SSH binary cache keys management through Hercules #23

Open
k0001 opened this issue Jan 31, 2017 · 11 comments

@k0001

k0001 commented Jan 31, 2017

As a side effect of running Hydra one gets a binary cache that can be served through SSH using the SSH substituter mechanism from Nix. This way of accessing the cache through SSH access is very useful for those only willing to share the build outputs with those who have explicitly been granted access (see #22). It would be nice if allowed SSH keys for these users could be managed from the Hercules UI.

@domenkozar
Contributor

Would you consider HTTP with basic auth instead? It's easier to set up.

@expipiplus1
Contributor

This is probably something which is best handled outside of Hercules, in a nixops configuration perhaps.

@k0001
Author

k0001 commented Feb 1, 2017

I'm currently handling this through NixOps, but it is a pain point. I think that if Hercules is going to make it easier for companies to adopt Nix, then alternative solutions to issues like this one need to be discussed.

HTTP basic auth (over HTTPS, of course) could work. Nix can handle a URL like https://foo:[email protected]/blah, but the problem is that such a URL, including the password, is then displayed to the console, thus appearing in logs, etc. That's no good. Maybe Nix needs to learn about HTTP basic auth and treat those credentials more carefully?
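
The leak described in the comment above, as an added example that is not part of the original thread and is not code from Nix or Hercules: a log filter that masks credentials embedded in http(s) URLs before lines are stored, and reports which lines exposed them. The host name, credentials and sample lines are constructed.

```python
import re

MASK = "REDACTED"

# Scheme plus authority of an http(s) URL. The authority ends at the first
# "/", "?", "#" or whitespace, so an "@" in a path or query is never misread.
_AUTHORITY = re.compile(r"(?P<scheme>https?://)(?P<authority>[^\s/?#]*)", re.IGNORECASE)


def _mask(match):
    scheme, authority = match.group("scheme"), match.group("authority")
    # Split on the last "@", as URL parsers do, so a password that itself
    # contains "@" is masked in full.
    userinfo, at, host = authority.rpartition("@")
    if not at:
        return match.group(0)  # no embedded credentials
    user, colon, _password = userinfo.partition(":")
    if colon:
        return f"{scheme}{user}:{MASK}@{host}"
    return f"{scheme}{MASK}@{host}"  # a lone userinfo value is often a token


def redact(line):
    """Return line with credentials in http(s) URLs replaced by MASK."""
    return _AUTHORITY.sub(_mask, line)


def leaking_lines(lines):
    """Return 1-based numbers of the lines that expose URL credentials."""
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


# Constructed sample output (not real Nix output); host and credentials are made up.
SAMPLE = [
    "fetching https://foo:bar@cache.example.org/nix-cache-info",
    "fetching https://cache.example.org/nar/abc.nar.xz?mail=a@b.org",
    "error: unable to download 'https://foo:p@ss@cache.example.org/x.narinfo'",
    "using substituter http://deploytoken@cache.example.org",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact(line))
    print("lines exposing credentials:", leaking_lines(SAMPLE))
```

A password containing an unencoded "/" ends the authority early and is not masked by this filter, so it complements keeping credentials out of URLs rather than replacing that.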

@domenkozar
Contributor

Yes, I'd rather have Nix adhere to HTTP rules and not reveal username/password.

@expipiplus1
Contributor

I agree :)

I'd be happy to add this to the post-1.0 milestone to discuss further then, when Hercules's place in the ecosystem is a little more fleshed out.

I suspect that this issue would be better served with some more nixops documentation and examples.

If it turns out that Hercules can easily manage this aspect of a nix-server then I wouldn't be opposed to adding it.

@k0001
Author

k0001 commented Feb 1, 2017

I'll open an issue for that.

@expipiplus1
Contributor

expipiplus1 commented Feb 1, 2017

Thanks for your suggestions, @k0001. Please feel free to join the #nixos-hercules channel on Freenode too!

@k0001
Author

k0001 commented Feb 1, 2017

#hercules-ci you mean? I'm there :)

@k0001
Author

k0001 commented Feb 1, 2017

See NixOS/nix#950

domenkozar added this to the post 1.0 milestone Feb 2, 2017

@k0001
Author

k0001 commented Feb 2, 2017

Here's my proposed solution to the HTTP credentials issue: NixOS/nix#1215

If/when this is accepted, then we can figure out a way to have Hercules generate user and passwords for accessing the HTTP binary cache. The user and password here should probably be different from the ones used to access the web UI; they could be automatically generated by Hercules per each user (think of them more like "access tokens").

@domenkozar
Contributor

This is now upstream in Nix, together with NixOS/nix@302386f
