Proper way to run python venv with sudo privileges within nix-shell?

Trying NixOS out in order to see if it is something for me or not, and if I should go for NixOS rather than e.g. Debian.

In my job I sometimes have to use python scripts made by others, and every now and then some of the scripts require python to be run with e.g. sudo due communication with a serial device or whatever. Most of these projects come with a requirements.txt file and for now I’ve always dealt with this by just making a venv for that specific project and installing the required packages with pip. However, sometimes I also have to install various system packages for things to work, and that is one of the things that tempts me with NixOS, e.g. not having to install all sorts of packages system wide just because one project depends on them.

I’ve made a shell.nix for one of these projects that I’m trying to make work, but I keep running into issues with missing libraries and whatnot, and it seems like I can’t find out the correct way to do this to make the project work under NixOS:

Some of the python packages from the requirements.txt:

  • libusb1
  • pyserial
  • pycrypto
  • pycryptodome
  • fusepy

My shell.nix looks like the following:

{ pkgs ? import <nixpkgs> { } };

with pkgs:
  nativeBildInputs = [
    pkg-config
  ];

  buildInputs = [
    openssl_1_1
    libusb1
    hidapi #not sure if I need this, but doesn't matter for now
    fuse3
    python311Packages.fusepy
  ];
  shellHook = ''
    export LD_LIBRARY_PATH=${pkgs.openssl}/lib:${pkgs.libusb1}/lib:${pkgs.stdevn.cc.cc.lib}/lib:${pkgs.fuse3}/lib:$LD_LIBRARY_PATH
  '';
}

Due to the dependency on the old version of openssl for this exact project have already run export NIXPKGS_INSECURE=1

Now, this is where it get’s annoying. If I do it this way,

nix-shell shell.nix
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 somescript.py

Script runs, but only until I reach the point where uid of the current user is checked, and then it fails, because I need to run the script with sudo privileges.

However, if I run sudo venv/bin/python3 somescript.py, I get the following error OSError: libusb-1.0.so: cannot open shared object file: No such file or directory

Trying to bypass this by running nix-shell with sudo privileges (sudo NIXPKGS_INSECURE=1 nix-shell shell.nix ... etc) results in pip not being able to build scrypt due to not finding openssl, so basically the LD_LIBRARY_PATH that is exported with the shellHook in the shell.nix is missing, so just a new set of issues.

I also assume this is not the right way to do this, thus I wonder what’s the correct thing to do in order to be able to run a python venv with elevated privileges inside a nix-shell?

Probably not the nix-way to do things, but found a solution which makes the script work as intended, which is good enough for me.

“Solution” was to run it this way sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH PYTHONPATH=$PYTHONPATH venv/bin/python3 script.py

Sudo normally resets the environment to a clean state which can interfere with nix because the correct version of the lib to use is set in the environment.

I would have tried:

sudo -E python script.py

Which tells sudo not to reset the environment.