lix/perl/lib/Nix/Config.pm.in

package Nix::Config;

use MIME::Base64;

$version = "@PACKAGE_VERSION@";

$binDir = $ENV{"NIX_BIN_DIR"} || "@bindir@";
$libexecDir = $ENV{"NIX_LIBEXEC_DIR"} || "@libexecdir@";
$stateDir = $ENV{"NIX_STATE_DIR"} || "@localstatedir@/nix";
$manifestDir = $ENV{"NIX_MANIFESTS_DIR"} || "@localstatedir@/nix/manifests";
$logDir = $ENV{"NIX_LOG_DIR"} || "@localstatedir@/log/nix";
$confDir = $ENV{"NIX_CONF_DIR"} || "@sysconfdir@/nix";
$storeDir = $ENV{"NIX_STORE_DIR"} || "@storedir@";

$bzip2 = "@bzip2@";
$xz = "@xz@";
$curl = "@curl@";
$openssl = "@openssl@";

$useBindings = "@perlbindings@" eq "yes";

%config = ();

%binaryCachePublicKeys = ();

sub readConfig {
    if (defined $ENV{'_NIX_OPTIONS'}) {
        foreach my $s (split '\n', $ENV{'_NIX_OPTIONS'}) {
            my ($n, $v) = split '=', $s, 2;
            $config{$n} = $v;
        }
    } else {
        my $config = "$confDir/nix.conf";
        return unless -f $config;

        open CONFIG, "<$config" or die "cannot open ‘$config’";
        while (<CONFIG>) {
            /^\s*([\w\-\.]+)\s*=\s*(.*)$/ or next;
            $config{$1} = $2;
        }
        close CONFIG;
    }

    foreach my $s (split(/ /, $config{"binary-cache-public-keys"} // "")) {
        my ($keyName, $publicKey) = split ":", $s;
        next unless defined $keyName && defined $publicKey;
        $binaryCachePublicKeys{$keyName} = decode_base64($publicKey);
    }
}

return 1;
-												* Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under
  the Nix:: namespace.


											
										
										
											2011-10-10 21:11:08 +00:00
+								package Nix::Config;
-												Use libsodium instead of OpenSSL for binary cache signing

Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.

											
										
										
											2015-02-04 15:43:32 +00:00
+								use MIME::Base64;
-												Add a Makefile for the Perl stuff

											
										
										
											2013-11-25 16:38:33 +00:00
+								$version = "@PACKAGE_VERSION@";
-												Set the User-Agent header to "Nix/<version>"

											
										
										
											2012-07-11 22:05:30 +00:00
-												* Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under
  the Nix:: namespace.


											
										
										
											2011-10-10 21:11:08 +00:00
+								$binDir = $ENV{"NIX_BIN_DIR"} || "@bindir@";
 								$libexecDir = $ENV{"NIX_LIBEXEC_DIR"} || "@libexecdir@";
-												* Add a test for nix-channel.
* Refactor the nix-channel unpacker a bit.


											
										
										
											2012-01-03 01:51:38 +00:00
+								$stateDir = $ENV{"NIX_STATE_DIR"} || "@localstatedir@/nix";
-												* Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under
  the Nix:: namespace.


											
										
										
											2011-10-10 21:11:08 +00:00
+								$manifestDir = $ENV{"NIX_MANIFESTS_DIR"} || "@localstatedir@/nix/manifests";
 								$logDir = $ENV{"NIX_LOG_DIR"} || "@localstatedir@/log/nix";
-												* build-remote.pl: drop a hard-coded reference to /nix/etc/nix.


											
										
										
											2011-11-23 12:21:35 +00:00
+								$confDir = $ENV{"NIX_CONF_DIR"} || "@sysconfdir@/nix";
-												First attempt at the manifest-less substituter

											
										
										
											2012-06-29 22:28:52 +00:00
+								$storeDir = $ENV{"NIX_STORE_DIR"} || "@storedir@";
-												* Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under
  the Nix:: namespace.


											
										
										
											2011-10-10 21:11:08 +00:00
-												Use XZ compression in binary caches

XZ compresses significantly better than bzip2.  Here are the
compression ratios and execution times (using 4 cores in parallel) on
my /var/run/current-system (3.1 GiB):

  bzip2: total compressed size 849.56 MiB, 30.8% [2m08]
  xz -6: total compressed size 641.84 MiB, 23.4% [6m53]
  xz -7: total compressed size 621.82 MiB, 22.6% [7m19]
  xz -8: total compressed size 599.33 MiB, 21.8% [7m18]
  xz -9: total compressed size 588.18 MiB, 21.4% [7m40]

Note that compression takes much longer.  More importantly, however,
decompression is much faster:

  bzip2: 1m47.274s
  xz -6: 0m55.446s
  xz -7: 0m54.119s
  xz -8: 0m52.388s
  xz -9: 0m51.842s

The only downside to using -9 is that decompression takes a fair
amount (~65 MB) of memory.

											
										
										
											2012-06-29 18:26:31 +00:00
+								$bzip2 = "@bzip2@";
 								$xz = "@xz@";
-												* Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under
  the Nix:: namespace.


											
										
										
											2011-10-10 21:11:08 +00:00
+								$curl = "@curl@";
-												Support cryptographically signed binary caches

NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary
cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as
"cache.example.org-1".  This will be used by clients to look up the
public key.  (It's a good idea to number keys, in case you ever need
to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info
file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.

Issue #75.

											
										
										
											2014-01-08 14:23:41 +00:00
+								$openssl = "@openssl@";
-												* This may be useful in the future.


											
										
										
											2006-05-31 09:24:54 +00:00
-												Support building with the Perl XS bindings disabled

Since the Perl bindings require shared libraries, this is required on
platforms such as Cygwin where we do a static build.

											
										
										
											2012-05-10 23:03:23 +00:00
+								$useBindings = "@perlbindings@" eq "yes";
-												download-from-binary-cache: add nix.conf options

											
										
										
											2012-07-09 14:57:28 +00:00
+								%config = ();
-												Use libsodium instead of OpenSSL for binary cache signing

Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.

											
										
										
											2015-02-04 15:43:32 +00:00
+								%binaryCachePublicKeys = ();
-												* This may be useful in the future.


											
										
										
											2006-05-31 09:24:54 +00:00
+								sub readConfig {
-												Pass configuration settings to the substituters

Previously substituters could read nix.conf themselves, but this
didn't take --option flags into account.

											
										
										
											2012-07-30 20:09:54 +00:00
+								    if (defined $ENV{'_NIX_OPTIONS'}) {
 								        foreach my $s (split '\n', $ENV{'_NIX_OPTIONS'}) {
 								            my ($n, $v) = split '=', $s, 2;
 								            $config{$n} = $v;
 								        }
-												Use libsodium instead of OpenSSL for binary cache signing

Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.

											
										
										
											2015-02-04 15:43:32 +00:00
+								    } else {
 								        my $config = "$confDir/nix.conf";
 								        return unless -f $config;
 								        open CONFIG, "<$config" or die "cannot open ‘$config’";
 								        while (<CONFIG>) {
 								            /^\s*([\w\-\.]+)\s*=\s*(.*)$/ or next;
 								            $config{$1} = $2;
 								        }
 								        close CONFIG;
-												Pass configuration settings to the substituters

Previously substituters could read nix.conf themselves, but this
didn't take --option flags into account.

											
										
										
											2012-07-30 20:09:54 +00:00
+								    }
-												Use libsodium instead of OpenSSL for binary cache signing

Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.

											
										
										
											2015-02-04 15:43:32 +00:00
+								    foreach my $s (split(/ /, $config{"binary-cache-public-keys"} // "")) {
 								        my ($keyName, $publicKey) = split ":", $s;
 								        next unless defined $keyName && defined $publicKey;
 								        $binaryCachePublicKeys{$keyName} = decode_base64($publicKey);
-												* This may be useful in the future.


											
										
										
											2006-05-31 09:24:54 +00:00
+								    }
 								}
 								return 1;