If you are not maintaining software which uses AWS S3 directly to access the NixOS cache contents, you can stop reading now. This does not impact any access through the cache CDN, e.g. https://cache.nixos.org/ and does not impact Nix/NixOS end-users.
The NixOS cache is hosted on Amazon S3 and its contents are publicly readable to anyone. However, any access to the cache currently results in costs to the NixOS Foundation. We’ve recently noticed that this might be representing a non-trivial portion of the infrastructure costs. As a countermeasure, we will be implementing the following change:
- Accessing the `nix-cache` S3 bucket directly will require authentication. The contents are still worldwide readable and can be accessed without special authorization, but you’ll need an AWS account and requests will need to be properly signed with your credentials.
- Additionally, we will be enabling the Requester Pays option on the S3 Bucket. This means that the costs induced for direct access to the `nix-cache` S3 bucket will be charged to the AWS user who sent the request, not the NixOS Foundation. This requires specific opt-in configuration so it shouldn’t take anyone by surprise.
This change will take effect on: 2023-11-04.
Summary of actions required:
- If you use `https://nix-cache.s3.amazonaws.com/` or `https://nix-cache.s3.us-east-1.amazonaws.com/` directly: use `https://cache.nixos.org/` instead. You can also use signed HTTP requests with the `x-amz-request-payer` flag set.
- If you use `s3://nix-cache` via a programmatic client or the S3 CLI, make sure that your client has AWS credentials, and configure it to use `x-amz-request-payer` (docs).
- If you are in neither of these cases: you should not be impacted.
- If you switch to `x-amz-request-payer`: estimate the costs and ensure you’ll be able to pay the bill that will now be charged to you!
– your friendly NixOS infrastructure team
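
What a "signed HTTP request with the `x-amz-request-payer` flag set" looks like on the wire, as an added example that is not the NixOS infrastructure team's code: it builds AWS Signature Version 4 headers for a GET and includes the requester-pays header among the signed headers. The access key, secret, timestamp and the `nix-cache-info` object key are assumptions chosen for illustration; nothing is sent over the network.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

HOST = "nix-cache.s3.us-east-1.amazonaws.com"  # bucket endpoint named in the announcement

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_requester_pays_get(host, key_path, region, access_key, secret_key, now,
                            requester_pays=True):
    """Return SigV4 headers for an S3 GET; signs x-amz-request-payer when set."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()  # a GET has an empty body
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if requester_pays:
        headers["x-amz-request-payer"] = "requester"  # opt in to being billed
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        "GET",
        quote("/" + key_path.lstrip("/"), safe="/"),  # URI-encoded object path
        "",                                            # no query string
        "".join(f"{n}:{headers[n]}\n" for n in names),
        signed_headers,
        payload_hash,
    ])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the per-day, per-region, per-service signing key from the secret.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers

if __name__ == "__main__":
    now = datetime.datetime(2023, 11, 4, 12, 0, 0, tzinfo=datetime.timezone.utc)
    for name, value in sign_requester_pays_get(  # placeholder credentials, fixed clock
            HOST, "nix-cache-info", "us-east-1", "AKIDEXAMPLE", "not-a-real-secret", now).items():
        print(f"{name}: {value}")
```

Because the header is part of the signed set, a proxy or client library that drops or adds it after signing invalidates the signature, so the opt-in has to happen before the request is signed.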