Binary Cache: Difference between revisions
m Removed extra-substituters as not available since 22.05, Added Signing Existing Packages, Added Command Line Options |
Daemonfire (talk | contribs) I think this https://discourse.nixos.org/t/garnix-blog-stop-trusting-nix-caches/70177 raises a valid point that should be added to the wiki to educate people about the implications. |
| (3 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
A binary cache builds Nix packages and caches the result for other machines. Any machine with Nix installed can be a binary cache for another one, no matter the operating system. | A binary cache builds Nix packages and caches the result for other machines. Any machine with Nix installed can be a binary cache for another one, no matter the operating system. | ||
== Setting up a binary cache == | == Setting up a binary cache == | ||
| Line 115: | Line 113: | ||
To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the option {{ic|substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}). | To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the option {{ic|substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}). | ||
{{Warning|When adding a third-party binary cache you now trust all packages being served from that cache. Make sure this is a conscious decision. Trusting arbitrary caches can open you up to suppply chain attacks. | |||
For more context: https://discourse.nixos.org/t/garnix-blog-stop-trusting-nix-caches/70177 (if source unavailable, https://web.archive.org/web/20251001172145/https://garnix.io/blog/stop-trusting-nix-caches)}}{{tip|If you are facing problems with derivations not being in a cache, try switching to a release version. Most caches will have many derivations for a specific release.}} | |||
Permanent use of binary cache: | Permanent use of binary cache: | ||
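Review bot: The added Warning template has a typo, "suppply chain attacks", which should read "supply chain attacks". The warning would also be more precise if it said which of the two settings named in the paragraph above carries the trust decision: with signature checking enabled, it is the key added to trusted-public-keys that makes Nix accept paths served by the cache, so that is the step to call out as the conscious decision. The two bare URLs could use the wiki's external link syntax with a label, as the Nix Manual reference above does, and the Tip template would read better on its own line instead of directly after the closing braces of the Warning.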
| Line 207: | Line 207: | ||
} | } | ||
</syntaxHighlight> | </syntaxHighlight> | ||
=== Binary cache priority === | |||
Each binary cache has a priority field. A lower number indicates a higher priority.<syntaxhighlight lang="shell-session"> | |||
$curl https://cache.nixos.org/nix-cache-info | |||
StoreDir: /nix/store | |||
WantMassQuery: 1 | |||
Priority: 40 | |||
</syntaxhighlight>You may want to override this value by appending <code>?priority=n</code> at the end of the cache url.<syntaxhighlight lang="nix"> | |||
substituters = https://nix-community.cachix.org?priority=1 https://cache.nixos.org?priority=2 | |||
</syntaxhighlight> | |||
== Populating a binary cache == | == Populating a binary cache == | ||
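Review bot: The added substituters example gives https://nix-community.cachix.org priority 1 and https://cache.nixos.org priority 2, so by the section's own rule (a lower number indicates a higher priority) the third-party cache is preferred over the official one. Say that explicitly and link back to the third-party cache warning added earlier in this revision, so readers do not copy the ordering without noticing it. Smaller points: "$curl" needs a space after the prompt, "cache url" should be "cache URL", the substituters line is nix.conf syntax but is tagged lang="nix", and the syntaxhighlight tags should start on their own lines rather than running into the sentences around them.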
| Line 221: | Line 233: | ||
It is also possible to sign all the packages that already exist in the nix store of the machine serving the binary cache to make them immediately available. | It is also possible to sign all the packages that already exist in the nix store of the machine serving the binary cache to make them immediately available. | ||
<code>$ nix store sign --extra-experimental-features nix-command --all --key-file /var/cache-priv-key.pem</code> | <code>$ nix store sign --extra-experimental-features nix-command --all --key-file /var/cache-priv-key.pem</code> | ||
Note : As of NixOS 24. | Note : As of NixOS 24.11 {{ic|--extra-experimental-features nix-command}} is required for {{ic|store sign}} if this is not in your configuration.nix. | ||
== Hosted binary cache == | == Hosted binary cache == | ||
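Review bot: In the changed Note line, "if this is not in your configuration.nix" does not say what "this" refers to. Name it, for example "unless the nix-command experimental feature is already enabled in your configuration.nix", so readers know what to look for. "Note :" should also be "Note:" without the space before the colon.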