Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



50 Commits

Repository files navigation


A proxy that acts as binary cache for Nix

  • Signs Narinfo in flight with own private key
  • Authenticates with S3 to forward NARs for long-term storage
  • Keeps a local cache on disk for faster responses.
  • Provides a minimal Docker registry


Start spongix:

nix key generate-secret --key-name foo > skey
nix build
./result/bin/spongix \
  --substituters "" "" \
  --secret-key-files ./skey \
  --trusted-public-keys "" "" \
  --listen :7745 \
  --dir /tmp/spongix

To add store paths to the cache, you can use nix copy:

nix copy --to '' github:nixos/nix

To use this as your binary cache, specify it as a substituter:

nix build github:nixos/nix \
  --option substituters \
  --option trusted-public-keys "$(< pkey)"

Signatures are checked against the the trusted-public-keys of your configuration.

Upload after every build

Set a post-build-hook in your nix configuration to a script like this:

set -euf
export IFS=' '
if [[ -n "$OUT_PATHS" ]]; then
  echo "Uploading to cache: $OUT_PATHS"
  exec nix copy --to '' $OUT_PATHS


  • Write better integration tests (with cicero)
  • Healthchecks
  • A way to horizontally scale (probably by just locking via consul, s3, raft, postgres, rqlite, dqlite, ...)
  • Proper CLI usage
  • Benchmark of desync index vs db lookup performance
  • Additional signing for a set of allowed public keys
  • Disk cache size limits and LRU eviction
  • Forward lookups across multiple upstream caches
  • Identify and solve concurrency issues
  • Prometheus metrics
  • Store narinfo in a database
  • Upload to S3 as well as the local store
  • Verify existing signatures


No releases published


No packages published