
Problem with Nix package manager and GitLab


I am using the Nix package manager on OSX Mojave.

My colleagues are using earlier versions of OSX. Not sure if that is the reason they are not encountering this problem.

I can't connect to a specific private GitLab repo that I explicitly have access to. I can clone it directly, but I can't build it when I am building the project that it is a part of.

This is the relevant excerpt from my default.nix file. I am told that fetchgitPrivate is deprecated. I have tried replacing it with fetchGit in this file, but it does not work.

      my-private-gitlab-repo = self.callCabal2nix "my-private-gitlab-repo" (pkgs.fetchgitPrivate {
        # ssh:// form, matching the URL shown in the build log below
        url = "ssh://git@gitlab.com/namehere/my-private-gitlab-repo.git";
        rev = "...";
        sha256 = "...";
      }) {};

This is the error I'm getting:

    reallymemorables-MacBook-Pro:localclone reallymemorable$ ./scripts/ghci-backend
    building '/nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo.drv'...
    exporting ssh://git@gitlab.com/namehere/my-private-gitlab-repo.git (rev kjsdjfksdjklfsjkldjfksjdfskldf) into /nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo-asddfs
    Initialized empty Git repository in /nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo-asddfs/.git/
    git@gitlab.com: Permission denied (publickey).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.
    git@gitlab.com: Permission denied (publickey).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.
    Unable to checkout khjsdfkhdsjhklsdjhfksdhfjksdh from ssh://git@gitlab.com/namehere/my-private-gitlab-repo.git.
    builder for '/nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo-asdffdsgfd.drv' failed with exit code 1
    cannot build derivation '/nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo.drv': 1 dependencies couldn't be built
    error: build of '/nix/store/kljskajsdljkdgfhj-cabal2nix-my-private-gitlab-repo.drv' failed
    (use '--show-trace' to show detailed location information)

I'm completely lost on how to proceed. I have tried putting my SSH keys in Shared and in my normal OSX user. I have tried a million permissions permutations.


Solution

  • The right thing to use with Nix 2.x is builtins.fetchGit -- but it's not a straight-across replacement: You need to remove the sha256 argument. Because builtins.fetchGit runs under your own user account, rather than as the Nix builder, it completely moots permissions issues: Anything you can access as yourself (a keyring, a YubiKey or smartcard, or just your ~/.ssh directory) can be accessed by the copy of git invoked by builtins.fetchGit.

    Thus:

    my-private-gitlab-repo = self.callCabal2nix "my-private-gitlab-repo" (builtins.fetchGit {
      # ssh:// form, matching the URL shown in the build log; no sha256 argument
      url = "ssh://git@gitlab.com/namehere/my-private-gitlab-repo.git";
      rev = "...";
    }) {};
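
With `sha256` removed, the commit hash in `rev` is the only thing pinning what gets fetched, and if `rev` is omitted `builtins.fetchGit` takes the current tip of the ref. The following is an added example, not part of the original answer: a small wrapper that refuses anything but a full commit hash. The file name, the helper names `isFullRev` and `fetchPinnedPrivate`, the placeholder hash and the `master` branch are assumptions.

```nix
# pinned-private-src.nix (hypothetical file name; added example)
#
# Evaluates to the checked-out source of the private repo, fetched at
# evaluation time with the invoking user's own SSH credentials.
# Use it as:
#   self.callCabal2nix "my-private-gitlab-repo" (import ./pinned-private-src.nix) {}
let
  # True only for a full 40-hex-digit commit hash. builtins.match must
  # match the whole string, so abbreviated hashes and branch names fail.
  isFullRev = rev:
    builtins.isString rev && builtins.match "[0-9a-f]{40}" rev != null;

  # Hypothetical helper: wrap builtins.fetchGit so that an unpinned or
  # abbreviated rev is an evaluation error instead of a silent moving target.
  fetchPinnedPrivate = { url, rev, ref ? "master" }:
    if !(isFullRev rev) then
      throw "fetchPinnedPrivate: rev must be a full 40-character commit hash"
    else
      builtins.fetchGit { inherit url rev ref; };
in
  fetchPinnedPrivate {
    url = "ssh://git@gitlab.com/namehere/my-private-gitlab-repo.git";
    # Placeholder: replace with the real commit hash of the dependency.
    rev = "0000000000000000000000000000000000000000";
    # Assumption: the pinned commit is on this branch.
    ref = "master";
  }
```

Because the fetch runs during evaluation as the invoking user, every machine that evaluates this expression (including CI) needs its own SSH access to the private repository.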