Fetchzip with credentials?

Looking for some guidance/input on how to fetchzip from private file share.

We’ve read thru this thread “How to fetchurl with credentials” and the “Enterprise Wiki”, which outlines how to fetch content from private file shares by setting up a ‘/etc/nix/netrc’ with proper machine and credentials for fetchurl.

We’re assuming the same approach should function work for ‘fetchzip’?

Our use case differs slightly from the how-to described in the “Enterprise Wiki”, which outlines the manual steps for setting up the ‘/etc/nix/netrc’ and ‘/etc/nix/nix.conf’ files whereas we’d like to achieve the same automatically via our ‘configuration.nix’ (i.e. nixos-rebuild switch).

Is there a way to automatically generate the ‘/etc/nix/netrc’ and update the /etc/nix/nix.conf’ (netrc-file = /etc/nix/netrc)?

We understand that secrets (user/pass or security tokens) will need to be placed inside our configuration.nix or similar.

Thoughts?

I’ve still not actually used nix with authentication, but given fetchzip internally just calls fetchurl, I think that’s highly likely: https://github.com/NixOS/nixpkgs/blob/7002a54979fae9d0df692be017aedf4298eab200/pkgs/build-support/fetchzip/default.nix#L26

Firstly, do not just simply place tokens in configuration.nix. This will cause nix to copy them into the world readable nix store, which makes things very much not secret.

There are a couple of approaches, but the ones that see the most use at the minute seem to be GitHub - Mic92/sops-nix: Atomic secret provisioning for NixOS based on sops and GitHub - ryantm/agenix: age-encrypted secrets for NixOS and Home manager.

Instead of placing the token in configuration.nix, they instead add an encrypted file, and have modules to install and decrypt that file at runtime.

Secret management was a big topic a year or so ago, other alternatives are described on the wiki: Comparison of secret managing schemes - NixOS Wiki

nix.conf can of course just be edited with the NixOS option for it: nix.settings. If you use this the netrc file doesn’t really need to be in /etc/nix/netrc either, you can just use it from the store with pkgs.writeText or such.

@TLATER Thanks for the feedback. We’ll take a look at your recommendations. We knew there had to be a better ‘nixify’ means of addressing our use case. Encrypting/decrypting secrets sounds like a viable approach.