fix(roagen): use git from pkgs #10

Merged: 1 commit, Jul 11, 2024


Moraxyc
Contributor

@Moraxyc Moraxyc commented Jul 7, 2024

git should be taken from pkgs

@Moraxyc
Contributor Author

Moraxyc commented Jul 7, 2024

By the way, https://git.dn42.dev/dn42/registry.git is not publicly accessible. How do we deal with it with this module?

@SuperSandro2000
Member

You need to create an account and then you can clone the repo. I don't think accounts get approved, so we can just use ssh cloning.

Review comment on modules/roagen.nix (outdated, resolved)
@Moraxyc
Contributor Author

Moraxyc commented Jul 7, 2024

@SuperSandro2000 Yeah, I know. I mean when we use this module and deploy remotely, we may need to provide an option to clone the repo with an access token. Not all hosts have ssh keys with access rights.

@SuperSandro2000
Member

Ah, now I get what you mean. I initially thought how do we manage it via a flake input.
Which might not be fitting for this repo but could be a recommended strategy to deploy?

Otherwise maybe we need to move the systemd service to a separate user and then people can configure gitconfig/ssh_config for that user to allow cloning the repo?

@Moraxyc
Contributor Author

Moraxyc commented Jul 7, 2024

> I initially thought how do we manage it via a flake input.

I'm not sure if I understand what you mean. I do use this roagen module through a flake input.

We can choose ssh or https protocols, corresponding to ssh key authentication and token authentication respectively to clone a repo.

From a simple perspective, I suggest that we can add a tokenFile option to the roagen module, so that we can import this access token through agenix or sops-nix.

git clone --depth=1 https://''$(cat ${cfg.tokenFile})@git.dn42.dev/dn42/registry.git

If we choose ssh to verify the identity, we may need to provide an option like sshKeyFile, and then configure the private key of user bird2.

@SuperSandro2000
Member

> From a simple perspective, I suggest that we can add a tokenFile option to the roagen module, so that we can import this access token through agenix or sops-nix.
>
> git clone --depth=1 https://''$(cat ${cfg.tokenFile})@git.dn42.dev/dn42/registry.git

That would expose the token in the cmd arguments which usually should be avoided. I think writing a short sshconfig and writing the path to the key in there is the way to go.

@SuperSandro2000 SuperSandro2000 merged commit 0c13a93 into NuschtOS:main Jul 11, 2024
1 of 2 checks passed
@Moraxyc Moraxyc deleted the fix-git branch July 11, 2024 10:15
@Moraxyc
Contributor Author

Moraxyc commented Jul 11, 2024

In my impression, this seems to be a common practice in nixpkgs. After the string is written into the shell script, it should be as follows.

git clone --depth=1 https://$(cat /run/agenix/dn42-git)@git.dn42.dev/dn42/registry.git

This would not expose the token.

However, I also agree that it could also be an option to provide such a gitconfig for the user bird2 to use to clone the registry.

@SuperSandro2000
Member

SuperSandro2000 commented Jul 12, 2024

see #12
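
Added example (not part of the thread or of the roagen module): a Linux shell demo of the two clone forms discussed above, showing what ends up in the child process's argv as `/proc/<pid>/cmdline` reports it. The token, temp paths, ssh clone URL and the stand-in `git` script are constructed assumptions; `GIT_SSH_COMMAND` and `ssh -F` are real git/OpenSSH options.

```shell
#!/bin/sh
# Constructed demo (Linux, needs /proc). The token, the temp paths, the ssh
# clone URL and the stand-in "git" are assumptions; nothing touches the network.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
TOKEN_FILE="$DEMO_DIR/dn42-git"   # plays the role of /run/agenix/dn42-git
( umask 077; printf '%s' 'CONSTRUCTED-TOKEN-123' > "$TOKEN_FILE" )

# Stand-in for git: reports its own argv as /proc/<pid>/cmdline shows it,
# which by default is readable by every local user, not only the owner.
FAKE_GIT="$DEMO_DIR/git"
cat > "$FAKE_GIT" <<'EOF'
tr '\000' ' ' < "/proc/$$/cmdline"
echo
EOF

# ssh_config holding only the *path* of a key (placeholder, never created).
cat > "$DEMO_DIR/ssh_config" <<EOF
Host git.dn42.dev
    IdentityFile $DEMO_DIR/id_placeholder
EOF

# Form from the thread: the script text names only the token file, but the
# shell expands $(cat ...) before exec, so the child's argv holds the token.
argv_with_token_in_url() {
    sh "$FAKE_GIT" clone --depth=1 \
        "https://$(cat "$TOKEN_FILE")@git.dn42.dev/dn42/registry.git"
}

# ssh form: argv carries a credential-free URL; the config path travels in
# GIT_SSH_COMMAND, an environment variable, which is not part of cmdline.
argv_with_ssh_config() {
    GIT_SSH_COMMAND="ssh -F $DEMO_DIR/ssh_config" \
        sh "$FAKE_GIT" clone --depth=1 "git@git.dn42.dev:dn42/registry.git"
}

# True when the given argv dump contains the token.
leaks_token() {
    case "$1" in *"$(cat "$TOKEN_FILE")"*) return 0 ;; *) return 1 ;; esac
}

for variant in argv_with_token_in_url argv_with_ssh_config; do
    if leaks_token "$("$variant")"; then
        echo "$variant: token visible in argv"
    else
        echo "$variant: argv clean"
    fi
done
```

The generated script on disk contains only the token file's path in both forms; the difference shows up only in the running process's argument list.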
