legacy-old-hercules icon indicating copy to clipboard operation
legacy-old-hercules copied to clipboard

Published 20 hours ago verified publisher icon hercules-ci

SSH binary cache keys management thorugh Hercules

Open k0001 opened this issue 8 years ago • 11 comments

As a side effect of running Hydra one gets a binary cache that can be served through SSH using the SSH substituter mechanism from Nix. This way of accessing the cache through SSH access is very useful for those only willing to share the build outputs with those who have explicitely been granted access (see #22). It would be nice if allowed SSH keys for these users could be managed from the Hercules UI.

k0001 avatar Jan 31 '17 20:01 k0001

Would you consider HTTP with basic auth instead? it's easier to setup.

domenkozar avatar Feb 01 '17 11:02 domenkozar

This is probably something which is best handled outside of Hercules, in a nixops configuration perhaps.

expipiplus1 avatar Feb 01 '17 11:02 expipiplus1

I'm currently handling this through NixOps, but it is a pain point. I think that if Hercules is going to make it easier for companies to adopt Nix, then alternative solutions to issues like this one need to be discussed.

HTTP basic auth (over HTTPS, of course) could work. Nix can handle an URL like https://foo:[email protected]/blah, but the problem is that such URL including the password is then displayed to the console, thus appearing in logs, etc. That's no good. Maybe Nix needs to learn about HTTP basic auth and treat those credentials more carefully?

k0001 avatar Feb 01 '17 11:02 k0001

Yes, I'd rather have Nix adhere HTTP rules and not reveal username/password

domenkozar avatar Feb 01 '17 11:02 domenkozar

I agree :)

I'd be happy to add this to the post-1.0 milestone to discuss further then when Hercules's place in the ecosystem is a little more fleshed out.

I suspect that this issue would be better served with some more nixops documentation and examples.

If it turns out that Hercules can easily manage this aspect of a nix-server then I wouldn't be opposed to adding it.

expipiplus1 avatar Feb 01 '17 11:02 expipiplus1

I'll open an issue for that.

k0001 avatar Feb 01 '17 11:02 k0001

Thanks for your suggestions, @k0001. Please feel free to join the #nixos-hercules channel on Freenode too!

expipiplus1 avatar Feb 01 '17 11:02 expipiplus1

#hercules-ci you mean? I'm there :)

k0001 avatar Feb 01 '17 11:02 k0001

See https://github.com/NixOS/nix/issues/950

k0001 avatar Feb 01 '17 11:02 k0001

Here's my proposed solution to the HTTP credentials issue: https://github.com/NixOS/nix/pull/1215

If/when this is accepted, then we can figure out a way to have Hercules generate user and passwords for accessing the HTTP binary cache. The user and password here should probably be different from the ones used to access the web UI, they could be automatically generated by Hercules per each user (think of them more like "access tokens").

k0001 avatar Feb 02 '17 15:02 k0001

This is now upstream in Nix, together with https://github.com/NixOS/nix/commit/302386f775eea309679654e5ea7c972fb6e7b9af

domenkozar avatar Feb 28 '17 15:02 domenkozar