I’m trying to create a flake for an internal project that uses poetry2nix and requires python packages from an internal package repository.
Because of the way that poetry.lock files work, there is no way to infer the exact url to download but does have a hash. poetry2nix has a fixed-output derivation that does some html sleuthing to get the download link, downloads the package, and moves it to the output folder. This can’t be replaced with
fetchurl to get native nix netrc credentials support. the devs have a workaround, by adding the netrc file to the nix path, and passing the netrc file into the build environment via
extra-sandbox-paths. (this seems like a security risk, but that’s another topic).
My problem is that when running in flake mode, even with the
--impure option enabled, the netrc file doesn’t get passed into the sandbox.
Does anyone know of another way to inject credentials into flakes? I’m open to contributing an alternative implementation back to poetry2nix, but I don’t really know where to start.