I’ve written a simple blog post on how to set up an S3 binary cache.
Many of the guides online are focused on nix-serve & integration with NixOS.
(I can’t believe nix-serve is a Perl CGI script)
I wanted something simpler, non-NixOS specific and using S3 since it’s pretty cheap.
- First 50 TB / Month: $0.023 per GB
- Up to 1 GB / Month: $0.00 per GB
- Next 9.999 TB / Month: $0.09 per GB
Using S3 was surprisingly a pretty straightforward way to achieve a personal binary cache; although distributing the public keys is a bit of a hassle.
Biggest pain points though seem to be:
- Not a simple way to programmatically update the nix.conf file for the new binary caches.
I think there’s an opportunity here to make a simple program to update the values given a CLI.
Looks like cachix edits the file itself in the Haskell code.
- Somewhat scary if you’d like to have multiple contributors to your new binary cache by sharing the single private key.
I would love to start a discussion on maybe using X.509 certificate chains for signing.
I think Nix could then store the public leaf & intermediate certificates alongside the NAR which would allow multiple individuals to have their own signing key for a single root public key (CA).
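
The nix.conf update from the first pain point, sketched as an added example (not code from the post, the blog, or cachix). It adds a cache URL and its signing key idempotently and never drops existing trust entries; the bucket URL and key below are constructed placeholders, and `add_binary_cache` is a hypothetical helper name.

```python
import re

# Only the two settings that define where binaries come from and whom to trust.
SETTING_RE = re.compile(
    r"^\s*((?:extra-)?(?:substituters|trusted-public-keys))\s*=\s*(.*)$")

def _parse(line):
    """Return (name, values, comment) for a cache-related setting, else None."""
    body, sep, comment = line.partition("#")   # nix.conf comments start at '#'
    m = SETTING_RE.match(body)
    if not m:
        return None
    return m.group(1), m.group(2).split(), sep + comment

def add_binary_cache(conf_text, substituter, public_key):
    """Return nix.conf text that includes the cache URL and its public key."""
    pending = {"substituters": substituter, "trusted-public-keys": public_key}
    lines = conf_text.splitlines()
    parsed = [_parse(line) for line in lines]
    # Anything already listed (plain or extra- form) needs no change,
    # so re-running the tool leaves the file byte-for-byte identical.
    for p in parsed:
        if p:
            base = p[0].removeprefix("extra-")
            if pending.get(base) in p[1]:
                del pending[base]
    # Otherwise append to the first existing line for that setting.
    for i, p in enumerate(parsed):
        if p:
            name, values, comment = p
            base = name.removeprefix("extra-")
            if base in pending:
                values.append(pending.pop(base))
                tail = f" {comment}" if comment else ""
                lines[i] = f"{name} = {' '.join(values)}{tail}"
    # Setting absent: use extra- so Nix's built-in defaults
    # (cache.nixos.org and its key) are extended rather than replaced.
    for base, value in pending.items():
        lines.append(f"extra-{base} = {value}")
    return "\n".join(lines) + "\n"

# Constructed sample input and placeholder values, not real infrastructure.
SAMPLE = """\
# constructed sample nix.conf
substituters = https://cache.nixos.org
experimental-features = nix-command flakes
"""
URL = "s3://example-nix-cache?region=us-east-1"
KEY = "example-cache-1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    print(add_binary_cache(SAMPLE, URL, KEY), end="")
```

Writing the result back to `/etc/nix/nix.conf` is left to the caller, since that file is the trust anchor for every substituted store path and should only be changed by a privileged, reviewed step.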