
I put an access token in my nix.conf:

access-tokens = gitlab.mycompany.com=PAT:MyTokenXxX123

nix show-config also outputs it correctly.

Now I am trying to build an example derivation:

# default.nix
{ pkgs ? import <nixpkgs> {} }:

let
  # Define the source for the company's GitLab repository with a fake sha
  companyRepo = pkgs.fetchgit {
    url = "https://gitlab.mycompany.com/UserName/example.git";
    rev = "foo";
    sha256 = "faa8f83dc92671033e284ff66a9883681abdaf85b5e239ab9799d76451c71c79";
  };

  # Import the company's package set
  companyPkgs = import companyRepo { inherit pkgs; };
in
  # Use a package from the company's package set
  companyPkgs.example-package

I get the error:

fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address
fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address
fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address
fatal: could not read Username for 'https://gitlab.mycompany.com': No such device or address
Unable to checkout refs/tags/foo from https://gitlab.mycompany.com/UserName/example.git.

It seems that nix-build can't resolve the token. If I put the auth string directly into the URI:

https://PAT:MyTokenXxX123@gitlab.mycompany.com/UserName/example.git

it works. But obviously, I don't want to do that.

Maybe it has to do with the Nix build users used for building the derivation being different from my logged-in user, and indeed, sudo nix show-config doesn't list my token either.

However, since the system-wide config is in the store, that would possibly mean I would have to store the token somewhere in configuration.nix or go all-in with sops-nix or something like that... for an extremely simple task of just supplying credentials to build something...

Is there anything I am missing here or do I really have to go the sops-nix etc. route?

rabejens
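The URL-with-token workaround mentioned in the question makes the token part of the derivation, which is written to the world-readable Nix store. As an added example (not part of the original post), a small check that flags URL literals with embedded credentials in Nix files and prints them redacted; the function names and the sample input are constructed here.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Double-quoted string literals that hold an http(s) URL.
URL_LITERAL = re.compile(r'"(https?://[^"\s]+)"')

# Constructed sample reusing the placeholder values from the question.
SAMPLE = '''\
companyRepo = pkgs.fetchgit {
  url = "https://PAT:MyTokenXxX123@gitlab.mycompany.com/UserName/example.git";
  rev = "foo";
};
cleanRepo = pkgs.fetchgit {
  url = "https://gitlab.mycompany.com/UserName/example.git";
};
'''

def find_embedded_credentials(nix_source):
    """Return (line_number, redacted_url) for every URL literal with userinfo."""
    findings = []
    for line_no, line in enumerate(nix_source.splitlines(), start=1):
        for match in URL_LITERAL.finditer(line):
            parts = urlsplit(match.group(1))
            if parts.username is None and parts.password is None:
                continue
            # Rebuild the URL without the secret so the report is safe to log.
            host = parts.hostname or ""
            if parts.port:
                host += f":{parts.port}"
            redacted = urlunsplit((parts.scheme, "REDACTED@" + host,
                                   parts.path, parts.query, parts.fragment))
            findings.append((line_no, redacted))
    return findings

def main(paths):
    """Scan the given files (or the sample) and return a shell exit status."""
    sources = {p: open(p, encoding="utf-8").read() for p in paths} or {"<sample>": SAMPLE}
    hits = 0
    for name, text in sources.items():
        for line_no, url in find_embedded_credentials(text):
            print(f"{name}:{line_no}: credentials embedded in URL {url}")
            hits += 1
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the paths of the .nix files to check; a non-zero exit status makes it usable as a pre-commit or CI gate.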