Hosting a Binary Cache on Artifactory?

Hello. We’re currently exploring using Nix for our application, and one of the big things I’d really like to do is have our Artifactory act as a binary cache for all the systems. Generally speaking, enterprises like the features of things like Artifactory or Nexus or similar, and it’s not really acceptable to say “well, we need to have a specific machine run just this special daemon for our project”.

I’m (nix) building on a docker image I have already, so I’ve got a bunch of Nix packages in a local /nix/store that I’d like to publish to Artifactory. My presumption is that I use nix-copy to push to Artifactory. However, this is a plain HTTPS repository, nothing special.

Two main things:

  1. How do I configure Artifactory to serve as a Nix binary cache? Are there directory structures or things I need to create/populate? I’m not building on the Artifactory machines, so what I’m after is just having an Artifactory HTTPS repository filled with the binaries and signatures that can then be used by client machines to pull from.

  2. Our Artifactory requires authentication (which is pretty standard for such enterprise installations). Is there any reasonable way to embed my auth in the local Nix configuration? Both for when I push to Artifactory, and for client machines when I want to point to Artifactory as the binary cache.

And no, I’m not interested in using Artifactory as a caching server for external sources. I’m specifically looking to run my own local binary cache which will contain both packages from external sources and custom-made ones of our own.

And one final thing: how does signing work in my scenario? I have a local key which I’m signing our custom Nix packages with, and I’m presuming that’s going to create binary packages with our key signature that’s pushed to Artifactory. But what about packages I download to my build machine from external sources? (e.g. cache.nix.org) When I push them to Artifactory, does it sign with my key, or does it somehow keep the key from the original binary cache?

You might look into how attic does it.

Am I missing something here?

Shouldn’t a Binary Store just consist of tarballs (compressed), the derivation file, and a signature file for each package?

Tarballs of what exactly?

of the built binaries and files in the package.

Looking at what Nix does when I’m installing something, it appears to fetch <checksum>-<package-name>.tar.xz and <checksum>-<package>.drv from the cache server. Or am I getting that wrong?

Actually it’s `.nar.xz` (NAR is Nix’s own archive format), and you also need to serve `.narinfo` files. “Introducing nix-casync, a more efficient way to store and substitute Nix store paths” (written by @flokli) seems to have a good writeup on this.
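As an added illustration (not code from the thread), here is what the `.narinfo` mentioned above contains and what its `Sig` lines actually sign: a small Python parser that also rebuilds the fingerprint string a Nix signature covers (`1;<store path>;<NarHash>;<NarSize>;<full reference paths>`). A narinfo can carry several `Sig` lines, one per signing key, which is what a client compares against its `trusted-public-keys`. The sample narinfo, its hashes and its signature values are constructed placeholders; ed25519 verification itself is left out, the code only shows what would be verified and by which key names.

```python
"""Parse a Nix .narinfo and rebuild the fingerprint its Sig lines cover."""
STORE_DIR = "/nix/store"
REQUIRED = ("StorePath", "URL", "NarHash", "NarSize")

# Constructed sample .narinfo; hashes and signature values are placeholders.
SAMPLE_NARINFO = """\
StorePath: /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-hello-2.12
URL: nar/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.nar.xz
Compression: xz
FileHash: sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
FileSize: 12345
NarHash: sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccc
NarSize: 67890
References: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-hello-2.12 dddddddddddddddddddddddddddddddd-glibc-2.38
Deriver: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-hello-2.12.drv
Sig: cache.nixos.org-1:PLACEHOLDER_SIGNATURE_1
Sig: example-corp-1:PLACEHOLDER_SIGNATURE_2
"""

def parse_narinfo(text):
    """Return a dict of narinfo fields; 'Sig' collects every signature line."""
    info = {"Sig": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")  # first ':' separates the field name
        if not sep:
            raise ValueError(f"malformed narinfo line: {line!r}")
        if key == "Sig":
            info["Sig"].append(value.strip())  # keep every signature, not just the last
        else:
            info[key] = value.strip()
    missing = [k for k in REQUIRED if k not in info]
    if missing:
        raise ValueError(f"narinfo lacks required fields: {missing}")
    return info

def fingerprint(info):
    """The message a Sig covers: '1;<path>;<NarHash>;<NarSize>;<refs>'.
    References are basenames in the narinfo but full store paths here,
    comma-joined in sorted order (the order of Nix's store-path set)."""
    refs = sorted(f"{STORE_DIR}/{r}" for r in info.get("References", "").split())
    return f"1;{info['StorePath']};{info['NarHash']};{info['NarSize']};{','.join(refs)}"

def signing_keys(info):
    """Key names (the part before ':') of every Sig line, for comparison
    against the client's trusted-public-keys."""
    return [sig.split(":", 1)[0] for sig in info["Sig"]]
```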