nova-cache: Pure-first Nix binary cache protocol library

[ bsd3, distribution, library, nix ]

A pure-first library implementing the Nix binary cache protocol — nix-base32, NAR serialization, narinfo parsing, Ed25519 signing, store path handling, and content validation — with an optional WAI server.



Flags

Manual Flags

Name         Description                                             Default
server       Build the cache server executable (pulls in warp/wai)  Disabled
compression  Enable LZMA/XZ compression (requires system liblzma)   Enabled

Use -f <flag> to enable a flag, or -f -<flag> to disable that flag.

Versions [RSS] 0.1.0.0, 0.2.0.0, 0.2.1.0, 0.2.2.0, 0.2.3.0, 0.2.4.0, 0.2.4.1, 0.3.0.0, 0.3.1.0, 0.3.2.0, 0.3.2.1, 0.4.0.0
Change log CHANGELOG.md
Dependencies base (>=4.16 && <5), base64-bytestring (>=1.2 && <1.3), bytestring (>=0.11 && <0.13), containers (>=0.6 && <0.8), crypton (>=1.1 && <2), directory (>=1.3 && <1.4), filepath (>=1.4 && <1.6), http-types (>=0.12 && <0.13), lzma (>=0.0.1 && <0.1), nova-cache, ram (>=0.20 && <1), text (>=2.0 && <2.2), vector (>=0.12 && <0.14), wai (>=3.2 && <3.3), wai-extra (>=3.1 && <3.2), warp (>=3.3 && <3.5) [details]
Tested with ghc ==9.8.4
License BSD-3-Clause
Author Devon Tomlin
Maintainer devon.tomlin@novavero.ai
Uploaded by aoinoikaz at 2026-06-08T17:44:16Z
Category Nix, Distribution
Home page https://github.com/Novavero-AI/nova-cache
Bug tracker https://github.com/Novavero-AI/nova-cache/issues
Source repo head: git clone https://github.com/Novavero-AI/nova-cache -b main
Reverse Dependencies 1 direct, 0 indirect [details]
Executables nova-cache-server
Downloads 121 total (38 in the last 30 days)
Status Docs available [build log]
Last success reported on 2026-06-08 [all 1 reports]

Readme for nova-cache-0.4.0.0


nova-cache

The Nix binary cache protocol, in Haskell.

nix-base32, NAR archives, narinfo, store paths, and Ed25519 signing — with an optional WAI cache server. A pure core; IO is confined to the compression, storage, and server boundaries.



Installation

build-depends: nova-cache

The compression flag (on by default) requires the system liblzma. Build with -f-compression if you only need hashing, NAR, or narinfo.

Usage

import NovaCache.Hash (hashBytes, formatNixHash)
import qualified Data.ByteString as BS

-- Hash file contents into sha256:<nix-base32>
hash <- formatNixHash . hashBytes <$> BS.readFile path

import NovaCache.NarInfo (parseNarInfo)
import NovaCache.Signing (parseSecretKey, sign)

-- Parse a narinfo and sign it
case (parseNarInfo raw, parseSecretKey "mykey:base64...") of
  (Right ni, Right sk) -> print (sign sk ni)  -- Right "mykey:<base64 sig>"
  _                    -> error "parse failed"

import NovaCache.Validate (validateFull)

-- Validate an upload: fields + NAR hash + file hash + signatures.
-- Pure, and every error is collected rather than failing on the first.
case validateFull publicKey ni narBytes fileBytes of
  Right ()  -> accept
  Left errs -> reject errs

Server

cabal run --flag server nova-cache-server -- --port 5000 --store ./nix-cache

Configuration

Variable          Description
PORT              Listen port (default: 5000)
NIX_CACHE_DIR     Store directory (default: ./nix-cache)
CACHE_API_KEY     Bearer token required for PUT. The server refuses to start without it unless --allow-open-writes is passed.
SIGNING_KEY_FILE  Ed25519 secret key file for server-side narinfo signing
LOG_REQUESTS      Set to 0 to disable request logging

Endpoints

Method  Path             Description
GET     /nix-cache-info  Cache metadata
GET     /narinfo-hashes  All cached narinfo hashes, newline-delimited
GET     /<hash>.narinfo  Fetch a narinfo
GET     /nar/<file>      Fetch a NAR
PUT     /<hash>.narinfo  Upload a narinfo (authenticated, validated)
PUT     /nar/<file>      Upload a NAR (authenticated)

Public cache

A public instance runs at cache.novavero.ai:

extra-substituters = https://cache.novavero.ai
extra-trusted-public-keys = cache.novavero.ai-1:2yJK0UZWlDDTpThzEdqfGWaj+j3ljOCGoA50Ims47dM=

CI cache seeding

A composite action pushes store paths to a nova-cache server from CI. It resolves runtime paths via nix-build, diffs against the server's /narinfo-hashes, and uploads only what is missing.

- uses: Novavero-AI/nova-cache/.github/actions/seed@main
  with:
    cache-url: https://cache.example.com
    api-key: ${{ secrets.CACHE_API_KEY }}

Inputs: cache-url and api-key (required); paths and parallel (optional).
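
The diff step described above, sketched as an added example (this is not the seed action's own code). It assumes each line of a saved /narinfo-hashes response is the 32-character nix-base32 hash part of a store path; the function names and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not the action's code): list store paths missing from a cache.

# True when $1 is a 32-character nix-base32 string (alphabet omits e, o, t, u).
is_nix_hash() {
  case $1 in
    '' | *[!0-9abcdfghijklmnpqrsvwxyz]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Print the hash part of <store-dir>/<hash>-<name>; fail on anything else.
store_hash() {
  base=${1##*/}
  hp=${base%%-*}
  is_nix_hash "$hp" || return 1
  printf '%s\n' "$hp"
}

# missing_paths HASHES_FILE < store-paths
# HASHES_FILE holds a saved /narinfo-hashes response (one hash per line).
# Prints the paths whose hash is not listed; malformed paths are reported on
# stderr and skipped, so they never end up in a request URL.
missing_paths() {
  while IFS= read -r sp; do
    [ -n "$sp" ] || continue
    if ! h=$(store_hash "$sp"); then
      printf 'skipping malformed store path: %s\n' "$sp" >&2
      continue
    fi
    grep -Fxq -- "$h" "$1" || printf '%s\n' "$sp"
  done
}

# Constructed sample data: one cached path, one missing path, one malformed.
demo() {
  listed=$(mktemp)
  printf '%s\n' 0123456789abcdfghijklmnpqrsvwxyz > "$listed"
  missing_paths "$listed" <<'EOF'
/nix/store/0123456789abcdfghijklmnpqrsvwxyz-hello-2.12
/nix/store/zyxwvsrqpnmlkjihgfdcba9876543210-glibc-2.39
/nix/store/e123456789abcdfghijklmnpqrsvwxyz-not-base32
EOF
  rm -f "$listed"
}

demo
```

Validating the hash part before it is used keeps the set of uploads limited to well-formed store paths, which matters because each hash becomes part of a PUT URL sent with the API key.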

Build & test

cabal build
cabal test

Optional flags: -f-compression skips the liblzma dependency, and --flag server builds the cache server. Requires GHC 9.8+ and cabal-install 3.10+.


BSD-3-Clause · Novavero AI