
feat: add devenv.preFlight for pre-init env injection #2783

Open: ap-1 wants to merge 2 commits into cachix:main from ap-1:cachix-token-command

ap-1 (Contributor) commented May 4, 2026

A few of devenv's own subsystems (cachix push auth, substituter netrc) read environment variables at process startup, before any module-declared env.X is exported into the resulting shell. Values fetched at module-evaluation time can't reach those subsystems.

For organizations that store CACHIX_AUTH_TOKEN in a secret manager (Vault, OpenBao, 1Password, secretspec), this means there's no way to feed the token into devenv-core's cachix init without each developer running cachix authtoken <token> manually first. The cachix daemon spawns with whatever env devenv was launched with, which doesn't include anything modules declare.

This PR adds a new devenv.preFlight option (attrsOf submodule { command = str; }). Each command is run, in alphabetical key order, before subsystem initialization. Lines of KEY=value written to stdout are merged into devenv's process environment, so the subsequent env::var() reads in devenv-core (cachix, etc.) see them.

devenv.preFlight.cachix-auth.command = ''
  echo "CACHIX_AUTH_TOKEN=$(${pkgs.openbao}/bin/bao kv get \
    -address=https://vault.example.com \
    -field=CACHIX_AUTH_TOKEN secret/cachix)"
'';
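The merge step described above, sketched as an added example. This is not code from the PR or from devenv. The function names, the key-validation rule, the "later entry wins" behaviour and the redacted log format are all assumptions made for illustration.

```rust
use std::collections::BTreeMap;

/// Parse one preFlight command's stdout into (key, value) pairs.
/// Assumption: only lines shaped like NAME=value count; other lines are ignored.
fn parse_env_lines(stdout: &str) -> Vec<(String, String)> {
    stdout
        .lines()
        .filter_map(|line| {
            // Split on the first '=' only: tokens are often base64 and end in '='.
            let (key, value) = line.split_once('=')?;
            is_valid_key(key).then(|| (key.to_string(), value.to_string()))
        })
        .collect()
}

/// Assumed rule: accept only [A-Za-z_][A-Za-z0-9_]* so that progress or error
/// text containing '=' cannot create odd variable names.
fn is_valid_key(key: &str) -> bool {
    let mut chars = key.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
        && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Merge all command outputs in alphabetical order of the preFlight key.
/// Assumption: a later command overrides a variable set by an earlier one.
fn merge_preflight(outputs: &BTreeMap<&str, &str>) -> BTreeMap<String, String> {
    let mut env = BTreeMap::new();
    for stdout in outputs.values() {
        env.extend(parse_env_lines(stdout));
    }
    env
}

/// Render the merged environment for logs without printing secret values.
fn redacted(env: &BTreeMap<String, String>) -> Vec<String> {
    env.iter().map(|(k, v)| format!("{}=<{} bytes>", k, v.len())).collect()
}

fn main() {
    // Constructed sample outputs, keyed by hypothetical preFlight entry names.
    let mut outputs = BTreeMap::new();
    outputs.insert("cachix-auth", "fetching secret...\nCACHIX_AUTH_TOKEN=abc123==\n");
    outputs.insert("a-defaults", "CACHIX_AUTH_TOKEN=stale\nBAD KEY=x\n");
    let env = merge_preflight(&outputs);
    for line in redacted(&env) {
        println!("{}", line);
    }
}
```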
