Nix: Private Flakes

Created on 6 Sep 2020 · 8 Comments · Source: NixOS/nix

Is your feature request related to a problem? Please describe.
I would like to be able to separate my system configuration (which I broadly am willing to show people) from the secrets that have to go into it (which I am not: hashed passwords; lat/long for redshift in home-manager, timezone, etc. all broadly reveal my location).

Describe the solution you'd like
Some method of providing credentials (e.g., ssh keys) so that I can fetch the private flakes.

Describe alternatives you've considered
Importing via relative paths is not currently possible (#3978). If it was, I would probably use a git submodule.

flakes improvement

All 8 comments

You could probably use ssh+git://... There is also --override-input

Unfortunately:

```
error: --- Error ------------------------------------------------------------------------------------------------- nix
input 'ssh+git://[email protected]/cole-h/nix-secrets.git' is unsupported
```

and

```
error: --- Error ------------------------------------------------------------------------------------------------- nix
input 'ssh://[email protected]/cole-h/nix-secrets.git' is unsupported
```

Sorry, wrong way around. Use this:

```
git+ssh://[email protected]/cole-h/nix-secrets.git
```

```
$ cat flake.nix
{
  inputs = {
    secrets.url = "git+ssh://git@host:path";
  };
}
```

```
$ nix build --option experimental-features 'nix-command flakes'
warning: ignoring the user-specified setting 'experimental-features', because it is a restricted setting and you are not a trusted user
warning: Git tree '/home/endgame/test' is dirty
error: --- BadURL ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
'git+ssh://git@host:path' is not a valid URL
```

```
$ cat flake.nix
{
  inputs = {
    secrets.url = "git+ssh://git@host:path";
  };
}
```

```
$ nix build --option experimental-features 'nix-command flakes'
warning: ignoring the user-specified setting 'experimental-features', because it is a restricted setting and you are not a trusted user
warning: Git tree '/home/endgame/test' is dirty
error: --- BadURL ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
'git+ssh://git@host:path' is not a valid URL
```

It's host/path, like in the SSH URI standard.

Cool, that works. Is this documented anywhere?

Indeed, that does work! A great workaround, at least until submodules can be kept in the flake without needing to add an input. Thanks @Kloenk!

In addition to the standard Git/Mercurial authentication mechanisms, you can also access GitHub repositories using the github:<repo>/<owner> syntax if you set github-access-token in your nix.conf file.
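
The `host/path` versus `host:path` fix from this thread, as an added example that is not part of the original discussion: a shell helper that rewrites a Git SSH remote (the scp-style form `git remote -v` usually prints) into the `git+ssh://` URL form. The function name `to_flake_url` and the sample remotes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: normalise a Git SSH remote into the
# git+ssh://user@host/path form accepted for flake inputs.
# to_flake_url is a hypothetical helper; the remotes below are constructed samples.
to_flake_url() {
    remote=$1
    case $remote in
        git+ssh://*) rest=${remote#git+ssh://}; scheme=1 ;;
        ssh://*)     rest=${remote#ssh://};     scheme=1 ;;
        *://*)       echo "not an SSH remote: $remote" >&2; return 1 ;;
        *)           rest=$remote;              scheme=0 ;;
    esac

    authority=${rest%%/*}            # text before the first slash
    case $authority in
        *:*)
            after=${authority#*:}    # a port, or the start of an scp-style path
            case $after in
                ''|*[!0-9]*) port=0 ;;
                *)           port=$scheme ;;  # digits are a port only in URL form
            esac
            if [ "$port" -eq 0 ]; then
                tail=${rest#*:}
                rest="${rest%%:*}/${tail#/}"  # host:path -> host/path
            fi
            ;;
        *)
            # No colon before the first slash: fine for a URL, but without a
            # scheme this is a local path, not an SSH remote.
            if [ "$scheme" -eq 0 ]; then
                echo "not an SSH remote: $remote" >&2
                return 1
            fi
            ;;
    esac
    printf 'git+ssh://%s\n' "$rest"
}

# Constructed sample remotes, including the form rejected with BadURL above.
for r in 'git@host:path' 'git+ssh://git@host:path' \
         'ssh://git@git.example.org:2222/me/nix-secrets.git'; do
    printf '%-52s -> %s\n' "$r" "$(to_flake_url "$r")"
done
```

On a plain SSH server an scp-style relative path is resolved from the login directory, while the path in a URL is absolute, so check the converted path when the repository is not on a hosting service.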
