Title: Local peer to peer binary cache with NixOS and Peerix | |
Author: Solène | |
Date: 25 August 2022 | |
Tags: nixos nocloud | |
Description: This article explains how to use Peerix on NixOS to | |
download packages from peers on the network. | |
# Introduction | |
There is a cool project related to NixOS, called Peerix. It's a local | |
daemon exposed as a local substituter (a server providing binary | |
packages) that will discover other Peerix daemon on the local network, | |
and use them as a source of binary packages. | |
Peerix is a simple way to reuse package already installed somewhere on | |
the network instead of downloading it again. Packages delivered by | |
Peerix substituters are signed with a private key, so you need to | |
import each computer public key before being able to download/use their | |
packages. While this can be cumbersome, this also mandatory to prevent | |
someone on the network to spoof packages. | |
Perrix should be used wisely, because secrets in your store could be | |
leaked to others. | |
Peerix GitHub page | |
# Generating the keys | |
First step is to generate a pair of keys for each computer using | |
Peerix. | |
In the directory in which you have your configurations files, use the | |
command: | |
``` | |
nix-store --generate-binary-cache-key "peerix-$(hostname -s)" peerix-private pe… | |
``` | |
# Setup | |
I will only cover the flakes installation on NixOS. Add the files | |
peerix-private and peerix-public to git as this is a requirement to | |
flakes. | |
NOTE: if you find a way to not add the private key to the store, I'll | |
be glad to hear about your solution! | |
Add this input in your flake.nix file: | |
```nix | |
peerix = { | |
url = "github:cid-chan/peerix"; | |
inputs.nixpkgs.follows = "nixpkgs"; | |
}; | |
``` | |
Add "peerix" in the outputs parameters lile: | |
```nix | |
outputs = { eslf, nixpkgs, peerix}: { | |
``` | |
And in the modules list of your configuration, add this: | |
``` | |
peerix.nixosModules.peerix | |
{ | |
services.peerix = { | |
enable = true; | |
package = peerix.packages.x86_64-linux.peerix; | |
openFirewall = true; # UDP/12304 | |
privateKeyFile = ./peerix-private; | |
publicKeyFile = ./peerix-public; | |
publicKey = "THE CONTENT OF peerix-public FROM THE OTHER COMPUTER"; | |
# example # publicKey = "peerix-laptop:1ZjzxYFhzeRMni4CyK2uKHjgo6xy0="; | |
}; | |
} | |
``` | |
If you have multiple public keys to use, just add them with a space | |
between each value. | |
Run "nix flake lock --update-input peerix" and you can now reconfigure | |
your system. | |
# How to use | |
There is nothing special to do, when you update your system, or use | |
nix-shell, the nix-daemon will use the local Peerix substituter first | |
which will discover other Peerix instances if any, and will use them | |
when possible. | |
You can check the logs of the peerix daemons using "journalctl -f -u | |
peerix.service" on both systems. | |
# Conclusion | |
While Peerix isn't a big project, it has a lot of potential to help | |
NixOS users with multiple computers to have a more efficient bandwidth | |
usage, but also build time. If you build the same project (with same | |
inputs) on your computers, you can pull the result from the other. |