
docs: add section on cachix to dev-env docs #4588

Merged
merged 1 commit into from
Mar 18, 2024

Conversation

emilioziniades (Contributor)

Ran into this footgun trying to get a dev environment set up. Since it's in the bootstrap script it makes sense to include it here as well. Closes #2149.

@emilioziniades emilioziniades requested a review from a team as a code owner March 16, 2024 23:21
docs/dev-env.md (outdated review context):
and [trusted public keys](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-public-keys)
for more information.

Now you can run `nix develop` and benefit from the binary cache.
Contributor

`nix develop` should ask on first start if you want to trust our cachix repo as well.

Contributor Author

Yeah agree. Not sure if that's possible.

Did a little digging, and it's possible to "extend" nix.conf on a flake-by-flake basis using the nixConfig output.

I see this already exists:

fedimint/flake.nix, lines 377 to 380 in 85f4e49:

```nix
nixConfig = {
  extra-substituters = [ "https://fedimint.cachix.org" ];
  extra-trusted-public-keys = [ "fedimint.cachix.org-1:FpJJjy1iPVlvyv4OMiN5y9+/arFLPcnZhZVVCHCDYTs=" ];
};
```

BUT, the catch is that this only has an effect when the user sets the accept-flake-config global setting.

So, maybe the solution is to encourage the user to turn on "accept-flake-config" in the docs.

Contributor

> Yeah agree. Not sure if that's possible.

@emilioziniades I mean - that's already happening, or is at least supposed to.

`nixConfig = {` is responsible for it, and it always worked for me (thought I already answered it and saved my choice so I don't see it anymore).

Contributor

> BUT, the catch is that this only has an effect when the user sets the accept-flake-config global setting.

Nope. I don't have that set, and would not enable it globally. I personally don't want to trust any binary caches on my personal devices. I still get the prompt asking.

Contributor Author

> Nope. I don't have that set, and would not enable it globally. I personally don't want to trust any binary caches on my personal devices. I still get the prompt asking.

Makes complete sense.

> @emilioziniades I mean - that's already happening, or is at least supposed to.

Ah apologies, I misunderstood you.

When I run `nix develop` for the first time, I get this warning:

```
warning: ignoring untrusted substituter 'https://fedimint.cachix.org', you are not a trusted user.
```

And then it proceeds to build everything from source.

This is what my nix.conf (using nix-darwin) looks like:

```
# WARNING: this file is generated from the nix.* options in
# your nix-darwin configuration. Do not edit it!
allowed-users = *
auto-optimise-store = false
build-users-group = nixbld
builders = 
cores = 0
experimental-features = nix-command flakes
extra-sandbox-paths = 
max-jobs = auto
require-sigs = true
sandbox = false
sandbox-fallback = false
trusted-substituters = 
trusted-users = root
substituters = https://cache.nixos.org https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
```

But when I add my user to `trusted-users`, then it uses cachix without any issues.

Have you added your user to trusted-users?

And, do you know if there are any security implications to doing so?

dpc (Contributor), Mar 18, 2024

> you are not a trusted user.

OOooooooh. I see. Nix build daemon will only trust users in trusted-users with substituting binary caches. That's why it won't even display the prompt for users that don't have their unix user added there.

I didn't think of that.

Yeah, you probably want to add your own user to it, if that's your own machine and you trust yourself enough. :)
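To make the rule from this exchange concrete, here is an added Python model written for this page; it is not code from the Fedimint project, from cachix, or from Nix. It covers both the `nixConfig` / `accept-flake-config` question raised earlier in the thread and the `trusted-users` rule stated in this comment: a client whose unix user is not in `trusted-users` can only select substituters that the daemon's own nix.conf already lists under `substituters` or `trusted-substituters`, and everything else is dropped with exactly the warning quoted above. The trailing-slash matching, the handling of `trusted-public-keys` as a restricted setting, and the description of what `cachix use` writes for an untrusted user are my reading of the daemon's behaviour and of what is reported in this thread, stated as assumptions; the user name `emilio` is a placeholder.

```python
# Added example for this PR thread (not Fedimint, cachix or Nix code): a model of how
# the Nix daemon filters the substituters a client asks for. Assumptions: a URL without a
# trailing slash also matches its slash-terminated form, and `trusted-public-keys` is a
# restricted setting an untrusted client cannot extend.
from __future__ import annotations

# The nix-darwin-generated nix.conf posted in the thread, trimmed to the relevant settings.
SYSTEM_NIX_CONF = """\
experimental-features = nix-command flakes
require-sigs = true
trusted-substituters =
trusted-users = root
substituters = https://cache.nixos.org https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
"""

# The `nixConfig` flake output quoted from fedimint/flake.nix.
FLAKE_NIX_CONFIG = {
    "extra-substituters": ["https://fedimint.cachix.org"],
    "extra-trusted-public-keys": ["fedimint.cachix.org-1:FpJJjy1iPVlvyv4OMiN5y9+/arFLPcnZhZVVCHCDYTs="],
}

IGNORED_SUBSTITUTER = "warning: ignoring untrusted substituter '{}', you are not a trusted user."
IGNORED_SETTING = ("warning: ignoring the client-specified setting '{}', "
                   "because it is a restricted setting and you are not a trusted user")


def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Parse `key = v1 v2 ...` lines into lists of values; comments and blank lines are skipped."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.split()
    return conf


def render_nix_conf(conf: dict[str, list[str]]) -> str:
    return "".join(f"{key} = {' '.join(values)}\n" for key, values in conf.items())


def is_trusted_user(conf: dict[str, list[str]], user: str) -> bool:
    """`trusted-users` holds user names (or `*`); the default is just root."""
    allowed = set(conf.get("trusted-users", ["root"]))
    return user in allowed or "*" in allowed


def daemon_view(conf: dict[str, list[str]], user: str, flake_cfg: dict[str, list[str]]) -> dict:
    """Settings the daemon ends up using when `user` runs `nix develop` on a flake with `flake_cfg`.

    The client merges the flake's extra-* values into its own settings and sends the result to
    the daemon, which then decides what to honour.
    """
    requested = conf.get("substituters", []) + flake_cfg.get("extra-substituters", [])
    requested_keys = conf.get("trusted-public-keys", []) + flake_cfg.get("extra-trusted-public-keys", [])
    if is_trusted_user(conf, user):
        return {"substituters": requested, "trusted-public-keys": requested_keys, "warnings": []}

    warnings: list[str] = []
    # Untrusted client: only caches the daemon already approves survive (this is why the
    # posted nix.conf lists cache.nixos.org both with and without a trailing slash).
    approved = set(conf.get("substituters", [])) | set(conf.get("trusted-substituters", []))
    substituters: list[str] = []
    for url in requested:
        if url in approved:
            substituters.append(url)
        elif not url.endswith("/") and url + "/" in approved:
            substituters.append(url + "/")
        else:
            warnings.append(IGNORED_SUBSTITUTER.format(url))

    # The daemon keeps its own key list; with require-sigs = true a path signed only by an
    # unknown key is still refused even if its cache was accepted.
    keys = conf.get("trusted-public-keys", [])
    if any(k not in keys for k in flake_cfg.get("extra-trusted-public-keys", [])):
        warnings.append(IGNORED_SETTING.format("trusted-public-keys"))
    return {"substituters": substituters, "trusted-public-keys": keys, "warnings": warnings}


def add_trusted_user(conf_text: str, user: str) -> str:
    """Fix 1 from the thread: put the developer's unix user in `trusted-users`."""
    conf = parse_nix_conf(conf_text)
    users = conf.setdefault("trusted-users", ["root"])
    if user not in users:
        users.append(user)
    return render_nix_conf(conf)


def cachix_use_as_untrusted(conf_text: str, url: str, key: str) -> str:
    """Fix 2 as observed in the thread: `cachix use` run by an untrusted user adds the cache to
    `trusted-substituters` and its key to `trusted-public-keys` in the system nix.conf.
    (Modelled on the reported effect, not on cachix's implementation.)"""
    conf = parse_nix_conf(conf_text)
    for setting, value in (("trusted-substituters", url), ("trusted-public-keys", key)):
        values = conf.setdefault(setting, [])
        if value not in values:
            values.append(value)
    return render_nix_conf(conf)


if __name__ == "__main__":
    [url], [key] = FLAKE_NIX_CONFIG["extra-substituters"], FLAKE_NIX_CONFIG["extra-trusted-public-keys"]
    print(daemon_view(parse_nix_conf(SYSTEM_NIX_CONF), "emilio", FLAKE_NIX_CONFIG)["warnings"])
    print(daemon_view(parse_nix_conf(add_trusted_user(SYSTEM_NIX_CONF, "emilio")), "emilio", FLAKE_NIX_CONFIG))
    print(daemon_view(parse_nix_conf(cachix_use_as_untrusted(SYSTEM_NIX_CONF, url, key)), "emilio", FLAKE_NIX_CONFIG))
```

Run as a script, the first line printed is the warning from the thread plus the restricted-setting warning for the key; the two fixes (adding the user to `trusted-users`, or letting the system nix.conf pre-approve the cache and its key) both yield an empty warning list, which is the practical difference between trusting one specific cache system-wide and trusting the user to add any cache.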

Contributor

So yeah, I guess it's worth documenting that the user needs to be in a trusted-users config for binary caching to work.

Contributor Author

> So yeah, I guess it's worth documenting that the user needs to be in a trusted-users config for binary caching to work.

Ok cool, I've modified the docs change to reflect what we've discussed here - would you mind taking another look?

docs/dev-env.md (review context):

to your nix configuration.

```
nix develop .#bootstrap -c cachix use fedimint
```
Contributor

I don't think this actually adds the user to `trusted-users`... I don't see it anywhere in the code.

elsirion (Contributor), Mar 18, 2024

That's not what the comment claims, the command edits ~/.config/nix/nix.conf and adds the binary substituter there.

EDIT: idk why that works for untrusted users 🤷‍♂️

Contributor

Does it though?

Contributor Author

To clarify, the section is saying "there are two ways to use the binary cache: either add yourself to trusted-users, or run this command (which happens to modify nix.conf in a different way)"

> Does it though?

Yes. Before adding my user to `trusted-users`, I ran `cachix use fedimint` and my `/etc/nix/nix.conf` was updated. It added https://fedimint.cachix.org to `trusted-substituters` and added the public key to `trusted-public-keys`.

Looks like the fallback is /etc/nix/nix.conf for untrusted users: https://docs.cachix.org/faq#what-happens-when-i-run-cachix-use-both-immediately-and-any-stateful-effects-for-the-future.

Doesn't make much sense to me. I haven't had to use a non-nixpkgs binary cache before, so this is all new to me.

Contributor

> Does it though?

For me it did, I removed cachix from the file and ran `watch cat ~/.config/nix/nix.conf` and saw it happen ^^

@dpc dpc added this pull request to the merge queue Mar 18, 2024
Merged via the queue into fedimint:master with commit da00230 Mar 18, 2024
20 checks passed
Successfully merging this pull request may close these issues.

Docs explain what trusting fedimint's cachix during initial dev shell setup means
3 participants