Binary Cache: Difference between revisions

(26 intermediate revisions by 18 users not shown)

Line 1:

{{Expansion|What is the format of a binary cache? How does it differ from a local/remote Nix store? See [https://github.com/NixOS/nix/pull/6870 `NixOS/nix` PR #6870]. (Maybe even splitting it into a guide and a reference?)}}

A binary cache builds Nix packages and caches the result for other machines. Any machine with Nix installed can be a binary cache for another one, no matter the operating system.

== Setting up a binary cache ==

== Setting up a binary cache with attic and caddy ==

Here's a snippet enabling [https://github.com/zhaofengli/attic Attic] and [https://caddyserver.com/ Caddy].

Please refer to the [https://docs.attic.rs/ Attic documentation] to set it up correctly. The goal here is to show how those two services can be used together to provide a solid solution.<syntaxhighlight lang="nix" line="1">

{

networking.firewall = {

allowedTCPPorts = [ 8080 ];

};

services = {

atticd = {

enable = true;

settings = {

listen = "127.0.0.1:8081";

};

# Path to an EnvironmentFile containing required environment variables:

# ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.

environmentFile = "/root/.attic-env-file";

};

# Inspired from:

# 1. https://github.com/phanirithvij/system/blob/main/nixos/applications/nix/selfhosted/proxy-cache.nix

# 2. https://github.com/rnl-dei/nixrnl/blob/master/profiles/proxy-cache.nix

caddy = {

enable = true;

package = pkgs.caddy.withPlugins {

plugins = [ "github.com/caddyserver/cache-handler@v0.16.0" ];

hash = "sha256-CecAx6KelOHEDiOKDTKLlDcnWtRNnDzBw1AzgN5JaFw=";

};

globalConfig = ''

order cache before rewrite

cache {

# Global default cache duration (if not overridden below)

ttl 1h

log_level debug

}

'';

virtualHosts.":8080" = {

extraConfig = ''

log {

format console

}

# Nix cache info endpoint

@nix_cache_info path /nix-cache-info

handle @nix_cache_info {

header Cache-Control "public, max-age=300"

# 2. Tell Caddy's internal cache to hold this for 5 minutes

cache {

ttl 300s

}

reverse_proxy https://cache.nixos.org {

header_up Host cache.nixos.org

}

# NAR files (the actual packages)

@nar path /nar/*

handle @nar {

header Cache-Control "public, max-age=31536000, immutable"

# Cache the actual nar packages for a year

cache {

ttl 8760h

}

reverse_proxy https://cache.nixos.org {

header_up Host cache.nixos.org

}

# Narinfo files (metadata about packages)

@narinfo path_regexp ^/[^/]+\.narinfo$

handle @narinfo {

header Cache-Control "public, max-age=86400"

# Narinfo can change, so cache them locally for 24 hours

cache {

ttl 24h

}

reverse_proxy https://cache.nixos.org {

header_up Host cache.nixos.org

}

# Fallback for other requests

handle {

# We omit the `cache` directive here so Caddy doesn't interfere

# with Attic's API operations or package pushing (PUT/POST requests).

reverse_proxy 127.0.0.1:8081

}

'';

};

</syntaxhighlight>

== Setting up a binary cache with nix-serve and nginx ==

This tutorial explains how to setup a machine as a binary cache for other machines, serving the nix store on TCP port 80 with signing turned on. It assumes that an {{ic|[[nginx]]}} service is already running, that port 80 is open,<ref group="cf."> {{manual:nixos|sec=#sec-firewall|chapter=11.5. Firewall}}</ref> and that the hostname {{ic|binarycache.example.com}} resolves to the server.<ref group="cf.">{{nixos:option|networking.hostName}}</ref>

Line 7:

Line 114:

=== 1. Generating a private/public keypair ===

A keypair is necessary to sign Nix packages.

A keypair is necessary to sign Nix packages. Replace <code>binarycache.example.com</code> with your domain.

{{bc|

$ nix-store --generate-binary-cache-key binarycache.example.com cache-priv-key.pem cache-pub-key.pem

cd /var

~~# mv cache~~-~~priv-key.pem /var/~~cache-priv-key.pem

nix-store --generate-binary-cache-key binarycache.example.com cache-priv-key.pem cache-pub-key.pem

~~# chown nix-serve /var/~~cache-priv-key.pem

chown nix-serve cache-priv-key.pem

~~# chmod 600 /var/~~cache-~~priv~~-key.pem

chmod 600 cache-priv-key.pem

cat cache-pub-key.pem

}}

Line 48:

Line 156:

services.nginx = {

enable = true;

recommendedProxySettings = true;

virtualHosts = {

# ... existing hosts config etc. ...

"binarycache.example.com" = {

~~serverAliases = [ "binarycache" ];~~

locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";

locations."/".~~extraConfig~~ = ''

~~proxy_pass~~ http://~~localhost~~:${toString config.services.nix-serve.port};

~~proxy_set_header Host $host;~~

~~proxy_set_header X-Real-IP $remote_addr;~~

~~proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;~~

'';

};

Line 114:

Line 217:

== Using a binary cache ==

To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the ~~options~~ {{ic|~~substituters}} and {{ic|extra-~~substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}).

To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the option {{ic|substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}).

{{Warning|When adding a third-party binary cache you now trust all packages being served from that cache. Make sure this is a conscious decision. Trusting arbitrary caches can open you up to suppply chain attacks.

For more context: https://discourse.nixos.org/t/garnix-blog-stop-trusting-nix-caches/70177 (if source unavailable, https://web.archive.org/web/20251001172145/https://garnix.io/blog/stop-trusting-nix-caches)}}{{tip|If you are facing problems with derivations not being in a cache, try switching to a release version. Most caches will have many derivations for a specific release.}}

Permanent use of binary cache:

# /etc/nixos/configuration.nix

nix = {

settings = {

substituters = [

"http://binarycache.example.com"

"https://nix-community.cachix.org"

"https://cache.nixos.org/"

];

trusted-public-keys = [

"binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"

"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="

];

};

</syntaxhighlight>As described on [https://search.nixos.org/options?show=nix.settings.substituters&type=packages&query=substituters search.nixos.org] by default <nowiki>https://cache.nixos.org/</nowiki> is added to the substituters. You may need to use lib.mkForce to override this and ensure your substituter is the primary choice.<syntaxhighlight lang="nix">

# /etc/nixos/configuration.nix

{ config, lib, pkgs, ... }:

{

nix = {

settings = {

substituters = lib.mkForce [

"http://binarycache.example.com"

];

trusted-public-keys = [

"binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"

];

};

}

</syntaxhighlight>{{Warning|Keys that are entered incorrectly or are otherwise invalid, aside from preventing you from benefiting from the cached derivations, may also prevent you from rebuilding your system. This is most likely to occur after garbage collection (e.g., via <code>nix-collect-garbage -d</code>). Consult [https://github.com/NixOS/nix/issues/8271 NixOS/nix#8271] for additional details and a workaround.}}

Temporary use of binary cache:

Line 125:

Line 270:

warning: you did not specify '--add-root'; the result might be removed by the garbage collector

/nix/store/gdh8165b7rg4y53v64chjys7mbbw89f9-hello-2.10

</syntaxhighlight>

=== Using a binary cache on non-NixOS installations ===

To use a binary cache with a Nix that has been installed on an operating system other than NixOS (e.g. Ubuntu or macOS) {{ic|/etc/nix/nix.conf}} will need to be edited manually. This can be done by adding something similar to the following lines to {{ic|/etc/nix/nix.conf}}:

<pre>

trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=

trusted-substituters = https://nix-community.cachix.org https://cache.nixos.org

trusted-users = root @wheel

</pre>

Note that not all of that information is needed, see the manual for the respective options ([https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-public-keys trusted-public-keys], [https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-substituters trusted-substituters], [https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users trusted-users]).

With the {{ic|trusted-*}} options set correctly, a user can benefit permanently from a substituter by add the following to their {{ic|~/.config/nix/nix.conf}}

<pre>

substituters = https://nix-community.cachix.org https://cache.nixos.org

</pre>

or temporarily as explained above.

=== Binary cache hint in Flakes ===

You can place a hint to your binary cache in your Flake so when someone builds an output of your Flake, the nix command will ask interactively to trust the specified binary cache.

{

nixConfig = {

extra-substituters = [

"https://colmena.cachix.org"

];

extra-trusted-public-keys = [

"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="

];

};

outputs = { ... }: {

...

};

}

</syntaxHighlight>

=== Binary cache priority ===

Each binary cache has a priority field. A lower number indicates a higher priority.<syntaxhighlight lang="shell-session">

$curl https://cache.nixos.org/nix-cache-info

StoreDir: /nix/store

WantMassQuery: 1

Priority: 40

</syntaxhighlight>You may want to override this value by appending <code>?priority=n</code> at the end of the cache url.<syntaxhighlight lang="nix">

substituters = https://nix-community.cachix.org?priority=1 https://cache.nixos.org?priority=2

</syntaxhighlight>

Line 135:

Line 333:

$ nix copy --to ssh://binarycache.example.com PACKAGE

</syntaxhighlight>

For details see the [https://nixos.org/nix/~~manual~~/~~#sec~~-sharing-packages Sharing Packages Between Machines] in the Nix manual.

For details see the [https://nixos.org/manual/nix/stable/package-management/sharing-packages.html Sharing Packages Between Machines] in the Nix manual.

== Signing Existing Packages ==

It is also possible to sign all the packages that already exist in the nix store of the machine serving the binary cache to make them immediately available.

<code>$ nix store sign --extra-experimental-features nix-command --all --key-file /var/cache-priv-key.pem</code>

Note : As of NixOS 24.11 {{ic|--extra-experimental-features nix-command}} is required for {{ic|store sign}} if this is not in your configuration.nix.

== Hosted binary cache ==

Line 174:

Line 377:

/nix/store/xim9l8hym4iga6d4azam4m0k0p1nw2rm-libidn2-2.3.0

</syntaxhighlight>

Example: Fetch metadata of <code>bash</code>

<pre>

curl https://cache.nixos.org/$(readlink -f $(which bash) | cut -c12-43).narinfo

</pre>

== Command Line Options ==

It is also possible to pass {{ic|substituters}} and {{ic|trusted-public-keys}} on the command line if they are not in {{ic|configuration.nix}} or you want to use a particular binary cache server.

$ nix-build --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD" '<nixpkgs>' -A pkgs.PACKAGE

$ nixos-rebuild --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD" switch

To do an offline install (providing your binary cache contains all the packages required);

$ nixos-install --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"

== See also ==

* [https://discourse.nixos.org/t/how-to-use-binary-cache-in-nixos/5202/4 How to use binary cache in NixOS]

* [https://github.com/zhaofengli/attic attic: Multi-tenant Nix Binary Cache]

~~<references group="cf~~."/>

* [https://discourse.nixos.org/t/nix-binary-cache-for-macos-nix-darwin-with-attic/40118 Nix Binary Cache for MacOS/Nix-Darwin with Attic]

@@ Line 1: / Line 1: @@
+{{Expansion|What is the format of a binary cache? How does it differ from a local/remote Nix store? See [https://github.com/NixOS/nix/pull/6870 `NixOS/nix` PR #6870]. (Maybe even splitting it into a guide and a reference?)}}
 A binary cache builds Nix packages and caches the result for other machines. Any machine with Nix installed can be a binary cache for another one, no matter the operating system.
-== Setting up a binary cache ==
+== Setting up a binary cache with attic and caddy ==
+Here's a snippet enabling [https://github.com/zhaofengli/attic Attic] and [https://caddyserver.com/ Caddy].
+Please refer to the [https://docs.attic.rs/ Attic documentation] to set it up correctly. The goal here is to show how those two services can be used together to provide a solid solution.<syntaxhighlight lang="nix" line="1">
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 8080 ];
+  };
+  services = {
+    atticd = {
+      enable = true;
+      settings = {
+        listen = "127.0.0.1:8081";
+      };
+      # Path to an EnvironmentFile containing required environment variables:
+      # ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.
+      environmentFile = "/root/.attic-env-file";
+    };
+    # Inspired from:
+    # 1. https://github.com/phanirithvij/system/blob/main/nixos/applications/nix/selfhosted/proxy-cache.nix
+    # 2. https://github.com/rnl-dei/nixrnl/blob/master/profiles/proxy-cache.nix
+    caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [ "github.com/caddyserver/cache-handler@v0.16.0" ];
+        hash = "sha256-CecAx6KelOHEDiOKDTKLlDcnWtRNnDzBw1AzgN5JaFw=";
+      };
+      globalConfig = ''
+        order cache before rewrite
+        cache {
+          # Global default cache duration (if not overridden below)
+          ttl 1h
+          log_level debug
+        }
+      '';
+      virtualHosts.":8080" = {
+        extraConfig = ''
+          log {
+            format console
+          }
+          # Nix cache info endpoint
+          @nix_cache_info path /nix-cache-info
+          handle @nix_cache_info {
+            header Cache-Control "public, max-age=300"
+            # 2. Tell Caddy's internal cache to hold this for 5 minutes
+            cache {
+              ttl 300s
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # NAR files (the actual packages)
+          @nar path /nar/*
+          handle @nar {
+            header Cache-Control "public, max-age=31536000, immutable"
+            # Cache the actual nar packages for a year
+            cache {
+              ttl 8760h
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # Narinfo files (metadata about packages)
+          @narinfo path_regexp ^/[^/]+\.narinfo$
+          handle @narinfo {
+            header Cache-Control "public, max-age=86400"
+            # Narinfo can change, so cache them locally for 24 hours
+            cache {
+              ttl 24h
+            }
+            reverse_proxy https://cache.nixos.org {
+              header_up Host cache.nixos.org
+            }
+          }
+          # Fallback for other requests
+          handle {
+            # We omit the `cache` directive here so Caddy doesn't interfere
+            # with Attic's API operations or package pushing (PUT/POST requests).
+            reverse_proxy 127.0.0.1:8081
+          }
+        '';
+      };
+    };
+  };
+};
+</syntaxhighlight>
+== Setting up a binary cache with nix-serve and nginx ==
 This tutorial explains how to setup a machine as a binary cache for other machines, serving the nix store on TCP port 80 with signing turned on. It assumes that an {{ic|[[nginx]]}} service is already running, that port 80 is open,<ref group="cf."> {{manual:nixos|sec=#sec-firewall|chapter=11.5. Firewall}}</ref> and that the hostname {{ic|binarycache.example.com}} resolves to the server.<ref group="cf.">{{nixos:option|networking.hostName}}</ref>
@@ Line 7: / Line 114: @@
 === 1. Generating a private/public keypair ===
-A keypair is necessary to sign Nix packages.
+A keypair is necessary to sign Nix packages. Replace <code>binarycache.example.com</code> with your domain.
 {{bc|
-$ nix-store --generate-binary-cache-key binarycache.example.com cache-priv-key.pem cache-pub-key.pem
+cd /var
-# mv cache-priv-key.pem /var/cache-priv-key.pem
+nix-store --generate-binary-cache-key binarycache.example.com cache-priv-key.pem cache-pub-key.pem
-# chown nix-serve /var/cache-priv-key.pem
+chown nix-serve cache-priv-key.pem
-# chmod 600 /var/cache-priv-key.pem
+chmod 600 cache-priv-key.pem
+cat cache-pub-key.pem
 }}
@@ Line 48: / Line 156: @@
 services.nginx = {
    enable = true;
+  recommendedProxySettings = true;
    virtualHosts = {
      # ... existing hosts config etc. ...
      "binarycache.example.com" = {
-      serverAliases = [ "binarycache" ];
+       locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
-       locations."/".extraConfig = ''
-        proxy_pass http://localhost:${toString config.services.nix-serve.port};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      '';
      };
    };
@@ Line 114: / Line 217: @@
 == Using a binary cache ==
-To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the options {{ic|substituters}} and {{ic|extra-substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}).
+To configure Nix to use a certain binary cache, refer to the Nix manual.<ref group="cf.">[https://nixos.org/nix/manual/#ch-files Nix Manual, 21. Files]</ref> Add the binary cache as substituter (see the option {{ic|substituters}}) and the public key to the trusted keys (see {{ic|trusted-public-keys}}).
+{{Warning|When adding a third-party binary cache you now trust all packages being served from that cache. Make sure this is a conscious decision. Trusting arbitrary caches can open you up to suppply chain attacks.
+For more context: https://discourse.nixos.org/t/garnix-blog-stop-trusting-nix-caches/70177 (if source unavailable, https://web.archive.org/web/20251001172145/https://garnix.io/blog/stop-trusting-nix-caches)}}{{tip|If you are facing problems with derivations not being in a cache, try switching to a release version. Most caches will have many derivations for a specific release.}}
+Permanent use of binary cache:
+<syntaxhighlight lang="nix">
+# /etc/nixos/configuration.nix
+  nix = {
+    settings = {
+      substituters = [
+        "http://binarycache.example.com"
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+  };
+</syntaxhighlight>As described on [https://search.nixos.org/options?show=nix.settings.substituters&type=packages&query=substituters search.nixos.org] by default <nowiki>https://cache.nixos.org/</nowiki> is added to the substituters. You may need to use lib.mkForce to override this and ensure your substituter is the primary choice.<syntaxhighlight lang="nix">
+# /etc/nixos/configuration.nix
+{ config, lib, pkgs, ... }:
+{
+  nix = {
+    settings = {
+      substituters = lib.mkForce [
+        "http://binarycache.example.com"
+      ];
+      trusted-public-keys = [
+        "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"
+      ];
+    };
+  };
+}
+</syntaxhighlight>{{Warning|Keys that are entered incorrectly or are otherwise invalid, aside from preventing you from benefiting from the cached derivations, may also prevent you from rebuilding your system. This is most likely to occur after garbage collection (e.g., via <code>nix-collect-garbage -d</code>). Consult [https://github.com/NixOS/nix/issues/8271 NixOS/nix#8271] for additional details and a workaround.}}
+Temporary use of binary cache:
 <syntaxhighlight lang="bash">
@@ Line 125: / Line 270: @@
 warning: you did not specify '--add-root'; the result might be removed by the garbage collector
 /nix/store/gdh8165b7rg4y53v64chjys7mbbw89f9-hello-2.10
+</syntaxhighlight>
+=== Using a binary cache on non-NixOS installations ===
+To use a binary cache with a Nix that has been installed on an operating system other than NixOS (e.g. Ubuntu or macOS)  {{ic|/etc/nix/nix.conf}} will need to be edited manually. This can be done by adding something similar to the following lines to {{ic|/etc/nix/nix.conf}}:
+<pre>
+trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+trusted-substituters = https://nix-community.cachix.org https://cache.nixos.org
+trusted-users = root @wheel
+</pre>
+Note that not all of that information is needed, see the manual for the respective options ([https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-public-keys trusted-public-keys], [https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-substituters trusted-substituters], [https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users trusted-users]).
+With the {{ic|trusted-*}} options set correctly, a user can benefit permanently from a substituter by add the following to their {{ic|~/.config/nix/nix.conf}}
+<pre>
+substituters = https://nix-community.cachix.org https://cache.nixos.org
+</pre>
+or temporarily as explained above.
+=== Binary cache hint in Flakes ===
+You can place a hint to your binary cache in your Flake so when someone builds an output of your Flake, the nix command will ask interactively to trust the specified binary cache.
+<syntaxHighlight lang="nix">
+{
+  nixConfig = {
+    extra-substituters = [
+      "https://colmena.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
+    ];
+  };
+  outputs = { ... }: {
+    ...
+  };
+}
+</syntaxHighlight>
+=== Binary cache priority ===
+Each binary cache has a priority field. A lower number indicates a higher priority.<syntaxhighlight lang="shell-session">
+$curl https://cache.nixos.org/nix-cache-info
+StoreDir: /nix/store
+WantMassQuery: 1
+Priority: 40
+</syntaxhighlight>You may want to override this value by appending <code>?priority=n</code> at the end of the cache url.<syntaxhighlight lang="nix">
+substituters = https://nix-community.cachix.org?priority=1 https://cache.nixos.org?priority=2
 </syntaxhighlight>
@@ Line 135: / Line 333: @@
 $ nix copy --to ssh://binarycache.example.com PACKAGE
 </syntaxhighlight>
-For details see the [https://nixos.org/nix/manual/#sec-sharing-packages Sharing Packages Between Machines] in the Nix manual.
+For details see the [https://nixos.org/manual/nix/stable/package-management/sharing-packages.html Sharing Packages Between Machines] in the Nix manual.
+== Signing Existing Packages ==
+It is also possible to sign all the packages that already exist in the nix store of the machine serving the binary cache to make them immediately available.
+ <code>$ nix store sign --extra-experimental-features nix-command --all --key-file /var/cache-priv-key.pem</code>
+Note : As of NixOS 24.11 {{ic|--extra-experimental-features nix-command}} is required for {{ic|store sign}} if this is not in your configuration.nix.
 == Hosted binary cache ==
@@ Line 174: / Line 377: @@
 /nix/store/xim9l8hym4iga6d4azam4m0k0p1nw2rm-libidn2-2.3.0
 </syntaxhighlight>
+Example: Fetch metadata of <code>bash</code>
+<pre>
+curl https://cache.nixos.org/$(readlink -f $(which bash) | cut -c12-43).narinfo
+</pre>
+== Command Line Options ==
+It is also possible to pass {{ic|substituters}} and {{ic|trusted-public-keys}} on the command line if they are not in {{ic|configuration.nix}} or you want to use a particular binary cache server.
+ $ nix-build --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD" '<nixpkgs>' -A pkgs.PACKAGE
+ $ nixos-rebuild --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD" switch
+To do an offline install (providing your binary cache contains all the packages required);
+ $ nixos-install --option substituters "<nowiki>http://binarycache.example.com</nowiki>" --option trusted-public-keys "binarycache.example.com-1:dsafdafDFW123fdasfa123124FADSAD"
 == See also ==
+<references group="cf."/>
+* [https://discourse.nixos.org/t/how-to-use-binary-cache-in-nixos/5202/4 How to use binary cache in NixOS]
+* [https://github.com/zhaofengli/attic attic: Multi-tenant Nix Binary Cache]
-<references group="cf."/>
+* [https://discourse.nixos.org/t/nix-binary-cache-for-macos-nix-darwin-with-attic/40118 Nix Binary Cache for MacOS/Nix-Darwin with Attic]