Binary Cache: Difference between revisions

← Older edit

VisualWikitext

@@ Line 3: / Line 3: @@
 A binary cache builds Nix packages and caches the result for other machines. Any machine with Nix installed can be a binary cache for another one, no matter the operating system.
-== Setting up a binary cache ==
+== Setting up a binary cache with attic and caddy ==
+Here's a snippet enabling [https://github.com/zhaofengli/attic Attic] and [https://caddyserver.com/ Caddy].
+Please refer to the [https://docs.attic.rs/ Attic documentation] to set it up correctly. The goal here is to show how those two services can be used together to provide a solid solution.<syntaxhighlight lang="nix" line="1">
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 8080 ];
+  };
+  services = {
+    atticd = {
+      enable = true;
+      settings = {
+        listen = "127.0.0.1:8081";
+      };
+      # Path to an EnvironmentFile containing required environment variables:
+      # ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.
+      environmentFile = "/root/.attic-env-file";
+    };
+    # Inspired from:
+    # 1. https://github.com/phanirithvij/system/blob/main/nixos/applications/nix/selfhosted/proxy-cache.nix
+    # 2. https://github.com/rnl-dei/nixrnl/blob/master/profiles/proxy-cache.nix
+    caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [ "github.com/caddyserver/cache-handler@v0.16.0" ];
+        hash = "sha256-CecAx6KelOHEDiOKDTKLlDcnWtRNnDzBw1AzgN5JaFw=";
+      };
+      globalConfig = ''
+        order cache before rewrite
+        cache {
+          # Global default cache duration (if not overridden below)
+          ttl 1h
+          log_level debug
+        }
+      '';
+      virtualHosts.":8080" = {
+        extraConfig = ''
+          log {
+            format console
+          }
+          # Nix cache info endpoint
+          @nix_cache_info path /nix-cache-info
+          handle @nix_cache_info {
+            header Cache-Control "public, max-age=300"
+            # 2. Tell Caddy's internal cache to hold this for 5 minutes
+            cache {
+              ttl 300s
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # NAR files (the actual packages)
+          @nar path /nar/*
+          handle @nar {
+            header Cache-Control "public, max-age=31536000, immutable"
+            # Cache the actual nar packages for a year
+            cache {
+              ttl 8760h
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # Narinfo files (metadata about packages)
+          @narinfo path_regexp ^/[^/]+\.narinfo$
+          handle @narinfo {
+            header Cache-Control "public, max-age=86400"
+            # Narinfo can change, so cache them locally for 24 hours
+            cache {
+              ttl 24h
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # Fallback for other requests
+          handle {
+            # We omit the `cache` directive here so Caddy doesn't interfere
+            # with Attic's API operations or package pushing (PUT/POST requests).
+            reverse_proxy 127.0.0.1:8081
+          }
+        '';
+      };
+    };
+  };
+};
+</syntaxhighlight>
+== Setting up a binary cache with nix-serve and nginx ==
 This tutorial explains how to setup a machine as a binary cache for other machines, serving the nix store on TCP port 80 with signing turned on. It assumes that an {{ic|[[nginx]]}} service is already running, that port 80 is open,<ref group="cf."> {{manual:nixos|sec=#sec-firewall|chapter=11.5. Firewall}}</ref> and that the hostname {{ic|binarycache.example.com}} resolves to the server.<ref group="cf.">{{nixos:option|networking.hostName}}</ref>