Stream: nix

Topic: Impure Derivations


Nithin (Jan 03 2025 at 14:57):

What makes a derivation impure? Say, for example, I source the contents of a file from my filesystem and use it inside of my .nix files, is that an impure derivation?

I'm confused about this, because I'm trying to read my secrets that are decrypted by agenix into /etc/secrets. The agenix GitHub already says this is an anti-pattern and must not be used here, but certain services only have an option that is
password = ""; (a string)
and not an equivalent
passwordFile = "<path>";

Is the correct way to just make a module that implements the option to read the path? (Also need help understanding how NixOS packages are built.)

Or is there an easier way to go about this?

Nithin (Jan 03 2025 at 14:59):

So far, @Srid has clarified that anything that is not in my "inputs" is impure, and must not be used in derivations. (Ideally, at least.)

Srid (Jan 03 2025 at 15:10):

What is the type of passwordFile? Is it types.path or types.string?

The latter is most suitable here, because the former will have your derivation depend on an absolute path. The use of absolute paths will make it impure because they cannot be part of a derivation's inputs.

Just like how a pure function can only depend on its inputs and not global variables.

Nikhil Singh (Jan 29 2025 at 18:40):

Check out my derivation of a font; it might help. It’s not the cleanest way to achieve this, but it uses sops decryption to decrypt a paid font file. My password is stored in an age key file.
Font Derivation

This derivation is also impure because it doesn’t take the key as an input but instead relies on the availability of the key on the host system.

To do this in the purest and most declarative way, you would need to store your key in a private repository and pass it as an input or override your inputs. (There are several ways to achieve this.)

Keep in mind that anything not coming from your flake directory or the flake’s local environment is considered impure, as its reproduction is not guaranteed to be 100% reliable.

Nikhil Singh (Jan 29 2025 at 18:40):

@Nithin


Last updated: Feb 21 2025 at 17:45 UTC