Building an impure, non-sandboxed package that needs access to proxy environment variables with flakes

I’m porting a project at work to flakes, but only near the end did I realize that there was one package left that’s “very impure”: it uses leiningen and nodejs in the buildPhase. While this builds just fine with --no-sandbox, it’s also built in our client’s CI where there are HTTP_PROXY variables set that need to be known during the buildPhase.

So right now we build it like this:

nix-build --no-sandbox \
          --argstr httpProxy "$HTTP_PROXY" \
          --argstr httpsProxy "$HTTPS_PROXY" \
          --argstr noProxy "$NO_PROXY" \

the_directory/default.nix looks roughly like this:

{ pkgs ? import ../nix/pkgs.nix {}, httpProxy ? ""
, httpsProxy ? "", noProxy ? "" }:

pkgs.stdenv.mkDerivation {
  http_proxy = "${httpProxy}";
  HTTP_PROXY = "${httpProxy}";
  https_proxy = "${httpsProxy}";
  HTTPS_PROXY = "${httpsProxy}";
  no_proxy = "${noProxy}";
  NO_PROXY = "${noProxy}";

  buildInputs = [ pkgs.leiningen pkgs.nodejs ];
  buildPhase = ''
    # These need the proxy settings to download their stuff
    npm install
    lein deps
    lein release

Now with flakes this doesn’t seem possible, as --arg and --argstr are prohibited.

If I knew the values of these environment variables (and if they didn’t change often) I could probably replace the input arguments with a .env file, having separate flake outputs for “with proxy variables” and “without proxy variables”, and then using nix build --no-sandbox .#theRespectiveOutput in CI.

Any ideas or things I might have overlooked here to make this special derivation work with flakes? Or even how to reference the result of an old-style nix-build output in my flake (because the result of this build is then used in another output that wraps a docker image around it with dockerTools).

[If there is no way to make this work with flakes, then I think I could live with using the old-style build for these two packages, but I’d have to somehow “get the pkgs from the flake”. Is this possible?]

I think I’ve solved the problems for the most part:

  • I’ve gotten the values of the proxy variables, put them into a .env file, and conditionally source that during the buildPhase (depending on an input argument). Then there’s two flake outputs, one that sources it and one that doesn’t, and the former one is built in the client’s CI.

  • Alternatively: referencing the pkgs set “from flakes” is also possible, namely by using flake-compat: simply make pkgs a flake output and then one can reference it from the “old world”. For instance, reference a specific package via

(import flake-compat here).defaultNix.outputs.packages.x86_64-linux.pkgs.thePackage`

Other possibilities/hammers are:

  • impureEnvVars
  • __noChroot
  • sandbox = relaxed
  • sandbox-paths