cachix / cachix Goto Github PK

Command line client for Nix binary cache hosting:

Haskell 98.39% Nix 1.53% Shell 0.08%

dhall haskell nix nixos servant

cachix's Introduction

Cachix - Nix binary cache hosting: Never build software twice.

$ cachix --help
https://cachix.org command line interface

Usage: cachix [--hostname URI] [-c|--config CONFIGPATH] [-v|--verbose]
              (-V|--version)

  To get started log in to https://app.cachix.org

Available options:
  -h,--help                Show this help text
  --hostname URI           Host to connect to (default: https://cachix.org)
  -c,--config CONFIGPATH   Cachix configuration file
                           (default: "/home/domen/.config/cachix/cachix.dhall")
  -v,--verbose             Verbose mode
  -V,--version             Show cachix version

Available commands:
  authtoken                Configure an authentication token for Cachix
  config                   Manage configuration settings for cachix
  daemon                   Run a daemon that listens to push requests over a
                           unix socket
  generate-keypair         Generate a signing key pair for a binary cache
  push                     Upload Nix store paths to a binary cache
  import                   Import the contents of a binary cache from an
                           S3-compatible object storage service into Cachix,
                           e.g. s3://localhost:9000/mybucket
  pin                      Pin a store path to prevent it from being garbage
                           collected
  watch-exec               Run a command while watching /nix/store for newly
                           added store paths and upload them to a binary cache
  watch-store              Watch /nix/store for newly added store paths and
                           upload them to a binary cache
  use                      Configure a binary cache in nix.conf
  remove                   Remove a binary cache from nix.conf
  deploy                   Manage remote Nix-based systems with Cachix Deploy

Installation

Install the Cachix client using Nix:

nix-env -iA cachix -f https://cachix.org/api/v1/install

Also available as pkgs.cachix in nixpkgs.

Development

Install Cachix from master:

nix-env -if https://github.com/cachix/cachix/tarball/master --substituters 'https://cache.nixos.org https://cachix.cachix.org' --trusted-public-keys 'cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY='

Or with Nix 2.4+:

nix profile install github:cachix/cachix/latest --accept-flake-config

Support

Changelog

Cachix changelog for the command
API changelog (Haskell)

cachix's People

Contributors

Stargazers

Watchers

Forkers

zimbatm asymmetric nh2 rbarraud garbas chessai petersjt014 mmahut k0001 srid hercules-ci sedlund sorki laobiz indocomsoft lazamar matthewbauer kiwi glottologist 3noch roitangene remexre jtojnar xc-jp kira-bruneau yihuang yssource centromere sandydoo hazelweakly rycee serokell sakulk pinkdiamond1 gonixway k900 eswar2001 fracek yabosa mbrukman drunkod helenakew jamedbrandt vipassanacoder

cachix's Issues

Authenticated caches

Just an idea for the future. It'd be nice if caches could be configured to be private, so that it requires authentication to access. I suppose you could argue that merely having the hash of the build is authentication enough, but I'm not 100% sure on that. At the very least, cachix itself serves as an extra attack vector, since presumably admins can see all builds everywhere.

No --version flag

% cachix --version
Invalid option `--version'

would be handy to file issues.

Typo in cachix.org homepage

…it will built identically…

Is the code for the website publicly available, by the way?

Send custom user agent with cachix version

Once cachix is released, start sending version number with http requests to see distribution of versions in the wild.

setRequestHeader "User-Agent" ["cachix 1.0"]

Retry transient HTTP errors

Looks like some transient error--perhaps if this is common/expected cachix can automatically handle retrying internally? Dunno.

FatalError {fatalErrorMessage = "FailureResponse (Response {responseStatusCode = Status {statusCode = 500, statusMessage = \"Internal Server Error\"}, responseHeaders = fromList [(\"Server\",\"nginx\"),(\"Date\",\"Tue, 26 Jun 2018 19:45:20 GMT\"),(\"Content-Type\",\"text/plain; charset=utf-8\"),(\"Transfer-Encoding\",\"chunked\"),(\"Connection\",\"keep-alive\")], responseHttpVersion = HTTP/1.1, responseBody = \"Something went wrong\"})"}

store path of cachix used, FWIW: /nix/store/f1h61j4b01ya3rqpqrmh2z6m4haf0rak-cachix-0.1.0.0/bin/cachix (which is valiid path on https://cachix.cachix.org)

Interrupt sometimes causes segmentation fault

When I stop cachix push with ctrl+C, somewhere around half the time it terminates with a segmentation fault.

chris@cubby ~ ❯❯❯ echo /nix/var/nix/profiles/system | cachix push chris-martin
pushing /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1
pushing /nix/store/bm7pb1s7rx1ad80706b5xqrznq7fgpgx-gcc-7.3.0
pushing /nix/store/3v8p0pvcplr3bfvrnh4fyqrqk2ddyl6f-ghc-8.2.2
pushing /nix/store/pxy47wnmlfr4hjcvldv7ggk34skpgaw6-libxml2-2.9.7
^C
user interrupt
fish: Process 30323, “cachix” “echo /nix/var/nix/profiles/syst…” terminated by signal SIGSEGV (Address boundary error)

I haven't seen any consequences of this so far, but reporting just in case, since it seems indicative of a problem.

Cachix doesn't finish upload

I run the following command:

nix-build -A pureMD5 | cachix push alexeyraga

have the following log:

pushing /nix/store/12yshvbpz9hjn7khzzf0ar67kaw6g7f7-Libsystem-osx-10.11.6
pushing /nix/store/l7blcd7ks0mkmai1f33zc5fxwabhjsrs-ncurses-6.1
pushing /nix/store/qm51pj3fsvvb34kl7s9p4vvis92vq3ml-libffi-3.2.1
pushing /nix/store/553hwxk54h8z87m4xgga4n8dznd6n8vp-zlib-1.2.11
pushing /nix/store/zl3vsrqfwx4xvxagdrdqav73yl53cxps-libc++-5.0.1
pushing /nix/store/dgmvv6in4xd1w82lcm0s1zfw5jfja13c-libc++abi-5.0.1
pushing /nix/store/4az8fqi87afk9b910gan6z171k6lwqfa-binutils-2.30
pushing /nix/store/19r7vlnvq647094vlhg5wmdf9jak74s5-llvm-5.0.1-lib
pushing /nix/store/l19niir50lz2x13n3fjywzldglr46yyi-ICU-osx-10.10.5
pushing /nix/store/55qbcpgpnl8b0skn4lbcmdz9s751bl65-CF-osx-10.10.5
pushing /nix/store/6xismd1mcjqnsj873wmx1fr0p62v13f2-libiconv-osx-10.11.6
pushing /nix/store/d76595pnzkrzw4mk5q0pib3srva5w5l4-gmp-6.1.2
pushing /nix/store/5lkrw9dnsgy62qm1ampvww1c5n1pdm4b-coreutils-8.29
pushing /nix/store/i40csys22i701i73bn9mwy9c18wkvsff-libiconv-osx-10.11.6
pushing /nix/store/r24xdkvwi3mx4lyaxzi1r1cdadifndim-pcre-8.41
pushing /nix/store/r8bx3qf1bpncb14i9gzma4vr089pc3pv-bash-4.4-p19
pushing /nix/store/c3sa761qjcaa5rg0s8h8qxj0mghkidv5-gnugrep-3.1
pushing /nix/store/c54gynas6rdl26d1v0nrfq0qcdhsl2p4-clang-5.0.1-lib
pushing /nix/store/vxz1cnizcw6q3fkw409bbhhbd8lb3ifp-cctools-port-895
pushing /nix/store/kdff2gim6417493yha769kh00n63lnrw-cctools-binutils-darwin
pushing /nix/store/m1vi2bcx01pri6rfkbm6kl96s5r6ai8b-expand-response-params
pushing /nix/store/jxmp27m26646f67faji9v94d5471ma8y-cctools-binutils-darwin-wrapper
pushing /nix/store/7ii7dyiqh3lv2y9jgvmkikrggg6l12di-ncurses-6.1-man
pushing /nix/store/926k3c6zc5i7xv6f2fk15p408cs5hqld-ncurses-6.1-dev
pushing /nix/store/byjz3zsj2397x4bllp4axqcnc517jdl7-zlib-1.2.11-dev
pushing /nix/store/c0halv3c1zxax8dj7zwsyg0jlwicp64z-llvm-5.0.1
pushing /nix/store/p85m242dg1zd85ln3cg0agx0q1n0n6h0-clang-5.0.1
pushing /nix/store/8b0gj3bmcy5bh1zcnhn0146199b3m5kb-clang-wrapper-5.0.1
pushing /nix/store/lizm7q36j5sf5524bw9gsykflv9i2l7z-perl-5.24.3
pushing /nix/store/mfianj09v9mibv0iflhkjbizm2fnl8j1-gmp-6.1.2-dev
pushing /nix/store/x9kcsxrzpri3c3chns5qz17lagi3yysz-ghc-8.2.2-doc
pushing /nix/store/g8i6m5d8h7sv52gxfn1rzws3q6zx26ja-ghc-8.2.2
pushing /nix/store/mi4xx2888xh33hswv1y0c6cf4inaq01m-Cabal-2.0.1.1
pushing /nix/store/58b5p9akvdr6ivrrfddxbknsvqm2jzb2-entropy-0.3.8
pushing /nix/store/gwld25c9lqy8zjiyikis6i111pw5l96m-cereal-0.5.5.0
pushing /nix/store/ygric0ifkg6j0wdindvwdcjdz6kbmcx3-transformers-compat-0.5.1.4
pushing /nix/store/k35j5wfrviyb9dgzr9szn5lzsfx0dzim-tagged-0.8.5
pushing /nix/store/czm96fsm1bkgzgh7q7pb52gbfpj8d7pb-crypto-api-0.13.3
pushing /nix/store/8p2jjnym3jx9vjgr02zmpa1qmhj2rsq0-pureMD5-2.1.3

As we can see, the last one is pureMD5 package, the one that I requested. It is a very small package, but cachix doesn't finish uploading and sits with this log for a very long time (maybe 20 minutes, maybe more) now.

Expected result: Exit with success or exit with error.

cachix push --watch-store

Use inotify to watch /nix/store and sync new paths as they come into cachix.org

File containing secret key is world-readable

Cachix creates ~/.config/cachix/cachix.dhall with permissions 644 - I think that ought to be locked down more so that the secret key isn't world-readable.

Also maybe cachix authtoken should prompt for the secret key instead of accepting it as a command-line argument? I imagine most users aren't going to think to disable their shell history when following the getting-started instructions.

Multiple signature support (Signatures removed on push)

Signatures placed on builds are removed when pushed.

It is possible to keep those signatures on the cache and get them back when pulling them back?

related: #28
possibly related: NixOS/nix#2127 (are signatures even transferred?)

edit: grammar

Can't logout from cachix.org

I logged in to cachix.org using GitHub but it doesn't look like the UI allows one to log out.

Documentation (+API)

Although current HTTP API is served at https://cachix.org/api/v1/ - it's not finalized. In following months I'd like to gather feedback and document in-depth how cachix works and how to integrate it into different services (Hydra, other CIs, etc).

remove c prefix in NarInfoCreate types
tests all ToJSON/FromJSON outputs
use tags http://hackage.haskell.org/package/servant-swagger-1.1.5/docs/Servant-Swagger.html#g:3

Pushing an updated package to the cache fails.

In pushing a rebuilt/update package to cachix, I receive the following error:

FatalError {fatalErrorMessage = "ConnectionError \"HttpExceptionRequest Request {\\n  host                 = \\\"cachix.org\\\"\\n  port                 = 443\\n  secure               = True\\n  requestHeaders       = []\\n  path                 = \\\"/api/v1/cache/charity-soft/27x7pinqdsl9f3rpbm8bsszd9fhwq266.narinfo\\\"\\n  queryString          = \\\"\\\"\\n  method               = \\\"HEAD\\\"\\n  proxy                = Nothing\\n  rawBody              = False\\n  redirectCount        = 10\\n  responseTimeout      = ResponseTimeoutDefault\\n  requestVersion       = HTTP/1.1\\n}\\n (InternalException (HostCannotConnect \\\"cachix.org\\\" [Network.Socket.connect: <socket: 0>: does not exist (Network is unreachable),Network.Socket.connect: <socket: 23>: does not exist (Network is unreachable)]))\""}

As a note, trying to read the error is an exercise in frustration, given all of the \\ns and such in there.

Spec test for nix.conf: parse . render == id

Currently NixConfSpec tests hardcoded values only, but we'd get more coverage using quickcheck.

A test for constant memory streaming of store paths

A test to prove memory is constant while pushing.

Search over executables

Given that nar files coming to binary cache contain list of file names it should be possible to also create an index of files and provide a search over binary cache. Possibly offline and online.

Don't depend on servant-server and servant-auth-server

Stretch:

servant-swagger-ui-core depends on servant-server

Installing cachix builds everything from source if Nix user isn't trusted

This shows as:

warning: ignoring untrusted substituter 'https://cachix.cachix.org'

long term fix is to release cachix to hackage as per #13, but I wonder what can be done mid-term:

a) static musl binary

b) documentation to configure user as trusted

c) use at least cache.nixos.org

xz compression caps upload at ~3-5mbit/s

cachix push is uploading with 3-5 Mbit's from my 1000 Mbit/s connection from Zurich.

I suspect the biggest reason is lack of HTTP keepalive; every upload is a new HTTP(s!) / TCP connection. That resets the TCP window size for every package.

I think that if you move this code that creates the HTTP manager

cachix/cachix/src/Cachix/Client/Commands.hs

Lines 235 to 237 in fed0a71

    
           let newEnv = env { 
        
                 baseUrl = (baseUrl env) { baseUrlHost = toS name <> "." <> baseUrlHost (baseUrl env)} 
        
               }

out of the go loop, it will use keepalive across all packages, one TCP connection, and be a lot faster.

Further consider to enable BBR congestion control on the server side. For my servers it has a huge impact and allows me to push 1 Gbit/s over oceans without problems.

{
    boot.kernelModules = [ "tcp_bbr" ];

    # Enable BBR congestion control
    boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
    boot.kernel.sysctl."net.core.default_qdisc" = "fq"; # see https://news.ycombinator.com/item?id=14814530
}

FatalError {fatalErrorMessage = "You need to: export CACHIX_SIGNING_KEY=XXX"}

This is what happens when I try to push:

echo /nix/store/m46qjsrf6q0y7sqx8cp99mc556xl3wxb-nixos-system-monadic-party-18.03pre-git | cachix push chris-martin
pushing /nix/store/2kcrj1ksd2a14bm5sky182fv2xwfhfap-glibc-2.26-131pushing /nix/store/069g827lh3hrhp4vkcq3rsh5jh65pm3l-ncurses-6.0-20171125

pushing /nix/store/lird33c2j4mr289q1q17qihqhwq188wh-acl-2.2.52pushing /nix/store/cb3slv3szhp46xkrczqw7mscy5mnk64l-coreutils-8.29


FatalError {fatalErrorMessage = "You need to: export CACHIX_SIGNING_KEY=XXX"}

Is CACHIX_SIGNING_KEY something I should need to set manually?

IP whitelisting

It would be cool if it were possible to specify a list of IPs that are allowed to push.

cachix index command

error: cannot download certdata2pem.py from any mirror

The install command failed:

nix-env -if https://github.com/cachix/cachix/tarball/master --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=
...
trying https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20170717
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
...
curl: (22) The requested URL returned error: 404 Not Found error: cannot download certdata2pem.py from any mirror builder for '/nix/store/yr263pahwwzadxxzh5qk65i34dhax7rl-certdata2pem.py.drv' failed with exit code 1

I'm not sure how to specify the correct URL: https://salsa.debian.org/debian/ca-certificates/raw/master/mozilla/certdata2pem.py

Release 0.1 to hackage

Requires servant release (0.14)
Requires servant-auth release
#62
wait for LTS-12

Optimize: check before uploading nars

At the moment, even if nar already exists, cachix will still upload it. This is a waste of bandwidth, but currently cachix doesn't try to compute final sha as that would mean doing the full dump+compress twice.

This would match binary cache HTTP upload protocol in Nix 2.0

~~This depends first on cachix server to not throw 500 if nar is not found.~~ fixed.

Optimise packages upload

I noticed that uploading a package that already exists is as slow as uploading it for the first time.

It is very noticeable on big packages, such as llvm or ghc: every time I call nix-build -A xxx | cachix push name it seems to re-upload all the dependencies.

I would expect that if the package hash already exists in cache then cachix could skip uploading it and move on to the next package.

`cachix use` to print out nixos configuration.nix

or at least provide an option for that instead of writing it to the nix.conf file in the XDG_CONFIG_DIR.

e.g.:

Add the following to your configuration.nix:

nix.binaryCaches = [ https://pjan.cachix.org/ ];
nix.binaryCachePublicKeys = [ pjan.cachix.org-..... ];

Command line interface output

Once initial version of Cachix is out, I'd like to properly format and design cachix output so that:

it's possible to follow the flow of commands
for each error, user is instructed what are possible options to recover
uses color encoding for what to pay attention to
allow different verbosity levels

Installation if failing due to a missing remote file

nix-env -if https://github.com/cachix/cachix/tarball/master --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=
...
...
...
building '/nix/store/xvi3psnh96kb7pxqj56y5084cr9w5jdr-megaparsec-6.4.0.tar.gz.drv'...
building '/nix/store/yr263pahwwzadxxzh5qk65i34dhax7rl-certdata2pem.py.drv'...

trying http://hackage.haskell.org/package/megaparsec-6.4.0/revision/2.cabal
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

trying http://hackage.haskell.org/package/megaparsec-6.4.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

trying http://tarballs.nixos.org/sha256/1z05vkpaj54xdypmaml50hgsdpw29dhbs2r7magx0cm199iw73mv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  5610    0  5610    0     0  26093      0 --:--:-- --:--:-- --:--:-- 26093
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
building '/nix/store/7905rg02rigagvbkjlr17y9jp5mv4hs8-coverage-4.5.1.tar.gz.drv'...

trying https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20170717
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

trying https://files.pythonhosted.org/packages/source/c/coverage/coverage-4.5.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 91457  100 91457    0     0  74964      0  0:00:01  0:00:01 --:--:--  696k
building '/nix/store/1nmfw0l7bgs6janwd9ybqinaqlnp0f9r-cryptography-2.1.4.tar.gz.drv'...
100  370k  100  370k    0     0   746k      0 --:--:-- --:--:-- --:--:--  746k
building '/nix/store/78s8aggr6bs66wymqkcrcd8wn3nckgr9-cryptography_vectors-2.1.4.tar.gz.drv'...
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
curl: (22) The requested URL returned error: 404 Not Found
error: cannot download certdata2pem.py from any mirror
builder for '/nix/store/yr263pahwwzadxxzh5qk65i34dhax7rl-certdata2pem.py.drv' failed with exit code 1
building '/nix/store/i25rxixl1llig16wd3gvqniapyazz15z-docutils-0.14.tar.gz.drv'...
cannot build derivation '/nix/store/fgnm222idj8gpjm751j9q95cvimpjdrc-nss-cacert-3.35.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/sdl80hxyl6s1sj6r0lci9b0mxg3wgvc1-servant-63253f0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/c3sxhq7cnl494v7rrlahcmhbrh7k24n5-servant-auth-d03dc77.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/76qxyhq75hznynvwv86c88zh6ik9cf00-servant-0.13.0.1.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/4ggkmj8d1bb1l9j2a4gfn1k270c9frxn-servant-auth-0.3.1.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/kdwdwbcirwljpsag8v31jwl4a019i6wc-servant-auth-client-0.3.2.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/765sam8jh8y89hv3hm77v7cdvr00330b-servant-auth-server-0.3.3.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/a1fd2rvll8nba82p61zdsjhzl115hq6w-servant-auth-swagger-0.2.9.0.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/ykawh8k65wnl8949rdlqhwhxy7hjizds-servant-client-0.13.0.1.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/b4qf4f8gis403lrnlcd8wg1xy82j8n0p-servant-client-core-0.13.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/74x3krz3qda8mafw3l5wl1c6z7nchmf5-servant-server-0.13.0.1.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/ynydrdgvi27r6mcdchf3x8v8va8avpyx-cachix-0.1.0.0.drv': 1 dependencies couldn't be built
error: build of '/nix/store/ynydrdgvi27r6mcdchf3x8v8va8avpyx-cachix-0.1.0.0.drv' failed

I added the substituters cache.nixos.org to get this derivation from the NixOS cache. Why it is not in the cachix.cachix.org binary cache? Is it intended?

Garbage collection

Since binary caches can grow, there should be a way to configure a garbage collection strategy. I envision the simplest one that would cover 80% of use cases is: collect oldest uploads that go over certain date or storage size.

Browse public packages (and/or derivations)

Do you plan on adding visibility options to packages so that these could be browsed by others?

I'm fairly new to nix and loving it, but I already see that the current nixpkgs repo is getting out of control and contribution is also not the friendliest.

Thanks a lot for all your efforts putting Cachix together!

Support per-project .cachix.dhall

So that it's easy to do:

nix-build | cachix sync
cachix use

and cachix knows what binary caches to configure.

Suggested by @zimbatm

Overlays integration

Add seamless integration for nixpkgs overlays.

It would allow users of a Nix project to say like:

cachix overlay add github://domenkozar/foo

Which would essentially do a git clone ... and cachix use foo as per #5

Add signal handling to the daemon

In order to avoid having to call cachix push twice, we can do the following:

Add signal handling to the daemon mode
Have a signal that, when received, finishes pushing and then exits
Run the daemon in a job in parallel with nix-build
Send that signal after nix-build

Partial trust?

The packages used to boot my laptop should probably (definitely) be from the official Nix cache or from my own builders.

Using cachix seems to require trusting everything at this level as well, which is rather unfortunate.

One might be willing to run some random person's build of a tool (perhaps in a sandbox) without wanting to trust them at a system level.

Diverted stores are partial solution but fully duplicate files already in /nix/store and have a number of problems re: direct execution, use with nix-env, etc.

This might require changes in Nix, depending on what thoughts are.

Maybe a good way to specify signatures used for nixos-rebuild, but I'm not sure that's the right granularity.

Thoughts? :)

When blocking third party scripts, copying does not work...

... and user-select: none makes it impossible to select the commands and copy them manually. Aditionally, removing this rule doesn't make the text selectable because of how it is wrapped in a <button>.

Here's the (expected) error in the console:

Uncaught ReferenceError: ClipboardJS is not defined
    at Object.<anonymous> (main.4339786de62f925e3bc7.js:1)
    at e (main.4339786de62f925e3bc7.js:1)
    at main.4339786de62f925e3bc7.js:1
    at main.4339786de62f925e3bc7.js:1

This has been blocked by my default µmatrix rules.

From my experience in web development, I would:

Not block text selection where text can be used (here, it's commands)
- Selection is blocked by the css framework making .ui.button non-selectable. Which would be arguably fine if it wasn't that this isn't technically semantically a button, but is a text box which turns out to be clickable.
Add the "press to copy to clipboard" tooltips conditionally on ClipboardJS being hooked.

Additionally, I would look into moving the command text outside of <button> elements as they won't allow selection on most platform. Were I to build the DOM, the copy icon would be in a button, and the commands in a <pre>, within a common parent element. Since styling side-by-side elements that can grow is hard, the button styling would be applied to the parent element (and unstyle the actual button). All of the behaviour of the button would work, tabbing would select the icon, allowing activation, and when something happens to break ClipboardJS, manual selection would work too.

Finally, some users to which this product caters may be wary of click-to-copy even if no bugs happen, which would mean that selection has to work (I think).

How does one use cachix to share nix-shell environments?

First of all, thanks for cachix! It’s an awesome project!

Now to my question: I have a bunch of projects that have fairly expensive (in terms of build time) development environments (e.g. they require debugging builds of LLVM) so cachix would be perfect for sharing these environments with other developers.
However, I’m not really sure what the best way of doing that is.

Support Nix 1.0

As requested by @lukego

The secret key should go into a separate file

The secret key currently goes into the same file as the rest of the configuration; it would be nice to keep it separate so that the rest of the config can be shared publicly.

On single-user installations, provide a good error when invoking cachix with root

nix wants to be installed as non-root on non-NixOS.

Then I do that, and cachix use gets me:

$ cachix use static-haskell-nix
Configured https://static-haskell-nix.cachix.org binary cache in /home/niklas/.config/nix/nix.conf
Warning: Couldn't create /etc/nix :/etc/nix: createDirectory: permission denied (Permission denied)Warning: Couldn't create /etc/nix :/etc/nix: createDirectory: permission denied (Permission denied)

then as root:

# cachix use static-haskell-nix
cachix: command not found

# /home/niklas/.nix-profile/bin/cachix use static-haskell-nix
nix-env: readCreateProcessWithExitCode: runInteractiveProcess: exec: does not exist (No such file or directory)

# . /home/niklas/.nix-profile/etc/profile.d/nix.sh
Nix: WARNING: bad ownership on /nix/var/nix/profiles/per-user/root, should be 0
Nix: WARNING: bad ownership on /nix/var/nix/gcroots/per-user/root, should be 0

No easy time yet!

hydra integration / plugin?

It's hinted that this may already be possible in #19, but perhaps I'm misunderstanding. If not, consider this a feature request and if it's just a matter of discussion then I suppose we can close as dupe :).

Deleting objects from the cache

Hi,

Thanks for the awesome project.

Is it possible to delete object from the cache? For example, if an error occured and a build containing private keys was pushed. This can also allow cache purging, so that unused builds are not kept indefinitely (à la garbage collection).

NixOS instructions to add cache configuration are not formatted

cachix use r-ryantm currently prints:

NixOSInstructions "Add following lines to your NixOS configuration file:\n\nnix = {\n  binaryCaches = [\n    \"https://r-ryantm.cachix.org\"\n  ];\n  binaryCachePublicKeys = [\n    \"Just \"r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=\"\"\n  ];\n};"

instead of:

Add following lines to your NixOS configuration file:

nix = {
  binaryCaches = [
    "https://r-ryantm.cachix.org"
  ];
  binaryCachePublicKeys = [
    "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c="
  ];
};

Installing cachix on darwin multi-user installation fails

Description

Installing cachix on darwin multi-user installation after adding cachix to trusted binary caches fails with an "Nix daemon out of memory" error. It seems to fails on openssl-1.0.2o

Steps to reproduce

--- ~ » nix-env -if https://github.com/cachix/cachix/tarball/master --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=   
installing 'cachix-0.1.0.0'
these paths will be fetched (46.89 MiB download, 199.68 MiB unpacked):
  /nix/store/12r38kqsdlgn9h1k49l43hzhjgrnkaxx-python-2.7.15
  /nix/store/3902ar9ma7smrkxk11fmwv7wf0vvb2ac-libsecurity_cdsa_utilities-osx-10.7.5
  /nix/store/3pvhj68p90drq05qsxlwjwl3m5l0wb3b-libsecurity_cssm-osx-10.7.5
  /nix/store/5bqdkk0gmi4lgfbnafxrn29v362pjy6p-libsecurityd-osx-10.7.5
  /nix/store/5jf7l7g8256gprb911sh22p55adq71ld-apple-framework-ApplicationServices
  /nix/store/5xi0cc24lp264jbx2hy1jxmz655ary08-libsecurity_cdsa_plugin-osx-10.7.5
  /nix/store/9kg506g9z1qbp9bncqfm1xjycmfpm4ax-apple-framework-CoreText
  /nix/store/a75h1bpv686dachi1wg5rcrcvc5rvk9y-MacOS_SDK-10.10
  /nix/store/b3dfa0sdw0hkwwca0sw9nl2g16alx10r-libsecurity_asn1-osx-10.7.5
  /nix/store/ccpqzf300x866z4cj1xgj4v44dmdxf2w-apple-lib-xpc
  /nix/store/fp7r9w89qcsiy8acs9hfxa0wpq3ccix5-apple-framework-CoreGraphics
  /nix/store/ghbijgv793292q27wlzyc5c85bcxk4gn-apple-framework-ImageIO
  /nix/store/gpl8l4p7758vx9pbglfv4gzc4f6iiias-libsecurity_filedb-osx-10.7.5
  /nix/store/gsvjs6fp1hrpxady3hgb7d6c1264y1z8-SecurityTool-55115
  /nix/store/gxchi77svi5yiqhfcskgw6b201jmy9ad-apple-framework-Foundation
  /nix/store/h96r9s652kmciikx3ian0dsigmgsxqrh-libsecurity_sd_cspdl-osx-10.7.5
  /nix/store/hhwpvbgm1kxjpdhfl8nja3z67fijn2jg-libsecurity_mds-osx-10.7.5
  /nix/store/hiqqnqqgaklchsncrx9rhf5c8f550fg3-libsecurity_keychain-osx-10.7.5
  /nix/store/ikmhr8sglkmx25vkawbdblaxpw47520x-openssl-1.0.2o
  /nix/store/j7dr3mn3b8h867807hznl9cc7j005bcj-cachix-0.1.0.0
  /nix/store/mql2vlcwd0v8g147y5z9pk287z27gz8z-libsecurity_utilities-osx-10.7.5
  /nix/store/s56axdis6wdjh7rfizqsvr90xc06kk2x-libsecurity_apple_csp-osx-10.7.5
  /nix/store/wr7m3k4y4529hh3v0zk50p272l7xdamd-apple-framework-IOSurface
  /nix/store/wzjdl5myc8v86hxskwgz8511qpq2f3g5-libsecurity_pkcs12-osx-10.7.5
  /nix/store/y299fcxg1snzy2w5p44jlj62mvjv1niq-libsecurity_apple_cspdl-osx-10.7.5
  /nix/store/yjx9la0zx983r4874b2652y4jskwrynq-libsecurity_cdsa_client-osx-10.7.5
copying path '/nix/store/ikmhr8sglkmx25vkawbdblaxpw47520x-openssl-1.0.2o' from 'https://cachix.cachix.org'...
error: Nix daemon out of memory

Nix system info

system: "x86_64-darwin", 
multi-user?: yes, 
version: nix-env (Nix) 2.0.4, 
channels(root): "nixpkgs-18.03pre116939.d7d774deea", channels(ptsirakidis): "", 
nixpkgs: /PATH/TO/nixpkgs

Upstream binary cache

There is a common use case why a binary cache would declare other caches as upstream: It expects binaries to come from another binary cache: it is true for all cachix binary caches to depend on official cache.nixos.org

Possible solutions:

a) "Proxy": if there is no such narinfo in current cache, query upstream caches and redirect. Possible issue here is how Nix handles signatures to match the binary cache declared, but I think it could work.

b) "Resign": currently not possible as signing key is not available to cachix and I'd prefer not to support such option.

Brought up by @zimbatm in #15 (comment)

error: imported archive of ‘/nix/store/w27br1fgdqpvsxb5rb4mvvwc83lq2dkf-master’ lacks a signature

When I install cachix according to the installation command, it display imported archive lacks a signature?

$ nix-env -if https://github.com/cachix/cachix/tarball/master --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=

error: imported archive of ‘/nix/store/w27br1fgdqpvsxb5rb4mvvwc83lq2dkf-master’ lacks a signature

My nix version is nix (Nix) 2.0.1.

cachix claims "all done" when echo'ing multiple paths on same line?

Somewhere I think I saw a suggestion that echo /nix/store//path | cachix push $MYCACHIX, which I've been using for items I've already built or when the store path is more handy than the original derivation (which I have too but may be in a different machine's shell history :P or something).

Anyway, when I wanted to upload two paths I tried this:

$ echo /nix/store/zzcy2xwz618jw9ggfqqsj4vn5xjggaxb-aarch64-unknown-linux-musl-ghc-8.2.2 /nix/store/ziacs8l9ny5ag5dxw8zm48xwm1is57fi-hello-1.0.0.2-aarch64-unknown-linux-musl|cachix push allvm
All done.

Which appears to not be recognized as two paths but zero paths?

Not sure if this is expected, but thought I'd report/ask to double-check :).

On the same subject-- when piping a nix-build to cachix (as some examples suggest I believe) what sort of paths are pushed? Anything matching some pattern? Any path printed by itself on a single line? Thanks! :)

Implement custom Nix base32 in Haskell

Depends on haskell-nix/hnix-store#25

Easier per-project cachix configuration

Cater for the following scenario:

$ cd projectA
$ nix-build # this should use the binary cache of projectA
$ cd ../projectB
$ nix-build # this should use the binary cache of projectB

Ideally both projects don't need any configuration and nix-build knows how to use the right binary cache.

Potentially introduce a cachix run -- dispatcher that wraps all the nix CLI tools with the right config.

runtime/build-time dependencies

Currently cachix only uploads runtime closure, but one could upload all build-time dependencies using:

nix-store -qR --include-outputs /nix/store/blabla.drv

	let newEnv = env {
	baseUrl = (baseUrl env) { baseUrlHost = toS name <> "." <> baseUrlHost (baseUrl env)}
	}