Enterprise: Difference between revisions

Line 11:

curl: (22) The requested URL returned error: 401 Unauthorized

Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from curl that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual].

Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from <code>curl</code> that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual].

For our example, we will create the file in <code>/etc/nix/netrc</code>. The contents will look similar to the following:

Line 22:

netrc-file = /etc/nix/netrc

Lastly, the default way of fetching urls is using curl inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. ~~Note that~~ we do not want to place the netrc file inside the sandbox, because that could leak private credentials into builds. ~~The Nix package manager itself can also fetch HTTP(S) resources. It can do so using '''~~fetchurlBoot~~'''~~. This is ~~usually~~ used to bootstrap some of the more basic packages like ~~'''~~curl~~'''~~ itself, but it can also be very useful for fetching files outside of the sandbox.

Lastly, the default way of fetching urls is using <code>curl</code> inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. <code>netrc-file</code> is thus only applicable to fetches being done by Nix itself. In addition, we do not want to place the netrc file inside the sandbox, because that could potentially leak private credentials into builds. <code>fetchurlBoot</code> uses this builtin function and makes sure the call-sign is mostly compatible with the regular <code>fetchurl</code>. This function is used most often to bootstrap some of the more basic packages like <code>curl</code> itself, but it can also be very useful for fetching files outside of the sandbox.

Since '''fetchurlBoot''' is mostly compatible with '''fetchurl''' we can override '''fetchurl''' where needed:

@@ Line 11: / Line 11: @@
   curl: (22) The requested URL returned error: 401 Unauthorized
-Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from curl that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual].
+Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from <code>curl</code> that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual].
 For our example, we will create the file in <code>/etc/nix/netrc</code>. The contents will look similar to the following:
@@ Line 22: / Line 22: @@
   netrc-file = /etc/nix/netrc
-Lastly, the default way of fetching urls is using curl inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. Note that we do not want to place the netrc file inside the sandbox, because that could leak private credentials into builds. The Nix package manager itself can also fetch HTTP(S) resources. It can do so using '''fetchurlBoot'''. This is usually used to bootstrap some of the more basic packages like '''curl''' itself, but it can also be very useful for fetching files outside of the sandbox.
+Lastly, the default way of fetching urls is using <code>curl</code> inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. <code>netrc-file</code> is thus only applicable to fetches being done by Nix itself. In addition, we do not want to place the netrc file inside the sandbox, because that could potentially leak private credentials into builds. <code>fetchurlBoot</code> uses this builtin function and makes sure the call-sign is mostly compatible with the regular <code>fetchurl</code>. This function is used most often to bootstrap some of the more basic packages like <code>curl</code> itself, but it can also be very useful for fetching files outside of the sandbox.
 Since '''fetchurlBoot''' is mostly compatible with '''fetchurl''' we can override '''fetchurl''' where needed: