Usage with private NPM packages?

[rpearce]

Hi, thanks for the work here! I'm somewhat familiar with nix but definitely am new to this project and was trying to see if there's a current solution for working with private NPM packages?

Thank you!

[svanderburg]

Currently there isn't. I actually don't use private NPM packages myself, but it would definitely be an interesting feature to have, but this is something that needs to be investigated.

[rpearce]

Thank you for the quick response!

[lionello]

This worked for me:

let
  netrc = builtins.path { name = "netrc"; path = ~/.netrc; };
  fetchurlPrivate = opts: fetchurl (opts // {
    curlOpts = "${opts.curlOpts or ""} --netrc-file ${netrc}";
  });
  nodeEnv = import ./default.nix {
    inherit pkgs;
    fetchurl = fetchurlPrivate;
  };
in nodeEnv.shell

Put your usernames/passwords in ~/.netrc according to https://ec.haxx.se/usingcurl-netrc.html. Change the generated default.nix and add fetchurl ? pkgs.fetchurl as an arg on top.

[bobvanderlinden]

Good suggestion, does the .netrc file also need to be included as sandbox-paths in the nix.conf?

[lionello]

@bobvanderlinden No need!

[rpearce]

@lionello I will try this out soon. Thank you for responding

[locallycompact]

How do you get node2nix to run in the first instance in order to generate the default.nix? I get a 401 unauthorized when I try to run node2nix with a custom --registry flag.

[lionello]

@locallycompact I used a .netrc file

[locallycompact]

Placed where, used how?

[locallycompact]

@lionello If I have a ~/.netrc in my home directory node2nix doesn't pick it up. I can't use the snippet you posted above because I can't run node2nix in the first instance to generate the required default.nix. How do I get around this?

[lionello]

Sorry, I meant ~/.npmrc:

_auth=auth-key-from-private-npm-registry
email=email-for-private-npm-registry
registry=https://url-for-private-npm-registry
always-auth=true

I also noticed that node2nix now has a --use-fetchgit-private option, which you can use with

export NIX_PATH="ssh-config-file=/etc/ssh/ssh_config:ssh-auth-sock=$SSH_AUTH_SOCK:$NIX_PATH"

[codygman]

I would also find this feature very useful.

[jamesottaway]

https://nixos.wiki/wiki/Enterprise has some relevant info on how to instruct Nix builds to use creds found in /etc/nix/netrc.

[adrian-gierakowski]

@lionello in your solution the netrc file ends up being copied to nix-store, doesn't it? In which case it's not secure

[lionello]

Yeah you're right. Nowadays you should be able to use builtins.fetchurl instead.

[camelpunch]

This is still an issue. If you try to use builtins.fetchurl, you end up with another problem: the derivations generated by node2nix use sha512, which isn't recognised by builtins.fetchurl. You can try to use import <nix/fetchurl.nix> instead, but that doesn't unpack the tarball.

[camelpunch]

I ended up with the following hack. In my case I wanted to build a private npm package that depended upon private npm packages, all located on GitHub packages. I first ran node2nix with:

  --registry https://registry.npmjs.org \
  --registry https://npm.pkg.github.com \
  --registry-auth-token "$token" \
  --registry-scope @my-scope

This generates default.nix, node-env.nix and node-packages.nix.

To avoid changing any of these generated files, I replaced nixpkgs' fetchurl with <nix/fetchurl.nix>. That derivation uses builtins.fetchurl, which cares about netrc files. But it doesn't untar, so I added that:

nodeEnv = import ./default.nix {
  pkgs = pkgs // {
    fetchurl =
      let
        otherFetchurl = import <nix/fetchurl.nix>;
      in
      args: pkgs.runCommand "custom-fetched-${args.url}" { } ''
        mkdir $out
        cd $out
        tar --strip-components=1 -xf ${otherFetchurl args}
      '';
  };
  nodejs = pkgs.nodejs;
};