Enterprise: Difference between revisions

imported>Parthenon
mNo edit summary
imported>Bobvanderlinden
use fetchurlBoot for private HTTP(S) resources
Line 20: Line 20:
Next the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your <code>/etc/nix/nix.conf</code> file so that it includes the following lines:
Next the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your <code>/etc/nix/nix.conf</code> file so that it includes the following lines:


  build-sandbox-paths = /etc/nix/netrc
  netrc-file = /etc/nix/netrc


Lastly, the builds need to know that they need to use the netrc file in <code>fetchurl</code>. We will override the definition of <code>fetchurl</code> to include <code>--netrc-file /etc/nix/netrc</code> in the curl options used by <code>fetchurl</code>. The following shows how this might look in your Nix file:
Lastly, the default way of fetching urls is using curl inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. Note that we do not want to place the netrc file inside the sandbox, because that could leak private credentials into builds. The Nix package manager itself can also fetch HTTP(S) resources. It can do so using '''fetchurlBoot'''. This is usually used to bootstrap some of the more basic packages like '''curl''' itself, but it can also be very useful for fetching files outside of the sandbox.
 
Since ```fetchurlBoot``` is mostly compatible with ```fetchurl``` we can override ```fetchurl``` where needed:
<syntaxHighlight lang=nix>
<syntaxHighlight lang=nix>
let pkgs = import <nixpkgs> {
mypackage = callPackage <mypackage.nix> {
  config = {
  fetchurl = fetchurlBoot;
    packageOverrides = pkgs: rec {
};
      fetchurlPrivate = opts: pkgs.fetchurl (opts // {
        curlOpts = "${pkgs.lib.optionalString (opts ? curlOpts) "${opts.curlOpts}"} --netrc-file /etc/nix/netrc";
      });
  };
}
in
  ...
</syntaxHighlight>
</syntaxHighlight>


Now '''fetchurlPrivate''' can be used just like '''fetchurl''', but will use the netrc file that includes the credentials of your choice for specific domainnames.
Now the package is built exactly the same way as before, but resources will be fetched using '''fetchurlBoot'''. '''fetchurlBoot''' will in turn download the resources within Nix itself, which will use the netrc-file and use the right credentials for the domain names that you have defined.


== TLS Intercepting Proxy ==
== TLS Intercepting Proxy ==
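
Review bot: The unchanged paragraph introducing the nix.conf lines still says Nix will be configured "to allow access to this file directly from the build sandboxes", which contradicts the new revision. The new revision replaces build-sandbox-paths with netrc-file, and its added paragraph says the netrc file should not be placed inside the sandbox because that could leak private credentials into builds. Suggest rewording the introduction to say that the file is read by Nix itself, outside the build sandbox, so that the page does not lead readers to re-expose the credentials to builds. A smaller point in the added sentence before the code block: fetchurlBoot and fetchurl are wrapped in triple backticks, which is not wiki markup; use <code>fetchurlBoot</code> as the surrounding text does.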