diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml index 4629e8eae0..932c339ebb 100644 --- a/doc/manual/conf-file.xml +++ b/doc/manual/conf-file.xml @@ -350,13 +350,25 @@ flag, e.g. --option gc-keep-outputs false. whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying --option binary-caches urls on the - command line. Daemon users are only allowed to pass a subset of - the URLs listed in binary-caches and + command line. Unprivileged users are only allowed to pass a + subset of the URLs listed in binary-caches and trusted-binary-caches. + extra-binary-caches + + Additional binary caches appended to those + specified in and + . When used by unprivileged + users, untrusted binary caches (i.e. those not listed in + ) are silently + ignored. + + + + binary-caches-parallel-connections The maximum number of parallel HTTP connections diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index e474575518..a511f65b43 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -208,12 +208,15 @@ sub getAvailableCaches { push @urls, strToList($url); } + push @urls, strToList($Nix::Config::config{"extra-binary-caches"} // ""); + # Allow Nix daemon users to override the binary caches to a subset # of those listed in the config file. Note that ‘untrusted-*’ # denotes options passed by the client. + my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // "")); + if (defined $Nix::Config::config{"untrusted-binary-caches"}) { my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"}; - my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // "")); @urls = (); foreach my $url (@untrustedUrls) { die "binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ [@trustedUrls] in $Nix::Config::confDir/nix.conf)\n" @@ -222,6 +225,12 @@ sub getAvailableCaches { } } + my @untrustedUrls = strToList $Nix::Config::config{"untrusted-extra-binary-caches"}; + foreach my $url (@untrustedUrls) { + next unless scalar(grep { $url eq $_ } @trustedUrls) > 0; + push @urls, $url; + } + foreach my $url (uniq @urls) { # FIXME: not atomic.