From a2d3c0b65ecf498a4cb6b0e18203e9a7592d8246 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rton=20Boros?= Date: Thu, 25 Jun 2026 18:41:57 +0300 Subject: [PATCH 1/2] security: fix insecure nix trusted-users config recommendation --- README.md | 2 + docs/multigres-image.md | 36 +++++-------- nix/docs/nix-cache.md | 52 +++++++++++++++++++ nix/docs/start-here.md | 32 ++++-------- .../darwin-nixostest/darwin-configuration.nix | 3 -- 5 files changed, 77 insertions(+), 48 deletions(-) create mode 100644 nix/docs/nix-cache.md diff --git a/README.md b/README.md index 5adf578078..5a053b1bbe 100644 --- a/README.md +++ b/README.md @@ -124,6 +124,8 @@ The project uses Nix as its build system, which provides: ## Common Tasks +To skip hours of building and download instead, configure the Supabase Postgres Nix binary cache: [nix/docs/nix-cache.md](nix/docs/nix-cache.md). + ### Building Locally To build PostgreSQL with extensions locally: diff --git a/docs/multigres-image.md b/docs/multigres-image.md index dc079cc53c..ac3b6ef211 100644 --- a/docs/multigres-image.md +++ b/docs/multigres-image.md 
@@ -77,43 +77,33 @@ docker build -f Dockerfile-multigres --target variant-orioledb-17 -t pg-docker-t nix run .#docker-image-test -- --no-build --target variant-orioledb-17 Dockerfile-multigres ``` -### Optional: install nix +### Install nix ## Install Nix (Fresh Installation) We'll use the official Nix installer with a custom configuration that includes our build caches and settings. This works on many platforms, including **aarch64 Linux**, **x86_64 Linux**, and **macOS**. -### Step 1: Create nix.conf +### Step 1: Create nix.conf.extra -First, create a file named `nix.conf` with the following content: +First, create a file named `nix.conf.extra` with the following content: ``` -allowed-users = * -always-allow-substitutes = true -auto-optimise-store = false -build-users-group = nixbld -builders-use-substitutes = true -cores = 0 experimental-features = nix-command flakes -max-jobs = auto -netrc-file = -require-sigs = true -substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org https://cache.nixos.org/ -trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= -trusted-substituters = -trusted-users = YOUR_USERNAME root -extra-sandbox-paths = -extra-substituters = -``` +trusted-substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org https://cache.nixos.org/ +trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI= + ``` + +> [!CAUTION] +> DO NOT add anyone to `trusted-users` in `/etc/nix/nix.conf` as it [grants root without 
password](https://nix.dev/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users). Instead, add the binary cache to `trusted-substituters` and `trusted-public-keys` and accept the flake config to use it. -**Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line. +Read about the binary cache in [/nix/docs/nix-cache.md](/nix/docs/nix-cache.md). ### Step 2: Install Nix 2.34.6 Run the following command to install Nix 2.34.6 (the version used in CI) with the custom configuration: ```bash -curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf +curl -L https://releases.nixos.org/nix/nix-2.34.6/install | sh -s -- --daemon --yes --nix-extra-conf-file ./nix.conf.extra ``` This will install Nix with our build caches pre-configured, which should eliminate substituter-related errors. @@ -134,7 +124,7 @@ nix (Nix) 2.34.6 ### Test only (image already built) - +When prompted, accept the `substituters` setting. ```bash nix run .#docker-image-test -- --no-build --target variant-17 Dockerfile-multigres @@ -237,4 +227,4 @@ postgres_release: postgres17: "17.6.1.097" postgres15: "15.14.1.097"     ``` -Then you can push the changes if the images pass those tests \ No newline at end of file +Then you can push the changes if the images pass those tests diff --git a/nix/docs/nix-cache.md b/nix/docs/nix-cache.md new file mode 100644 index 0000000000..a74723e2d6 --- /dev/null +++ b/nix/docs/nix-cache.md 
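Review bot: The rewritten `nix.conf.extra` lists the caches only under `trusted-substituters`, which permits them but does not enable them, yet the unchanged sentence after the install command still says the caches are "pre-configured" and that substituter errors are eliminated; with this file the download only starts once the repo flake's `extra-substituters` is accepted, and as far as the `flake.nix` hunk in the second patch shows that list holds only the S3 cache, not `https://postgrest.cachix.org`. Change that sentence to `This installs Nix with the caches trusted; they are used once you accept the flake's extra-substituters setting when prompted.` and, in the next hunk of this file, change `When prompted, accept the `substituters` setting.` to name the setting the prompt actually shows, `extra-substituters`. One sentence after the caution would also explain why the split is safe to accept: signatures are still checked against the daemon's `trusted-public-keys`, so a flake's config can only select a cache already present in `trusted-substituters`, and `accept-flake-config = true` should not be added to `nix.conf` to silence the prompt. The surrounding section continues past the hunk on both sides.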
@@ -0,0 +1,52 @@
+# Using the Nix binary cache
+
+If you don't use the binary cache, it might take hours to build stuff you could just download, already built by CI.
+
+## Nix without NixOS or nix-darwin
+
+You need to edit this file:
+
+```text
+/etc/nix/nix.conf
+```
+
+Add or merge this config:
+
+```conf
+trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+trusted-substituters = https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org
+```
+
+> [!CAUTION]
+> DO NOT add anyone to `trusted-users` in `/etc/nix/nix.conf` as it [grants root without password](https://nix.dev/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users). Instead, add the binary cache to `trusted-substituters` and `trusted-public-keys` and accept the flake config to use the cache.
+
+Restart the nix daemon to load the new config:
+
+**On macOS:**
+```bash
+sudo launchctl stop org.nixos.nix-daemon
+sudo launchctl start org.nixos.nix-daemon
+```
+
+**On Linux (systemd):**
+```bash
+sudo systemctl restart nix-daemon
+```
+
+## NixOS or nix-darwin
+
+Add this to your system configuration:
+
+```nix
+{
+ nix.settings.trusted-substituters = [
+ "https://nix-postgres-artifacts.s3.amazonaws.com"
+ "https://postgrest.cachix.org"
+ ];
+
+ nix.settings.trusted-public-keys = [
+ "nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI="
+ "postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI="
+ ];
+}
+```
diff --git a/nix/docs/start-here.md b/nix/docs/start-here.md
index 44c086b3e0..20f51b48a3 100644
--- a/nix/docs/start-here.md
+++ b/nix/docs/start-here.md
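Review bot: The `/etc/nix/nix.conf` snippet assigns `trusted-public-keys = nix-postgres-artifacts:…`, and a plain (non-`extra-`) assignment replaces the daemon's default key list, so after following it paths from cache.nixos.org are rejected as lacking a trusted signature and get built locally; the same `trusted-substituters` line lists `https://postgrest.cachix.org` whose key the snippet omits, so that cache fails the signature check as well, while the NixOS/nix-darwin block further down does list it. Use the additive form that `nix/hosts/darwin-nixostest/darwin-configuration.nix` in this patch already uses: `extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI=` and `extra-trusted-substituters = https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org`, and give the `nix.settings.trusted-*` keys in the Nix snippet the same `extra-` prefix (or else list the `cache.nixos.org-1:…` key explicitly, as the `nix.conf.extra` snippet in `docs/multigres-image.md` does). A short sentence after the caution should state what `trusted-substituters` does and does not do: it only allows the cache to be requested, the cache is used when the repo flake's `extra-substituters` prompt is accepted, and every path is still verified against the daemon's `trusted-public-keys`, which is why the key belongs in `/etc/nix/nix.conf` rather than in the flake.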
@@ -14,24 +14,18 @@ If you already have the official Nix installer (not Determinate Systems) install ### Step 1: Edit /etc/nix/nix.conf -Add or update the following configuration in `/etc/nix/nix.conf`: +Extend the following configuration in `/etc/nix/nix.conf`: ``` -allowed-users = * -always-allow-substitutes = true -auto-optimise-store = false -build-users-group = nixbld -builders-use-substitutes = true -cores = 0 experimental-features = nix-command flakes -max-jobs = auto -require-sigs = true substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org https://cache.nixos.org/ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= -trusted-users = YOUR_USERNAME root ``` -**Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line. +> [!CAUTION] +> DO NOT add anyone to `trusted-users` in `/etc/nix/nix.conf` as it [grants root without password](https://nix.dev/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users). Instead, add the binary cache to `trusted-substituters` and `trusted-public-keys` and accept the flake config to use the cache. + +Read about the binary cache in [/nix/docs/nix-cache.md](/nix/docs/nix-cache.md). ### Step 2: Restart the Nix Daemon 
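Review bot: The new caution tells the reader to put the cache under `trusted-substituters` and accept the flake config, but the snippet directly above it keeps `substituters = …` set daemon-wide, which already enables the caches for every user with no prompt involved, so the two halves of this step now disagree about which setting does the work; the next hunk of this file has the same pairing. Either keep `substituters` and reword the caution's second sentence to `Instead, list the cache under substituters and its key under trusted-public-keys daemon-wide, as above.`, or align with `docs/multigres-image.md` in this patch by replacing `substituters =` with `trusted-substituters =` so that "accept the flake config" is accurate. In both variants a one-line note that the `trusted-public-keys` line must keep the `cache.nixos.org-1:…` entry, because a plain assignment replaces the default list, would protect readers who trim the line to the project keys.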
@@ -56,24 +50,18 @@ We'll use the official Nix installer with a custom configuration that includes o ### Step 1: Create nix.conf -First, create a file named `nix.conf` with the following content: +First, create a file named `nix.conf.extra` with the following content: ``` -allowed-users = * -always-allow-substitutes = true -auto-optimise-store = false -build-users-group = nixbld -builders-use-substitutes = true -cores = 0 experimental-features = nix-command flakes -max-jobs = auto -require-sigs = true substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com https://postgrest.cachix.org https://cache.nixos.org/ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= postgrest.cachix.org-1:icgW4R15fz1+LqvhPjt4EnX/r19AaqxiVV+1olwlZtI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= -trusted-users = YOUR_USERNAME root ``` -**Important**: Replace `YOUR_USERNAME` with your actual username in the `trusted-users` line. +> [!CAUTION] +> DO NOT add anyone to `trusted-users` in `/etc/nix/nix.conf` as it [grants root without password](https://nix.dev/manual/nix/stable/command-ref/conf-file.html#conf-trusted-users). Instead, add the binary cache to `trusted-substituters` and `trusted-public-keys` and accept the flake config to use the cache. + +Read about the binary cache in [/nix/docs/nix-cache.md](/nix/docs/nix-cache.md). ### Step 2: Install Nix 2.34.6 diff --git a/nix/hosts/darwin-nixostest/darwin-configuration.nix b/nix/hosts/darwin-nixostest/darwin-configuration.nix index 210880b96f..76fca85ef3 100644 --- a/nix/hosts/darwin-nixostest/darwin-configuration.nix +++ b/nix/hosts/darwin-nixostest/darwin-configuration.nix 
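Review bot: The heading `### Step 1: Create nix.conf` is left as context while the sentence under it now says to create `nix.conf.extra`, so the step title and the filename it introduces disagree; the parallel heading in `docs/multigres-image.md` was updated in this patch. Change it to `### Step 1: Create nix.conf.extra`. The install command that consumes this file is outside the hunk, so check that it was renamed there too, as it was in `docs/multigres-image.md` (`--nix-extra-conf-file ./nix.conf.extra`).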
@@ -73,11 +73,8 @@ in "nix-command" "flakes" ]; - always-allow-substitutes = true; max-jobs = "auto"; - trusted-users = [ "@admin" ]; extra-substituters = [ "https://nix-postgres-artifacts.s3.amazonaws.com" ]; - extra-trusted-substituters = [ "https://nix-postgres-artifacts.s3.amazonaws.com" ]; extra-trusted-public-keys = [ "nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=" ]; From e412e82650e5cca5ff492867e24535ce06999834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rton=20Boros?= Date: Fri, 26 Jun 2026 13:40:57 +0300 Subject: [PATCH 2/2] remove public key from flake.nix --- flake.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/flake.nix b/flake.nix index dbabf994c2..b958eee64d 100644 --- a/flake.nix +++ b/flake.nix @@ -2,9 +2,6 @@ description = "Prototype tooling for deploying PostgreSQL"; nixConfig = { extra-substituters = [ "https://nix-postgres-artifacts.s3.amazonaws.com" ]; - extra-trusted-public-keys = [ - "nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=" - ]; }; inputs = { devshell.url = "github:numtide/devshell";