[partially solved here: https://plus.google.com/110416349762686874861/posts/PVGHL1Tpeb9; but not entirely]
I want to use one of my NixOS machines as a cache for the packages, to not pull everything from Hydra for each one on every upgrade. So I try to do this: https://nixos.org/nix/manual/#sec-sharing-packages. But
- When I try to use `nix-serve -p <port>`, `nix-env --option extra-binary-caches http://<host>:<port>/` (even when run as `root`!) just ignores this cache, saying that "NAR info file" … "lacks a signature", and attempts to switch to `cache.nixos.org`. So `nix-serve` doesn't work as expected. Does it mean that the documentation is not actual anymore, or that `nix-serve` is broken?
- While `nix-copy-closure --to <user>@<host>` does work (if `<user>` is added as a trusted user into `nix.trustedUsers`). But doing this on every upgrade would be very inconvenient. BTW, what also puzzles me here is how `--from` is supposed to be used?
I have a general understanding of how cryptographic signatures work, and why they are used to sign packages (and repositories). But
- In these circumstances I simply don't need it: the risk of a MITM is not something to worry about. I just want to copy a few GiB of binaries from one machine to another, regularly and effortlessly. I could, of course, simply disable the verification completely via `nix.requireSignedBinaryCaches = false`, but isn't there a less radical way? If, say, I invoke `nix-env` as `root`, or as a "trusted user", and have this "extra" binary cache registered as a "trusted binary cache"; doesn't it imply that I know what I'm doing, and don't need the system nagging about missing signatures? (without the need for disabling the checking altogether) I haven't found how to disable the verification only for a certain "trusted" source/user, and pretty much suspect it doesn't exist (i.e. a bug).
- I could probably also, to comply with this signing mechanism, try to set up a "full-fledged" binary cache, by making use of `nix-store --generate-binary-cache-key`, then `nix-push --dest <somewhere> --key-file <secret-1> --none <cherrypicked-paths>`, and registering the public key on the client(s). But it's not quite what I want: storing the archives on the "server" and setting the paths for `nix-push` explicitly. I just want that either `nix-serve` signed those shared packages before delivery, so that the receiving side would be happy, or `nix-env` to not complain about the lack of signing, if I'm absolutely sure that this particular source is trustworthy!
In conclusion: I'm pretty sure `nix-serve` or the signature checking mechanism (or both) are simply broken/unmaintained. So one can consider it all less as a question, more as a bug report candidate. But if I'm wrong — yet better.
Best Answer
Here is how you configure the server and client for using a signed binary cache served via the `nix-serve` command. This does not require using `nix-push` to generate the cache, and you can serve your `/nix/store` directly using this method. This is documented in the man-page for `nix-push`, so if you want more details you can check that out, too.

Server configuration
This example assumes that your server's hostname is `cache.example.com`. First, you need to generate a signing-key pair using `nix-store --generate-binary-cache-key`, like this:
... just replacing `cache.example.com` with any appropriate hostname for your server. It doesn't have to match the real host name, but it helps if they match so that you can easily distinguish which server a public key belongs to.
If your cache server is running NixOS then you can serve your cache by adding these two lines to your NixOS configuration file:
... and make sure that the `nix-serve` user has read-access to the `nix-serve.sec` key.
If you are not using NixOS and you want to serve your cache directly using the `nix-serve` executable, then you need to use the `NIX_SECRET_KEY_FILE` environment variable to specify the path to the secret key, like this:

Client configuration
If your client machine is a NixOS machine, then you can add these lines to your NixOS configuration file:
If you are not on a NixOS machine then you can manually edit your `nix.conf` file to have the following settings:
If you prefer to enable a binary cache for just one build you can instead pass these binary cache configuration flags directly to any Nix utility like `nix-build` or `nixos-rebuild`, like this:
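As an added example (not code from the answer above or from the nix-serve project), this is the server-side and client-side NixOS configuration that the answer describes, put together in one file so the two halves can be read side by side. The hostname `cache.example.com` and the key file name `nix-serve.sec` come from the answer; the key directory `/var/cache`, the port 5000 and the public key value are assumptions or placeholders, and the option names are the Nix 1.x ones used in the question.

```nix
# Added example, not the answer's own code. Two NixOS modules in one file for
# illustration; in practice each goes into its own machine's
# /etc/nixos/configuration.nix. Paths, port and key value are assumptions.
let
  # Contents of nix-serve.pub on the server, produced once by:
  #   nix-store --generate-binary-cache-key cache.example.com \
  #       /var/cache/nix-serve.sec /var/cache/nix-serve.pub
  # The value below is a placeholder, not a real key.
  cachePublicKey = "cache.example.com:PUBLIC-KEY-BASE64-PLACEHOLDER";

  # ---- Server: cache.example.com ------------------------------------------
  serverModule = { config, pkgs, ... }: {
    services.nix-serve = {
      enable = true;
      # Secret key used to sign every narinfo nix-serve hands out. Must be
      # readable by the nix-serve user and by nobody else (assumed path).
      secretKeyFile = "/var/cache/nix-serve.sec";
      port = 5000; # assumed; matches nix-serve's default
    };
    # Only the cache port is opened; the secret key never leaves the host.
    networking.firewall.allowedTCPPorts = [ 5000 ];
  };

  # ---- Client: any NixOS machine that should pull from the cache ----------
  clientModule = { config, pkgs, ... }: {
    # Keep signature verification on (this is the default) and instead tell
    # Nix which extra key to trust. Paths from the extra cache are accepted
    # only when signed by that key; unsigned narinfos are still rejected.
    nix.requireSignedBinaryCaches = true;
    # List options merge with their defaults, so https://cache.nixos.org and
    # its public key stay configured as the fallback.
    nix.binaryCaches = [ "http://cache.example.com:5000" ];
    nix.binaryCachePublicKeys = [ cachePublicKey ];
  };
in
{
  inherit serverModule clientModule;
}

# Non-NixOS client: the equivalent /etc/nix/nix.conf lines (Nix 1.x names;
# newer Nix calls them substituters, trusted-public-keys and require-sigs):
#   binary-caches = http://cache.example.com:5000 https://cache.nixos.org
#   binary-cache-public-keys = cache.example.com:PUBLIC-KEY-BASE64-PLACEHOLDER
#   signed-binary-caches = *
#
# One-off use for a single build, without touching any config file:
#   nix-build --option binary-caches http://cache.example.com:5000 \
#             --option binary-cache-public-keys "$(cat nix-serve.pub)" ...
```

This keeps the "lacks a signature" check from the question in place and satisfies it, rather than switching `nix.requireSignedBinaryCaches` off: the client accepts from the extra cache exactly the paths the server signed with its own key, and nothing else.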