Help with Flakes that require authentication credentials

I’m trying to create a flake for an internal project that uses poetry2nix and requires python packages from an internal package repository.

Because of the way that poetry.lock files work, there is no way to infer the exact URL to download, but the lock file does have a hash. poetry2nix has a fixed-output derivation that does some HTML sleuthing to get the download link, downloads the package, and moves it to the output folder. This can’t be replaced with fetchurl to get native Nix netrc credentials support. The devs have a workaround: adding the netrc file to the Nix path, and passing the netrc file into the build environment via extra-sandbox-paths. (This seems like a security risk, but that’s another topic.)

My problem is that when running in flake mode, even with the --impure option enabled, the netrc file doesn’t get passed into the sandbox.

Does anyone know of another way to inject credentials into flakes? I’m open to contributing an alternative implementation back to poetry2nix, but I don’t really know where to start.

1 Like

These docs suggest that extra-sandbox-paths should work with flakes.

Does anyone know if there’s any conditions for using extra-sandbox-paths that I may not be hitting?

Turns out that I was passing --option extra-sandbox-paths /etc/nix but nix build wants --extra-sandbox-paths /etc/nix, which is now working.

2 Likes
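The fix in the last post hands the sandbox the whole /etc/nix directory, and the first post already flags the credentials exposure as a risk. Below is an added example (not from this thread, not poetry2nix code) of a small wrapper that narrows that: it exposes only the netrc file itself, and refuses to run at all unless the file is a regular file readable by its owner alone. The function names, the DRY_RUN switch and the netrc path are assumptions for illustration; the derivation must of course expect the file at the path you mount.

```shell
#!/bin/sh
# Added example (not from the thread or poetry2nix): wrap the posted fix so
# that a credentials file is only exposed to the Nix sandbox when it is a
# regular file with owner-only permissions, and mount just that file rather
# than the whole /etc/nix directory. Function names are assumed, not Nix settings.

# Return 0 if $1 is a regular file with mode 0600 or 0400, 1 otherwise.
netrc_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Run `nix build` with only the netrc file bind-mounted into the sandbox.
# When DRY_RUN is set the command is echoed instead, so the wrapper can be
# exercised on a machine without Nix installed.
build_with_netrc() {
  f="$1"; shift
  if ! netrc_is_private "$f"; then
    echo "refusing to expose $f to the sandbox: not a 0600/0400 regular file" >&2
    return 1
  fi
  if [ -n "${DRY_RUN:-}" ]; then
    echo nix build --extra-sandbox-paths "$f" "$@"
  else
    nix build --extra-sandbox-paths "$f" "$@"
  fi
}

# Usage (assumed path): build_with_netrc /etc/nix/netrc .#default
```

Anything that runs inside the sandbox during the build can still read the file, so this only limits what is exposed, not who inside the build can see it.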