Self-host cache signature isn't recognized

I’m trying to self-host a nix-cache server.

I have started by generating my keys:

$ nix-store --generate-binary-cache-key nix.example.tld nix-cache.pem nix-cache.pub
$ tail nix*
==> nix-cache.pem <==
nix.example.tld:nOmZC9NbPf0s5Cv2BIjbT4+XWWU/Z9euZby2SRKUbKPdLhYEul9OkZlo5PJz9NHZb+xihi9UG7zt4hSHPMPCcQ==
==> nix-cache.pub <==
nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE=

Then I start the server:

export NIX_SECRET_KEY_FILE=/etc/nix-serve/nix-cache.pem
exec ${nix-serve-ng}/bin/nix-serve --listen 0.0.0.0:4999 --verbose --priority 0

I change one of my flake.nix files:

nixConfig.extra-trusted-substituters = "https://nix.acme.tld";
nixConfig.extra-trusted-public-keys = "nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE=";

I do a build on my nix-cache server, then I try to locate the path I want to copy:

nix-eval-jobs --check-cache-status --flake '.#defaultPackage' | jq -r '.|{drvPath, isCached, outputs}'
warning: unknown setting 'allowed-users'
warning: unknown setting 'trusted-users'
warning: `--gc-roots-dir' not specified
Using saved setting for 'extra-trusted-public-keys = nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE=' from ~/.local/share/nix/trusted-settings.json.
Using saved setting for 'extra-trusted-substituters = https://nix.example.tld' from ~/.local/share/nix/trusted-settings.json.
{
  "drvPath": "/nix/store/97wc...-myproject-1.0.drv",
  "isCached": true,
  "outputs": {
    "out": "/nix/store/gwrg...-myproject-1.0"
  }
}

If I try to verify it, it works:

$ nix verify --store https://nix.example.tld --trusted-public-keys 'nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE=' /nix/store/gwrg...-myproject-1.0
warning: 'verify' is a deprecated alias for 'store verify'

But copying fails:

$ nix copy --from https://nix.example.tld /nix/store/gwrg...-myproject-1.0
error: cannot add path '/nix/store/gwrg...-myproject-1.0' because it lacks a signature by a trusted key

Even if I put it in my /etc/nix/nix.conf. However, specifying it directly works:

$ nix copy --trusted-public-keys 'nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE=' --from https://nix.example.tld /nix/store/gwrg...-myproject-1.0

Am I missing something?
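Added example, not from this thread: a small offline check of the two things the "lacks a signature by a trusted key" error depends on, using the throwaway keys pasted above. It assumes Nix's `<name>:<base64>` key format, that the 64-byte secret key written by nix-store is a libsodium key whose last 32 bytes are the public key, and a constructed narinfo excerpt with a placeholder signature.

```python
import base64

# Key files copied from the question above (the poster states they are throwaway test keys).
SECRET_KEY_FILE = "nix.example.tld:nOmZC9NbPf0s5Cv2BIjbT4+XWWU/Z9euZby2SRKUbKPdLhYEul9OkZlo5PJz9NHZb+xihi9UG7zt4hSHPMPCcQ=="
PUBLIC_KEY_FILE = "nix.example.tld:3S4WBLpfTpGZaOTyc/TR2W/sYoYvVBu87eIUhzzDwnE="

def parse_key(entry):
    """Split Nix's '<name>:<base64>' key format into (name, raw bytes)."""
    name, sep, b64 = entry.strip().partition(":")
    if not sep or not name or not b64:
        raise ValueError(f"expected '<name>:<base64>', got {entry!r}")
    return name, base64.b64decode(b64, validate=True)

def public_key_from_secret(secret_entry):
    """nix-store writes a 64-byte libsodium secret key (seed || public key);
    the public half is its last 32 bytes."""
    name, raw = parse_key(secret_entry)
    if len(raw) != 64:
        raise ValueError(f"secret key '{name}' is {len(raw)} bytes, expected 64")
    return name, raw[32:]

def key_files_match(secret_entry, public_entry):
    """True when the .pub file really belongs to the .pem file (same name, same key)."""
    secret_name, derived_pk = public_key_from_secret(secret_entry)
    public_name, pk = parse_key(public_entry)
    if len(pk) != 32:
        raise ValueError(f"public key '{public_name}' is {len(pk)} bytes, expected 32")
    return secret_name == public_name and derived_pk == pk

def trusted_key_names(trusted_public_keys):
    """trusted-public-keys is a whitespace-separated list of '<name>:<base64>' entries."""
    return {parse_key(e)[0] for e in trusted_public_keys.split()}

def check_narinfo_signatures(narinfo_text, trusted_public_keys):
    """Return (trusted, untrusted) signer names from a narinfo's 'Sig:' lines.
    nix copy refuses a path unless at least one signer name is in the trusted set."""
    trusted = trusted_key_names(trusted_public_keys)
    signers = set()
    for line in narinfo_text.splitlines():
        if line.startswith("Sig: "):
            signers.add(parse_key(line[len("Sig: "):])[0])
    return signers & trusted, signers - trusted

# Constructed narinfo excerpt; the signature bytes are a placeholder, not a real signature.
FAKE_SIG = base64.b64encode(bytes(64)).decode()
NARINFO = f"StorePath: /nix/store/gwrg...-myproject-1.0\nSig: nix.example.tld:{FAKE_SIG}\n"

if __name__ == "__main__":
    print("key files consistent:", key_files_match(SECRET_KEY_FILE, PUBLIC_KEY_FILE))
    print("signers (trusted, untrusted):", check_narinfo_signatures(NARINFO, PUBLIC_KEY_FILE))
```

Running it against a real cache means fetching `<hash>.narinfo` from the substituter and feeding its text to `check_narinfo_signatures` together with the `trusted-public-keys` value the client actually resolved.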

That’s your private key, hope you are aware.

Is your user trusted? Otherwise you can’t set trusted-public-keys from the CLI. Have you tried adding the key to /etc/nixos/nix.conf?

Yes, but these are not my actual (production) keys (nor my domain name).

I tried to put them in my /etc/nix/nix.conf, but it had no effect.