Latest commit: 07bd576628 "add initial nixos modules" by Abel Luck, 2026-02-26 19:11:53 +01:00 (all CI checks passed)
cmd switch from client_secret to client_secret_file 2026-02-26 11:21:33 +01:00
internal write and update the netrc with safe perms 2026-02-26 11:25:20 +01:00
.envrc add direnv 2026-02-26 10:02:57 +01:00
.gitignore Release v0.1.0 2026-02-26 11:27:37 +01:00
CHANGELOG.md add CHANGELOG 2026-02-26 11:18:46 +01:00
flake.lock plain vanilla flakes 2026-02-26 11:07:32 +01:00
flake.nix add initial nixos modules 2026-02-26 19:11:53 +01:00
go.mod initial working version 2026-02-26 11:05:16 +01:00
go.sum initial working version 2026-02-26 11:05:16 +01:00
LICENSE init 2026-02-26 09:25:58 +01:00
main.go initial working version 2026-02-26 11:05:16 +01:00
nixos-module-server.nix add initial nixos modules 2026-02-26 19:11:53 +01:00
nixos-module.nix add initial nixos modules 2026-02-26 19:11:53 +01:00
package.nix create a standalone package file 2026-02-26 11:25:04 +01:00
README.md switch from client_secret to client_secret_file 2026-02-26 11:21:33 +01:00

nix-cache-login

CLI tool for authenticating with a Nix binary cache via Keycloak OIDC. Obtains access tokens and writes them to a netrc file so Nix can use them transparently.

Canonical Repository: https://guardianproject.dev/ops/nix-cache-login

Overview

Nix binary caches can be protected with OIDC-based authentication backed by Keycloak. This tool handles the token lifecycle:

  • Workstation users: authenticate via browser (Authorization Code + PKCE), get a 1-hour access token and a 24-hour refresh token
  • Servers: authenticate headlessly via client credentials, get a short-lived access token refreshed on a timer

The access token is written to a netrc file, which Nix reads automatically when fetching from the cache.

Installation

# run directly
nix run guardianproject.dev/ops/nix-cache-login

Or add as a flake input:

{
  inputs.nix-cache-login.url = "git+https://guardianproject.dev/ops/nix-cache-login";

  # use the package
  # nix-cache-login.packages.${system}.default
}

Configuration

Create $XDG_CONFIG_HOME/nix-cache-login/config.toml (default ~/.config/nix-cache-login/config.toml):

Workstation:

issuer = "https://id.guardianproject.info/realms/gp"
client_id = "nix-cache"
cache_host = "cache.guardianproject.dev"
netrc_path = "$XDG_CONFIG_HOME/nix/netrc"

Server (service account):

issuer = "https://id.guardianproject.info/realms/gp"
client_id = "nix-cache-server"
client_secret_file = "/run/secrets/nix-cache-client-secret"
cache_host = "cache.guardianproject.dev"
netrc_path = "$XDG_CONFIG_HOME/nix/netrc"

Path values support environment variable expansion ($VAR and ${VAR}).
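The two configuration details above that matter most for security are the expansion of netrc_path and the fact that the token lands in a file Nix reads. The following is an added example, not the project's own code: it expands $VAR/${VAR} in the configured path, replaces only the entry for cache_host, and writes the file atomically with mode 0600 so a crash or concurrent read never exposes a truncated or world-readable token file. The one-entry-per-line netrc layout and the login parameter are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// renderNetrc returns netrc content with the entry for host replaced (or appended)
// and every other machine left as-is. Assumes one entry per line (example layout).
func renderNetrc(existing, host, login, token string) string {
	var out []string
	for _, line := range strings.Split(existing, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || (f[0] == "machine" && len(f) > 1 && f[1] == host) {
			continue // drop blank lines and the stale entry for this cache
		}
		out = append(out, line)
	}
	out = append(out, fmt.Sprintf("machine %s login %s password %s", host, login, token))
	return strings.Join(out, "\n") + "\n"
}

// writeNetrc expands $VAR/${VAR} in path, then replaces the file atomically.
// os.CreateTemp opens the temp file with mode 0600 and rename is atomic.
func writeNetrc(path, host, login, token string) error {
	path = os.ExpandEnv(path)
	existing, err := os.ReadFile(path)
	if err != nil && !os.IsNotExist(err) {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".netrc-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.WriteString(renderNetrc(string(existing), host, login, token)); err != nil {
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() { // constructed demo path and token, not real credentials
	fmt.Println(writeNetrc(os.TempDir()+"/netrc", "cache.guardianproject.dev", "oidc", "demo-token"))
}
```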

Usage

nix-cache-login login            # authenticate via browser (default command)
nix-cache-login refresh          # refresh token without browser
nix-cache-login service-account  # headless client credentials flow
nix-cache-login status           # show token expiry info
nix-cache-login logout           # revoke tokens and clean up

Maintenance

This tool is actively maintained by Guardian Project.

Issues

For bug reports and feature requests, please use the Issues page.

Security

For security-related issues, please contact us through our security policy.

License

Copyright (c) 2026 Abel Luck abel@guardianproject.info

This project is licensed under the GNU General Public License v3.0 or later - see the LICENSE file for details.