Handle private inputs

[mrVanDalo]

Just switching to nixinate and run into some minor problem. I use inputs which are private and prefer buildOn = remote. This results (of course) in an exeption "Permission Denied". A fix at the moment for me is to run :

nix flake archive --json \
  | jq -r '.inputs.private_assets.path' \
  | xargs nix-copy-closure root@myMachine

But it would be to have a more convenient way right in the flake.nix to do this. (of course coping every input makes no sense).

Alternatively I'll create a pull request describing this problem an a proper solution in the README.md or something (if wanted of course).

[CRTified]

Is it really harmful to copy every input? Assuming they're used, they will get pulled by the remote either way. Copying them first just shifts the point in time where the remote receives that input in its store?

[mrVanDalo]

No it's not harmful. I'm with copying every flake input.

[MatthewCroughan]

Another option is to use ssh-agent, which does not require modifying nixinate

[CRTified]

That has two disadvantages as opposed to pre-fetching and pushing the inputs:

• It exposes the keys available. Problematic if the deployment target is less trusted than your machine.
• It requires that the target has a route to grab the input itself. Might be a problem for isolated machines.

[happysalada]

I was really glad to find this, here is my nushell adapted version (for those that it might help)

nix flake archive --json | from json | get inputs.private_input.path | xargs nix copy --t
o ssh://not_root@my_machine

or the script for all the inputs

    def nix_copy_inputs [to: string] {
      nix flake archive --json | from json | get inputs | transpose | each { |input| $input.column1.path | xargs nix copy --to $"ssh://($to)" }
    }

I do agree that it would be nice to have this taken care of automatically, but it might be hard to do it for every shells.