Enterprise: Difference between revisions
imported>Makefu No edit summary |
imported>Makefu syntaxHighlight |
||
Line 22: | Line 22: | ||
build-sandbox-paths = /etc/nix/netrc | build-sandbox-paths = /etc/nix/netrc | ||
Lastly, the builds need to know that they need to use the netrc file in fetchurl. We will override the definition of fetchurl to include <code>--netrc-file /etc/nix/netrc</code> in the curl options used by fetchurl. The following shows how this might look in your Nix file: | Lastly, the builds need to know that they need to use the netrc file in <code>fetchurl</code>. We will override the definition of <code>fetchurl</code> to include <code>--netrc-file /etc/nix/netrc</code> in the curl options used by <code>fetchurl</code>. The following shows how this might look in your Nix file: | ||
<syntaxHighlight lang=nix> | |||
let pkgs = import <nixpkgs> { | let pkgs = import <nixpkgs> { | ||
config = { | config = { | ||
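Review bot: The paragraph reworded in this hunk sits directly under build-sandbox-paths = /etc/nix/netrc, which makes the credentials file readable from every build sandbox, and the text still does not say so. While this paragraph is being edited, add a sentence stating that any derivation built on the machine can read the file, and say what ownership and mode the file should have.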
Line 30: | Line 30: | ||
curlOpts = "${pkgs.lib.optionalString (opts ? curlOpts) "${opts.curlOpts}"} --netrc-file /etc/nix/netrc"; | curlOpts = "${pkgs.lib.optionalString (opts ? curlOpts) "${opts.curlOpts}"} --netrc-file /etc/nix/netrc"; | ||
}); | }); | ||
fetchurl = fetchurlPrivate; | |||
}; | }; | ||
} | } | ||
in | in | ||
... | |||
</syntaxHighlight> | |||
Now all fetchurl calls will use the specified netrc file with the credentials of your choice. | Now all '''fetchurl''' calls will use the specified netrc file with the credentials of your choice. | ||
== SSL Intercepting Proxy == | == SSL Intercepting Proxy == | ||
As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy, see [https://github.com/NixOS/nix/issues/1896 nix issue #1896] . The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>. | As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy, see [https://github.com/NixOS/nix/issues/1896 nix issue #1896] . The proxy itself can be set via the environment variables <code>HTTP_PROXY</code> and <code>HTTPS_PROXY</code>. |
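Review bot: The closing braces before "in" do not balance the openers. After the "});" that ends fetchurlPrivate there is only "};" and "}", so the set opened by "import <nixpkgs> {" is never closed and "config = { ... }" has no terminating ";". Since the block is now highlighted as Nix, close both levels with "};" so the snippet parses. Separately, the last sentence marks fetchurl with bold ('''fetchurl''') while the paragraph above was changed to <code>fetchurl</code>; use <code> in both places.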
Revision as of 21:29, 14 May 2018
When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.
Private resources
Building internal projects will require fetching internal (private) source code and other resources. These resources are usually protected by some form of credentials.
fetchurl
fetchurl is used to retrieve HTTP resources, but is also used by fetchFromGitHub. For private resources this will usually result in an error like the following:
curl: (22) The requested URL returned error: 401 Unauthorized
Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from curl that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the GNU manual.
For our example, we will create the file in /etc/nix/netrc. The contents will look similar to the following:
machine DOMAINNAME login USERNAME password SECRET
Next, the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your /etc/nix/nix.conf file so that it includes the following lines:
build-sandbox-paths = /etc/nix/netrc
Lastly, the builds need to know that they need to use the netrc file in fetchurl. We will override the definition of fetchurl to include --netrc-file /etc/nix/netrc in the curl options used by fetchurl. The following shows how this might look in your Nix file:
let pkgs = import <nixpkgs> {
  config = {
    packageOverrides = pkgs: rec {
      # Wrap the stock fetchurl so every call also passes the netrc file to curl,
      # keeping any curlOpts the caller already set.
      fetchurlPrivate = opts: pkgs.fetchurl (opts // {
        curlOpts = "${pkgs.lib.optionalString (opts ? curlOpts) "${opts.curlOpts}"} --netrc-file /etc/nix/netrc";
      });
      fetchurl = fetchurlPrivate;
    };
  };
};
in
...
Now all fetchurl calls will use the specified netrc file with the credentials of your choice.
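Because the override hands the netrc file to every fetchurl call and the file is visible in the build sandboxes, it is worth auditing what the file contains. The following check is an added example, not part of the original wiki page; the host name, the allow-list and the permission policy are assumptions, and the sample file is constructed.

```python
import netrc
import os
import stat
import tempfile

# Placeholder tokens from the template line shown on this page.
PLACEHOLDERS = {"DOMAINNAME", "USERNAME", "SECRET"}


def audit_netrc(path, allowed_hosts):
    """Return findings for a netrc file exposed to Nix build sandboxes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("file is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    try:
        hosts = netrc.netrc(path).hosts
    except netrc.NetrcParseError as err:
        return findings + [f"parse error: {err}"]
    for host, (login, _account, password) in sorted(hosts.items()):
        if host == "default":
            # curl applies a 'default' entry to any host without its own entry.
            findings.append("'default' entry matches every host fetchurl contacts")
        elif host not in allowed_hosts:
            findings.append(f"unexpected host: {host}")
        if PLACEHOLDERS & {host, login, password}:
            findings.append(f"template placeholder left in entry: {host}")
    return findings


def demo():
    """Audit a constructed sample file (no real credentials)."""
    sample = (
        "machine git.internal.example login builder password s3cr3t\n"
        "machine DOMAINNAME login USERNAME password SECRET\n"
        "default login builder password s3cr3t\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_netrc(path, allowed_hosts={"git.internal.example"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, call audit_netrc("/etc/nix/netrc", ...) with the set of internal hosts you expect to authenticate against.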
SSL Intercepting Proxy
As of right now there does not seem to be a way to install Nix packages via an intercepting proxy; see nix issue #1896. The proxy itself can be set via the environment variables HTTP_PROXY and HTTPS_PROXY.