diff --git a/docs/.vitepress/config.ts b/docs/.vitepress/config.ts index f957539..1aabd9c 100644 --- a/docs/.vitepress/config.ts +++ b/docs/.vitepress/config.ts @@ -172,6 +172,10 @@ function themeConfigEnglish() { text: "NixOS with Flakes Enabled", link: "/nixos-with-flakes/nixos-with-flakes-enabled.md", }, + { + text: "Adding Custom Cache Servers", + link: "/nixos-with-flakes/add-custom-cache-servers.md", + }, { text: "Getting Started with Home Manager", link: "/nixos-with-flakes/start-using-home-manager.md", @@ -359,6 +363,10 @@ function themeConfigChinese() { text: "使用 Flakes 管理 NixOS", link: "/zh/nixos-with-flakes/nixos-with-flakes-enabled.md", }, + { + text: "添加自定义缓存服务器", + link: "/zh/nixos-with-flakes/add-custom-cache-servers.md", + }, { text: "安装使用 Home Manager", link: "/zh/nixos-with-flakes/start-using-home-manager.md", diff --git a/docs/nixos-with-flakes/add-custom-cache-servers.md b/docs/nixos-with-flakes/add-custom-cache-servers.md new file mode 100644 index 0000000..da36156 --- /dev/null +++ b/docs/nixos-with-flakes/add-custom-cache-servers.md 
@@ -0,0 +1,254 @@ +# Adding Custom Cache Servers {#add-custom-cache-servers} + +## What is Nix Cache Server {#what-is-nix-cache-server} + +Nix provides an official cache server, [https://cache.nixos.org](https://cache.nixos.org), which caches build results for all packages in nixpkgs under commonly used CPU architectures. When you execute Nix build commands locally, if Nix finds a corresponding cache on the server, it directly downloads the cached file, skipping the time-consuming local build process and significantly improving build speed. + +## Why Add Custom Cache Servers {#why-add-custom-cache-servers} + +> Note: The methods introduced here can only accelerate the download of packages; many `inputs` data sources will still be fetched from GitHub. Also, if the cache is not found, local builds will be executed, which typically requires downloading source code and building dependencies from gitub or somewhre else, may making it slow. To completely address the speed issue, it is still recommended to use solutions such as a local global proxy like a bypass route. + +Two reasons: + +1. Adding a mirrored cache server to accelerate downloads. + 1. The access speed of the official cache server in China is very slow. Without a local global proxy, it is almost unusable. Adding Chinese Nix cache mirrors like ustc/sjtu/tuna can alleviate this issue. +2. In addition to mirrors, there are also cache servers for some third-party projects, such as the nix-community cache server [https://nix-community.cachix.org](https://nix-community.cachix.org), which can significantly improve the build speed of these third-party projects. + +## How to Add Custom Cache Servers {#how-to-add-custom-cache-servers} + +In Nix, you can configure cache servers using the following options: + +1. [substituters](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-substituters): It is a string list, and each string is the address of a cache server. 
Nix will attempt to find caches from these servers in the order specified in the list. +2. [trusted-public-keys](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-public-keys): To prevent malicious attacks, The [require-sigs](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-require-sigs) option is enabled by default. Only caches with signatures that can be verified by any public key in `trusted-public-keys` will be used by Nix. Therefore, you need to add the public key corresponding to the `substituters` in `trusted-public-keys`. + 1. cache mirror's data are directly synchronized from the official cache server. Therefore, their public keys are the same as those of the official cache server, and you can use the public key of the official cache server without additional configuration. + 2. This entirely trust-based public key verification mechanism transfers the security responsibility to users. If users want to use a third-party cache server to speed up the build process of a certain library, they must take on the corresponding security risks and decide whether to add the public key of that cache server to `trusted-public-keys`. To completely solve this trust issue, Nix has introduced the experimental feature [ca-derivations](https://nixos.wiki/wiki/Ca-derivations), which does not depend on `trusted-public-keys` for signature verification. Interested users can explore it further. + +You can configure the `substituers` and `trusted-public-keys` parameters in the following ways: + +1. Configure in `/etc/nix/nix.conf`, a global configuration that affects all users. + 1. You can use `nix.settings.substituers` and `nix.settings.trusted-public-keys` in any NixOS Module to declaratively generate `/etc/nix/nix.conf`. +2. Configure in the `flake.nix` of a flake project using `nixConfig.substituers`. This configuration only affects the current flake. +3. 
Temporarily set through the `--option` parameter of the `nix` command, and this configuration only applies to the current command. + +Among these three methods, except for the first global configuration, the other two are temporary configurations. If multiple methods are used simultaneously, later configurations will directly override earlier ones. + +However, there are security risks in temporarily setting `substituers`, as explained earlier regarding the deficiencies of the security verification mechanism based on `trusted-public-keys`. To set `substituers` through the second and third methods, you need to meet one of the following conditions: + +1. The current user is included in the [`trusted-users`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-users) parameter list in `/etc/nix/nix.conf`. +2. The `substituers` specified temporarily via `--option substituers "http://xxx"` are included in the [`trusted-substituters`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-substituters) parameter list in `/etc/nix/nix.conf`. + +Based on the above information, the following are examples of the three configuration methods mentioned earlier. + +Firstly, declaratively configure system-level `substituers` and `trusted-public-keys` using `nix.settings` in `/etc/nixos/configuration.nix` or any NixOS Module: + +```nix{7-27} +{ + lib, + ... +}: { + + # ... + nix.settings = { + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + # 2. 
command line args `--options substituers http://xxx` + trusted-users = ["ryan"]; + + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + ]; + + trusted-public-keys = [ + # the default public key of cache.nixos.org, it's built-in, no need to add it here + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; + +} +``` + +The second method is to configure `substituers` and `trusted-public-keys` using `nixConfig` in `flake.nix`: + +> As mentioned earlier, it is essential to configure `nix.settings.trusted-users` in this configuration. Otherwise, the `substituers` we set here will not take effect. + +```nix{5-23,43-47} +{ + description = "NixOS configuration of Ryan Yin"; + + # the nixConfig here only affects the flake itself, not the system configuration! + nixConfig = { + # override the default substituters + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + + # nix community's cache server + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + # nix community's cache server public key + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # omitting several configurations... + }; + + outputs = inputs@{ + self, + nixpkgs, + ... + }: { + nixosConfigurations = { + ai = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hardware-configuration.nix + ./configuration.nix + + { + # given the users in this list the right to specify additional substituters via: + # 1. 
`nixConfig.substituers` in `flake.nix` + nix.settings.trusted-users = [ "ryan" ]; + } + # omitting several configurations... + ]; + }; + }; + }; +} +``` + +Finally, the third method involves using the following command to temporarily specify `substituers` and `trusted-public-keys` during deployment: + +```bash +sudo nixos-rebuild switch --option substituers "https://nix-community.cachix.org" --option trusted-public-keys "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" +``` + +Choose one of the above three methods for configuration and deployment. After a successful deployment, all subsequent packages will preferentially search for caches from domestic mirror sources. + +> If your system hostname is not `nixos-test`, you need to modify the name of `nixosConfigurations` in `flake.nix` or use `--flake /etc/nixos#nixos-test` to specify the configuration name. + +### The `extra-` Prefix for Nix Options Parameters + +As mentioned earlier, the `substituers` configured by the three methods will override each other, but the ideal situation should be: + +1. At the system level in `/etc/nix/nix.conf`, configure only the most generic `substituers` and `trusted-public-keys`, such as official cache servers and domestic mirror sources. +2. In each flake project's `flake.nix`, configure the `substituers` and `trusted-public-keys` specific to that project, such as non-official cache servers like nix-community. +3. When building a flake project, nix should **merge** the `substituers` and `trusted-public-keys` configured in `flake.nix` and `/etc/nix/nix.conf`. + +Nix provides the [`extra-` prefix](https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=extra#file-format) to achieve this **merging** functionality. 
+ +According to the official documentation, if the value of the `xxx` parameter is a list, the value of `extra-xxx` will be appended to the end of the `xxx` parameter: + +In other words, you can use it like this: + +```nix{7,13,37-58} +{ + description = "NixOS configuration of Ryan Yin"; + + # the nixConfig here only affects the flake itself, not the system configuration! + nixConfig = { + # will be appended to the system-level substituters + extra-substituters = [ + # nix community's cache server + "https://nix-community.cachix.org" + ]; + + # will be appended to the system-level trusted-public-keys + extra-trusted-public-keys = [ + # nix community's cache server public key + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # omitting several configurations... + }; + + outputs = inputs@{ + self, + nixpkgs, + ... + }: { + nixosConfigurations = { + ai = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hardware-configuration.nix + ./configuration.nix + + { + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + nix.settings.trusted-users = [ "ryan" ]; + + # the system-level substituers & trusted-public-keys + nix.settings = { + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + ]; + + trusted-public-keys = [ + # the default public key of cache.nixos.org, it's built-in, no need to add it here + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; + + } + # omitting several configurations... 
+ ]; + }; + }; + }; +} +``` +## Using Local HTTP Proxy to Accelerate Package Downloads {#use-local-http-proxy-to-speed-up-nix-package-download} + +While it has been mentioned earlier that a bypass route can completely solve the NixOS package download speed issue, configuring a bypass route is relatively cumbersome and often requires additional support from a software routing device. + +Many users may prefer to directly accelerate package downloads through a locally running HTTP proxy. Here's how to set it up. + +Directly using methods like `export HTTPS_PROXY=http://127.0.0.1:7890` in the terminal won't be effective because Nix does its work in a background process called `nix-daemon`, not directly in the terminal. + +To enable `nix-daemon` to use a proxy, you need to modify its systemd configuration. Here's how: + +```bash +sudo mkdir /run/systemd/system/nix-daemon.service.d/ +cat << EOF >/run/systemd/system/nix-daemon.service.d/override.conf +[Service] +Environment="http_proxy=socks5h://localhost:7891" +Environment="https_proxy=socks5h://localhost:7891" +Environment="all_proxy=socks5h://localhost:7891" +EOF +sudo systemctl daemon-reload +sudo systemctl restart nix-daemon +``` + +Using this approach, you might need to execute the above commands every time the system is restarted because the `/run` directory is a temporary file system that gets cleared upon a restart. + +## Reference + +- [Roaming Laptop: Network Proxy Configuration - NixOS/nixpkgs](https://github.com/NixOS/nixpkgs/issues/27535#issuecomment-1178444327) diff --git a/docs/nixos-with-flakes/nixos-with-flakes-enabled.md b/docs/nixos-with-flakes/nixos-with-flakes-enabled.md index 7bed2be..9fe84a0 100644 --- a/docs/nixos-with-flakes/nixos-with-flakes-enabled.md +++ b/docs/nixos-with-flakes/nixos-with-flakes-enabled.md 
@@ -243,71 +243,3 @@ To deploy the changes, run `sudo nixos-rebuild switch`. After that, you can star > If your system's hostname is not `nixos-test`, you need to modify the name of `nixosConfigurations` in `flake.nix`, or use `--flake /etc/nixos#nixos-test` to specify the configuration name. -## Adding Custom Cache Mirrors - -> If you don't need to customize the cache mirror, you can safely skip this section. - -To accelerate package building, Nix provides to cache build results and avoid rebuilding packages locally. - -With the classic configuration method in NixOS, additional cache sources can be added using `nix-channel`. However, Nix Flakes strives to avoid using any system-level configurations or environment variables as much as possible, ensuring that its build results are not affected by the environment. Therefore, after switching to Flakes, the `nix-channel` command becomes ineffective. - -To customize the cache source, we must add the related configuration in `flake.nix` using the `nixConfig` parameter. Here's an example: - -```nix{4-19} -{ - description = "NixOS configuration of Ryan Yin"; - - nixConfig = { - experimental-features = [ "nix-command" "flakes" ]; - substituters = [ - # Replace the official cache with a mirror located in China - "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://cache.nixos.org/" - ]; - - extra-substituters = [ - # Nix community's cache server - "https://nix-community.cachix.org" - ]; - extra-trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - }; - - inputs = { - # Omit some configurations... - }; - - outputs = { - # Omit some configurations... - }; -} -``` - -After adding the new substituters, it still won't take effect. In this case, when directly deploying the configuration, you'll encounter the following warnings: - -``` -... -warning: ignoring untrusted substituter 'https://mirrors.ustc.edu.cn/nix-channels/store', you are not a trusted user. -... 
-``` - -This is a security limitation of Nix, where only trusted users can properly use the set substituters. Therefore, we need to add our own user to the trusted list. Add the following configuration to any NixOS module: - -```nix{4-5} -{ - # ... (other configurations omitted) - - # Add your own username to the trusted list - nix.settings.trusted-users = [ "ryan" ]; - - # ... (other configurations omitted) -} -``` - -Now, to apply the configuration and make it effective, use `sudo nixos-rebuild switch`. -Nix will prioritize searching for cached packages from the domestic mirror source after the switch. - -> If your system's hostname is not `nixos-test`, you need to modify the name of `nixosConfigurations` in `flake.nix`, or use `--flake /etc/nixos#nixos-test` to specify the configuration name. - - diff --git a/docs/zh/nixos-with-flakes/add-custom-cache-servers.md b/docs/zh/nixos-with-flakes/add-custom-cache-servers.md new file mode 100644 index 0000000..ee0a785 --- /dev/null +++ b/docs/zh/nixos-with-flakes/add-custom-cache-servers.md 
@@ -0,0 +1,258 @@ +# 添加自定义缓存服务器 {#add-custom-cache-servers} + +## 什么是 Nix 缓存服务器 {#what-is-nix-cache-server} + +Nix 提供了官方缓存服务器 ,它缓存了 nixpkgs 中所有 packages 在常用 CPU 指令集下的构建结果,当你在本地执行 Nix 构建指令时,如果 Nix 在服务器中匹配到对应的缓存,就会直接下载该缓存文件,跳过耗时的本地编译构建从而大大提升构建速度。 + +## 为什么要添加自定义缓存服务器 {#why-add-custom-cache-servers} + +> 注意:这里介绍的手段只能加速部分包的下载,许多 inputs 数据源仍然会从 Github 拉取。 +> 另外如果找不到缓存,会执行本地构建,这通常仍然需要从国外下载源码与构建依赖,因此仍然会很慢。为了完全解决速度问题,仍然建议使用旁路由等局域网全局代理方案。 + +两个原因: + +1. 添加镜像缓存服务器,用于加速下载。 + 1. 官方缓存服务器在中国的访问速度非常慢,如果没有局域网全局代理的话,基本上是无法使用的。添加 国内的 ustc/sjtu/tuna 等 Nix 缓存镜像源可以缓解此问题。 +2. 除了镜像源,还有一些第三方项目的缓存服务器,例如 nix-community 的缓存服务器 ,可以大大提升这些第三方项目的构建速度。 + +## 如何添加自定义缓存服务器 {#how-to-add-custom-cache-servers} + +Nix 中通过如下几个 options 来配置缓存服务器: + +1. [substituers](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-substituters): 它是一个字符串数组,每个字符串都是一个缓存服务器的地址,Nix 会按照数组中的顺序依次尝试从这些服务器中查找缓存。 +2. [trusted-public-keys](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-public-keys): 为了防范恶意攻击,Nix 默认启用 [require-sigs](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-require-sigs) 功能,只有附带了签名、且签名能被 `trusted-public-keys` 中的任意一个公钥验证通过的缓存,才会被 Nix 使用。因此我们需要将 `substituers` 对应的公钥添加到 `trusted-public-keys` 中。 + 1. 国内的镜像源都是直接从官方缓存服务器中同步的,因此它们的公钥与官方缓存服务器的公钥是一致的,我们可以直接使用官方缓存服务器的公钥,无需额外配置。 + 2. 这种完全依赖公钥机制的验证方式,实际是将安全责任转嫁给了用户。用户如果希望使用某个第三方库,但又希望使用它的第三方缓存服务器加快构建速度,那就必须自己承担对应的安全风险,自行决策是否将该缓存服务器的公钥添加进 `trusted-public-keys`。为了完全解决这个信任问题,Nix 推出了实验特性 [ca-derivations](https://nixos.wiki/wiki/Ca-derivations),它不依赖 `trusted-public-keys` 进行签名校验,有兴趣的可以自行了解。 + +可通过如下几种方式来配置 `substituers` `trusted-public-keys` 两个参数: + +1. 在 `/etc/nix/nix.conf` 中配置,这是全局配置,对所有用户生效。 + 1. 可在任一 NixOS Module 中通过 `nix.settings.substituers` 与 `nix.settings.trusted-public-keys` 来声明式地生成 `/etc/nix/nix.conf`. +2. 在 flake 项目的 `flake.nix` 中通过 `nixConfig.substituers` 来配置,此配置仅对当前 flake 生效。 +3. 
可通过 `nix` 指令的 `--option substituers="http://xxx"` 参数来临时设定,此配置仅对当前指令生效。 + +上面三种方式中,除了第一种全局配置外,其他两种都是临时配置。如果同时使用了多种方式,那么后面的配置会直接覆盖前面的配置。 + +但临时设置 `substituers` 存在安全风险,前面我们也解释了基于 `trusted-public-keys` 的安全验证机制存在缺陷。 +将一个不可信的缓存服务器添加到 substituers 中,可能会导致包含恶意内容的缓存被复制到 Nix Store 中。 +因此 Nix 对 substituers 的临时设置做出了限制,要想通过第二三种方式设定 substituers,前提是满足如下任意一个条件: + +1. [`/etc/nix/nix.conf` 中的 `trusted-users`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-users) 参数列表中包含当前用户。 +2. [`/etc/nix/nix.conf` 中的 `trusted-substituters`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-trusted-substituters) 参数列表中包含我们临时指定的 substituers. + +基于上述信息,如下是上述三种配置方式的示例。 + +首先是通过 `nix.settings` 声明式地配置系统层面的 substituers 与 trusted-public-keys, 将如下配置添加到 `/etc/nixos/configuration.nix` 或其他任一 NixOS Module 中即可: + +```nix{7-27} +{ + lib, + ... +}: { + + # ... + nix.settings = { + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + # 2. command line args `--options substituers http://xxx` + trusted-users = ["ryan"]; + + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + ]; + + trusted-public-keys = [ + # the default public key of cache.nixos.org, it's built-in, no need to add it here + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; + +} +``` + +第二种方案是通过 `flake.nix` 配置 substituers 与 trusted-public-keys,将如下配置添加到 `flake.nix` 中即可: + +> 如前所述,此配置中的 `nix.settings.trusted-users` 也是必须配置的,否则我们在这里设置的 `substituters` 将无法生效。 + +```nix{5-23,43-47} +{ + description = "NixOS configuration of Ryan Yin"; + + # the nixConfig here only affects the flake itself, not the system configuration! 
+ nixConfig = { + # override the default substituters + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + + # nix community's cache server + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + # nix community's cache server public key + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # 省略若干配置... + }; + + outputs = inputs@{ + self, + nixpkgs, + ... + }: { + nixosConfigurations = { + ai = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hardware-configuration.nix + ./configuration.nix + + { + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + nix.settings.trusted-users = [ "ryan" ]; + } + # 省略若干配置... + ]; + }; + }; + }; +} +``` + +以及第三种方案,使用如下命令在部署时临时指定 substituers 与 trusted-public-keys: + +```bash +sudo nixos-rebuild switch --option substituers "https://nix-community.cachix.org" --option trusted-public-keys "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" +``` + +选择上述三种方案的任一一种进行配置并部署,部署成功之后,后续所有的包都会优先从国内镜像源查找缓存。 + +> 如果你的系统 Hostname 不是 `nixos-test`,你需要在 `flake.nix` 中修改 `nixosConfigurations` 的名称,或者使用 `--flake /etc/nixos#nixos-test` 来指定配置名称。 + +### Nix options 参数的 `extra-` 前缀 + +前面提到的三种方式配置的 `substituers` 会相互覆盖,但比较理想的情况应该是: + +1. 在系统层面的 `/etc/nix/nix.conf` 中仅配置最通用的 substituers 与 trusted-public-keys,例如官方缓存服务器与国内镜像源。 +2. 在每个 flake 项目的 `flake.nix` 中配置该项目特有的 substituers 与 trusted-public-keys,例如 nix-community 等非官方的缓存服务器。 +3. 
在构建 flake 项目时,应该将 `flake.nix` 与 `/etx/nix/nix.conf` 中配置的 substituers 与 trusted-public-keys **合并**使用。 + +Nix 提供了 [`extra-` 前缀](https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=extra#file-format) 实现了这个**合并**功能。 + +据官方文档介绍,如果 `xxx` 参数的值是一个列表,那么 `extra-xxx` 参数的值会被追加到 `xxx` 参数的值后面: + +也就是说我们可以这么用: + +```nix{7,13,37-58} +{ + description = "NixOS configuration of Ryan Yin"; + + # the nixConfig here only affects the flake itself, not the system configuration! + nixConfig = { + # will be appended to the system-level substituters + extra-substituters = [ + # nix community's cache server + "https://nix-community.cachix.org" + ]; + + # will be appended to the system-level trusted-public-keys + extra-trusted-public-keys = [ + # nix community's cache server public key + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # 省略若干配置... + }; + + outputs = inputs@{ + self, + nixpkgs, + ... + }: { + nixosConfigurations = { + ai = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hardware-configuration.nix + ./configuration.nix + + { + # given the users in this list the right to specify additional substituters via: + # 1. `nixConfig.substituers` in `flake.nix` + nix.settings.trusted-users = [ "ryan" ]; + + # the system-level substituers & trusted-public-keys + nix.settings = { + substituters = [ + # cache mirror located in China + # status: https://mirror.sjtu.edu.cn/ + "https://mirror.sjtu.edu.cn/nix-channels/store" + # status: https://mirrors.ustc.edu.cn/status/ + # "https://mirrors.ustc.edu.cn/nix-channels/store" + + "https://cache.nixos.org" + ]; + + trusted-public-keys = [ + # the default public key of cache.nixos.org, it's built-in, no need to add it here + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; + + } + # 省略若干配置... 
+ ]; + }; + }; + }; +} +``` + +## 通过本地 HTTP 代理加速包下载 {#use-local-http-proxy-to-speed-up-nix-package-download} + +虽然前面提到了,旁路由可以完全解决 NixOS 的包下载速度问题,但是旁路由的配置比较麻烦,而且经常需要额外的软路由设备支持。 + +更多的用户会希望能直接通过本机运行的 HTTP 代理来加速包下载,这里介绍下怎么设置。 + +直接在 Terminal 中使用 `export HTTPS_PROXY=http://127.0.0.1:7890` 这类方式是无法生效的,因为 nix 实际干活的是一个叫 `nix-daemon` 的后台进程,而不是直接在 Terminal 中执行的命令。 + +要让 nix-daemon 使用代理,需要修改它的 systemd 配置,方法如下: + +```bash +sudo mkdir /run/systemd/system/nix-daemon.service.d/ +cat << EOF >/run/systemd/system/nix-daemon.service.d/override.conf +[Service] +Environment="http_proxy=socks5h://localhost:7891" +Environment="https_proxy=socks5h://localhost:7891" +Environment="all_proxy=socks5h://localhost:7891" +EOF +sudo systemctl daemon-reload +sudo systemctl restart nix-daemon +``` + +使用此方案,每次重启系统可能都需要重新执行一遍上述命令,因为 `/run` 目录是临时文件系统,重启后会被清空。 + +## 参考 + +- [roaming laptop: network proxy configuration - NixOS/nixpkgs](https://github.com/NixOS/nixpkgs/issues/27535#issuecomment-1178444327) diff --git a/docs/zh/nixos-with-flakes/nixos-with-flakes-enabled.md b/docs/zh/nixos-with-flakes/nixos-with-flakes-enabled.md index 9416728..f3c2e3e 100644 --- a/docs/zh/nixos-with-flakes/nixos-with-flakes-enabled.md +++ b/docs/zh/nixos-with-flakes/nixos-with-flakes-enabled.md 
@@ -224,99 +224,5 @@ cat flake.nix > 如果你的系统 Hostname 不是 `nixos-test`,你需要在 `flake.nix` 中修改 `nixosConfigurations` 的名称,或者使用 `--flake /etc/nixos#nixos-test` 来指定配置名称。 -## 为 Flake 添加自定义 cache 源 {#add-cache-source-for-flake} -> 注意:这里介绍的手段只能加速部分包的下载,许多 inputs 数据源仍然会从 Github 拉取。 -> 另外如果找不到缓存,会执行本地构建,这通常仍然需要从国外下载源码与构建依赖,因此仍然会很慢。为了完全解决速度问题,仍然建议使用旁路由等局域网全局代理方案。 - -Nix 为了加快包构建速度,提供了 提前缓存构建结果提供给用户,但是在国内访问这个 cache 地址非常地慢,如果没有局域网全局代理的话,基本上是无法使用的。 -另外 Flakes 的数据源基本都是某个 Github 仓库,在国内从 Github 下载 Flakes 数据源也同样非常非常慢。 - -在旧的 NixOS 配置方式中,可以通过 `nix-channel` 命令添加国内的 cache 镜像源以提升下载速度,但是 Nix Flakes 会尽可能地避免使用任何系统级别的配置跟环境变量,以确保其构建结果不受环境的影响,因此在使用了 Flakes 后 `nix-channel` 命令就失效了。 - -为了自定义 cache 镜像源,我们必须在 `flake.nix` 中添加相关配置,这就是 `nixConfig` 参数,示例如下: - -```nix{4-19} -{ - description = "NixOS configuration of Ryan Yin"; - - nixConfig = { - experimental-features = [ "nix-command" "flakes" ]; - substituters = [ - # replace official cache with a mirror located in China - "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://cache.nixos.org/" - ]; - - # nix community's cache server - extra-substituters = [ - "https://nix-community.cachix.org" - ]; - extra-trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - }; - - inputs = { - # 省略若干配置... - }; - - outputs = { - # 省略若干配置... - }; -} -``` - -添加完新 substituters 后,它仍然不会生效,这时直接部署配置,会出现这个 warning: - -``` -... -warning: ignoring untrusted substituter 'https://mirrors.ustc.edu.cn/nix-channels/store', you are not a trusted user. -... -``` - -这是 Nix 的安全限制,只有可信用户才能正常使用这里设置好的 substituters,所以我们还需要将自己的用户添加到可信列表中。在任一 NixOS Module 中添加如下配置: - -```nix{4-5} -{ - # 省略若干配置... - - # 将自己的用户名添加到可信列表中 - nix.settings.trusted-users = [ "ryan" ]; - - # 省略若干配置... 
-} -``` - -现在再使用 `sudo nixos-rebuild switch` 应用配置即可生效,后续所有的包都会优先从国内镜像源查找缓存。 - -> 如果你的系统 Hostname 不是 `nixos-test`,你需要在 `flake.nix` 中修改 `nixosConfigurations` 的名称,或者使用 `--flake /etc/nixos#nixos-test` 来指定配置名称。 - -## 通过本地 HTTP 代理加速包下载 {#use-local-http-proxy-to-speed-up-nix-package-download} - -虽然前面提到了,旁路由可以完全解决 NixOS 的包下载速度问题,但是旁路由的配置比较麻烦,而且经常需要额外的软路由设备支持。 - -更多的用户会希望能直接通过本机运行的 HTTP 代理来加速包下载,这里介绍下怎么设置。 - -直接在 Terminal 中使用 `export HTTPS_PROXY=http://127.0.0.1:7890` 这类方式是无法生效的,因为 nix 实际干活的是一个叫 `nix-daemon` 的后台进程,而不是直接在 Terminal 中执行的命令。 - -要让 nix-daemon 使用代理,需要修改它的 systemd 配置,方法如下: - -```bash -sudo mkdir /run/systemd/system/nix-daemon.service.d/ -cat << EOF >/run/systemd/system/nix-daemon.service.d/override.conf -[Service] -Environment="http_proxy=socks5h://localhost:7891" -Environment="https_proxy=socks5h://localhost:7891" -Environment="all_proxy=socks5h://localhost:7891" -EOF -sudo systemctl daemon-reload -sudo systemctl restart nix-daemon -``` - -使用此方案,每次重启系统可能都需要重新执行一遍上述命令,因为 `/run` 目录是临时文件系统,重启后会被清空。 - -## 参考 - -- [roaming laptop: network proxy configuration - NixOS/nixpkgs](https://github.com/NixOS/nixpkgs/issues/27535#issuecomment-1178444327)
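Review bot: In docs/nixos-with-flakes/add-custom-cache-servers.md the option name is spelled `substituers` in the prose, in the code comments and in the third-method command (`--option substituers "https://nix-community.cachix.org"`), while the Nix blocks and the linked manual entry use `substituters`, so a reader who copies the command passes a different option name from the one the page configures everywhere else. Please use `substituters` throughout; the comment `--options substituers http://xxx` should also read `--option`. Separately, the second-method `nixConfig` sets `trusted-public-keys` to the nix-community key only, while its `substituters` still lists `https://cache.nixos.org` and the SJTU mirror. Given the page's own statement that later configurations directly override earlier ones, either add the cache.nixos.org key to that list or switch the example to `extra-trusted-public-keys`, as the `extra-` section does. The English text also omits the sentence in the Chinese version that explains why the `trusted-users` / `trusted-substituters` restriction exists (an untrusted substituter can cause malicious content to be copied into the Nix store). The note near the top has typos ("gitub or somewhre else, may making it slow").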
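Review bot: In docs/zh/nixos-with-flakes/add-custom-cache-servers.md the proxy snippet creates the drop-in directory with `sudo mkdir` but then writes the file with `cat << EOF >/run/systemd/system/nix-daemon.service.d/override.conf`. The redirection there is performed by the calling shell without sudo, so for a non-root user the write into the root-owned directory fails. Piping the heredoc into `sudo tee` fixes this, and `mkdir -p` keeps a second run within the same boot from erroring on the existing directory. The identical block in the English page needs the same change. In the `extra-` section, `/etx/nix/nix.conf` should be `/etc/nix/nix.conf`. The list item `--option substituers="http://xxx"` uses an `=` form that differs from the space-separated form in the command example further down and in the English page, and the option name should be `substituters` as in the Nix blocks.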
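Review bot: The section removed from docs/nixos-with-flakes/nixos-with-flakes-enabled.md contained the message `warning: ignoring untrusted substituter '...', you are not a trusted user.`, which is what tells a reader why a configured substituter was skipped, and the new add-custom-cache-servers.md does not carry it over. Suggest moving that warning block next to the `trusted-users` explanation on the new page. Also consider leaving a one-line pointer to the new page where `## Adding Custom Cache Mirrors` used to be, so readers arriving at the old heading are sent on.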
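Review bot: Removing the headings with `{#add-cache-source-for-flake}` and `{#use-local-http-proxy-to-speed-up-nix-package-download}` from docs/zh/nixos-with-flakes/nixos-with-flakes-enabled.md breaks existing links to those anchors on this page: the proxy anchor now exists only on add-custom-cache-servers.md and the cache anchor is gone entirely. A short pointer paragraph to the new page in place of the removed sections would cover both. As in the English file, the `ignoring untrusted substituter` warning example is dropped here and is worth carrying over to the new page.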