Using personal hydra as personal binary cache

NobbZ · March 25, 2021, 12:45pm

Okay, I have set up a hydra server locally yesterday, just to play around with it a bit, and now I want to use its artifacts from my other machines.

What is the best way to do so?

nixinator · March 29, 2021, 8:24pm

actually.,… hydra itself does seems to able to serve build artifacts , i wont call them binaries, because it overloaded word… but it shorter than saying ‘the files and directories are generated as a result of a succesful nix-build’

if your hydra is listening on port 3000…

curl http://127.0.0.1:3000/an7zwa5h3kw1i5kqzd9hc24i4avwfw73.narinfo

StorePath: /nix/store/an7zwa5h3kw1i5kqzd9hc24i4avwfw73-dwarffs-0.1.20210121.f691e2c
URL: nar/an7zwa5h3kw1i5kqzd9hc24i4avwfw73-dwarffs-0.1.20210121.f691e2c
Compression: xz
NarHash: sha256:16ly41r2hhwgwrj4bvhldkmar6hxippcyjldqrd19cyhppc7glcm
NarSize: 458304
References: 5cx1sggg1kin3g8s5l5vl6y2j13gmnqf-nix-2.4pre20210111_6254b1f aj447mx56psmym8lyhw0gm47zka7hxlr-fuse-2.9.9 mj4hk2z68aqcxpl8nr0an5gspbz69gvv-glibc-2.31 p1k3q8nyqr3vjzh8lcn2w58l55zd494m-gcc-9.3.0-lib sxi1jrk3n0d839wcqnij5s7qvwpmigch-nlohmann_json-3.7.3
Deriver: j7xii126ki9lwxz5vsqavw7bi43m8wnk-dwarffs-0.1.20210121.f691e2c.drv
System: aarch64-linux

so i presume that hydra can actually serve .nar file to other machines, however they won’t be cryptographically signed.

The ‘correct’ way , AFAICS is the setup with services.nix-serve

https://nixos.wiki/wiki/Binary_Cache

services.nix-serve = {
  enable = true;
  secretKeyFile = "/var/cache-priv-key.pem";
};

curl http://127.0.0.1:5000/an7zwa5h3kw1i5kqzd9hc24i4avwfw73.narinfo


StorePath: /nix/store/an7zwa5h3kw1i5kqzd9hc24i4avwfw73-dwarffs-0.1.20210121.f691e2c
URL: nar/an7zwa5h3kw1i5kqzd9hc24i4avwfw73.nar
Compression: none
NarHash: sha256:16ly41r2hhwgwrj4bvhldkmar6hxippcyjldqrd19cyhppc7glcm
NarSize: 458304
References: 5cx1sggg1kin3g8s5l5vl6y2j13gmnqf-nix-2.4pre20210111_6254b1f aj447mx56psmym8lyhw0gm47zka7hxlr-fuse-2.9.9 mj4hk2z68aqcxpl8nr0an5gspbz69gvv-glibc-2.31 p1k3q8nyqr3vjzh8lcn2w58l55zd494m-gcc-9.3.0-lib sxi1jrk3n0d839wcqnij5s7qvwpmigch-nlohmann_json-3.7.3
Deriver: j7xii126ki9lwxz5vsqavw7bi43m8wnk-dwarffs-0.1.20210121.f691e2c.drv
Sig: nixos.crypto :yVGjsNgMs1PcjVMEKOtndmGQlvH8AvwtSSid6s+ZE2h66zDvNU87tOMHVZcvWF5ajdhD03mP6np0eJfjG7SAAQ==

you can clearly see the Sig is also being provided to the caller…

This doesn’t cover putting the service infront of reverse proxy, but thats another matter.

I don’t think there anything special about serving a ‘artifacts cache’ apart from the keys, as hydra just populates the /nix/store like a normal ‘nix-build’ would populate. Thats is pretty cool.

NobbZ · March 29, 2021, 8:27pm

Hmmm… I was under the impression that hydra was already signing the pathes, though if it indeed doesn’t do so, then I can indeed just follow the instructions for the binary cache on the wiki.

Thank you for your information!

nixinator · March 29, 2021, 8:28pm

there might be an option for hydra , that it can also signs things, like skynet, I’m learning at a geometric rate.

Your way of collecting garbage, is a lot less destructive than mine… clobber!