Binary Cache: Difference between revisions
imported>Mth No edit summary |
imported>Aleb Detail when the key is used, and how to specify it on non-NixOS |
||
| Line 16: | Line 16: | ||
}} | }} | ||
The packages can be signed before adding them to the binary cache, or on the fly as they are served. | |||
In this tutorial we'll set up {{ic|nix-serve}} to sign packages on the fly when it serves them. | |||
In this case it is important that only {{ic|nix-serve}} can access the private key. | |||
The location {{ic|/var/cache-priv-key.pem}} is just an example. | The location {{ic|/var/cache-priv-key.pem}} is just an example. | ||
| Line 23: | Line 25: | ||
{{ic|nix-serve}} is the service that speaks the binary cache protocol via HTTP. | {{ic|nix-serve}} is the service that speaks the binary cache protocol via HTTP. | ||
To start it on NixOS: | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
services.nix-serve = { | services.nix-serve = { | ||
| Line 28: | Line 31: | ||
secretKeyFile = "/var/cache-priv-key.pem"; | secretKeyFile = "/var/cache-priv-key.pem"; | ||
}; | }; | ||
</syntaxhighlight> | |||
To start it on a different machine at boot, the simplest is to add to /etc/crontab: | |||
<syntaxhighlight lang="crontab"> | |||
NIX_SECRET_KEY_FILE=/var/cache-priv-key.pem | |||
@reboot /home/USER/.nix-profile/bin/nix-serve --error-log /var/log/nix-serve.log --pid /var/run/nix-serve.pid --user USER --daemonize | |||
</syntaxhighlight> | </syntaxhighlight> | ||