NixCI Cache

NixCI automatically uses a specialised NixCI Cache at https://cache.nix-ci.com for all builds.

You can benefit from this cache on your own machine as well.

Authentication

Set Netrc file

In order to use the NixCI cache, you need to use a netrc file to authenticate using a user auth token.

Click here to generate a user auth token and netrc file and put it at /home/user/.netrc .

Once you have your netrc file, try it out using curl : 

curl https://cache.nix-ci.com/nix-cache-info

By default, curl does not use the netrc file, so you should see: 

Request rejected
Access to this NixCI cache requires authentication.
You'll need to add your credentials in your netrc file.

Now, try again with --netrc : 

curl --netrc https://cache.nix-ci.com/nix-cache-info

You should see: 

StoreDir: /nix/store
WantMassQuery: 1
Priority: 0
AuthenticationRequired: 'yes'
Authenticated: <your user id>
ReadAllowed: <your repositories>
WriteAllowed: <your user id>

If this works, you have succesfully authenticated with the NixCI cache.

Configure Netrc file

Next, we need to tell Nix to use this netrc file.

On NixOS set this and rebuild: 

nix.settings.netrc-file = "/home/user/.netrc"

Without NixOS, in your /etc/nix/nix.conf and /home/user/.config/nix/nix.conf : 

netrc-file = /var/lib/netrc

To try it out, we can copy something to the cache: 

nix copy github:nixos/nixpkgs#hello --to https://cache.nix-ci.com
If this succeeds, you have succesfully configured Nix to authenticate with the cache.

Pushing to the cache manually

You can push to the cache using nix copy : 

nix copy ./result --to  https://cache.nix-ci.com
or 
nix copy .#yourPackage --to  https://cache.nix-ci.com
NixCI will automatically figure out who to give access to what you push. In particular, your repositories' CI will have access to this cache but other repositories' will not.

Using the cache yourself

All builds on NixCI automatically use the cache already, but you yourself can also use it locally.

Configure the substituter

On NixOS, set this and rebuild:

nix.settings.substituters = ["https://cache.nix-ci.com"];

Trust the signing key

NixCI workers use sign everything they build so you can require a signature of theirs to trust the build outputs.

On NixOS, set this and rebuild:

nix.settings.trusted-public-keys = ["nix-ci:g3xV5BDTLtIBZr/A00IU1x0EtKKlb7YLgBN2SgYgM6A="];

Alternatively you can trust unsigned builds, but that is not recommended and therefore not documented here.

You should see the key listed when you run this command: 

nix config show | grep trusted-public-keys

You can then try to pull from the cache: 

nix copy --from https://cache.staging.nix-ci.com $(nix path-info github:nixos/nixpkgs#hello)

You can also set these in a flake to have per-flake caching instead:

nixConfig = {
  extra-substituters = "https://cache.nix-ci.com";
  extra-trusted-public-keys = "nix-ci:g3xV5BDTLtIBZr/A00IU1x0EtKKlb7YLgBN2SgYgM6A=";
};