[Nix-dev] nix on the corporate world (no direct internet access)

Utku Demir utdemir at gmail.com
Sat Jul 9 15:42:06 CEST 2016


At our company, we deal a lot with nasty corp network environments,
and use nix with only minor hiccups.

We have the exact same problem (corporate firewalls), but a slightly
different use case: our only objective is to install a specific derivation.

We first generate a binary cache and serve that `$cache_dir` with a simple
static web server:

$ nix-push --dest $cache_dir /nix/store/000000-myPackage

And on the client, we just install nix and run:

$ nix-store --option extra-binary-caches https://our-server/our-path \
    --realise /nix/store/000000-myPackage
$ nix-env -i /nix/store/000000-myPackage

We iterated a while trying different options (`nix-install-package` etc.)
and found this to be the most robust way.

Some problems we got:

* Some security devices can block big files (> 100 MB); we had to split some
of our larger derivations into smaller ones
* nix can make hundreds of HTTP requests to the cache when realising a
derivation. DoS prevention devices can interfere with that
* We could only use HTTPS web servers with self-signed certificates (because
they have no domain), but our version of nix didn't have an option to
disable certificate checking. We had to patch nix's source to allow that.

Feel free to ask if you have more questions.

Utku

On Fri, 8 Jul 2016 at 13:56 Azul <mail at azulinho.com> wrote:

> Hey all,
>
> So I am using nix on one of those nasty corp network environments, where
> not even DNS works and everything needs to go through the corporate proxy.
>
> The proxy is slow, a lot of URLs are blocked down as 'gambling' (just try
> to download a jenkins plugin !!) and using tooling like cntlm is hard, as
> it hangs more often than not on load.
>
> in my production environment, I won't have internet access so I need to
> install nix packages from a on-premises repository.
>
>
> So we're looking into caching the nix packages we consume through a remote
> repository in artifactory (which can get much friendlier 'red tape' in
> accessing the outside world).
>
> My question is, has anyone done this?
> Would a silly URL like http://artifactory/remote_nix/file_paths
> invalidate the hydra cache and force all packages to be built locally?
>
> -azul
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
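The three problems Utku lists (a per-file size limit on the security devices, one narinfo plus one nar request per closure member, and a cache the client cannot verify) can all be checked on the cache directory before it is served. The script below is an added example, not code from the original post or from Nix itself: it walks the closure of one store path through the `.narinfo` files that `nix-push` writes into `$cache_dir`, counts the HTTP requests a client will make to realise that path, flags entries whose compressed nar exceeds a byte limit, and flags entries with no `Sig:` line. The sample cache it builds in a temporary directory is constructed for the example (the 32-character hashes, the zero `FileHash`/`NarHash` values and the `Sig` value are placeholders); the field names it reads (`FileSize`, `References`, `Sig`) are the ones of the narinfo format.

```shell
#!/usr/bin/env bash
# Offline pre-flight check of a static Nix binary cache directory (the
# $cache_dir produced by nix-push) before it goes behind a corporate proxy.
# Walks the closure of one store path through the .narinfo files and reports
# the HTTP requests needed to realise it, nars over a size limit, and entries
# that carry no Sig: line. Added example; the sample cache below is constructed.
set -eu

# Print the value of one narinfo field (FileSize, References, Sig, ...).
narinfo_field() {  # $1 = path to .narinfo, $2 = field name
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Print every store-path hash in the closure of $2, one per line, each once.
# A narinfo's References line lists "<hash>-<name>" entries the path needs at
# run time; the client has to fetch all of them, so we follow them recursively.
walk_closure() {  # $1 = cache dir, $2 = 32-char hash of the root path
    local cache="$1" seen="" queue="$2" hash ni ref
    while [ -n "$queue" ]; do
        hash=${queue%% *}            # first word of the queue
        queue=${queue#"$hash"}       # drop it
        queue=${queue# }             # and the separating space
        case " $seen " in *" $hash "*) continue ;; esac
        seen="$seen $hash"
        ni="$cache/$hash.narinfo"
        [ -f "$ni" ] || { echo "missing narinfo for $hash" >&2; return 1; }
        printf '%s\n' "$hash"
        for ref in $(narinfo_field "$ni" References); do
            queue="$queue${queue:+ }${ref%%-*}"   # keep the hash, strip "-<name>"
        done
    done
}

# One GET for the .narinfo plus one GET for the nar, per closure member.
count_requests() {  # $1 = cache dir, $2 = root hash
    local n
    n=$(walk_closure "$1" "$2" | wc -l | tr -d ' ')
    echo $((n * 2))
}

# Closure members whose compressed nar (FileSize) is above $3 bytes.
oversized_members() {  # $1 = cache dir, $2 = root hash, $3 = byte limit
    local cache="$1" limit="$3" h size
    walk_closure "$cache" "$2" | while read -r h; do
        size=$(narinfo_field "$cache/$h.narinfo" FileSize)
        if [ "${size:-0}" -gt "$limit" ]; then
            echo "$h $size"
        fi
    done
}

# Closure members with no Sig: line; a client cannot verify these.
unsigned_members() {  # $1 = cache dir, $2 = root hash
    local cache="$1" h
    walk_closure "$cache" "$2" | while read -r h; do
        if [ -z "$(narinfo_field "$cache/$h.narinfo" Sig)" ]; then
            echo "$h"
        fi
    done
}

# --- constructed sample cache (placeholder hashes, not real store paths) ---
SAMPLE_PKG=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
SAMPLE_LIB=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
SAMPLE_LIBC=cccccccccccccccccccccccccccccccc

write_narinfo() {  # $1 = dir, $2 = hash, $3 = name, $4 = FileSize, $5 = References, $6 = yes|no (signed)
    cat >"$1/$2.narinfo" <<EOF
StorePath: /nix/store/$2-$3
URL: nar/$2.nar.xz
Compression: xz
FileHash: sha256:0000000000000000000000000000000000000000000000000000
FileSize: $4
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: $4
References: $5
EOF
    if [ "$6" = yes ]; then
        echo "Sig: example-cache-1:c2lnbmF0dXJl" >>"$1/$2.narinfo"   # placeholder signature
    fi
}

make_sample_cache() {  # $1 = empty directory to populate
    # myPackage (120 MB nar) -> libfoo (unsigned) -> glibc; libfoo also references itself
    write_narinfo "$1" "$SAMPLE_PKG"  myPackage 120000000 "$SAMPLE_LIB-libfoo $SAMPLE_LIBC-glibc" yes
    write_narinfo "$1" "$SAMPLE_LIB"  libfoo    4000000   "$SAMPLE_LIB-libfoo $SAMPLE_LIBC-glibc" no
    write_narinfo "$1" "$SAMPLE_LIBC" glibc     30000000  "$SAMPLE_LIBC-glibc" yes
}

# Stand-alone run against the constructed sample cache.
cache=$(mktemp -d)
make_sample_cache "$cache"
echo "requests to realise myPackage: $(count_requests "$cache" "$SAMPLE_PKG")"
echo "nars over 100 MiB:"
oversized_members "$cache" "$SAMPLE_PKG" $((100 * 1024 * 1024))
echo "unsigned entries:"
unsigned_members "$cache" "$SAMPLE_PKG"
rm -rf "$cache"
```

Point `count_requests`, `oversized_members` and `unsigned_members` at a real `$cache_dir` and the hash part of the store path you pushed to get the same report for your own cache. On the certificate problem: making the client trust the self-signed certificate (newer Nix versions honour `NIX_SSL_CERT_FILE` for that) keeps verification on, whereas patching the check out of nix leaves the client accepting any server on the path to the cache; signing the pushed paths (`nix-store --generate-binary-cache-key`, and `--key-file` where your `nix-push` supports it) and listing the public key in `binary-cache-public-keys` on the client is what lets nix verify what it downloaded rather than where it came from.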