S3 Binary Cache Tutorial

I’ve written a simple blog post on how to set up an S3 binary cache.
Many of the guides online are focused on nix-serve & integration with NixOS.
(I can’t believe nix-serve is a Perl CGI script)

I wanted something simpler, non-NixOS specific and using S3 since it’s pretty cheap.

First 50 TB / Month: $0.023 per GB
Up to 1 GB / Month: $0.00 per GB
Next 9.999 TB / Month: $0.09 per GB


Using S3 was surprisingly a pretty straightforward way to achieve a personal binary cache, although distributing the public keys is a bit of a hassle.

Biggest pain points though seem to be:

  1. There is no simple way to programmatically update the nix.conf file for the new binary caches.

I think there’s an opportunity here to make a simple program to update the values given a CLI.
Looks like cachix edits the file itself in the Haskell code.

  2. Somewhat scary if you’d like to have multiple contributors to your new binary cache by sharing the single private key.

I would love to start a discussion on maybe using X.509 certificate chains for signing.
I think Nix could then store the public leaf & intermediate certificates alongside the NAR which would allow multiple individuals to have their own signing key for a single root public key (CA).
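
An added example, not part of the original post and not Cachix's code: one way to do the programmatic nix.conf update from pain point 1. It appends to `extra-substituters` and `extra-trusted-public-keys` so the defaults stay in place, and refuses to add a key whose name is already trusted with different key material. The function names, the bucket URL and the keys are constructed for illustration.

```python
import base64
import re

# Constructed sample values, not taken from the post.
SAMPLE_URL = "s3://example-nix-cache?region=us-east-1"
SAMPLE_KEY = "example-cache-1:" + base64.b64encode(bytes(range(32))).decode()
SAMPLE_CONF = ("# managed by hand\ntrusted-public-keys = other-cache-1:"
               + base64.b64encode(bytes(32)).decode() + "\n")

def check_key(key):
    """Return the name part of a 'name:base64' Ed25519 public key, or raise ValueError."""
    name, sep, b64 = key.partition(":")
    if not sep or not name or any(c.isspace() for c in key):
        raise ValueError("expected 'name:base64'")
    if len(base64.b64decode(b64, validate=True)) != 32:
        raise ValueError("public key must decode to 32 bytes")
    return name

def add_binary_cache(conf_text, url, public_key):
    """Idempotently add a cache URL and its signing key to nix.conf text."""
    name = check_key(public_key)
    wanted = {"extra-substituters": url, "extra-trusted-public-keys": public_key}
    seen, out = set(), []
    for line in conf_text.splitlines():
        body, hash_, comment = line.partition("#")  # keep trailing comments
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*)$", body)
        if m:
            setting, values = m.group(1), m.group(2).split()
            if setting.endswith("trusted-public-keys"):
                for v in values:
                    # Same name, different key: do not silently add a second trust anchor.
                    if v.partition(":")[0] == name and v != public_key:
                        raise ValueError(f"{name!r} is already trusted with a different key")
            if setting in wanted:
                seen.add(setting)
                if wanted[setting] not in values:
                    values.append(wanted[setting])
                line = f"{setting} = {' '.join(values)}" + (f" #{comment}" if hash_ else "")
        out.append(line)
    out += [f"{s} = {v}" for s, v in wanted.items() if s not in seen]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(add_binary_cache(SAMPLE_CONF, SAMPLE_URL, SAMPLE_KEY), end="")
```
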


I’d just like to note that the majority of costs for most users is in the bandwidth, which is $0.09 per GB :slight_smile:

Also, Cachix will soon be able to decouple the signing key from access, which is important for most teams’ lifecycle.