Enterprise: Difference between revisions

(4 intermediate revisions by 4 users not shown)

Line 1:

When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.

When trying to use Nix and NixOS in corporations there are a number of issues one will run into normally because of networking restrictions. This page tries to provide a solution to each of these issues.

== Private resources ==

Line 7:

=== fetchurl ===

<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>~~fetchFromGithub~~</code>. For private resources this will usually result in an error like the following:

<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>fetchFromGitHub</code>. For private resources this will usually result in an error like the following:

curl: (22) The requested URL returned error: 401 Unauthorized

Line 27:

mypackage = callPackage <mypackage.nix> {

fetchurl = fetchurlBoot;

fetchurl = stdenv.fetchurlBoot;

};

</syntaxHighlight>

Line 34:

== TLS Intercepting Proxy ==

TLS-Intercepting proxies will intercept each and every TLS connection and replace the original certificate with it's own to be able to introspect the traffic. This of course creates validation issues with the "official" ca-certificate project.

Since [https://github.com/NixOS/nix/issues/1896 nix pr #2181] you are able to set your intercepting Proxy certificate via <code>NIX_SSL_CERT_FILE</code> to a file on your system which contains the root and intermediate certificates of your proxy.

See also [https://nixos.org/nix/manual/#sec-nix-ssl-cert-file the appropriate section in the nix manual]

~~As of right now there currently does not seem to~~ be ~~a way to install nix packages~~ via ~~an intercepting proxy which replaces~~ the ~~''original'' TLS certificate with the certificate created by the intercepting proxy, see [https://github.com/NixOS/nix~~/~~issues~~/~~1896 nix issue #1896]~~.

The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>.

The ~~proxy itself can be set via~~ the ~~environment variables <code>HTTP_PROXY<~~/~~code~~> ~~and~~ <~~code>HTTPS_PROXY~~<~~/code>~~.

== Dynamic generation of netrc files ==

Sometimes you have to deal with dynamically short-lived tokens that must be generated on the fly. The above options do not cover this, so the best way forward is to use `fetchurl`'s `netrcPhase` option:

newPkgs = pkgs.extend (

final: prev: {

fetchurl =

args:

(prev.fetchurl.override {

inherit (pkgs) cacert; # required to avoid infrec

})

(

args

// {

netrcPhase =

# do stuff here to get credentials

BAR=\'\'$(dynamic-shell-script)

cat > netrc <<EOF

machine foobar

login FOO

password \'\'$BAR

EOF

'';''

}

);

}

);

now any fetch in newPkgs will dynamically generate tokens with `fetchurl`.

[[Category:Networking]]

@@ Line 1: / Line 1: @@
-When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.
+When trying to use Nix and NixOS in corporations there are a number of issues one will run into normally because of networking restrictions. This page tries to provide a solution to each of these issues.
 == Private resources ==
@@ Line 7: / Line 7: @@
 === fetchurl ===
-<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>fetchFromGithub</code>. For private resources this will usually result in an error like the following:
+<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>fetchFromGitHub</code>. For private resources this will usually result in an error like the following:
   curl: (22) The requested URL returned error: 401 Unauthorized
@@ Line 27: / Line 27: @@
 <syntaxHighlight lang=nix>
 mypackage = callPackage <mypackage.nix> {
-   fetchurl = fetchurlBoot;
+   fetchurl = stdenv.fetchurlBoot;
 };
 </syntaxHighlight>
@@ Line 34: / Line 34: @@
 == TLS Intercepting Proxy ==
+TLS-Intercepting proxies will intercept each and every TLS connection and replace the original certificate with it's own to be able to introspect the traffic. This of course creates validation issues with the "official" ca-certificate project.
+Since [https://github.com/NixOS/nix/issues/1896 nix pr #2181] you are able to set your intercepting Proxy certificate via <code>NIX_SSL_CERT_FILE</code> to a file on your system which contains the root and intermediate certificates of your proxy.
+See also [https://nixos.org/nix/manual/#sec-nix-ssl-cert-file the appropriate section in the nix manual]
-As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy which replaces the ''original'' TLS certificate with the certificate created by the intercepting proxy, see [https://github.com/NixOS/nix/issues/1896 nix issue #1896].
+The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>.
-The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>.
+== Dynamic generation of netrc files ==
+Sometimes you have to deal with dynamically short-lived tokens that must be generated on the fly. The above options do not cover this, so the best way forward is to use `fetchurl`'s `netrcPhase` option:
+ newPkgs = pkgs.extend (
+    final: prev: {
+      fetchurl =
+        args:
+        (prev.fetchurl.override {
+          inherit (pkgs) cacert; # required to avoid infrec
+        })
+          (
+            args
+            // {
+              netrcPhase =
+                # do stuff here to get credentials
+                BAR=\'\'$(dynamic-shell-script)
+                cat > netrc <<EOF
+                machine foobar
+                        login FOO
+                        password \'\'$BAR
+                EOF
+              '';''
+            }
+          );
+    }
+  );
+now any fetch in newPkgs will dynamically generate tokens with `fetchurl`.
+[[Category:Networking]]