --json \
  | jq -r '.inputs.private_assets.path' \
  | xargs nix-copy-closure root@myMachine
```

But it would be nice to have a more convenient way right in the `flake.nix` to do this.
(Of course copying every input makes no sense.)

Alternatively I'll create a pull request describing this problem and a proper solution in the README.md or something (if wanted of course).

CRTified commented 2023-06-30 12:00:12 +00:00 (Migrated from github.com)

Is it really harmful to copy every input? Assuming they're used, they will get pulled by the remote either way. Copying them first just shifts the point in time where the remote receives that input in its store?

mrVanDalo commented 2023-06-30 14:40:32 +00:00 (Migrated from github.com)

No it's not harmful. I'm with copying every flake input.

MatthewCroughan commented 2023-06-30 16:17:06 +00:00 (Migrated from github.com)

Another option is to use ssh-agent, which does not require modifying nixinate

CRTified commented 2023-06-30 17:08:33 +00:00 (Migrated from github.com)

That has two disadvantages as opposed to pre-fetching and pushing the inputs:

  • It exposes the keys available. Problematic if the deployment target is less trusted than your machine.
  • It requires that the target has a route to grab the input itself. Might be a problem for isolated machines.
happysalada commented 2023-11-04 19:16:14 +00:00 (Migrated from github.com)

I was really glad to find this, here is my nushell adapted version (for those that it might help)

```
nix flake archive --json | from json | get inputs.private_input.path | xargs nix copy --to ssh://not_root@my_machine
```

or the script for all the inputs

```
def nix_copy_inputs [to: string] {
  nix flake archive --json | from json | get inputs | transpose | each { |input| $input.column1.path | xargs nix copy --to $"ssh://($to)" }
}
```

I do agree that it would be nice to have this taken care of automatically, but it might be hard to do it for every shell.
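
Added example, not part of any comment in this thread and not nixinate's own code: a POSIX sh version of the push-the-inputs approach that fetches inputs on the trusted machine and copies them to the target, so the target needs neither forwarded keys nor a route to the private repository. It goes beyond the one-liners above by walking nested inputs and optionally restricting to named top-level inputs; the function names, the script name and the sample JSON are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not nixinate's code. Needs nix (flakes enabled) and jq >= 1.6.
set -eu

# Constructed sample of `nix flake archive --json` output (store paths are
# made up): every input carries its own "path" and nested "inputs".
SAMPLE_ARCHIVE='{"path":"/nix/store/aaa-source","inputs":{
  "nixpkgs":{"path":"/nix/store/bbb-source","inputs":{}},
  "tools":{"path":"/nix/store/eee-source","inputs":{}},
  "private_assets":{"path":"/nix/store/ccc-source","inputs":{
    "nixpkgs":{"path":"/nix/store/bbb-source","inputs":{}},
    "helpers":{"path":"/nix/store/ddd-source","inputs":{}}}}}}'

# stdin:  output of `nix flake archive --json`
# stdout: store path of each input, nested inputs included, de-duplicated
# args:   optional names of top-level inputs to restrict the list to
flake_input_paths() {
  jq -r --args '
    (if ($ARGS.positional | length) == 0 then .inputs
     else [.inputs[$ARGS.positional[]] // empty] end)
    | [.. | objects | .path? | strings] | unique | .[]
  ' "$@"
}

# usage: push_flake_inputs <flake-ref> <user@host> [input-name...]
# Archives the flake locally (private inputs are fetched here, with the local
# machine's credentials), then copies the selected sources to the target.
push_flake_inputs() {
  flake=$1
  target=$2
  shift 2
  archive=$(nix flake archive --json "$flake")
  paths=$(printf '%s\n' "$archive" | flake_input_paths "$@")
  if [ -z "$paths" ]; then
    # A mistyped input name would otherwise push nothing and fail later.
    echo "no matching flake inputs found" >&2
    return 1
  fi
  printf '%s\n' "$paths" | xargs nix copy --to "ssh://$target"
}

# Runs only when arguments are given, e.g.:
#   sh push-inputs.sh . root@myMachine private_assets
if [ "$#" -ge 2 ]; then
  push_flake_inputs "$@"
fi
```

The copied sources end up in the target's `/nix/store`, which is readable by every local user on that machine.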


Closed due to fork migration, feel free to reopen.

Reference: tristan/nixinate#46