Enterprise: Difference between revisions

Line 1:

When trying to use Nix and NixOS in corporations there are a number of ~~hurdles to overcome that aren't always clear from the start. This page describes a number of practices that will help integrating Nix within a company.~~

When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.

~~== Overlays ==~~

Most companies will need additional packages that should not be in Nixpkgs. This includes internal packages, but also variations and patched versions of existing packages. A practical way to include these is by using an overlay. More information about overlays can be found in the [https://nixos.org/nixpkgs/manual/#chap-overlays Nixpkgs manual].

~~A good example of a company owned and open source overlay is [https://github.com/mozilla/nixpkgs-mozilla nixpkgs-mozilla].~~

~~== Reproducibility across workstations and pinning==~~

~~Most examples of Nix expressions use the following to import Nixpkgs:~~

~~let pkgs = import <nixpkgs> { }~~

~~in ...~~

~~This is fine when you're the only~~ one ~~using this expression, however when others also use this expression you~~ will run into ~~reproducability issues~~. ~~<code><nixpkgs></code> is~~ a ~~reference~~ to ~~the <code>nixpkgs</code> entry in your <code>NIX_PATH</code> or nix-channels. That means different workstations will have different versions~~ of ~~Nixpkgs.~~

~~To solve this problem we will pin the version of Nixpkgs in our package definition. The following example will pin on the latest revision of release-18.03 of Nixpkgs at the time of writing:~~

~~let pkgs = import ((import <nixpkgs> { }).fetchFromGitHub {~~

~~owner = "NixOS";~~

~~repo = "nixpkgs";~~

~~rev = "c674fa8eac306ffe79348b39cd814cec18da3425";~~

~~sha256 = "1jpyhir2fvbg92frq8rzahds4jxbi0p9p6rjs6lwfbxfxc3yvg8i";~~

~~}) { }~~

~~in ...~~

~~When nixpkgs is pinned all users of the expression will have the exact same build, no matter what nix-channels or NIX_PATH are configured~~.

== Private resources ==

Line 34:

Line 7:

=== fetchurl ===

<code>fetchurl</code> is used to retrieve HTTP~~(S)~~ resources, but is also used by <code>fetchFromGithub</code>. For private resources this will usually result in an error like the following:

<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>fetchFromGithub</code>. For private resources this will usually result in an error like the following:

curl: (22) The requested URL returned error: 401 Unauthorized

Line 45:

Line 18:

password SECRET

~~Also, make sure the nix-daemon and nixbld users have permission to this file.~~

Next the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your <code>/etc/nix/nix.conf</code> file so that it includes the following lines:

Line 61:

Line 33:

};

}

in ...

in

...

Now all fetchurl calls will use the specified netrc file with the credentials of your choice.

== SSL Intercepting Proxy ==

As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy, see [https://github.com/NixOS/nix/issues/1896 nix issue #1896] . The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>.

@@ Line 1: / Line 1: @@
-When trying to use Nix and NixOS in corporations there are a number of hurdles to overcome that aren't always clear from the start. This page describes a number of practices that will help integrating Nix within a company.
+When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.
-== Overlays ==
-Most companies will need additional packages that should not be in Nixpkgs. This includes internal packages, but also variations and patched versions of existing packages. A practical way to include these is by using an overlay. More information about overlays can be found in the [https://nixos.org/nixpkgs/manual/#chap-overlays Nixpkgs manual].
-A good example of a company owned and open source overlay is [https://github.com/mozilla/nixpkgs-mozilla nixpkgs-mozilla].
-== Reproducibility across workstations and pinning==
-Most examples of Nix expressions use the following to import Nixpkgs:
- let pkgs = import <nixpkgs> { }
- in ...
-This is fine when you're the only one using this expression, however when others also use this expression you will run into reproducability issues. <code>&lt;nixpkgs&gt;</code> is a reference to the <code>nixpkgs</code> entry in your <code>NIX_PATH</code> or nix-channels. That means different workstations will have different versions of Nixpkgs.
-To solve this problem we will pin the version of Nixpkgs in our package definition. The following example will pin on the latest revision of release-18.03 of Nixpkgs at the time of writing:
- let pkgs = import ((import <nixpkgs> { }).fetchFromGitHub {
-   owner = "NixOS";
-   repo = "nixpkgs";
-   rev = "c674fa8eac306ffe79348b39cd814cec18da3425";
-   sha256 = "1jpyhir2fvbg92frq8rzahds4jxbi0p9p6rjs6lwfbxfxc3yvg8i";
- }) { }
- in ...
-When nixpkgs is pinned all users of the expression will have the exact same build, no matter what nix-channels or NIX_PATH are configured.
 == Private resources ==
@@ Line 34: / Line 7: @@
 === fetchurl ===
-<code>fetchurl</code> is used to retrieve HTTP(S) resources, but is also used by <code>fetchFromGithub</code>. For private resources this will usually result in an error like the following:
+<code>fetchurl</code> is used to retrieve HTTP resources, but is also used by <code>fetchFromGithub</code>. For private resources this will usually result in an error like the following:
   curl: (22) The requested URL returned error: 401 Unauthorized
@@ Line 45: / Line 18: @@
       password SECRET
-Also, make sure the nix-daemon and nixbld users have permission to this file.
 Next the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your <code>/etc/nix/nix.conf</code> file so that it includes the following lines:
@@ Line 61: / Line 33: @@
     };
   }
-  in ...
+  in
+ ...
 Now all fetchurl calls will use the specified netrc file with the credentials of your choice.
+== SSL Intercepting Proxy ==
+As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy, see [https://github.com/NixOS/nix/issues/1896 nix issue #1896] . The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>.