Impure Nix Derivations
I’ve been writing about Nix for a few years now, and it has become a staple for all my personal projects. It solves the thorny problem of setting up reproducible development environments in a flexible and general way, while still allowing me to use my tooling the way I want to. I no longer have to worry about my GitHub Actions having different versions of tools from my local dev environment, which is a huge relief.
I’ve started making my CI jobs use nix flake check,
which lets me write and run my CI checks using Nix syntax,
further removing any differences between local development and CI.
However, I sometimes have tests that want to use the network,
which usually isn’t allowed.
I recently discovered that you can use __impure = true; to remove the networking sandbox:1
# flake.nix
{
inputs = {
nixpkgs.url = "nixpkgs";
};
outputs = { nixpkgs, ... }: {
checks.x86_64-linux.foo =
let
pkgs = import nixpkgs { system = "x86_64-linux"; };
in pkgs.stdenvNoCC.mkDerivation {
name = "foo-check";
src = ./.;
__impure = true;
nativeBuildInputs = [
pkgs.cacert
pkgs.curl
];
buildPhase = ''
runHook preBuild
curl -fsSL https://example.com/ > /dev/null
runHook postBuild
'';
installPhase = ''
runHook preInstall
touch "$out"
runHook postInstall
'';
};
};
}
For this to work, you must also set extra-experimental-features = impure-derivations ca-derivations in /etc/nix/nix.conf.2
Just passing a command-line argument doesn’t seem to work in my usage
with Nix 2.13.3 in a multi-user installation.
Since this feature is still experimental, it’s not widely advertised or documented. Hopefully this helps you use it for your own tests.
-
“Release 2.8 (2022-04-19) - Nix Reference Manual,” Nix Reference Manual. Accessed: Nov. 11, 2023. [Online]. Available: https://nixos.org/manual/nix/stable/release-notes/rl-2.8 ↩︎
-
“Experimental Features - Nix Reference Manual,” Nix Reference Manual. Accessed: Nov. 11, 2023. [Online]. Available: https://nixos.org/manual/nix/stable/contributing/experimental-features ↩︎