spongix

README

Spongix

A proxy that acts as binary cache for Nix

• Signs Narinfo in flight with own private key
• Authenticates with S3 to forward NARs for long-term storage
• Keeps a local cache on disk for faster responses.
• Provides a minimal Docker registry

Usage

Start spongix:

nix key generate-secret --key-name foo > skey
nix build
./result/bin/spongix \
  --substituters "https://cache.nixos.org" "https://hydra.iohk.io" \
  --secret-key-files ./skey \
  --trusted-public-keys "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" \
  --listen :7745 \
  --dir /tmp/spongix

To add store paths to the cache, you can use nix copy:

nix copy --to 'http://127.0.0.1:7745?compression=none' github:nixos/nix

To use this as your binary cache, specify it as a substituter:

nix build github:nixos/nix \
  --option substituters http://127.0.0.1:7745 \
  --option trusted-public-keys "$(< pkey)"

Signatures are checked against the the trusted-public-keys of your configuration.

Upload after every build

Set a post-build-hook in your nix configuration to a script like this:

#!/bin/sh
set -euf
export IFS=' '
if [[ -n "$OUT_PATHS" ]]; then
  echo "Uploading to cache: $OUT_PATHS"
  exec nix copy --to 'http://127.0.0.1:7745?compression=none' $OUT_PATHS
fi

TODO

• Write better integration tests (with cicero)
• Healthchecks
• A way to horizontally scale (probably by just locking via consul, s3, raft, postgres, rqlite, dqlite, ...)
• Proper CLI usage
• Benchmark of desync index vs db lookup performance
• Additional signing for a set of allowed public keys
• Disk cache size limits and LRU eviction
• Forward lookups across multiple upstream caches
• Identify and solve concurrency issues
• Prometheus metrics
• Store narinfo in a database
• Upload to S3 as well as the local store
• Verify existing signatures