S3 Binary Cache Store

Store URL format: s3://bucket-name

This store allows reading and writing a binary cache stored in an AWS S3 (or S3-compatible service) bucket. This store shares many idioms with the HTTP Binary Cache Store.

For AWS S3, the binary cache URL for a bucket named example-nix-cache will be exactly s3://example-nix-cache. For S3 compatible binary caches, consult that cache's documentation.

Anonymous reads to your S3-compatible binary cache

If your binary cache is publicly accessible and does not require authentication, it is simplest to use the [HTTP Binary Cache Store] rather than S3 Binary Cache Store with https://example-nix-cache.s3.amazonaws.com instead of s3://example-nix-cache.

Your bucket will need a bucket policy like the following to be accessible:

{
    "Id": "DirectReads",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDirectReads",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::example-nix-cache",
                "arn:aws:s3:::example-nix-cache/*"
            ],
            "Principal": "*"
        }
    ]
}

Authentication

Nix will use the default credential provider chain for authenticating requests to Amazon S3.

Note that this means Nix will read environment variables and files with different idioms than with Nix's own settings, as implemented by the AWS SDK. Consult the documentation linked above for further details.

Authenticated reads to your S3 binary cache

Your bucket will need a bucket policy allowing the desired users to perform the s3:GetObject and s3:GetBucketLocation action on all objects in the bucket. The anonymous policy given above can be updated to have a restricted Principal to support this.

Authenticated writes to your S3-compatible binary cache

Your account will need an IAM policy to support uploading to the bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadToCache",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-nix-cache",
        "arn:aws:s3:::example-nix-cache/*"
      ]
    }
  ]
}

Examples

With bucket policies and authentication set up as described above, uploading works via nix copy (experimental).

To upload with a specific credential profile for Amazon S3:

$ nix copy nixpkgs.hello \
  --to 's3://example-nix-cache?profile=cache-upload&region=eu-west-2'

To upload to an S3-compatible binary cache:

$ nix copy nixpkgs.hello --to \
  's3://example-nix-cache?profile=cache-upload&scheme=https&endpoint=minio.example.com'

Settings

buffer-size

Size (in bytes) of each part in multi-part uploads.

Default: 5242880
compression

NAR compression method (xz, bzip2, gzip, zstd, or none).

Default: xz
compression-level

The preset level to be used when compressing NARs. The meaning and accepted values depend on the compression method selected. -1 specifies that the default compression level should be used.

Default: -1
endpoint

The URL of the endpoint of an S3-compatible service such as MinIO. Do not specify this setting if you're using Amazon S3.

Note

This endpoint must support HTTPS and will use path-based addressing instead of virtual host based addressing.

Default: empty
index-debug-info

Whether to index DWARF debug info files by build ID. This allows dwarffs to fetch debug info on demand

Default: false
local-nar-cache

Path to a local cache of NARs fetched from this binary cache, used by commands such as nix store cat.

Default: empty
log-compression

Compression method for log/* files. It is recommended to use a compression method supported by most web browsers (e.g. brotli).

Default: empty
ls-compression

Compression method for .ls files.

Default: empty
multipart-upload

Whether to use multi-part uploads.

Default: false
narinfo-compression

Compression method for .narinfo files.

Default: empty
parallel-compression

Enable multi-threaded compression of NARs. This is currently only available for xz and zstd.

Default: false
path-info-cache-size

Size of the in-memory store path metadata cache.

Default: 65536
priority

Priority of this store when used as a substituter. A lower value means a higher priority.

Default: 0
profile

The name of the AWS configuration profile to use. By default Nix will use the default profile.

Default: empty
region

The region of the S3 bucket. If your bucket is not in us–east-1, you should always explicitly specify the region parameter.

Default: us-east-1
scheme

The scheme used for S3 requests, https (default) or http. This option allows you to disable HTTPS for binary caches which don't support it.

Note

HTTPS should be used if the cache might contain sensitive information.

Default: empty
secret-key

Path to the secret key used to sign the binary cache.

Default: empty
store

Logical location of the Nix store, usually /nix/store. Note that you can only copy store paths between stores if they have the same store setting.

Default: /nix/store
system-features

Optional system features available on the system this store uses to build derivations.

Example: "kvm"

Default: machine-specific
trusted

Whether paths from this store can be used as substitutes even if they are not signed by a key listed in the trusted-public-keys setting.

Default: false
want-mass-query

Whether this store can be queried efficiently for path validity when used as a substituter.

Default: false
write-nar-listing

Whether to write a JSON file that lists the files in each NAR.

Default: false

Nix Reference Manual