raphiz · patwid · Jun 29, 2024
diff --git a/buildGradleApplication/default.nix b/buildGradleApplication/default.nix
@@ -15,13 +15,14 @@
   buildInputs ? [],
   nativeBuildInputs ? [],
   dependencyFilter ? depSpec: true,
+  privateRepository ? null,
   repositories ? ["https://plugins.gradle.org/m2/" "https://repo1.maven.org/maven2/"],
   verificationFile ? "gradle/verification-metadata.xml",
   buildTask ? ":installDist",
   installLocation ? "build/install/*/",
 }: let
   m2Repository = mkM2Repository {
-    inherit pname version src dependencyFilter repositories verificationFile;
+    inherit pname version src dependencyFilter privateRepository repositories verificationFile;
   };
 
   # Prepare a script that will replace that jars with references into the NIX store.

diff --git a/buildGradleApplication/mkM2Repository.nix b/buildGradleApplication/mkM2Repository.nix
@@ -8,6 +8,7 @@
   version,
   src,
   dependencyFilter ? depSpec: true,
+  privateRepository ? null,
   repositories ? ["https://plugins.gradle.org/m2/" "https://repo1.maven.org/maven2/"],
   verificationFile ? "gradle/verification-metadata.xml",
 }: let
@@ -20,13 +21,16 @@
     # Read all build and runtime dependencies from the verification-metadata XML
     builtins.fromJSON (builtins.readFile (
       runCommandNoCC "depSpecs" {buildInputs = [python3];}
-      "python ${./parse.py} ${filteredSrc}/${verificationFile} ${builtins.toString (builtins.map lib.escapeShellArg repositories)}> $out"
+      "python ${./parse.py} -f ${filteredSrc}/${verificationFile} -r ${builtins.toString (builtins.map lib.escapeShellArg repositories)}"
+        + lib.strings.optionalString (privateRepository != null) " -p ${lib.escapeShellArg privateRepository}"
+        + " > $out"
     ))
   );
-  mkDep = depSpec: {
+  mkDep = { privateUrl ? null, ... }@depSpec: {
     inherit (depSpec) urls path name hash component;
     jar = fetchArtifact {
       inherit (depSpec) urls hash name;
+      inherit privateUrl;
     };
   };
   dependencies = builtins.map (depSpec: mkDep depSpec) depSpecs;

diff --git a/buildGradleApplication/parse.py b/buildGradleApplication/parse.py
@@ -3,6 +3,7 @@
 import json
 from dataclasses import dataclass
 import base64
+import argparse
 
 @dataclass
 class Component:
@@ -25,8 +26,16 @@ def main():
     if len(sys.argv) <= 1:
         print("Missing verification.xml file")
         sys.exit(1)
-    artifacts = parse(sys.argv[1])
-    maven_repos = [repository.rstrip("/") for repository in sys.argv[2:]]
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-f", "--verification-file", required=True)
+    parser.add_argument("-r", "--repository", dest="repositories", action="extend", nargs="+")
+    parser.add_argument("-p", "--private-repository")
+    args = parser.parse_args()
+
+    artifacts = parse(args.verification_file)
+    maven_repos = [repository.rstrip("/") for repository in args.repositories]
+    private_maven_repo = None if args.private_repository is None else args.private_repository.rstrip("/")
 
     outputs = []
     for artifact in artifacts:
@@ -42,6 +51,8 @@ def main():
             },
             "hash": toSri(artifact.hash.algo, artifact.hash.value)
         }
+        if private_maven_repo is not None:
+            output["privateUrl"] = f"{private_maven_repo}/{path}/{artifact.name}"
         outputs.append(output)
     print(json.dumps(outputs))
 
@@ -82,4 +93,4 @@ def parse(xml_file):
 
 
 if __name__ == "__main__":
-    main()
+    main()
diff --git a/fetchArtefact/builder.bash b/fetchArtefact/builder.bash
@@ -26,16 +26,14 @@ check_hash() {
     fi
 }
 
-# expected variables to be set:
-name="${name:?}"
-out="${out:?}"
-urls="${urls:?}"
-hash="${hash:?}"
+fetch_url() {
+    local url="$1"
+    local nix_curl_flags=$2
 
-for url in $urls; do
     echo "Downloading $name from $url"
 
-    if "${curl[@]}" --retry 0 --connect-timeout "${NIX_CONNECT_TIMEOUT:-15}" \
+    if "${curl[@]}" $nix_curl_flags --retry 0 \
+        --connect-timeout "${NIX_CONNECT_TIMEOUT:-15}" \
         --fail --silent --show-error --head "$url" \
         --write-out "%{http_code}" --output /dev/null > code 2> log; then
 
@@ -59,6 +57,20 @@ for url in $urls; do
             echo "error checking the existence of $url:"
             cat log
     fi
+}
+
+# expected variables to be set:
+name="${name:?}"
+out="${out:?}"
+urls="${urls:?}"
+hash="${hash:?}"
+
+if [ -n "$private_url" ]; then
+    fetch_url "$private_url" $NIX_CURL_FLAGS
+fi
+
+for url in $urls; do
+    fetch_url "$url"
 done
 
 echo "File $name was not found with hash $hash on any of the given urls"

diff --git a/fetchArtefact/default.nix b/fetchArtefact/default.nix
@@ -4,6 +4,7 @@
   nix,
   cacert,
 }: {
+  privateUrl ? null,
   # A list of URLs specifying alternative download locations. They are tried in order.
   urls,
   # SRI hash.
@@ -19,7 +20,9 @@ stdenvNoCC.mkDerivation {
   builder = ./builder.bash;
   nativeBuildInputs = [curl nix];
   SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+  private_url = privateUrl;
   inherit urls;
+  impureEnvVars = ["NIX_CURL_FLAGS"];
 
   # Doing the download on a remote machine just duplicates network
   # traffic, so don't do that