We used it at NixCon; good lord, they don't like us speaking.
I have used artifactory before.
Marsnix might be a solution for you. If you reach out to @matthewcroughan directly he can give you more information on what's needed to bring that up to release standard and whether it fits your needs.
might be useful for you. This populates the NixOS tarball server (upload to S3 buckets, download via HTTPS).
You copy all the source tarballs onto a server and point nix at that, and you're done.
Or hack the /etc/hosts file, but don't tell anyone I told you to do that, as that's an ugly hack:
tarballs.nixos.org 192.168.0.100 (or some local https server on your network).
You may have to fiddle with SSL certs a bit to stop it complaining.
You may even be able to point at Artifactory itself… if it can supply tarballs over HTTPS in a way that makes fetchurl happy. Nix needs it to be content-addressed, so Artifactory might not like that.
like…
wget http://tarballs.nixos.org/sha256/1gsfidg3gim5pjbl82vkh0cw4ya253m4p7nirm8nr6yjrsirkzxg
It's quite likely Artifactory won't understand that, though it might be possible to patch it to make it understand.
You can probably get Artifactory to check these tarballs for known vulnerabilities at the same time.
Your DevSecOps people should be able to help you with that.
Some ideas for you.
At the end of the day, nix checks the hash of each fixed-output derivation, so it doesn't really matter where it comes from… it could come from a server on the moon over an unencrypted satellite link; if that hash matches, you're all good to go.
So I'm trying to understand your threat model: is it to stop developers on your internal network writing their own derivations and fetching source code? Maybe you can explain that, or maybe you can't.
talks about this, with tools, but it's focused on binary cache mirroring and caching, which is not what I think you need.
Good luck, and keep nixxing.
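The point the reply leans on is that a fixed-output derivation is only trusted by its hash, and that tarballs.nixos.org serves each source under a content address of the form `sha256/<nix-base32-hash>`. The following is an added example, not code from the poster or from the Nix project: it reimplements Nix's own base32 hash encoding in Python, builds that content-addressed path, and checks a fetched blob against it the way nix does regardless of which server handed it over. The mirror hostname and the sample tarball bytes are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Nix's base32 alphabet: 32 characters, deliberately omitting e, o, t and u.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def to_nix_base32(digest: bytes) -> str:
    """Encode raw hash bytes the way Nix prints them (its own base32 variant).

    Nix emits characters from the most significant 5-bit group down, and the
    groups are taken from the low end of the byte string, so this is not
    RFC 4648 base32. A 32-byte SHA-256 digest becomes 52 characters.
    """
    n_chars = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(n_chars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i < len(digest) - 1:
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def from_nix_base32(text: str, n_bytes: int = 32) -> bytes:
    """Inverse of to_nix_base32; raises ValueError on bad length, bad characters
    or non-zero overflow bits in the leading character."""
    if len(text) != (n_bytes * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a nix base32 hash of this size")
    digest = bytearray(n_bytes)
    for n, ch in enumerate(reversed(text)):
        value = NIX_BASE32.find(ch)
        if value < 0:
            raise ValueError(f"invalid nix base32 character {ch!r}")
        i, j = divmod(n * 5, 8)
        digest[i] |= (value << j) & 0xFF
        if i < n_bytes - 1:
            digest[i + 1] |= value >> (8 - j)
        elif value >> (8 - j):
            raise ValueError("leading character carries bits beyond the hash")
    return bytes(digest)


def content_address(data: bytes) -> str:
    """Path under which a tarballs.nixos.org-style mirror serves this blob."""
    return "sha256/" + to_nix_base32(hashlib.sha256(data).digest())


def sri_hash(data: bytes) -> str:
    """Same digest in the SRI form that newer fetchurl calls accept (hash = "sha256-...")."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def verify_fetched(url_or_path: str, data: bytes) -> bool:
    """Trust the bytes only if they hash to the content address in the path,
    which is exactly what nix enforces for a fixed-output derivation."""
    parts = url_or_path.rstrip("/").split("/")
    if len(parts) < 2 or parts[-2] != "sha256":
        return False
    try:
        expected = from_nix_base32(parts[-1])
    except ValueError:
        return False
    # Constant-time comparison of the two 32-byte digests.
    return hmac.compare_digest(expected, hashlib.sha256(data).digest())


# Constructed stand-in for a source tarball; not a real upstream artifact.
SAMPLE_TARBALL = b"\x1f\x8b" + b"constructed sample tarball payload, not a real archive\n" * 4


def demo() -> dict:
    """Mirror path for the sample, plus a genuine and a tampered fetch check."""
    path = content_address(SAMPLE_TARBALL)
    tampered = SAMPLE_TARBALL[:-1] + b"!"
    return {
        "path": path,
        "sri": sri_hash(SAMPLE_TARBALL),
        # mirror.internal is an assumed hostname for a local tarball server
        "genuine_ok": verify_fetched("https://mirror.internal/" + path, SAMPLE_TARBALL),
        "tampered_ok": verify_fetched(path, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` output shows why the transport and the host do not matter for a fixed-output fetch: the genuine bytes verify from any URL that carries the right content address, and a single changed byte fails regardless of where it was served from. The same `sha256/<hash>` path convention is what a local mirror populated from upstream tarballs would need to expose for `fetchurl` fallbacks to resolve against it.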