# Fetch from PyPi legacy API as documented in https://warehouse.pypa.io/api-reference/legacy.html { runCommand, lib, python3, cacert, }@pkgs: let inherit (lib) optionalAttrs fetchers optional inPureEvalMode filter head concatStringsSep escapeShellArg ; impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC"; in lib.makeOverridable ( { # package name pname, # Package index url ? null, # Multiple package indices to consider urls ? [ ], # filename including extension file, # SRI hash hash, # allow overriding the derivation name name ? null, # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; } cacert ? pkgs.cacert, }: let urls' = urls ++ optional (url != null) url; pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath; netrc_file = if (pathParts != [ ]) then (head pathParts).path else ""; in # Assert that we have at least one URL assert urls' != [ ]; runCommand file ( { nativeBuildInputs = [ python3 cacert ]; inherit impureEnvVars; outputHashMode = "flat"; # if hash is empty select a default algo to let nix propose the actual hash. outputHashAlgo = if hash == "" then "sha256" else null; outputHash = hash; } // optionalAttrs (name != null) { inherit name; } // optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; } ) '' python ${./fetch-legacy.py} ${ concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls') } --pname ${pname} --filename ${file} mv ${file} $out '' )