Enterprise: Difference between revisions
imported>Bobvanderlinden mNo edit summary |
imported>Bobvanderlinden No edit summary |
||
Line 11: | Line 11: | ||
curl: (22) The requested URL returned error: 401 Unauthorized | curl: (22) The requested URL returned error: 401 Unauthorized | ||
Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from curl that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual]. | Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from <code>curl</code> that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the [https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html GNU manual]. | ||
For our example, we will create the file in <code>/etc/nix/netrc</code>. The contents will look similar to the following: | For our example, we will create the file in <code>/etc/nix/netrc</code>. The contents will look similar to the following: | ||
Line 22: | Line 22: | ||
netrc-file = /etc/nix/netrc | netrc-file = /etc/nix/netrc | ||
Lastly, the default way of fetching urls is using curl inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. | Lastly, the default way of fetching urls is using <code>curl</code> inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. <code>netrc-file</code> is thus only applicable to fetches being done by Nix itself. In addition, we do not want to place the netrc file inside the sandbox, because that could potentially leak private credentials into builds. <code>fetchurlBoot</code> uses this builtin function and makes sure the call-sign is mostly compatible with the regular <code>fetchurl</code>. This function is used most often to bootstrap some of the more basic packages like <code>curl</code> itself, but it can also be very useful for fetching files outside of the sandbox. | ||
Since '''fetchurlBoot''' is mostly compatible with '''fetchurl''' we can override '''fetchurl''' where needed: | Since '''fetchurlBoot''' is mostly compatible with '''fetchurl''' we can override '''fetchurl''' where needed: |
Revision as of 06:28, 23 May 2018
When trying to use Nix and NixOS in corporations there are a number of issues one will run into. This page tries to provide a solution to each of these issues.
Private resources
Building internal projects will require fetching of internal (private) source code and other resources. These resources usually are protected by some form of credentials.
fetchurl
fetchurl
is used to retrieve HTTP resources, but is also used by fetchFromGithub
. For private resources this will usually result in an error like the following:
curl: (22) The requested URL returned error: 401 Unauthorized
Nix will not know about your credentials in your home directory, as the builders have no access to those files. However, Nix has a few options borrowed from curl
that will help in this situation. A netrc file can be used that holds the credentials for all domains that require authorisation. More information on netrc can be found in the GNU manual.
For our example, we will create the file in /etc/nix/netrc
. The contents will look similar to the following:
machine DOMAINNAME login USERNAME password SECRET
Next the netrc file needs to be accessible in the builds. We will configure Nix to allow access to this file directly from the build sandboxes. Edit your /etc/nix/nix.conf
file so that it includes the following lines:
netrc-file = /etc/nix/netrc
Lastly, the default way of fetching urls is using curl
inside a build sandbox. This is a powerful command, but it will not use (and cannot use) a netrc file that is outside of the build sandbox. netrc-file
is thus only applicable to fetches being done by Nix itself. In addition, we do not want to place the netrc file inside the sandbox, because that could potentially leak private credentials into builds. fetchurlBoot
uses this builtin function and makes sure the call-sign is mostly compatible with the regular fetchurl
. This function is used most often to bootstrap some of the more basic packages like curl
itself, but it can also be very useful for fetching files outside of the sandbox.
Since fetchurlBoot is mostly compatible with fetchurl we can override fetchurl where needed:
mypackage = callPackage <mypackage.nix> {
fetchurl = fetchurlBoot;
};
Now the package is built exactly the same way as before, but resources will be fetched using fetchurlBoot. fetchurlBoot will in turn download the resources within Nix itself, which will use the netrc-file and use the right credentials for the domain names that you have defined.
TLS Intercepting Proxy
As of right now there currently does not seem to be a way to install nix packages via an intercepting proxy which replaces the original TLS certificate with the certificate created by the intercepting proxy, see nix issue #1896.
The proxy itself can be set via the environment variables HTTP_PROXY
and HTTPS_PROXY
.