Announcing ncps: A Nix Cache Proxy Server for Faster Builds!

kalbasit · January 1, 2025, 9:08pm

Update: Ncps v0.6.0: High Availability with PostgreSQL, MySQL, and Redis support

Hey Nix community,

I’m excited to announce ncps, a new proxy server designed to speed up your Nix dependency retrieval and build times, especially in environments with multiple machines.

ncps acts as a local binary cache on your network, fetching store paths from upstream caches (like cache.nixos.org) and storing them locally. This means:

Reduced bandwidth usage: Each dependency is pulled only once onto the cache, and then all machines on your network can use it, saving on internet costs and improving network performance.
Faster build times: Get your projects built quicker with readily available dependencies.

Here’s what makes ncps stand out:

Easy setup: Get it running with just a few configuration flags.
Multiple upstream caches: Configure multiple sources for redundancy and flexibility.
Secure caching: ncps signs cached paths with its own key, ensuring integrity.
Cache size management: Prevent your cache from growing indefinitely with configurable maximum size and automated cleanup.
Zstandard compression support: Specifically designed for use with Harmonia, ncps efficiently stores and serves NAR files compressed with zstd as received during HTTP transport, without any decompression overhead. This results in faster storage and retrieval of dependencies.
OpenTelemetry support: Integrate with OpenTelemetry for centralized logging, metrics, and tracing.

Ready to try it out?

Head over to the GitHub repository for installation instructions, documentation, and examples: https://github.com/kalbasit/ncps

I’d love to hear your feedback and any suggestions you might have. Feel free to open issues or submit pull requests on GitHub.

Give ncps a try and let’s make Nix builds fly!

p.s:

I’d like to thank @Mic92 and @zimbatm for their input and help.
ncps has landed in nixpkgs.
The NixOS module is up for review.

bbigras · January 1, 2025, 10:47pm

Does nix.settings.substituters work well with unreachable caches, like when you are not home and your cache is using a lan ip?

uep · January 1, 2025, 11:05pm

no, nix does not handle this well; you need to put things like this in trusted-substituters and specify them on the command line when you want to use them.

One key hope for a proxy like this is that it might help handle the errors more gracefully, as long as the proxy itself is reachable (which perhaps means local)

kalbasit · January 2, 2025, 1:23am

I was thinking of adding a feature to return priority based on client’s IP address: Less than 30 for local clients and >100 for remote; But I wanted to wait to gather more use-cases before I commit to adding more complexity.

crertel · January 2, 2025, 6:44am

Ah, this is sick! Great work–hopefully once this hits nixpkgs it’ll end up in a lot of folks’ toolbelts!

shimun · January 2, 2025, 9:01am

Are they any plans to used content defined chunks to store the nars on disks to save space?

TheDragon · January 2, 2025, 9:54am

This looks really interesting, as this duplication of downloads is something I’m definitely hitting!

However I was hoping to use a binary cache also for anything I end up compiling, when it’s not already in the official cache.

Is there a way I could achieve that automatically, as well as ncps primary benefits?
If not, is some kind of ability to automatically push locally built packages to ncps a realistic possibility in future?

srd424 · January 2, 2025, 10:03am

The readme suggests it supports PUT with the appropriate command line option - not sure if. Nix supports uploads to http stores though?

srd424 · January 2, 2025, 10:05am

Ah, yes, it seems so: Documentation on how the http(s) binary cache API works? - #2 by domenkozar

bjornfor · January 2, 2025, 11:58am

Does nix.settings.substituters work well with unreachable caches, […]

No, and here’s a PR that aimed to fix that: Allow missing binary caches by default by arcuru · Pull Request #7188 · NixOS/nix · GitHub

pbek · January 2, 2025, 4:20pm

Nice, this is what I was looking for a few years ago, when I needed a package proxy and then used nginx as a reverse proxy!

bbigras · January 2, 2025, 8:57pm

Is there any nix proposal that would allow us to “set a cache proxy” that would always be used when fetching store paths and would allow us to cache store paths from every nix caches we use?

In other words, with ncps, we need to specify the upstream caches in advance. Wouldn’t it be nice to just have a “proxy” that would cache everything (without having to use a MITM proxy)?

numinit · January 2, 2025, 10:09pm

Secure caching: ncps signs cached paths with its own key, ensuring integrity.

Does it replace Hydra’s signature, or add another one? Also, is it doing the verifying, or is Nix?

kalbasit · January 2, 2025, 10:26pm

ncps pulls from upstream cache, and verifies signature. Once verified, it adds its signature to the existing ones.

Here’s an example of the hello package pulled directly from cache.nixos.org and then from my ncps on my network:

❯ curl https://cache.nixos.org/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl.narinfo
StorePath: /nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1
URL: nar/1dglqjx5wm3sdq0ggngcyh4gpcwykngkxps0a8v4v1f1f2lzdwd1.nar.xz
Compression: xz
FileHash: sha256:1dglqjx5wm3sdq0ggngcyh4gpcwykngkxps0a8v4v1f1f2lzdwd1
FileSize: 50364
NarHash: sha256:1bn7c3bf5z32cdgylhbp9nzhh6ydib5ngsm6mdhsvf233g0nh1ac
NarSize: 226560
References: 1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1 wn7v2vhyyyi6clcyn0s9ixvl7d4d87ic-glibc-2.40-36
Deriver: k1rx7pnkdlzfscv6jqzwl4x89kcknfy1-hello-2.12.1.drv
Sig: cache.nixos.org-1:qt4d4o04/cklIMANVntoLYHh36t1j+y/35qWoK2GeeeEeYU5RElnV/gpXrc5jgx4p2MQ38TasPhHg8rN6O+5Dw==

❯ curl https://nix-cache.cluster.ifcsn0.nasreddine.com/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl.narinfo
StorePath: /nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1
URL: nar/1dglqjx5wm3sdq0ggngcyh4gpcwykngkxps0a8v4v1f1f2lzdwd1.nar.xz
Compression: xz
FileHash: sha256:1dglqjx5wm3sdq0ggngcyh4gpcwykngkxps0a8v4v1f1f2lzdwd1
FileSize: 50364
NarHash: sha256:1bn7c3bf5z32cdgylhbp9nzhh6ydib5ngsm6mdhsvf233g0nh1ac
NarSize: 226560
References: 1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1 wn7v2vhyyyi6clcyn0s9ixvl7d4d87ic-glibc-2.40-36
Deriver: k1rx7pnkdlzfscv6jqzwl4x89kcknfy1-hello-2.12.1.drv
Sig: cache.nixos.org-1:qt4d4o04/cklIMANVntoLYHh36t1j+y/35qWoK2GeeeEeYU5RElnV/gpXrc5jgx4p2MQ38TasPhHg8rN6O+5Dw==
Sig: nix-cache.cluster.nasreddine.com:vzh0W8CrV0waXOQU7Ai3klxsvsO7vG5CEoi2u4QtN0h0h30MoMbt+cW5R7N5HblUa2ChIz+/xMflrsZiJOriDQ==

kalbasit · January 2, 2025, 10:30pm

Yes, it does. I use it all the time. I build my servers locally, send them to my nix cache and when I apply each server it goes pretty fast since it pulls from the cache over my 10G network; My aim is to minimize downtime on my Kubernetes cluster.

Example of how I use it:

nix copy --to "https://nix-cache.cluster.ifcsn0.nasreddine.com" $(readlink -f result)

kalbasit · January 2, 2025, 10:32pm

That’s exactly why I added the PUT functionality gated with the --cache-allow-put-verb which allows you to push directly to the cache. Example of how I use it:

nix copy --to "https://nix-cache.cluster.ifcsn0.nasreddine.com" $(readlink -f result)

Be aware, that PUT is unauthenticated currently so if your cache is publicly accessible, it will allow anyone to push to it.

kalbasit · January 2, 2025, 10:35pm

Not at this time since that will complicate garbage collection (implemented as LRU). I would be willing to review pull requests for it. Please consider opening an issue on ncps to allow people to vote on it, with enough votes, I’d consider spending the time on it.

ruffsl · September 3, 2025, 1:11am

Looks like that PR has since stalled out, and @philipwilk has now picked up the torch! Although they could use some help with patching nix for system wide testing and dogfooding:

github.com/NixOS/nix

Comment by philipwilk - 'Gracefully' fallback from failing substituters

master ← philipwilk:graceful-subfallback

Took another look just now and i think switching the for loops around in `Store:…:querySubstitutablePathInfos` is enough to fix it, it seemed to work when i pulled in packages by running `nix shell nixpkgs#(name)` in the installPhase environment, but I'm struggling a bit to figure out how to patch nix post 2.26 so I can test it on my whole system in different situations. <details> <summary>I've tried using this overlay that recompiles but doesnt seem to actually apply the patch</summary> nix reports its version as `nix (Nix) 2.30.2+1` but it definitely hasn't applied my patch because it isn't behaving like the installPhase version is. ```nix (final: prev: { nixVersions = prev.nixVersions.extend ( finalNixV: prevNixV: { nixComponents_2_30 = (prevNixV.nixComponents_2_30.overrideScope ( finalScope: prevScope: { aws-sdk-cpp = null; withAWS = false; } )).appendPatches [ ./ffb2ee8eefc9946a8ebb406cb1fe02734549406d.patch ]; } ); }) ``` </details>

philipwilk · September 8, 2025, 10:36pm

Worked on the patch over nixcon and im pretty happy with it rn, it’s covering my expected scenarios - trying other substituters (at all) if one fails, and not exploding if one substituter starts giving 500s.

DavHau · December 12, 2025, 12:00pm

Well, now that it supports gentle failover I would like to deploy it to all individual machines in my fleet and put it in front of the local nix by default, to prevent nix to crash when a cache is not available. But I don’t want to cache store paths in a separate directory on each machine. Can I disable the ‘cache’ and instead just use it as a ‘proxy’? The idea would be to have one ‘caching’ instance per location, and one ‘proxy’ instance on each machine.

Also does it support parallel cache downloads from the same origin? cache.nixos.org is often extremely slow in Asia. I’m talking less than 1 mbyte/s despite being on a gigabit internet. If it could download 10 paths in parallel, that would improve the UX most likely.