flake: add nix-community cachix as substituters
This allows people interacting with our flake to benefit more from caching (mostly testbeds). On the first interaction with our flake the user will be prompted with the below messages, which is slightly annoying but worth it imo because people directly interacting with the flake probably care about better caching of the testbeds.
do you want to allow configuration setting 'extra-substituters' to be set to 'https://nix-community.cachix.org' (y/N)?
do you want to permanently mark this value as trusted (y/N)?
do you want to allow configuration setting 'extra-trusted-public-keys' to be set to ' nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=' (y/N)?
do you want to permanently mark this value as trusted (y/N)?
cc @MattSturgeon @trueNAHO @danth
Submission Checklist
- [x] I certify that I have the right to submit this contribution under the MIT license
- [x] Commit messages adhere to Stylix commit conventions
- [ ] Theming changes adhere to the Stylix style guide
- [x] Changes have been tested locally
- [ ] Changes have been tested in testbeds
- [x] Each commit in this PR is suitable for backport to the current stable branch
Notify Maintainers
#1797 should be merged first
How to trust `https://nix-community.cachix.org` without setting `nix.settings.trusted-users`: The following NixOS declaration does not resolve the issue:

```nix
nix.settings = {
  substituters = [ "https://nix-community.cachix.org" ];
  trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
};
```
I used to define trusted-substituters:
https://github.com/MattSturgeon/nix-config/blob/2544e5126be716c00400b15229bfd371945e813d/modules/common/nix.nix#L41-L47
See https://nix.dev/manual/nix/2.24/command-ref/conf-file.html#conf-trusted-substituters
I recently refactored to just explicitly add all the substituters I need to my nixos config, but if you want to trust a substituter without always using it, the setting is trusted-substituters.
I am still getting the same error:
```
$ sudo nixos-rebuild switch
$ reboot
$ cd "$STYLIX"
$ direnv block
$ cd -
$ cd -
$ rm ~/.local/share/nix/trusted-settings.json
$ nix develop
do you want to allow configuration setting 'extra-substituters' to be set to 'https://nix-community.cachix.org' (y/N)? y
do you want to permanently mark this value as trusted (y/N)? y
do you want to allow configuration setting 'extra-trusted-public-keys' to be set to 'nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=' (y/N)? y
do you want to permanently mark this value as trusted (y/N)? y
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
```
Here is more context:
- NixOS configuration:

  ```nix
  nix.settings = {
    substituters = [ "https://nix-community.cachix.org" ];
    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
    trusted-substituters = [ "https://nix-community.cachix.org" ];
  };
  ```

- `~/.local/share/nix/trusted-settings.json`:

  ```json
  {
    "extra-substituters": {
      "https://nix-community.cachix.org": true
    },
    "extra-trusted-public-keys": {
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=": true
    }
  }
  ```

- `/etc/nix/nix.conf`:

  ```
  allowed-users = *
  auto-optimise-store = true
  builders =
  cores = 0
  experimental-features = ca-derivations flakes impure-derivations nix-command
  max-jobs = auto
  require-sigs = true
  sandbox = true
  sandbox-fallback = false
  substituters = https://nix-community.cachix.org https://cache.nixos.org/
  system-features = nixos-test benchmark big-parallel kvm
  trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
  trusted-substituters = https://nix-community.cachix.org
  trusted-users = root
  extra-sandbox-paths =
  ```
Sorry for not figuring this out. I hope not having updated my NixOS config in half a year has nothing to do with it...
Firstly, you have nix-community in both substituters and trusted-substituters. That should be unnecessary.
Your actual error is:
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
And your nix.conf shows:
trusted-users = root
So the issue here is that you are not marking your user as a "trusted" user that is allowed to modify restricted settings.
You can either hard-code adding the extra trusted public key in your NixOS config, or add your user to nix.settings.trusted-users (maybe there's an option to trust admin users by default?)
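Added example (not part of the thread and not Stylix or Nix code): a simplified Python model of how the Nix daemon handles the `extra-substituters` and `extra-trusted-public-keys` values a flake requests, run against the `nix.conf` lines posted above. The user name `alice`, the function names and the outcome strings are assumptions made for illustration.

```python
# Simplified model (assumption) of daemon-side handling of client-specified settings.
# NIX_CONF is copied from the nix.conf posted in the thread; "alice" is constructed.
URL = "https://nix-community.cachix.org"
KEY = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
NIX_CONF = f"""\
substituters = {URL} https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= {KEY}
trusted-substituters = {URL}
trusted-users = root
"""

def parse_nix_conf(text):
    """Parse 'name = v1 v2 ...' lines into {name: [values]}; 'extra-<name>' appends."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.startswith("extra-"):
            conf.setdefault(name[len("extra-"):], []).extend(value.split())
        else:
            conf[name] = value.split()
    return conf

def is_trusted(conf, user, groups=()):
    """trusted-users holds user names, '@group' entries, or '*'."""
    entries = conf.get("trusted-users", ["root"])
    return "*" in entries or user in entries or any("@" + g in entries for g in groups)

def flake_request_outcome(conf, user, groups, setting, value):
    """Classify one value requested through a flake's nixConfig."""
    if is_trusted(conf, user, groups):
        return "accepted: trusted user"
    if setting == "extra-trusted-public-keys":
        # Restricted setting: dropped for untrusted users (the warning in the thread).
        if value in conf.get("trusted-public-keys", []):
            return "ignored, key already trusted system-wide"
        return "ignored, key not trusted"
    if setting == "extra-substituters":
        norm = lambda u: u.rstrip("/")  # compare URLs without a trailing slash
        if norm(value) in map(norm, conf.get("substituters", [])):
            return "already a system substituter"
        if norm(value) in map(norm, conf.get("trusted-substituters", [])):
            return "accepted: listed in trusted-substituters"
        return "ignored, untrusted substituter"
    raise ValueError(f"unmodelled setting: {setting}")
```

The Nix manual describes adding a user to `trusted-users` as essentially equivalent to giving that user root access, which is why declaring the cache and its key system-wide is the narrower of the two options mentioned above.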
Successfully created backport PR for release-25.05:
- #2103
Successfully created backport PR for release-25.11:
- #2104