diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index 4629e8eae0..932c339ebb 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -350,13 +350,25 @@ flag, e.g. --option gc-keep-outputs false.
whitespace. These are not used by default, but can be enabled by
users of the Nix daemon by specifying --option
binary-caches urls on the
- command line. Daemon users are only allowed to pass a subset of
- the URLs listed in binary-caches and
+ command line. Unprivileged users are only allowed to pass a
+ subset of the URLs listed in binary-caches and
trusted-binary-caches.
+ extra-binary-caches
+
+ Additional binary caches appended to those
+ specified in and
+ . When used by unprivileged
+ users, untrusted binary caches (i.e. those not listed in
+ ) are silently
+ ignored.
+
+
+
+
binary-caches-parallel-connectionsThe maximum number of parallel HTTP connections
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index e474575518..a511f65b43 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -208,12 +208,15 @@ sub getAvailableCaches {
push @urls, strToList($url);
}
+ push @urls, strToList($Nix::Config::config{"extra-binary-caches"} // "");
+
# Allow Nix daemon users to override the binary caches to a subset
# of those listed in the config file. Note that ‘untrusted-*’
# denotes options passed by the client.
+ my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
+
if (defined $Nix::Config::config{"untrusted-binary-caches"}) {
my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"};
- my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
@urls = ();
foreach my $url (@untrustedUrls) {
die "binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ [@trustedUrls] in $Nix::Config::confDir/nix.conf)\n"
@@ -222,6 +225,12 @@ sub getAvailableCaches {
}
}
+ my @untrustedUrls = strToList $Nix::Config::config{"untrusted-extra-binary-caches"};
+ foreach my $url (@untrustedUrls) {
+ next unless scalar(grep { $url eq $_ } @trustedUrls) > 0;
+ push @urls, $url;
+ }
+
foreach my $url (uniq @urls) {
# FIXME: not atomic.