poetry2nix

Private Repository Authentication not working for new nix-commands and flakes (pure mode)

Open MartinLoeper opened this issue 2 years ago • 2 comments

Describe the issue

There is support for private repositories which was implemented via https://github.com/nix-community/poetry2nix/pull/390. It seems to work fine using nix-build and the other older nix commands.

However, the new nix-commands like nix develop do not work with the current implementation since builtins.nixPath is empty to ensure purity.

My workaround is to fork the repository and hardcode NETRC. I do not know the proper fix for this issue...

Does anyone have an idea how to make this work properly in flakes + new nix-commands?

MartinLoeper Nov 19 '23 21:11

I had the idea to create a .netrc file from a local poetry.toml:

[http-basic.some_source]
username = "foo"
password = "bar"

I created a working prototype: https://git.moritzboeh.me/moritz/poetry-netrc. In the example directory, in default.nix, one can see the usage. Maybe if there was a way to explicitly add such a file via the top-level API and pass it down into the actual derivations, where it can then be used in a pure manner, the issue you and I both face could be resolved. This would mean the passwords would end up in the nix store, but that's the price of pureness. What do you and the maintainers of the project think of such an approach?

MoritzBoehme Jan 15 '24 16:01

A solution that doesn't need a fork and where secrets don't end up in the Nix store would be highly appreciated.

I believe something like allowing secrets to be passed through env variables and fetching against a URL with those secrets, like https://github.com/pypa/pip/pull/10998/files#diff-47789c42d35bbbaca2a6150628b02ae41d1ef286ab87f592056bdc5bb65b3c80R441, could help; then we should be able to pass impureEnvVars (docs) into the fetcher:

    runCommand file
      {
        nativeBuildInputs = [ python3 ];
        impureEnvVars = lib.fetchers.proxyImpureEnvVars; # <-----------------
        outputHashMode = "flat";
        outputHashAlgo = "sha256";
        outputHash = hash;
        NETRC = netrc_file;
        passthru.isWheel = lib.strings.hasSuffix "whl" file;
      } ''

at https://github.com/nix-community/poetry2nix/blob/3c92540611f42d3fb2d0d084a6c694cd6544b609/vendor/pyproject.nix/fetchers/default.nix#L121

heimalne Mar 27 '24 12:03
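An added sketch of the environment-variable approach discussed in this thread (not part of the original comments and not poetry2nix code): a Python helper the fetcher could run inside the build to turn credentials from the environment into a temporary netrc, so nothing secret is written to the store. It assumes the variables follow Poetry's `POETRY_HTTP_BASIC_<NAME>_USERNAME` / `_PASSWORD` convention and are listed in the fetcher's impureEnvVars; the function names and the host are hypothetical.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit


def env_key(source_name, field):
    # Poetry's convention: name upper-cased, "." and "-" replaced by "_".
    name = re.sub(r"[.-]", "_", source_name).upper()
    return f"POETRY_HTTP_BASIC_{name}_{field}"


def netrc_lines(sources, environ):
    """sources maps source name -> index URL. Returns one netrc line per
    source that has both a username and a password in environ."""
    lines = []
    for name, url in sorted(sources.items()):
        user = environ.get(env_key(name, "USERNAME"))
        password = environ.get(env_key(name, "PASSWORD"))
        if user is None or password is None:
            continue  # no credentials for this source: fetch anonymously
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"source {name!r} has no host in {url!r}")
        for value in (user, password):
            # netrc tokens are whitespace-separated: refuse values that
            # would be split or would smuggle in extra entries.
            if not value or re.search(r"\s", value):
                raise ValueError(f"bad credential for source {name!r}")
        lines.append(f"machine {host} login {user} password {password}")
    return lines


def write_netrc(sources, environ, directory=None):
    """Write the netrc under directory (default: the temp dir, which in a
    Nix build is the sandbox build directory, not $out). Returns the path,
    or None when no credentials were supplied."""
    lines = netrc_lines(sources, environ)
    if not lines:
        return None
    fd, path = tempfile.mkstemp(prefix="netrc-", dir=directory)  # mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample: source name from the poetry.toml above, made-up host.
    demo = {"POETRY_HTTP_BASIC_SOME_SOURCE_USERNAME": "foo",
            "POETRY_HTTP_BASIC_SOME_SOURCE_PASSWORD": "bar"}
    print(netrc_lines({"some_source": "https://pypi.example.invalid/simple/"}, demo))
```

The returned path would be exported as NETRC for the download step only; because the output is fixed by outputHash, the credentials affect whether the fetch succeeds, not what ends up in the store.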