Failing to use nix with flakes enabled with GitHub Actions #146
Comments
Hi @staticdev, can you please provide a logfile of running the playbook (preferably with |
@nre-ableton after running with -v I noticed that my Vagrantfile does not quite reproduce the problem. I will update my error description ASAP. |
@staticdev Ok. I'm not terribly familiar with Vagrant and haven't tested this role there, so I'm not sure I can easily reproduce. But if you can provide another error log, that would be much appreciated. |
@nre-ableton it is a bit complex but basically the tests for my playbook were relying on root user, the approach you use in this role is much better. Actually I will try to use as an inspiration for improving the playbook. So the error fundamentally comes from my side. Sorry for the inconvenience. |
@staticdev No problem! Glad that you managed to sort it out. 👍 |
Sorry to bother again @nre-ableton but actually I did not sort it out. I have made a repository with minimal reproduction: Also the output -v is in there: https://github.com/staticdev/nix-playbook/blob/main/output.txt The most relevant is:
|
Hi @staticdev, However, the role itself executes fine. It's the package installation task that fails. I would recommend forcing this task to run as the

```yaml
- name: "Install nix package kubectl"
  become: true
  become_user: "{{ workspace_user }}"
  ansible.builtin.command: "nix-env -iA nixpkgs.kubectl"
  environment:
    PATH: "{{ workspace_user_details.home + '/.nix-profile/bin:$PATH' }}"
  changed_when: true
```

Also it's worth noting that
There are some other search results as well, but I only linked the most interesting (IMHO) ones that I found. Most of these threads mention stuff about running the nix install script as root (which |
Thanks for your answer @nre-ableton! Actually I've been trying without success to find a straightforward way to run ansible playbooks on molecule without being root. It is the default and hard to change. I know it is possible to change molecule.yml to have:
Then, gather facts does not work. You disable it, many roles stop working. It is really not trivial, but it would be the best to enforce a good level of security starting from the tests. I will continue trying... About this group error, I will also investigate later once I have the running user part smooth. |
@nre-ableton I found a better way to execute the playbook unprivileged staticdev/nix-playbook@ae326ac For that I needed to fork and deploy my own Dockerfiles to add a user in sudo group with no password required: https://github.com/staticdev/docker-debian12-ansible/blob/main/Dockerfile#L38 Still would be nice if when we execute |
Hmm, that would be nice, but I'm not sure that it's possible. So I just tried the following playbook:

```yaml
---
- name: Run test task
  hosts: localhost
  tasks:
    - debug:
        msg: "HI THERE {{ ansible_env.PATH }}"
    - set_fact:
        ansible_env.PATH: "{{ ansible_env.PATH }}:/foo/bar"
    - debug:
        msg: "HI THERE {{ ansible_env.PATH }}"
```

The second
(Same goes for

```yaml
environment:
  PATH: "{{ ansible_user_home }}/.nix-profile/bin:{{ ansible_env.PATH }}"
```

...and that should work fine once Nix is installed. Would this be a good solution? |
@nre-ableton this should solve your problem:

```yaml
---
- name: Run test task
  hosts: localhost
  tasks:
    - debug:
        msg: "HI THERE {{ ansible_env.PATH }}"
    - name: Add Nix to PATH
      ansible.builtin.set_fact:
        ansible_env: "{{ ansible_env | combine({'PATH': ansible_env.HOME + '/.nix-profile/bin:' + ansible_env.PATH}) }}"
    - debug:
        msg: "HI THERE {{ ansible_env.PATH }}"
```

But even with that, it does not seem a permanent solution; it would have to go to specific configs of sh, bash, zsh, fsh, I suppose. |
@staticdev Interesting. That does work, but unfortunately in practice, it's not enough to run further Nix commands via Ansible. Despite the However, I think I have a much simpler solution. Since the Nix installer already modifies To save you a click, it looks something like this:

```yaml
- name: Try to install a Nix package
  become: true
  become_flags: "--login"
  become_user: "{{ nix_user }}"
  shell: "nix-env -i hello"
```

I'm not super wild about using |
@nre-ableton I will try if this is possible but now I changed the whole playbook to connect a non-privileged from the start. I updated the playbook example that just installs kubectl: https://github.com/staticdev/nix-playbook. I also started using I created a separate branch for that running molecule on Github Actions with -v: staticdev/nix-playbook#1 Logs:
|
Sorry for the late reply, I've been busy with some other stuff these days. Looking at the log, the exact cause of the error seems to be:
We are definitely setting that feature, but in
|
Answering in points to your questions:
|
Interesting, I'll try to mess around with this a bit more today and hopefully figure out what's going on. |
@nre-ableton I spent many hours on this problem and tried many different ansible/molecule settings or changes in my playbook but the problem was not there! The fact was: tests always passed locally for me and never passed on GitHub Actions. I discovered the reason is: nix-user path is a fallback path not the default! In my test machine I do not have a The way to bypass it is by forcing GitHub Actions to clean the value of

```yaml
- name: Run Molecule tests
  run: molecule test
  env:
    PY_COLORS: "1"
    ANSIBLE_FORCE_COLOR: "1"
    MOLECULE_DISTRO: ${{ matrix.distro }}
    XDG_CONFIG_HOME: ""
```

I do not understand the reason behind relying on this variable for installation of nix if you need a defined |
@staticdev Thanks for your detailed investigation! And also, sorry for not getting back to this issue sooner, I was quite busy last week. At first I was a bit puzzled as to what causes this error, because the logic in
However, if I understand correctly, the problem comes from when Maybe a better solution is to harden these conditions, like so:

```yaml
- name: Set fact for XDG user config dir
  ansible.builtin.set_fact:
    xdg_user_config_dir: "{{ lookup('env', 'XDG_CONFIG_HOME') }}"
  when: nix_user == lookup('env', 'USER')

# The lookup module does have a default parameter, but we can't use Jinja2 templates there
- name: Use fallback default for XDG user config dir
  ansible.builtin.set_fact:
    xdg_user_config_dir: "{{ nix_user_details.home }}/.config"
  when: xdg_user_config_dir is not defined
```

I've submitted a PR with the above code here: #155 |
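
Added example, not part of the thread or of the role's code: a shell diagnostic for the mismatch discussed above, where the flakes setting lands in a `nix.conf` under the CI runner's `XDG_CONFIG_HOME` while the unprivileged Nix user reads its own `~/.config`. The function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper names; not the role's code).
# Assumes Nix's documented user-config lookup: $XDG_CONFIG_HOME/nix/nix.conf
# when XDG_CONFIG_HOME is set, otherwise ~/.config/nix/nix.conf. An empty
# value is treated as unset here, following the XDG base directory spec.

# nix_user_conf HOME_DIR [XDG_CONFIG_HOME] -> path of the user-level nix.conf
nix_user_conf() {
    if [ -n "${2:-}" ]; then
        printf '%s/nix/nix.conf\n' "$2"
    else
        printf '%s/.config/nix/nix.conf\n' "$1"
    fi
}

# flakes_enabled FILE -> exit 0 only if an (extra-)experimental-features
# line in FILE lists "flakes" as a whole word before any comment.
flakes_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*(extra-)?experimental-features[[:space:]]*=([^#]*[[:space:]])?flakes([[:space:]]|$)' "$1"
}

# check_user HOME_DIR [XDG_CONFIG_HOME] -> "ok <path>" or "missing <path>"
check_user() {
    conf=$(nix_user_conf "$1" "${2:-}")
    if flakes_enabled "$conf"; then
        echo "ok $conf"
    else
        echo "missing $conf"
    fi
}

# Constructed layout reproducing the CI case: the setting was written under
# the runner's XDG_CONFIG_HOME, but the Nix user has no ~/.config/nix/nix.conf.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/runner-xdg/nix" "$demo_root/home/nixuser"
echo 'experimental-features = nix-command flakes' \
    > "$demo_root/runner-xdg/nix/nix.conf"
check_user "$demo_root/home/nixuser"                          # Nix user's view
check_user "$demo_root/home/nixuser" "$demo_root/runner-xdg"  # runner's view
rm -rf "$demo_root"
```

Run as the target user with `check_user "$HOME" "$XDG_CONFIG_HOME"` to see which file that account resolves and whether it enables flakes.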
Thanks a lot, I have seen it. I just don't understand why |
It's the default because Nix looks at these environment variables if defined (see NixOS/nix#1079). This was implemented in #67, which was submitted by a third-party. You can read the details in that PR thread, but basically it was originally submitted with a |
I am trying to integrate this role in my workspace playbook but I am having trouble trying to run nix after running the role.
I created a repo with minimal way to reproduce staticdev/nix-playbook#1.
I have this error on molecule as well as on Debian machines. I see everything was created, I add the `.nix-profile/bin` to path but still `nix profile install` fails with missing flakes config.

Any idea what might be the cause?