Use ssh-agent for distributed builds

[fricklerhandwerk]

Is your feature request related to a problem?

I may be holding it wrong, but:

Running distributed builds with an encrypted private key seems to be impossible currently. Nix apparently takes the key file verbatim and doesn't ask the agent, and SSH's password prompt fails with

debug1: read_passphrase: can't open /dev/tty: No such device or address

Related: #5133

Proposed solution

What should be possible is adding an encrypted key to ssh-agent and sharing the agent's socket with the root user. Then Nix must consult the agent to unlock the key.

Alternative solutions

As a workaround, do all sorts of stuff where keeping an unecrypted key around in /root/.ssh is unproblematic.

Additional context

Getting remote builds to work is a problem I had since my beginnings of using Nix, and I have strong anecdotal evidence that it's still a very important feature for new users.

https://nix.dev/tutorials/nixos/distributed-builds-setup

Checklist

• checked latest Nix manual (source)
• checked open feature issues and pull requests for possible duplicates

---

Add 👍 to issues you find important.