I'm using stack with nix. I need to pass the environment variable as the DB password to connect to Postgres at runtime. Currently, I enabled nix in the YAML and customized my own .nix to put the password in .nix.

stack.yaml:

nix:
  enable: true
  pure: true
  shell-file: shell.nix

shell.nix:

{ghc}:
with (import <nixpkgs> {});

haskell.lib.buildStackProject {
  inherit ghc;
  name = "myenv";
  buildInputs = [ postgresql_10 ];
  PGPASSWORD = "pw";
}

But when I want to commit the code to GitHub/GitLab and go to a CI/CD pipeline, putting the password explicitly in .nix seems not good. I'd like to know if there is a good way to deal with this?

1 Answer

You can use the builtins.getEnv function in a Nix expression to get the value of an environment variable from the external environment, so you could do something like this:

PGPASSWORD = builtins.getEnv "PGPASSWORD";

This is just one way to set its value. You could also use import to import a Nix expression file that you never commit to git, or you could use builtins.readFile to read a file that you never commit to git.

Note that none of these import methods will prevent the password from getting added to your Nix store (/nix/store) when you build your project. If other people have access to your machine, you must consider the security implications.
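A fuller shell.nix combining the getEnv and readFile approaches from the answer, as an added example that is not part of the original post; the secrets/pgpassword path, the fallback order and the failing assert are assumptions:

```nix
# Added example (not from the original post): shell.nix that takes the
# password from the environment or an untracked file instead of a literal.
{ghc}:
with (import <nixpkgs> {});

let
  # builtins.getEnv returns "" when the variable is unset.
  fromEnv = builtins.getEnv "PGPASSWORD";

  # Fallback: a file kept out of git (list "secrets/pgpassword" in .gitignore).
  # Assumed path; readFile keeps the trailing newline, so strip it.
  secretFile = ./secrets/pgpassword;
  fromFile =
    if builtins.pathExists secretFile
    then lib.removeSuffix "\n" (builtins.readFile secretFile)
    else "";

  pgPassword = if fromEnv != "" then fromEnv else fromFile;
in

# Fail evaluation loudly rather than silently connecting with an empty password.
assert lib.assertMsg (pgPassword != "")
  "PGPASSWORD is not set and ./secrets/pgpassword does not exist";

haskell.lib.buildStackProject {
  inherit ghc;
  name = "myenv";
  buildInputs = [ postgresql_10 ];
  # As the answer notes, the value still ends up in the derivation's
  # environment under /nix/store; this only keeps it out of committed source.
  PGPASSWORD = pgPassword;
}
```

In CI the variable can then come from the pipeline's secret store, while the file fallback serves local development.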
