Determinate Nix
Determinate Nix is Determinate Systems’ validated and secure Nix for enterprises. It has two core components:
- Our downstream distribution of Nix.
- Determinate Nixd, a daemon that makes installing and using Nix dramatically smoother.
At the moment, the Nix in Determinate Nix matches the upstream version. In the future, however, Determinate Nix will include patches that have not yet been released by the upstream project.
Getting started
Determinate Nix is part of the broader Determinate suite. To get started with Determinate Nix, see the main Getting started guide.
Determinate Nixd
Determinate Nixd is a daemon for both Linux and macOS that makes installing and using Nix dramatically smoother. It is installed automatically when you install Determinate Nix.
Determinate Nixd comes bundled with Determinate and doesn’t require any special setup beyond what’s covered in Getting started.
Enterprise certificate management (macOS)
Nix relies on TLS certificates to function. On macOS, Determinate Nixd automatically handles enterprise certificates.
On startup, the certificates in the system Keychain are exported into a bundle that Nix uses for TLS verification. The export happens only at startup, so if the certificate store changes (for example, a new enterprise root CA is installed), you need to restart Determinate Nixd before Nix will trust it.
Managed garbage collection
Determinate Nixd automatically schedules and manages garbage collection for Nix, striving to:
- Retain at least 30GB of disk space free to allow for system updates
- Operate in a steady-state mode with between 5% and 20% of disk space free
If your disk falls below 5% free, Determinate Nixd enters an “urgent” garbage collection mode to immediately free disk space.
Commands
Although Determinate Nixd is mostly meant to run in the background, it also enables you to perform some helpful tasks.
Log in to FlakeHub
To log in to FlakeHub using Determinate Nixd:
determinate-nixd login
By default, this logs in to FlakeHub using token authentication (the determinate-nixd login token command is equivalent). You need to generate a token in the FlakeHub UI to log in this way.
Determinate Nixd also enables you to use federated authentication based on OpenID Connect (OIDC) and JSON Web Tokens (JWTs) to log in to FlakeHub from a variety of platforms:
Log in via Amazon STS
To log in via Amazon STS:
determinate-nixd login aws
Log in on GitHub Actions
To log in on GitHub Actions:
determinate-nixd login github-actions
Log in on GitLab CI/CD
To log in on GitLab CI/CD:
determinate-nixd login gitlab-pipeline \
--jwt-env-var FLAKEHUB_GITLAB_CI_TOKEN
The --jwt-env-var option specifies the name of the environment variable that holds the GitLab-supplied JSON Web Token. Pass the bare variable name, without the $ prefix you may be used to adding.
The example above would work in a job whose id_tokens configuration looks like this:
job_logging_in_to_flakehub:
  id_tokens:
    FLAKEHUB_GITLAB_CI_TOKEN:
      aud: https://my-audience.dev
  script:
    - determinate-nixd login gitlab-pipeline --jwt-env-var FLAKEHUB_GITLAB_CI_TOKEN
Check your login status
To show your current FlakeHub login status:
determinate-nixd status
This displays:
- Whether you’re currently logged in
- The FlakeHub user name under which you’re logged in
- The FlakeHub organizations to which you are attached
Log out
To log out of FlakeHub:
determinate-nixd auth logout
Bind your installation
Determinate Nixd allows users or system administrators to bind their installation to a specific FlakeHub customer.
Once this is done, future logins are validated against this binding: the user, or one of the user's organizations, must match the bound customer name.
determinate-nixd auth bind my-organization
Once an installation has been bound, only root or an elevated admin may undo the binding.
sudo determinate-nixd auth reset
Upgrade Nix
To upgrade Nix to the most recent version of Nix advised by Determinate Systems:
sudo determinate-nixd upgrade
You need to run this command with sudo, as in the example above.
Initialize
To initialize Determinate Nix after system boot:
determinate-nixd init
To keep the init command running in perpetuity so that the Nix store stays mounted:
determinate-nixd init \
--keep-mounted
File a bug report
To file a bug report for Determinate:
determinate-nixd bug "Some bug title"
Optionally, you can supply a longer description as the second argument:
determinate-nixd bug "Some bug title" "Some longer description"
You can use the --advisory flag to indicate that the report is advisory rather than critical:
determinate-nixd bug "Some bug title" "Some longer description" \
--advisory
You can also attach specific files to the report using the --attach option:
determinate-nixd bug "Some bug title" "Some longer description" \
--attach ./flake.nix
Configuration
You can modify the behavior of Determinate Nixd using the JSON configuration file located, by default, at /etc/determinate/config.json.
These parameters are available:
Parameter | Description | Options
---|---|---
garbageCollector.strategy | The garbage collection strategy used by Determinate Nixd | automatic (Determinate Nixd collects garbage in the background); disabled (no automatic garbage collection)
authentication.additionalNetrcSources | A list of paths to netrc files that Determinate Nixd combines into one file for Nix to use. Each file must exist and must not be in /nix/store, or the daemon will refuse to start. | list of strings (paths)
Here’s an example configuration file:
{
"garbageCollector": {
"strategy": "automatic"
},
"authentication": {
"additionalNetrcSources": [
"/etc/determinate/netrc.custom"
]
}
}
additionalNetrcSources
This option allows you to specify additional netrc files for use by Nix.
Determinate Nixd combines these into a single effective netrc file after some brief validation:
- each file must contain only unique netrc entries (no duplicates across any of the files)
- each file must be a valid netrc file
- each file must not be accessed through the Nix store
Put another way, you cannot list /nix/store/...-my-netrc as a source, even if that file is a symlink to a path outside the Nix store.
The combined netrc file created and managed by Determinate Nixd is world-readable, so any credential you place in a source file becomes readable by every local user of the machine. Restricting the permissions of a source file keeps the source itself private but does not change that; prefer low-privilege, revocable cache credentials over personal ones.
Storing any credentials in the Nix store is insecure and not recommended: store paths are world-readable.
The following is an example of how you can use Nix to manage additionalNetrcSources while conforming to these restrictions:
{
  environment.etc."determinate/corporate-netrc" = {
    text = ''
      machine nixcache.example.com
      login user
      password mypassword
    '';
    # Any mode other than the default "symlink" makes NixOS copy the file into
    # /etc instead of linking it to the store path, which keeps the source out
    # of /nix/store. The 0400 mode protects only this source file; the merged
    # netrc that Determinate Nixd writes is still world-readable.
    mode = "0400";
  };
  environment.etc."determinate/config.json".text = ''
    {
      "authentication": {
        "additionalNetrcSources": [
          "/etc/determinate/corporate-netrc"
        ]
      }
    }
  '';
}
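The daemon applies the three rules above when it starts, and refuses to start if any fails. As an added example (not Determinate Systems' code), the Python script below applies the same rules to the sources listed in a config.json before you restart the daemon, so a bad entry is caught at your terminal instead. Two points are assumptions made for the example: a "duplicate" is taken to mean the same machine name appearing in more than one file, and a path that is a symlink resolving into /nix/store is rejected just like a literal store path (which is why the NixOS example copies the file instead of symlinking it). The sample netrc files, the placeholder store path and the sample config.json are constructed in a temporary directory.

```python
"""Pre-flight check for authentication.additionalNetrcSources (added example)."""
import json
import netrc
import os
import tempfile

NIX_STORE = "/nix/store"


def in_nix_store(path):
    """True if the configured path, or what it resolves to, lies under /nix/store.

    The page rejects a literal /nix/store/... entry even when it symlinks out
    of the store; also checking the resolved target is an assumption of this
    example, not a documented rule.
    """
    real = os.path.realpath(path)
    return any(p == NIX_STORE or p.startswith(NIX_STORE + "/") for p in (path, real))


def validate_netrc_sources(paths):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    seen = {}  # machine name -> first file that defined it
    for path in paths:
        if in_nix_store(path):
            problems.append(f"{path}: must not be accessed through {NIX_STORE}")
            continue
        if not os.path.isfile(path):
            problems.append(f"{path}: does not exist")
            continue
        try:
            # netrc.netrc only enforces owner/mode checks on ~/.netrc, so an
            # explicit path parses regardless of its permissions.
            parsed = netrc.netrc(path)
        except (netrc.NetrcParseError, OSError) as exc:
            problems.append(f"{path}: not a valid netrc file ({exc})")
            continue
        for machine in parsed.hosts:
            if machine in seen:
                problems.append(
                    f"{path}: duplicate entry for {machine} (already in {seen[machine]})")
            else:
                seen[machine] = path
    return problems


def validate_config(config_path):
    """Read a config.json (by default /etc/determinate/config.json) and check its sources."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    sources = cfg.get("authentication", {}).get("additionalNetrcSources", [])
    return validate_netrc_sources(sources)


def demo():
    """Constructed inputs: one good file, one duplicating it, one garbage, one store path."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "netrc.custom")
    dup = os.path.join(tmp, "netrc.dup")
    garbage = os.path.join(tmp, "netrc.garbage")
    with open(good, "w") as fh:
        fh.write("machine nixcache.example.com\n  login user\n  password mypassword\n")
    with open(dup, "w") as fh:
        fh.write("machine nixcache.example.com\n  login other\n  password other-secret\n")
    with open(garbage, "w") as fh:
        fh.write("this is not a netrc file\n")
    # Constructed store path; the hash is a placeholder, not a real store object.
    store_path = f"{NIX_STORE}/00000000000000000000000000000000-my-netrc"
    config = os.path.join(tmp, "config.json")
    with open(config, "w") as fh:
        json.dump({"garbageCollector": {"strategy": "automatic"},
                   "authentication": {
                       "additionalNetrcSources": [good, dup, garbage, store_path]}}, fh)
    return validate_config(config)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against your real /etc/determinate/config.json by calling validate_config on that path; an empty result means the daemon's own validation should pass, and each non-empty line names the offending file and the rule it breaks.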