ops/nix-cache-login
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add README

Browse source
This commit is contained in:
Abel Luck 2026-02-26 11:18:57 +01:00
parent 879c3fd94b
commit ec2cdb0700
1 changed files with 90 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

90
README.md Normal file
View file

@ -0,0 +1,90 @@
# nix-cache-login
CLI tool for authenticating with a Nix binary cache via Keycloak OIDC. Obtains
access tokens and writes them to a netrc file so Nix can use them
transparently.
Canonical Repository: https://guardianproject.dev/ops/nix-cache-login
## Overview
Nix binary caches can be protected with OIDC-based authentication backed by
Keycloak. This tool handles the token lifecycle:
- Workstation users: authenticate via browser (Authorization Code + PKCE), get a 1-hour access token and a 24-hour refresh token
- Servers: authenticate headlessly via client credentials, get a short-lived access token refreshed on a timer
The access token is written to a netrc file, which Nix reads automatically when
fetching from the cache.
## Installation
```bash
# run directly
nix run guardianproject.dev/ops/nix-cache-login
```
Or add as a flake input:
```nix
{
inputs.nix-cache-login.url = "git+https://guardianproject.dev/ops/nix-cache-login";
# use the package
# nix-cache-login.packages.${system}.default
}
```
## Configuration
Create `$XDG_CONFIG_HOME/nix-cache-login/config.toml` (default `~/.config/nix-cache-login/config.toml`):
**Workstation:**
```toml
issuer = "https://id.guardianproject.info/realms/gp"
client_id = "nix-cache"
cache_host = "cache.guardianproject.info"
netrc_path = "$XDG_CONFIG_HOME/nix/netrc"
```
**Server (service account):**
```toml
issuer = "https://id.guardianproject.info/realms/gp"
client_id = "nix-cache-server"
client_secret = "..."
cache_host = "cache.guardianproject.info"
netrc_path = "$XDG_CONFIG_HOME/nix/netrc"
```
Path values support environment variable expansion (`$VAR` and `${VAR}`).
## Usage
```bash
nix-cache-login login # authenticate via browser (default command)
nix-cache-login refresh # refresh token without browser
nix-cache-login service-account # headless client credentials flow
nix-cache-login status # show token expiry info
nix-cache-login logout # revoke tokens and clean up
```
## Maintenance
This tool is actively maintained by [Guardian Project](https://guardianproject.info).
### Issues
For bug reports and feature requests, please use the [Issues][issues] page.
### Security
For security-related issues, please contact us through our [security policy][sec].
[issues]: https://guardianproject.dev/ops/nix-cache-login/issues
[sec]: https://guardianproject.info/contact/
## License
Copyright (c) 2026 Abel Luck <abel@guardianproject.info>
This project is licensed under the GNU General Public License v3.0 or later - see the [LICENSE](LICENSE) file for details.