diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 3362e3e28..52cea1106 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -457,6 +457,29 @@ flag, e.g. --option gc-keep-outputs false.
+ netrc-file
+
+ If set to an absolute path to a netrc
+ file, Nix will use the HTTP authentication credentials in this file when
+ trying to download from a remote host through HTTP or HTTPS. Defaults to
+ $NIX_CONF_DIR/netrc.
+
+ The netrc file consists of a list of
+ accounts in the following format:
+
+
+machine my-machine
+login my-username
+password my-password
+
+
+ For the exact syntax, see the
+ curl documentation.
+
+
+
+
system
This option specifies the canonical Nix system
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index 07ff7b95a..4552ad470 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -62,6 +62,8 @@ my $curlConnectTimeout = int(
$Nix::Config::config{"connect-timeout"} //
$ENV{"NIX_CONNECT_TIMEOUT"} // 0);
+my $netrcFile = $Nix::Config::config{"netrc-file"} //
+ "$Nix::Config::confDir/netrc";
sub addRequest {
my ($storePath, $url, $head) = @_;
@@ -88,6 +90,8 @@ sub addRequest {
$curl->setopt(CURLOPT_FAILONERROR, 1);
$curl->setopt(CURLOPT_CONNECTTIMEOUT, $curlConnectTimeout);
$curl->setopt(CURLOPT_TIMEOUT, 20 * 60);
+ $curl->setopt(CURLOPT_NETRC_FILE, $netrcFile);
+ $curl->setopt(CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
if ($activeRequests >= $maxParallelRequests) {
$scheduled{$curlId} = 1;
@@ -563,7 +567,7 @@ sub downloadBinary {
die if $requireSignedBinaryCaches && !defined $info->{signedBy};
print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n";
checkURL $url;
- if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' $Nix::Config::curlCaFlag '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
+ if (system("$Nix::Config::curl --fail --location --netrc-file $netrcFile --netrc-optional --connect-timeout $curlConnectTimeout -A '$userAgent' $Nix::Config::curlCaFlag '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n";
next;
}
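Review bot: `$netrcFile` is interpolated into the `system()` shell string unquoted, unlike `'$url'` and `'$userAgent'` on the same line, so a `netrc-file` value containing whitespace or shell metacharacters is split or interpreted by the shell. An empty value would make curl take `--netrc-optional` as the file name. The value comes from `$Nix::Config::config{"netrc-file"}` in the first hunk of this file with no validation visible there, whereas the URL at least passes through `checkURL` before use. At minimum write `--netrc-file '$netrcFile'`, and where `$netrcFile` is defined reject values that are empty or contain a single quote, since quoting alone does not cover that case. The enclosing block in `downloadBinary` starts and ends outside the hunk.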
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index 82f5f7aa9..d9797ff48 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -114,6 +114,10 @@ struct Curl
curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progressCallback_);
curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, (void *) &curl);
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0);
+ /* If no file exist in the specified path, curl continues to work
+ * anyway as if netrc support was disabled. */
+ curl_easy_setopt(curl, CURLOPT_NETRC_FILE, settings.netrcFile.c_str());
+ curl_easy_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
}
~Curl()
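Review bot: The comment added above the two `curl_easy_setopt` calls covers only the missing-file case and leaves out the rest of what `CURL_NETRC_OPTIONAL` does, which matters because the handle now carries credentials. I would reword it to `/* Look up HTTP credentials in settings.netrcFile. With CURL_NETRC_OPTIONAL a missing file is ignored and credentials given in the URL take precedence over netrc entries. */`, which also fixes "If no file exist". The return values of both calls are ignored, which matches the surrounding `curl_easy_setopt` lines, so a rejected option would presumably go unnoticed. The constructor body starts outside the hunk.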
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 2aba3d2c1..8bf5f8c2e 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -62,6 +62,7 @@ Settings::Settings()
lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
showTrace = false;
enableImportNative = false;
+ netrcFile = (format("%1%/%2%") % nixConfDir % "netrc").str();
}
@@ -190,6 +191,7 @@ void Settings::update()
_get(preBuildHook, "pre-build-hook");
_get(keepGoing, "keep-going");
_get(keepFailed, "keep-failed");
+ _get(netrcFile, "netrc-file");
string subs = getEnv("NIX_SUBSTITUTERS", "default");
if (subs == "default") {
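Review bot: `_get(netrcFile, "netrc-file")` accepts whatever string the configuration holds, while the manual text in this commit describes the setting as an absolute path. A relative value would presumably be opened relative to the working directory of whichever process performs the download, so the credentials file consulted could differ depending on where the command is run. Consider checking right after the `_get`, for example `if (!netrcFile.empty() && netrcFile[0] != '/') throw Error(format("netrc-file must be an absolute path, got '%1%'") % netrcFile);`. `Settings::update()` continues outside the hunk, so an existing check elsewhere cannot be ruled out from here.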
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 60b11afe6..3d8351aa1 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -210,6 +210,10 @@ struct Settings {
build settings */
Path preBuildHook;
+ /* Path to the netrc file used to obtain usernames/passwords for
+ downloads. */
+ Path netrcFile;
+
private:
SettingsMap settings, overrides;