Private Flakes #3991

Closed
endgame opened this issue Sep 6, 2020 · 18 comments

@endgame
Contributor

endgame commented Sep 6, 2020

Is your feature request related to a problem? Please describe.
I would like to be able to separate my system configuration (which I broadly am willing to show people) from the secrets that have to go into it (which I am not: hashed passwords; lat/long for redshift in home-manager, timezone, etc. all broadly reveal my location).

Describe the solution you'd like
Some method of providing credentials (e.g., ssh keys) so that I can fetch the private flakes.

Describe alternatives you've considered
Importing via relative paths is not currently possible (#3978). If it was, I would probably use a git submodule.

@kloenk
Member

kloenk commented Sep 6, 2020

You could probably use ssh+git://... There is also --override-input

@cole-h
Member

cole-h commented Sep 6, 2020

Unfortunately:

error: --- Error ------------------------------------------------------------------------------------------------- nix
input 'ssh+git://git@github.com/cole-h/nix-secrets.git' is unsupported

and

error: --- Error ------------------------------------------------------------------------------------------------- nix
input 'ssh://git@github.com/cole-h/nix-secrets.git' is unsupported

@kloenk
Member

kloenk commented Sep 6, 2020

Sorry, wrong way around. Use this:
git+ssh://git@github.com/cole-h/nix-secrets.git

@endgame
Contributor Author

endgame commented Sep 6, 2020

{
  inputs = {
    secrets.url = "git+ssh://git@host:path";
  };
}
warning: ignoring the user-specified setting 'experimental-features', because it is a restricted setting and you are not a trusted user
warning: Git tree '/home/endgame/test' is dirty
error: --- BadURL ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
'git+ssh://git@host:path' is not a valid URL

@kloenk
Member

kloenk commented Sep 6, 2020

{
  inputs = {
    secrets.url = "git+ssh://git@host:path";
  };
}
warning: ignoring the user-specified setting 'experimental-features', because it is a restricted setting and you are not a trusted user
warning: Git tree '/home/endgame/test' is dirty
error: --- BadURL ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- nix
'git+ssh://git@host:path' is not a valid URL

It's host/path
Like in the SSH URI standard

@endgame
Contributor Author

endgame commented Sep 6, 2020

Cool, that works. Is this documented anywhere?

@cole-h
Member

cole-h commented Sep 7, 2020

Indeed, that does work! A great workaround, at least until submodules can be kept in the flake without needing to add an input. Thanks @kloenk!

@edolstra
Member

In addition to the standard Git/Mercurial authentication mechanisms, you can also access GitHub repositories using the github:<repo>/<owner> syntax if you set github-access-token in your nix.conf file.

@dhess

dhess commented Feb 14, 2021

What about with branches/refs? With the github: syntax you can just add the ref/branch as an extra path; e.g., github:NixOS/nixpkgs/nixpkgs-unstable. However, this doesn't work with git+ssh://git@github.com/<owner>/<repo>/<ref> syntax as GitHub complains that it's not a valid repository name.

@jack-michaud

jack-michaud commented Apr 5, 2021

However, this doesn't work with git+ssh://git@github.com/<owner>/<repo>/<ref> syntax as GitHub complains that it's not a valid repository name

@dhess You can use ?ref=<branch/tag> or ?ref=<branch/tag>&rev=<commit> at the end of a URL to get the same behavior. This is documented in the Input schema section of the Flakes documentation.

@SuperSandro2000
Member

I got from Google here and just wanted to leave a note that the setting got renamed. The new option is access-tokens = github.com=ghp_abcdef123456....

@dhess

dhess commented Nov 18, 2021

Yes, we've been using access-tokens and it works well, especially with Vault Agent to rotate the token frequently.

It is probably worth pointing out in the documentation that, in most cases, you want to set this in the user's personal nix.conf (or Hydra's, as the case may be) and not the system's nix.conf, because these sources get fetched by the user's process, not the system nix-daemon.

@yangm97

yangm97 commented Feb 27, 2023

What about a system with auto upgrade set to a private flake?

Also, I found it confusing that access-tokens under a flake's nixConfig is accepted but not used.

@nyngwang

nyngwang commented Mar 24, 2023

Could anyone help me with this? I got an error when trying to run nix eval .:

ssh: Could not resolve hostname github.com:nyngwang: nodename nor servname provided, or not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at 'ssh://git@github.com:nyngwang/dotfiles.git', using 'master'
ssh: Could not resolve hostname github.com:nyngwang: nodename nor servname provided, or not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
error: program 'git' failed with exit code 128
(use '--show-trace' to show detailed location information)

and this is my flake.nix: the URL is pointing to one of my private repos. Just started learning Nix and flake.

{
  # put some repo URLs.
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";

    nyngwang-dotfiles = {
      url = "git+ssh://git@github.com:nyngwang/dotfiles.git";
    };
  };

  outputs = { self }: {
    foo = "bar";
  };
}

@cole-h
Member

cole-h commented Mar 24, 2023

See #3991 (comment). Specifically, the colon after GitHub is the problem.
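
Added example (not part of the thread and not Nix's own code): the colon mistake above comes from pasting git's scp-style remote (`git@host:path`) into a flake URL. The hypothetical helper `to_flake_url` below rewrites such a remote, or the broken `ssh://...host:path` mix, into the `git+ssh://user@host/path` form, optionally appending the `?ref=`/`&rev=` query mentioned earlier in the thread.

```python
import re
from urllib.parse import urlencode

# scp-style remote as git prints it: [user@]host:path (no scheme).
_SCP = re.compile(
    r"^(?:(?P<user>[^@/:\s]+)@)?(?P<host>[^@/:\s]+):(?P<path>(?!//)\S+)$"
)
# URL-style remote, also accepting the broken "host:path" mix from the thread.
# A purely numeric component followed by "/" is treated as a port.
_URL = re.compile(
    r"^(?:git\+)?ssh://(?:(?P<user>[^@/:\s]+)@)?(?P<host>[^@/:\s]+)"
    r"(?::(?P<port>\d+)(?=/))?[:/](?P<path>[^\s?]+)$"
)


def to_flake_url(remote, ref=None, rev=None):
    """Turn an SSH git remote into a git+ssh:// flake input URL.

    `to_flake_url` is a hypothetical helper name. It expects a bare remote
    without a query string and raises ValueError for anything that is not
    an SSH remote (for example an https:// URL).
    """
    # Try the URL form first: the scp pattern must never see "ssh://...".
    m = _URL.match(remote) or _SCP.match(remote)
    if not m:
        raise ValueError(f"not an SSH git remote: {remote!r}")
    parts = m.groupdict()

    authority = parts["host"]
    if parts.get("user"):
        authority = f"{parts['user']}@{authority}"
    if parts.get("port"):
        authority = f"{authority}:{parts['port']}"

    # Note: scp-style paths are relative to the login directory while URL
    # paths are absolute; on forges such as GitHub both name the same repo.
    path = parts["path"].lstrip("/")
    url = f"git+ssh://{authority}/{path}"

    # ref = branch or tag, rev = commit, as described in the thread.
    query = {k: v for k, v in (("ref", ref), ("rev", rev)) if v}
    return f"{url}?{urlencode(query, safe='/')}" if query else url


if __name__ == "__main__":
    # Constructed sample inputs mirroring the URLs posted in this issue.
    print(to_flake_url("git@github.com:nyngwang/dotfiles.git"))
    print(to_flake_url("git+ssh://git@host:path", ref="main"))
```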

@nyngwang

nyngwang commented Mar 24, 2023

@cole-h Thank you! Now I got this error. How could I make it evaluate only the foo attribute?

✘:1 ~/.config/nvim % nix eval .                                           11:02:5
error: flake 'path:/Users/ningwang/.config/nvim' does not provide attribute 'pack
es.aarch64-darwin.default' or 'defaultPackage.aarch64-darwin'

@cole-h
Member

cole-h commented Mar 24, 2023

By using .#foo instead of ..

@nyngwang

nyngwang commented Mar 24, 2023

@cole-h Lol, I did try (without the double quotes) it but got an error:

zsh: no matches found: .#foo

Now with double quotes it works! nix eval ".#foo" (is this some quirk of zsh?)

✘:1 ~/.config/nvim % nix eval ".#foo"                                     11:06:36
"bar"
