A CAS is a type of storage system that identifies files (or more generally speaking: objects) not by their filename, but rather by their content. In practice, this means they are identified by their hash. This makes file references both immutable and self-authenticating. Files in a CAS can be cached very effectively and tampering or corruption can be detected by simply hashing a file upon receiving it and comparing the resulting hash with the reference (filename).
There are a number of tricks to solve these problems. A fancy one for private repo credentials is
impureEnvVars. This derivation attribute allows you to specify which environment variables should be carried into the builder environment from the environment of the Nix process starting that build. This only applies to FODs, however. Nixpkgs usually adds
$http_proxyand related to the list, enabling operators to configure network proxies for use with Nix builds. The limitation to FODs highlights that this is only meant to deal with differences in networks. Because the state of the network is generally unknown, this can be seen as a valid exception to the general purity rule. One could also employ iptables tricks and perform transparent proxying that way, and Nix would be none the wiser. Integrity and purity is still ultimately enforced by
outputHash. The same goes for providing secrets for downloads. All you need to do is ensure that secrets are configured, otherwise your build will simply fail. Missing secrets effectively becomes equivalent to a network outage. With FODs, the Nix store can be considered a partially Content-addressed storage.
The InterPlanetary Filesystem is a P2P storage system built on libp2p. Files on IPFS are addressed via a content ID (CID), making IPFS a Content-addressed storage system.