docs: add section on cachix to dev-env docs #4588
Conversation
docs/dev-env.md (Outdated)
and [trusted public keys](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-trusted-public-keys)
for more information.

Now you can run `nix develop` and benefit from the binary cache.

nix develop should ask on first start if you want to trust our cachix repo as well.

Yeah agree. Not sure if that's possible.
Did a little digging, and it's possible to "extend" nix.conf on a flake-by-flake basis using the nixConfig output.
I see this already exists:
Lines 377 to 380 in 85f4e49
nixConfig = {
  extra-substituters = [ "https://fedimint.cachix.org" ];
  extra-trusted-public-keys = [ "fedimint.cachix.org-1:FpJJjy1iPVlvyv4OMiN5y9+/arFLPcnZhZVVCHCDYTs=" ];
};
BUT, the catch is that this only has an effect when the user sets the accept-flake-config global setting.
So, maybe the solution is to encourage the user to turn on "accept-flake-config" in the docs.

Yeah agree. Not sure if that's possible.
@emilioziniades I mean - that's already happening, or is at least supposed to.
Line 377 in 8d88f30
nixConfig = {
is responsible for it, and it always worked for me (though I already answered it and saved my choice so I don't see it anymore).

BUT, the catch is that this only has an effect when the user sets the accept-flake-config global setting.
Nope. I don't have that set, and would not enable it globally. I personally don't want to trust any binary caches on my personal devices. I still get the prompt asking.

Nope. I don't have that set, and would not enable it globally. I personally don't want to trust any binary caches on my personal devices. I still get the prompt asking.
Makes complete sense.
@emilioziniades I mean - that's already happening, or is at least supposed to.
Ah apologies, I misunderstood you.
When I run nix develop for the first time, I get this warning
warning: ignoring untrusted substituter 'https://fedimint.cachix.org', you are not a trusted user.
And then it proceeds to build everything from source.
This is what my nix.conf (using nix-darwin) looks like:
# WARNING: this file is generated from the nix.* options in
# your nix-darwin configuration. Do not edit it!
allowed-users = *
auto-optimise-store = false
build-users-group = nixbld
builders =
cores = 0
experimental-features = nix-command flakes
extra-sandbox-paths =
max-jobs = auto
require-sigs = true
sandbox = false
sandbox-fallback = false
trusted-substituters =
trusted-users = root
substituters = https://cache.nixos.org https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
But when I add my user to trusted-users, then it uses cachix without any issues.
Have you added your user to trusted-users?
And, do you know if there are any security implications to doing so?

you are not a trusted user.
OOooooooh. I see. Nix build daemon will only trust users in trusted-users with substituting binary caches. That's why it won't even display the prompt for users that don't have their unix user added there.
I didn't think of that.
Yeah, you probably want to add your own user to it, if that's your own machine and you trust yourself enough. :)

So yeah, I guess it's worth documenting that the user needs to be in a trusted-users config for binary caching to work.

So yeah, I guess it's worth documenting that the user needs to be in a trusted-users config for binary caching to work.
Ok cool, I've modified the docs change to reflect what we've discussed here - would you mind taking another look?
a403494 to 91557cf
91557cf to 90a4c35
to your nix configuration.

```
nix develop .#bootstrap -c cachix use fedimint
```

I don't think this actually adds user to trusted-users... I don't see it anywhere in the code.

That's not what the comment claims, the command edits ~/.config/nix/nix.conf and adds the binary substituter there.
EDIT: idk why that works for untrusted users 🤷♂️

Does it though?

To clarify, the section is saying "there are two ways to use the binary cache: either add yourself to trusted-users, or run this command (which happens to modify nix.conf in a different way)"
Does it though?
Yes. Before adding my user to trusted-users, I ran cachix use fedimint and my /etc/nix/nix.conf was updated. It added https://fedimint.cachix.org to trusted-substituters and added the public key to trusted-public-keys
Looks like the fallback is /etc/nix/nix.conf for untrusted users: https://docs.cachix.org/faq#what-happens-when-i-run-cachix-use-both-immediately-and-any-stateful-effects-for-the-future.
Doesn't make much sense to me - I haven't had to use a non-nixpkgs binary cache before so this is all new to me.
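The two fixes discussed in this thread (adding your unix user to trusted-users, or letting cachix use write the cache into trusted-substituters and trusted-public-keys of the daemon's nix.conf) both change which caches the daemon will accept for a non-root developer. The following added example, which is not part of the PR or of the fedimint project, models that daemon-side decision as a small checker: it parses a copy of the nix-darwin nix.conf posted above (constructed sample), asks whether a given user would get paths from the fedimint cache, and shows the verdict before and after each fix. The rules it encodes are a deliberate simplification of the real daemon (an assumption), the function names are hypothetical, and the cache URL and public key are the ones from the flake's nixConfig quoted earlier in the thread.

```python
"""Decide which binary caches a user can actually use under a given nix.conf.

Simplified model of the daemon-side rules discussed in the thread (assumption:
the real daemon applies more rules than these):
  * users in `trusted-users` (or everyone, if it contains `*`) may add any
    substituter and key, e.g. the ones a flake offers via `nixConfig`;
  * other users may only use substituters already in `substituters` or
    `trusted-substituters`, and only keys already in `trusted-public-keys`;
    a flake's extra-* settings are silently ignored for them;
  * with `require-sigs = true` a cache whose key is untrusted is useless even
    if the substituter itself is allowed.
"""
from dataclasses import dataclass

# Constructed sample: a copy of the nix-darwin generated file posted above.
SAMPLE_NIX_CONF = """\
# WARNING: this file is generated from the nix.* options in
# your nix-darwin configuration. Do not edit it!
allowed-users = *
auto-optimise-store = false
build-users-group = nixbld
builders =
cores = 0
experimental-features = nix-command flakes
extra-sandbox-paths =
max-jobs = auto
require-sigs = true
sandbox = false
sandbox-fallback = false
trusted-substituters =
trusted-users = root
substituters = https://cache.nixos.org https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
"""

# The cache and key the fedimint flake offers through its nixConfig output.
FEDIMINT_CACHE = "https://fedimint.cachix.org"
FEDIMINT_KEY = "fedimint.cachix.org-1:FpJJjy1iPVlvyv4OMiN5y9+/arFLPcnZhZVVCHCDYTs="
FEDIMINT_FLAKE_NIXCONFIG = {
    "extra-substituters": [FEDIMINT_CACHE],
    "extra-trusted-public-keys": [FEDIMINT_KEY],
}


def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Parse `key = value value ...` lines; comments and blank lines are skipped."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.split()  # "builders =" -> []
    return settings


def _norm(url: str) -> str:
    # "https://cache.nixos.org" and "https://cache.nixos.org/" are the same cache.
    return url.rstrip("/")


def is_trusted_user(conf: dict[str, list[str]], user: str) -> bool:
    trusted = conf.get("trusted-users", [])
    return "*" in trusted or user in trusted


@dataclass
class Verdict:
    usable: bool
    reason: str


def substituter_verdict(conf, user, url, signing_key, flake_nixconfig=None) -> Verdict:
    """Would `user` get paths from `url` (signed with `signing_key`) under `conf`?"""
    flake = flake_nixconfig or {}
    subs = {_norm(s) for s in conf.get("substituters", []) + conf.get("trusted-substituters", [])}
    keys = set(conf.get("trusted-public-keys", []))
    if is_trusted_user(conf, user):
        # A trusted user may accept the flake's extra-* settings at the prompt.
        subs |= {_norm(s) for s in flake.get("extra-substituters", [])}
        keys |= set(flake.get("extra-trusted-public-keys", []))
    if _norm(url) not in subs:
        return Verdict(False, f"ignoring untrusted substituter '{url}', you are not a trusted user.")
    if conf.get("require-sigs", ["true"]) != ["false"] and signing_key not in keys:
        return Verdict(False, f"substituter '{url}' allowed, but its key is not in trusted-public-keys")
    return Verdict(True, f"substituter '{url}' usable, signatures checked against trusted-public-keys")


def apply_cachix_use(conf, url, signing_key):
    """Model of what the thread reports `cachix use` doing for an untrusted user
    (assumption based on the cachix FAQ linked above): append the cache to
    trusted-substituters and its key to trusted-public-keys in the daemon's file."""
    new = {k: list(v) for k, v in conf.items()}
    new.setdefault("trusted-substituters", []).append(url)
    new.setdefault("trusted-public-keys", []).append(signing_key)
    return new


def add_trusted_user(conf, user):
    """The other fix discussed: put the developer's own unix user in trusted-users."""
    new = {k: list(v) for k, v in conf.items()}
    new.setdefault("trusted-users", []).append(user)
    return new


if __name__ == "__main__":
    conf = parse_nix_conf(SAMPLE_NIX_CONF)
    for label, c in [("as posted", conf),
                     ("after cachix use", apply_cachix_use(conf, FEDIMINT_CACHE, FEDIMINT_KEY)),
                     ("after trusted-users", add_trusted_user(conf, "dev"))]:
        v = substituter_verdict(c, "dev", FEDIMINT_CACHE, FEDIMINT_KEY, FEDIMINT_FLAKE_NIXCONFIG)
        print(f"{label:20} usable={v.usable}  {v.reason}")
```

Note the asymmetry the checker makes visible: adding a user to trusted-users lets that user accept any substituter and key a flake offers, so it is a trust decision about every flake the user will ever evaluate, whereas the cachix use route only widens the daemon's own trusted-substituters and trusted-public-keys by one named cache and one key.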

Does it though?
For me it did, I removed cachix from the file and ran watch cat ~/.config/nix/nix.conf and saw it happen ^^
Ran into this footgun trying to get a dev environment set up. Since it's in the bootstrap script it makes sense to include it here as well. Closes #2149.