Can't get nix-serve working. Help appreciated

I’m trying to use nix-serve to share binary caches from my personal MacBook Pro to my work MacBook Pro, as I’m seeing an OpenDNS problem on my work machine for one dependency.

So I’ve done on macbook 1:

% nix-store --generate-binary-cache-key ./.nix-cache-key.sec ./.nix-cache-key.pub
% chmod a+r ./nix-cache-key.sec
% NIX_SECRET_KEY_FILE=./nix-cache-key.sec nix run github:edolstra/nix-serve -- --listen :5001

On macbook 2 - updated /etc/nix/nix.conf

substituters = http://macbook-pro.local:5001 https://cache.nixos.org/
trusted-public-keys = macbook-pro.local-1:fKYXWeTeezaCu7g8EbOgpNqWtwhoQSg8ULiRxo6Odoo= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
build-users-group = nixbld
  • restarted the nix daemon:
sudo -i sh -c 'launchctl stop org.nixos.nix-daemon && launchctl start org.nixos.nix-daemon'
  • then run
nix store verify --store http://macbook-pro.local:5001 --trusted-public-keys 'macbook-pro.local-1:fKYXWeTeezaCu7g8EbOgpNqWtwhoQSg8ULiRxo6Odoo=' /nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe
path '/nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe' was modified! expected hash 'sha256:09985d7cqswiqypxz28kr6lly27nakr71fdqa9ri7q2qn0q03igc', got 'sha256:0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73'

But then when I run home-manager’s switch I get:

...
warning: the substitute for '/nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe' from 'http://macbook-pro.local:5001' is not signed by any of the keys in 'trusted-public-keys'
...

What have I missed? Do I need signing?

Using something like peerix would be great, but there’s minimal detail on how to set that up.

macbook pro 1 info

nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-darwin"`
 - host os: `Darwin 21.4.0, macOS 10.16`
 - multi-user?: `no`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.8.0`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/Users/ldeck/.nix-defexpr/channels/nixpkgs`

macbook pro 2 info

nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-darwin"`
 - host os: `Darwin 21.4.0, macOS 10.16`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.8.0`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`

So I’ve updated my primary Mac to use a multi-user installation of nix.

I’ve then run:

NIX_SECRET_KEY_FILE=.nix-cache-key.sec nix run github:edolstra/nix-serve -- --listen :5001   

And then re-run on the other Mac which tells me the store path is untrusted:

% nix store verify --store http://macbook-pro.local:5001 --trusted-public-keys '...' /nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe
path '/nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe' is untrusted

What is required to make it trusted?

From the wiki it seems as if you need to tell it where to find the keys using an env var (NIX_SECRET_KEY_FILE).

I do have NIX_SECRET_KEY_FILE above though, right @NobbZ?

Indeed, haven’t seen that, try using an absolute path then.

It doesn’t appear to make much difference.

On the producer side I’m seeing lots of these:

warning: 'dump-path' is a deprecated alias for 'store dump-path'

On the consumer I see:

% nix store verify ...
error: end of string reached

And when just trying to use it anyway it appears to copy some closures across, but seems to want to build an offending derivation anyway that happily resolves on my personal laptop, but not on my work one.

Further details on that issue here: Nix-copy-closure still wants to re-build on remote system from home-manager or nix-env.
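
As an added example (not code from any poster in this thread or from the nix-serve project): a triage helper for the "not signed by any of the keys in 'trusted-public-keys'" warning and the "is untrusted" result quoted in this thread. It parses a .narinfo body as a binary cache serves it and reports whether it is unsigned, signed under a key name the client does not list, or signed under a listed name; it does not verify the Ed25519 signature itself. Function names, NarSize and the signature bytes are constructed; the store path, hash and key line are the ones posted above.

```python
import base64

# trusted-public-keys value as posted in the thread's nix.conf
TRUSTED = ("macbook-pro.local-1:fKYXWeTeezaCu7g8EbOgpNqWtwhoQSg8ULiRxo6Odoo= "
           "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=")

FAKE_SIG = base64.b64encode(bytes(64)).decode()  # constructed 64-byte placeholder

# Constructed narinfo body (NarSize is made up; path and hash come from the thread).
NARINFO = """StorePath: /nix/store/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm-visual-fill-column-recipe
NarHash: sha256:09985d7cqswiqypxz28kr6lly27nakr71fdqa9ri7q2qn0q03igc
NarSize: 1024
References:
"""

def parse_narinfo(text):
    """Parse 'Key: value' lines; Sig may appear several times, so keep a list."""
    info = {"Sig": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        if key == "Sig":
            info["Sig"].append(value.strip())
        else:
            info[key] = value.strip()
    return info

def parse_trusted_keys(value):
    """Map key name -> raw public key bytes from a trusted-public-keys value."""
    keys = {}
    for entry in value.split():
        name, _, b64 = entry.partition(":")
        keys[name] = base64.b64decode(b64)
    return keys

def triage(narinfo_text, trusted_public_keys):
    """Classify why a client would or would not accept this narinfo."""
    sigs = parse_narinfo(narinfo_text)["Sig"]
    trusted = parse_trusted_keys(trusted_public_keys)
    if not sigs:
        return "unsigned"  # the server did not sign the path at all
    for sig in sigs:
        name, _, b64 = sig.partition(":")
        if name in trusted:
            # Ed25519: 32-byte public key, 64-byte signature
            ok = len(trusted[name]) == 32 and len(base64.b64decode(b64)) == 64
            return ("key-name-trusted:" + name) if ok else "malformed-signature"
    return "key-name-not-trusted"
```

To use it on a live cache, fetch http://macbook-pro.local:5001/vdfmplgrw8x0ll3r3i2z7qdxv3prk2rm.narinfo and pass the body to triage() together with the client's trusted-public-keys value. A result of "unsigned" points at the serving side, while "key-name-not-trusted" points at the client's nix.conf.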