When activating two peerix instances, one local, and one on another machine in the same network, nixos-rebuild fails with the following: error: store path 'nfc84fq55dbzxa6f6wsc67ib9ggm5yfn-nixos-manual-html.drv ' contains illegal character ' '. Unfortunately, the error is transient, and I cannot reproduce it reliably. Every time I rerun nixos-rebuild, a different store path is emitted along with the error. Maybe something wrong with Narinfo parsing?

This make mach-nix use the same nixpkgs and flake-utils than the peerix flake.

You can see with nix flake info.

This PR should be merged (and rebased first) after #7.

Some options changed

trace: warning: The option `nix.binaryCaches' defined in `/nix/store/r2bbhmlfvfpir9hp8fjs31kj13kwgwyl-source/flake.nix' has been renamed to `nix.settings.substituters'.
trace: warning: The option `nix.binaryCachePublicKeys' defined in `/nix/store/r2bbhmlfvfpir9hp8fjs31kj13kwgwyl-source/flake.nix' has been renamed to `nix.settings.trusted-public-keys'.

I'm currently writing a guide explaining how to setup peerix, but I first need to get it working for me :sweat_smile:

I have peerix correctly installed on two nixos, service are running, I generated the keys on both using nix-store --generate-binary-cache-key $machine_name peerix-private peerix-public.

On computer B, I added computer A public key as services.peerix.publicKey. I switched to the new configuration, the key is definitely in /etc/nix/nix.conf.

When on B I tried to use packages found in A, I have this error:

warning: ignoring substitute for '/nix/store/qh84nk49gxhmf0gr5g5rjpxvn9li1ic5-libiec61883-1.2.0' from 'http://127.0.0.1:12304', as it's not signed by any of the keys in 'trusted-public-keys'

Everything looks fine to me :thinking:

Here is my flake.nix file enabling peerix

            peerix.nixosModules.peerix
            {
              services.peerix = {
                package = peerix.packages.x86_64-linux.peerix;
                enable = true;
                openFirewall = true;
                privateKeyFile = ./peerix-private;
                publicKeyFile =  ./peerix-public;
                publicKey = "t470:uMRQTGoQNSnGOmok7OKPEgliBlut6lQaBVT2NUIzEi0=";
              };
            }

On second thought, maybe we should add .editorconfig?

Originally posted by @danielphan2003 in https://github.com/cid-chan/peerix/pull/2#discussion_r741449910

Hello!

The nix module options have changed (mostly stuff is now located at nix.settings):

trace: warning: The option `nix.binaryCaches' defined in `/nix/store/mwckgsmvqily7njdxqqbl647fdsp0wna-source/hosts/common/global/peerix.nix' has been renamed to `nix.settings.substituters'.
trace: warning: The option `nix.binaryCachePublicKeys' defined in `/nix/store/mwckgsmvqily7njdxqqbl647fdsp0wna-source/hosts/common/global/peerix.nix' has been renamed to `nix.settings.trusted-public-keys'.

Here's a quick patch updating them to the newer versions.

Thanks!

Add overlay and services.peerix.package

Other fixes include

• changing type of services.peerix.publicKey to string,
• use pname for mach-nix, remove newline in VERSION.

All in all, this should not affect non-flake users.

Following options are added

• extraHosts enables the specification of hostnames/ips to specifically contact
• disableBroadcast would avoid to use the broadcast addresses from the interfaces by default

Those options are added using two env variables:

• comma-separated PEERIX_EXTRA_HOSTS
• boolean PEERIX_DISABLE_BROADCAST (true or false in string)

Also puts a small example in the README.MD.

Use case:

1. Use a VPN such as tailscale, aka a mesh vpn to connect multiple computers together, independantly of the network
2. Broadcast interfaces are not a feature of any VPN
3. Peerix can still be used accross networks thanks to a module defined such as:

    _: {
      services.peerix = {
        enable = true;
        openFirewall = true; # UDP/12304
   
        privateKeyFile = ../secrets/peerix-private;
        publicKeyFile = ../secrets/peerix-public;
   
        user = "peerix";
        group = "peerix";
   
        disableBroadcast = true;
        extraHosts = [ "my-nixos-computer-hostname" "42.42.42.1" ];
      };
      users.users.peerix = {
        isSystemUser = true;
        group = "peerix";
      };
      users.groups.peerix = { };
    }
   

I think these options should be called services.peerix.publicKeys and services.peerix.publicKeyFiles, since multiple public keys should usually be accepted, and it should be easy to change (I can try to make a PR in the future).

nix-serve-ng is a drop-in replacement for nix-serve that is advertised as a lot faster

I think this could be an interesting option for peerix, and may solve the issues with timeout. I expect most users to run it on workstations that may not be super fast, improving the efficiency is important.

If you run 3 peerix on your network and only have trusted keys on computer A to use peerix from computer B, if computer C is responding faster than B, peerix on A will report the key is untrusted and not try B.

Basically, just add a new fast peerix service on your network and you will certainly have lot of issues about untrusted keys even if you don't want to use it.

I'm using peerix on a laptop that I often connect/disconnect from ethernet, so sometimes it uses its Wi-Fi IP address, sometimes the ethernet address. However, it seems remote peerix keep the first IP seen, and if they see the ethernet, they will continue to use it, this leads to timeout from nix.

I'm seeing a problem between my computers using peerix, files in the store are not always found

For example, peerix reported INFO:root:Requesting kdyfy1hx3n95vifdi79zparg53r01ah3 from direct local network. when looking for kdyfy1hx3n95vifdi79zparg53r01ah3 and it didn't retrieve it from my computer 10.42.42.102 which is sometimes serving files through peerix (so peerix is working fine). On the peerix NixOS which has the file, peerix reported INFO:peerix.remote:Got request from 10.42.42.150:12304 for kdyfy1hx3n95vifdi79zparg53r01ah3

However, I've been able to manually import it from the remote store using nix-copy-closure --from [email protected] /nix/store/kdyfy1hx3n95vifdi79zparg53r01ah3-rust-1.62.1-x86_64-unknown-linux-gnu.tar.gz to confirm the file was available in the remote store served by peerix.

I can't find a pattern about this issue, using nix build nixpkgs#foobar.inputDerivation to pull dependencies on a system, and running it on with the same nixpkgs on another peerix computer will only download 1/5 of inputs from the peerix node. There are no specific errors in the service logs.