Using private (authenticated) dependencies
Uv2nix uses pkgs.fetchurl for fetching from PyPI, and inherits authentication support from nixpkgs.
Getting authentication running in the sandbox requires some system setup.
Project setup
[project]
name = "with-private-deps"
version = "0.1.0"
requires-python = ">=3.12"
dependencies = ["iniconfig"]
[[tool.uv.index]]
name = "my-index"
url = "https://pypi-proxy.fly.dev/basic-auth/simple"
explicit = true
[tool.uv.sources]
iniconfig = { index = "my-index" }
[build-system]
requires = ["setuptools>=42"]
build-backend = "setuptools.build_meta"
Creating a netrc file
In this documentation we assume that the netrc file is saved as /etc/nix/netrc
.
machine pypi-proxy.fly.dev
login public
password heron
To use this netrc file inside our development shell run:
$ export NETRC=/etc/nix/netrc
Overriding source fetching
While pkgs.fetchurl
can use a netrc file, it won't do so by default.
We'll need to override our authenticated package's src
attribute to use our provided file.
let
pyprojectOverrides = _final: prev: {
iniconfig = prev.iniconfig.overrideAttrs(old: {
src = old.src.overrideAttrs(_: {
# Make curl use our netrc file.
curlOpts = "--netrc-file /etc/nix/netrc";
# By default pkgs.fetchurl will fetch _without_ TLS verification for reproducibility.
# Since we are transferring credentials we want to verify certificates.
SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
});
});
};
in ...
Building
To build a package we need to provide our netrc file inside the Nix sandbox.
nix build -L -v --option extra-sandbox-paths /etc/nix/netrc
For a persistent setup extra-sandbox-paths
should be added to nix.conf
.