{ lib }:
# Locates the Docker registry credentials file for the builder.
#
# Credentials can reach the builder's environment in three ways:
#
# 1. Via impureEnvVars. This works very well for single-user Nix
#    installations but is difficult for multi-user ones, because the
#    environment variables have to be set on the nix-daemon, which is
#    either complicated or unsafe (i.e: configuring them via Nix means
#    the secrets will be persisted into the store, which is
#    world-readable).
#
# 2. Via a DOCKER_CREDENTIALS entry in the NIX_PATH (usually added with
#    the '-I ' argument that most Nix tools accept) whose value is the
#    path to a credentials file. An attempt is then made to read the
#    credentials from that file. For username and password based
#    authentication the file contains two lines:
#
#      $ cat ./credentials-file.txt
#      DOCKER_USER=myusername
#      DOCKER_PASS=mypassword
#
#    ... and for token based authentication a single line:
#
#      $ cat ./credentials-file.txt
#      DOCKER_TOKEN=mytoken
#
# 3. Via a credentials file at /etc/nix-docker-credentials.txt, in the
#    same format as the file described in #2. This is necessary for
#    situations (like Hydra) where the NIX_PATH given to the nix-build
#    invocation cannot be customized to carry the DOCKER_CREDENTIALS
#    path.
#
# Only method 2 is resolved by this expression: it evaluates to the path
# of the first DOCKER_CREDENTIALS entry in builtins.nixPath, or to the
# empty string when there is no such entry. Methods 1 and 3 are not
# handled here.
#
# The result is the location of the file, never its contents; nothing in
# this expression reads the secret. The file itself holds a plaintext
# password or token, so keep it readable only by the accounts that need
# it.
# NOTE(review): consumers should keep passing this value around as a
# plain string. Coercing it to a Nix path value and interpolating it
# would copy the credentials file into the store -- confirm against the
# caller.
let
  # True for a NIX_PATH entry registered under the DOCKER_CREDENTIALS prefix.
  isCredentialsEntry = { prefix, path }: prefix == "DOCKER_CREDENTIALS";

  # Every matching entry, in NIX_PATH order; the first one wins below.
  credentialEntries = builtins.filter isCredentialsEntry builtins.nixPath;
in
  # The second argument is evaluated lazily, so builtins.head is never
  # forced on an empty list.
  lib.optionalString (credentialEntries != []) (builtins.head credentialEntries).path