Forcing impure derivation to be "pure"

StepBroBD · April 3, 2025, 7:24pm

Clickbaity title

So I needed to use a Deno package on my NixOS server, but it would only build with sandbox turned off. But… I really wanted to keep my machine “pure” (avoid --impure flag when building/deploying).

I stumbled upon this cool trick [1] where you can import .nar archives directly as if they’re regular derivations:

importnar = name: url: hash: import <nix/fetchurl.nix> {
  inherit name url hash;
  unpack = true;
};

So I decide to try and make a CI workflow that builds the package with sandbox off, exports the .nar file, and then use <nix/fetchurl.nix> with unpack set to true.

It’s totally a weird and niche workaround, but I thought it was pretty neat!

[1] nixpkgs/pkgs/stdenv/darwin/bootstrap-files/x86_64-apple-darwin.nix at e7241d62601ceef2351aaabaeeee93a4e9f490a2 · NixOS/nixpkgs · GitHub

jade · April 3, 2025, 10:09pm

This looks like the intended use case of sandbox = relaxed and __noChroot. I think zimbatm has a blog post about such things here: Nix packaging, the heretic way

arianvp · April 7, 2025, 10:50am

There is also Built-in Functions - Nix Reference Manual which is the same but works if your nar file has references to other nar files