Stream: nix

Topic: Cache config in `nix run` of flake


Srid (Feb 13 2024 at 14:57):

This convo with @Andreas began as a way to provide project-specific caches to users who are installing these Nix packages outside of nixpkgs.

One way to automate providing that cache is to add the cache to flake.nix (see example), and then ask the user to use --accept-flake-config to automatically use that cache when doing nix run or nix profile install, e.g.:

nix --accept-flake-config run github:juspay/nix-browser#nix-health

Srid (Feb 13 2024 at 14:58):

If you run this command on macOS or Linux, it should just get binaries from the cache without building any of the Rust packages.

Andreas (Feb 13 2024 at 15:07):

I get the error: warning: ignoring untrusted substituter 'https://cache.garnix.io', you are not a trusted user.

Which apparently has been an issue: https://discourse.nixos.org/t/ux-problems-with-flakes-and-custom-caches-substituters/23691

So it appears I have to configure this cache as a trusted substituter before using this?

Srid (Feb 13 2024 at 15:10):

You need to make yourself a trusted user.

srid on appreciate ~
❯ nix show-config | grep trusted-users
trusted-users = root srid

srid on appreciate ~
❯ grep trusted-users /etc/nix/nix.conf
trusted-users = root srid

Andreas (Feb 13 2024 at 15:16):

I'll set this in my system flake (nix.settings.trusted-users) and check later.

Srid (Feb 13 2024 at 15:20):

It is one of the defaults we recommend to all, https://github.com/juspay/nix-dev-home?tab=readme-ov-file#cannot-use-cache--cachix

Andreas (Feb 13 2024 at 15:21):

Very wise suggestion I'd say. Also explains why I had trouble using other people's caches in the past when I didn't care to investigate.

Tim DeHerrera (Feb 13 2024 at 15:31):

You can also add a group to the trusted users by prepending it with @. I usually just drop @wheel in as a trusted user, since they also have sudo access.

Also, even if you don't pass the --accept-flake-config flag, by default you will still be interactively prompted whether you want to accept the cache config or not.

Andreas (Feb 13 2024 at 16:04):

I just found this comment: https://github.com/NixOS/nix/issues/6672#issuecomment-1920721589

It suggests using the trusted-public-keys and substituters or trusted-substituters settings instead, because just adding your user is a bit of a security issue. What do you guys say to that?

Srid (Feb 13 2024 at 16:16):

Depends on how you want to balance security vs usability.

Tim DeHerrera (Feb 13 2024 at 16:28):

Sure, it is important to be aware that a trusted-user is essentially as powerful as root. It is the same issue as adding your user to the docker group. But multi-user systems are pretty rare these days. If you have one then sure, maybe you care more, but I am the admin on all my systems, and I get sudo based on the presence or absence of my yubikey where possible.

What I would really like is some sort of remote protocol for sending my yubikey creds over an ssh connection. For Nix, it might be interesting if someone could be a "trusted-user" based on the presence or absence of a yubikey OTP. That would really be an "improvement" in my view, but on single user systems where you are basically the only user and admin, the point is kinda moot.

Not being a trusted user just makes things more of a pain in the same way not having root on a smartphone can be a pain :sweat_smile:

Srid (Feb 13 2024 at 17:34):

Tim DeHerrera said:

What I would really like is some sort of remote protocol for sending my yubikey creds over an ssh connection. [..]

I enjoy a similar UX for ssh-based auths (like git pull in an ssh session, which uses local Touch ID for 1Password key access):

https://nixos.zulipchat.com/#narrow/stream/413950-nix/topic/1Password.20TouchID.20auth.20for.20git.2C.20ssh.2C.20etc.2E


Last updated: Nov 15 2024 at 12:33 UTC