Allow CLI to pass environment variables to FOD builder (#8830)

Add a new experimental `impure-env` setting that is a key-value list of environment variables to inject into FOD derivations that specify the corresponding `impureEnvVars`. This allows clients to make use of this feature (without having to change the environment of the daemon itself) and might eventually deprecate the current behaviour (pick whatever is in the environment of the daemon) as it's more principled and might prevent information leakage.
2025-07-06 21:41:48 +02:00 · 2023-10-11 19:58:42 +08:00 · 2023-10-11 19:58:42 +08:00 · 94e91566ed
commit 94e91566ed
parent 301623f3a3
8 changed files with 99 additions and 4 deletions
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -4,6 +4,7 @@
 #include "types.hh"
 #include "config.hh"
 #include "util.hh"
+#include "experimental-features.hh"

 #include <map>
 #include <limits>
@ -1052,6 +1053,25 @@ public:
          ```
        )"
    };
+
+    Setting<StringMap> impureEnv {this, {}, "impure-env",
+        R"(
+          A list of items, each in the format of:
+
+          - `name=value`: Set environment variable `name` to `value`.
+
+          If the user is trusted (see `trusted-users` option), when building
+          a fixed-output derivation, environment variables set in this option
+          will be passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md##adv-attr-impureEnvVars).
+
+          This option is useful for, e.g., setting `https_proxy` for
+          fixed-output derivations and in a multi-user Nix installation, or
+          setting private access tokens when fetching a private repository.
+        )",
+        {}, // aliases
+        true, // document default
+        Xp::ConfigurableImpureEnv
+    };
 };