I'm having an issue that in my org, the simple invocation nix build nixpkgs#hello fails. The github API requests fail unless authenticated, since there are a large number of users going through the same IP address. Of course the 'obvious' solution is to get everyone to authenticate, but this creates problems on remote machines of where to store the token.

I'd like instead to point flake:nixpkgs at an internal mirror (via nix registry pin or equivalent), but AFAICT there is no efficient way to do this? The reason it's efficient for github is the existence of the download API which is special cased to github. Is there a way to achieve the same effect?

I've tried for example to point it at a local git repository, but this results in nix trying to clone the nixpkgs git repository, which is incredibly expensive in time, CPU time, disk and bandwidth.

How do others handle this, or does everyone simply supply a github token? I'm just not sure this is a scalable approach, and it would be nice to drop the requirement of github being visible to the machine invoking nix.