Fetch with sshpass

jacg · November 7, 2022, 12:56pm

I’m trying to nixify some build instructions which require fetching some resources with sshpass.

How should I go about doing this?

Is it possible to create fixed-output fetchers that use arbitrary fetching commands?

TLATER · November 7, 2022, 11:22pm

Yes, that’s how fetchurl is implemented. In fact, this is abused here and there in nixpkgs to build things in ways that end up being unreproducible.

To get that behavior you basically just need to set these three args in stdenv.mkDerivation: tlaterpkgs/pkgs/maptool.nix at 2bd6d586cd570cc984e7fbe6f57128f02b5089b6 · TLATER/tlaterpkgs · GitHub

Try not to abuse this knowledge too much.

You’ll probably struggle provisioning credentials, though. Might be worth looking at exactly how fetchurl does this.

jacg · November 9, 2022, 8:34am

Not sure what you mean. outputHashAlgo, outputHashMode and outputHash? These seem related to verifying that I have fetched what I expect to be fetched, but I don’t see how this specifies how it should be fetched.

Where can I find the source of fetchurl?

NobbZ · November 9, 2022, 9:43am

By specifying outputHash* family of options to derivation you can lift some of the sandbox restrictions like not having network access.

Without knowing sshpass, I am not sure if that actually is able to help you.

fetchurls implementation can be found in pkgs/top-level/all-packages.nix, the definition starting around line 820 seems to be the most relevant.

Which loads and overrides pkgs/build-supprt/fetchurl/default.nix if I see it right. You might consider both locations to get the full grasp of it.

TLATER · November 9, 2022, 10:28am

Yep, as @NobbZ says, they just make your derivation an FOD. The actual builder (and thereby stdenv’s various phases) is then allowed to run almost arbitrary commands, at least it’s far less restricted.

jacg · November 9, 2022, 10:39am

So perhaps the way to go is to create a derivation just for the resource that I need to fetch using sshpass and simply use sshpass in a custom builder in that derivation. The outputHash* trick can be used in that derivation only, limiting the liberty to do arbitrary stuff to just this tiny area. And then this derivation can be used as a dependency in the bigger derivation that needs access to the sshpass-fetchable resource.