Determinate Nix

Determinate Nix is Determinate Systems’ validated and secure Nix for enterprises. It has two core components:

• Our downstream distribution of Nix.
• Determinate Nixd, a daemon that makes your experience of installing and using Nix dramatically more smooth.

Getting started

Determinate Nix is part of the broader Determinate suite. To get started with Determinate Nix, see the main Getting started guide.

Determinate Nixd

Determinate Nixd is a daemon for both Linux and macOS that makes your experience of installing and using Nix dramatically more smooth. It’s automatically installed on your system when you install Determinate Nix.

Enterprise certificate management (macOS)

Nix relies on TLS certificates to function. On macOS, Determinate Nixd automatically handles enterprise certificates.

On startup, the system’s Keychain certificates are exported for Nix. If the certificate store changes, you need to restart Determinate Nixd.

Managed garbage collection

Determinate Nixd automatically schedules and manages garbage collection for Nix, striving to:

• Retain at least 30GB of disk space free to allow for system updates
• Operate in a steady-state mode with between 5-20% disk space free

If your disk falls below 5% free, Determinate Nixd enters an “urgent” garbage collection mode to immediately free disk space.

Commands

Although Determinate Nixd is mostly meant to run in the background, it also enables you to perform some helpful tasks.

Log in to FlakeHub

To log in to FlakeHub using Determinate Nixd:

determinate-nixd login

By default, this logs in to FlakeHub using token authentication (the determinate-nixd login token command is equivalent). You will need to generate a token in the FlakeHub UI to log in this way.

Determinate Nixd also enables you use federated authentication based on OpenID Connect (OIDC) and JSON Web Tokens (JWTs) to log in to FlakeHub from a variety of platforms:

• Amazon STS
• GitHub Actions
• GitLab CI/CD

Log in via Amazon STS

To log in via Amazon STS:

determinate-nixd login aws

Log in on GitHub Actions

To log in on GitHub Actions:

determinate-nixd login github-actions

Log in on GitLab CI/CD

To log in on GitLab CI/CD:

determinate-nixd login gitlab-pipeline \
  --jwt-env-var FLAKEHUB_GITLAB_CI_TOKEN

The --jwt-env-var option enables you to specify the environment variable name that you’ve chosed for your GitLab-supplied JSON Web Token. The example above would work for an authentication configuration like this:

job_logging_in_to_flakehub:
  id_tokens:
    FLAKEHUB_GITLAB_CI_TOKEN:
      aud: https://my-audience.dev

Check your login status

To show your current FlakeHub login status:

determinate-nixd status

This displays:

• Whether you’re currently logged in
• The FlakeHub user name under which you’re logged in
• The FlakeHub organizations to which you are attached

Upgrade Nix

To upgrade Nix to the most recent version of Nix advised by Determinate Systems:

sudo determinate-nixd upgrade

You need to run this command with sudo, as in the example above.

Initialize

To initialize Determinate Nix after system boot:

determinate-nixd init

To continue running the init command in perpetuity to keep the Nix store mounted:

determinate-nixd init \
  --keep-mounted

File a bug report

To file a bug report for Determinate:

determinate-nixd bug "Some bug title"

Optionally, you can can supply a longer description as the second argument:

determinate-nixd bug "Some bug title" "Some longer description"

You can the --advisory flag to indicate that the bug is meant only as an advisory rather than as a critical:

determinate-nixd bug "Some bug title" "Some longer description" \
  --advisory

You can also attach specific files to the report using the --attach option:

determinate-nixd bug "Some bug title" "Some longer description" \
  --attach ./flake.nix