diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 3222866dc781..c139030ea973 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -21,6 +21,11 @@ in
 postFetch ? ""
 , preferLocalBuild ? true
 , fetchLFS ? false
+, # Shell code to build a netrc file for BASIC auth
+ netrcPhase ? null
+, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
+ # needed for netrcPhase
+ netrcImpureEnvVars ? []
 }:
 /* NOTE:
@@ -64,10 +69,17 @@ stdenvNoCC.mkDerivation {
 inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName postFetch;
+ postHook = if netrcPhase == null then null else ''
+ ${netrcPhase}
+ # required that git uses the netrc file
+ mv {,.}netrc
+ export HOME=$PWD
+ '';
+
 GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
- impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
- "GIT_PROXY_COMMAND" "SOCKS_SERVER"
+ impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [
+ "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
 ];
 inherit preferLocalBuild;
diff --git a/pkgs/build-support/fetchgit/nix-prefetch-git b/pkgs/build-support/fetchgit/nix-prefetch-git
index 6e869ab5e437..10b402de6145 100755
--- a/pkgs/build-support/fetchgit/nix-prefetch-git
+++ b/pkgs/build-support/fetchgit/nix-prefetch-git
@@ -17,6 +17,10 @@ branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
 out=${out:-}
 http_proxy=${http_proxy:-}
+# allow overwritting cacert's ca-bundle.crt with a custom one
+# this can be done by setting NIX_GIT_SSL_CAINFO and NIX_SSL_CERT_FILE enviroment variables for the nix-daemon
+GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$GIT_SSL_CAINFO}
+
 # populated by clone_user_rev()
 fullRev=
 humanReadableRev=
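Review bot: The comment on the new `netrcPhase` argument states neither the contract the hook depends on nor where the secret should come from. The second hunk runs `mv {,.}netrc`, so the phase has to write a file literally named `netrc` in the current directory, and the phase text is interpolated into `postHook`, which is a derivation attribute and therefore ends up in the store. I would extend the comment to something like `# Shell code that writes ./netrc (BASIC auth). Read secrets from the variables listed in netrcImpureEnvVars; never interpolate them here, the phase text is recorded in the .drv.` and add `# Prefer "machine <host>" entries over "default" so the credentials are only offered to the intended host.` The argument list begins above this hunk, so existing documentation conventions for the other arguments are not visible here.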
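Review bot: The credentials file produced inside the new `postHook` is created with whatever umask the builder inherits, and nothing in the hunk tightens it. Putting `umask 077` on the line before `${netrcPhase}` (or `chmod 600 .netrc` after the `mv`) is a cheap guard for builds that run without a sandbox. Separately, `"NIX_GIT_SSL_CAINFO"` is now passed through to every fetchgit derivation, not only those that set `netrcPhase`; the output hash still pins the fetched content, but it does not protect BASIC-auth credentials sent over a connection validated against a replaced CA bundle. That trade-off deserves a comment next to `impureEnvVars`, for example `# NIX_GIT_SSL_CAINFO replaces the trusted CA bundle; the output hash protects content, not credentials in transit.`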
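Review bot: The added `GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$GIT_SSL_CAINFO}` line only reaches git when `GIT_SSL_CAINFO` is already exported. That holds inside the fetchgit builder, where it is a derivation attribute, but probably not when the script is run by hand with only `NIX_GIT_SSL_CAINFO` set, unless an export exists outside this hunk. The fallback is also expanded without a default, unlike the neighbouring `${out:-}` and `${http_proxy:-}` lines, so it would abort under `set -u` if that is enabled elsewhere in the script. I would write `if [ -n "${NIX_GIT_SSL_CAINFO:-}" ]; then export GIT_SSL_CAINFO=$NIX_GIT_SSL_CAINFO; fi` instead. The comment names `NIX_SSL_CERT_FILE`, which this commit does not add to `impureEnvVars`, so confirm it is passed through elsewhere or drop it from the comment, and fix the spellings "overwritting" and "enviroment" while there.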