domenkozar
commented
7 years ago Would you consider HTTP with basic auth instead? it's easier to setup.
Open k0001 opened 7 years ago
domenkozar
commented
7 years ago Would you consider HTTP with basic auth instead? it's easier to setup.
expipiplus1
commented
7 years ago This is probably something which is best handled outside of Hercules, in a nixops configuration perhaps.
k0001
commented
7 years ago I'm currently handling this through NixOps, but it is a pain point. I think that if Hercules is going to make it easier for companies to adopt Nix, then alternative solutions to issues like this one need to be discussed.
HTTP basic auth (over HTTPS, of course) could work. Nix can handle an URL like https://foo:bar@example.com/blah, but the problem is that such URL including the password is then displayed to the console, thus appearing in logs, etc. That's no good. Maybe Nix needs to learn about HTTP basic auth and treat those credentials more carefully?
domenkozar
commented
7 years ago Yes, I'd rather have Nix adhere HTTP rules and not reveal username/password
expipiplus1
commented
7 years ago I agree :)
I'd be happy to add this to the post-1.0 milestone to discuss further then when Hercules's place in the ecosystem is a little more fleshed out.
I suspect that this issue would be better served with some more nixops documentation and examples.
If it turns out that Hercules can easily manage this aspect of a nix-server then I wouldn't be opposed to adding it.
k0001
commented
7 years ago I'll open an issue for that.
expipiplus1
commented
7 years ago Thanks for your suggestions, @k0001. Please feel free to join the #nixos-hercules channel on Freenode too!
k0001
commented
7 years ago k0001
commented
7 years ago k0001
commented
7 years ago Here's my proposed solution to the HTTP credentials issue: https://github.com/NixOS/nix/pull/1215
If/when this is accepted, then we can figure out a way to have Hercules generate user and passwords for accessing the HTTP binary cache. The user and password here should probably be different from the ones used to access the web UI, they could be automatically generated by Hercules per each user (think of them more like "access tokens").
domenkozar
commented
7 years ago This is now upstream in Nix, together with https://github.com/NixOS/nix/commit/302386f775eea309679654e5ea7c972fb6e7b9af
As a side effect of running Hydra one gets a binary cache that can be served through SSH using the SSH substituter mechanism from Nix. This way of accessing the cache through SSH access is very useful for those only willing to share the build outputs with those who have explicitely been granted access (see #22). It would be nice if allowed SSH keys for these users could be managed from the Hercules UI.