Hello. We’re currently exploring using Nix for our application, and one of the big things I’d really like to do is have our Artifactory act as a binary cache for all the systems. Generally speaking, enterprises like the features of things like Artifactory or Nexus or similar, and it’s not really acceptable to say “well, we need to have a specific machine run just this special daemon for our project”.
I’m (nix) building on a docker image I have already, so I’ve got a bunch of Nix packages in a local /nix/store that I’d like to publish to Artifactory. My presumption is that I use nix-copy to push to Artifactory. However, this is a plain HTTPS repository, nothing special.
Two main things:
- How do I configure Artifactory to serve as a Nix binary cache? Are there directory structures or things I need to create/populate? I’m not building on the Artifactory machines, so what I’m after is just having an Artifactory HTTPS repository filled with the binaries and signatures that can then be used by client machines to pull from.
- Our Artifactory requires authentication (which is pretty standard for such enterprise installations). Is there any reasonable way to embed my auth in the local Nix configuration? Both for when I push to Artifactory, and for client machines when I want to point to Artifactory as the binary cache.
And no, I’m not interested in using Artifactory as a caching server for external sources. I’m specifically looking to run my own local binary cache which will contain both packages from external sources and custom-made ones of our own.
And one final thing: how does signing work in my scenario? I have a local key which I’m signing our custom Nix packages with, and I’m presuming that’s going to create binary packages with our key signature that’s pushed to Artifactory. But what about packages I download to my build machine from external sources (e.g. cache.nix.org)? When I push them to Artifactory, does it sign with my key, or does it somehow keep the key from the original binary cache?