Determinate Nixd
Determinate Nixd is a daemon for both Linux and macOS that makes your experience of installing and using Nix dramatically smoother.
Determinate Nixd comes bundled with Determinate and doesn’t require any special setup beyond what’s covered in Getting started.
Enterprise certificate management (macOS)
Nix relies on TLS certificates to function. On macOS, Determinate Nixd automatically handles enterprise certificates.
On startup, the system’s Keychain certificates are exported for Nix. If the certificate store changes, you need to restart Determinate Nixd.
Managed garbage collection
Determinate Nixd automatically schedules and manages garbage collection for Nix, striving to:
- Retain at least 30GB of disk space free to allow for system updates
- Operate in a steady-state mode with between 5% and 20% disk space free
If your disk falls below 5% free, Determinate Nixd enters an “urgent” garbage collection mode to immediately free disk space.
Commands
Although Determinate Nixd is mostly meant to run in the background, it also enables you to perform some helpful tasks.
Log in to FlakeHub
To log in to FlakeHub using Determinate Nixd:
determinate-nixd login
By default, this logs in to FlakeHub using token authentication (the determinate-nixd login token command is equivalent).
You need to generate a token in the FlakeHub UI to log in this way.
Determinate Nixd also enables you to use federated authentication based on OpenID Connect (OIDC) and JSON Web Tokens (JWTs) to log in to FlakeHub from a variety of platforms:
Log in via Amazon STS
To log in via Amazon STS:
determinate-nixd login aws
Log in via Google Cloud Platform
To log in via Google Cloud Platform metadata identity:
determinate-nixd login gcp \
--frn <full-resource-name>
For more information, see our dedicated guide to authenticating to FlakeHub with Google Cloud Platform.
Log in on GitHub Actions
To log in on GitHub Actions:
determinate-nixd login github-actions
Log in on GitLab CI/CD
To log in on GitLab CI/CD:
determinate-nixd login gitlab-pipeline \
--jwt-env-var FLAKEHUB_GITLAB_CI_TOKEN
The --jwt-env-var option enables you to specify the environment variable name that you’ve chosen for your GitLab-supplied JSON Web Token (make sure not to prefix the name with a $ as you may be used to doing).
The example above would work for an authentication configuration like this:
job_logging_in_to_flakehub:
  id_tokens:
    FLAKEHUB_GITLAB_CI_TOKEN:
      aud: https://my-audience.dev
Check your login status
To show your current FlakeHub login status:
determinate-nixd status
This displays:
- Whether you’re currently logged in
- The FlakeHub user name under which you’re logged in
- The FlakeHub organizations to which you are attached
Log out
To log out of FlakeHub:
determinate-nixd auth logout
Fix incorrect hashes
If Determinate Nix encounters an incorrect hash (such as a cargoHash or vendorSha256) in a derivation, Determinate Nixd can automatically fix the incorrect hashes in the appropriate Nix files:
determinate-nixd fix hashes
The command above goes through all incorrect hashes and prompts you to fix them; if you approve, it changes the files on disk. You can also make it fix hashes without prompting you, which can be useful in automated scenarios:
determinate-nixd fix hashes \
--auto-apply
For more info, see our guide to automatically fixing hashes in GitHub Actions.
Bind your installation
Determinate Nixd allows users or system administrators to bind their installation to a specific FlakeHub customer.
Once this is done, future logins are validated against this binding—the user or one of the user’s organizations must match the bound customer name.
determinate-nixd auth bind my-organization
Once an installation has been bound, only root or an elevated admin may undo the binding.
sudo determinate-nixd auth reset
List device tokens
You can list non-expired device tokens using the determinate-nixd auth token device list command, specifying the organization using the --org / -o option:
determinate-nixd auth token device list \
--org my-org
You can limit the number of displayed tokens using the --limit / -l option:
determinate-nixd auth token device list \
--org my-org \
--limit 10
The output displays this information for each token:
- UUID
- Description
- Expiration date
- Issue date
- Type
Generate device tokens
You can generate device tokens using the determinate-nixd auth token device create command, specifying the organization using the --org / -o option and a description for the token using the --description / -d option:
determinate-nixd auth token device create \
--org my-org \
--description "Submarine #137"
This pipes the token to stdout.
Revoke device tokens
You can revoke device tokens using the determinate-nixd auth token device revoke command, specifying the organization using the --org / -o option and the token ID using the --token-id option:
determinate-nixd auth token device revoke \
--org my-org \
--token-id "174579a8-b247-4cde-9636-54383015eb3e"
Upgrade Nix
To upgrade Nix to the most recent version of Nix advised by Determinate Systems:
sudo determinate-nixd upgrade
Additionally, you may specify a target version to be installed:
sudo determinate-nixd upgrade --version v3.6.2
You need to run this command with sudo, as in the example above.
At any time, you can run a version check to see if you need to upgrade.
Check your version
You can check which version of Determinate Nix you’re running using the version command:
determinate-nixd version
If you’re not on the latest version, Determinate Nixd provides upgrade instructions.
Initialize
To initialize Determinate Nix after system boot:
determinate-nixd init
To continue running the init command in perpetuity to keep the Nix store mounted:
determinate-nixd init \
--keep-mounted
File a bug report
To file a bug report for Determinate:
determinate-nixd bug "Some bug title"
Optionally, you can supply a longer description as the second argument:
determinate-nixd bug "Some bug title" "Some longer description"
You can use the --advisory flag to indicate that the bug is meant only as an advisory rather than as a critical one:
determinate-nixd bug "Some bug title" "Some longer description" \
--advisory
You can also attach specific files to the report using the --attach option:
determinate-nixd bug "Some bug title" "Some longer description" \
--attach ./flake.nix
Shell auto-completion
You can generate auto-completion scripts for various shells using the determinate-nixd completion command.
Here’s an example:
eval "$(determinate-nixd completion zsh)"
Scripts are available for these shells:
- bash
- elvish
- fish
- powershell
- zsh
Configuring Determinate Nixd
You can modify the behavior of Determinate Nixd using the JSON configuration file located at /etc/determinate/config.json by default.
These parameters are available:
| Parameter | Description | Options | Default |
|---|---|---|---|
| garbageCollector.strategy | The garbage collection strategy used by Determinate Nixd | automatic (Determinate Nixd automatically collects garbage in the background); disabled (no automatic garbage collection) | automatic |
| authentication.additionalNetrcSources | A list of paths to netrc files that are combined by Determinate Nixd and used by Nix. These files must exist and not be in /nix/store or the daemon refuses to start. | List of paths to files | |
| builder.state | Whether the native Linux builder is enabled. | enabled or disabled | enabled |
| builder.memoryBytes | How much memory to allocate to the builder process (in bytes) | 8589934592 (8 GiB) | |
| builder.cpuCount | The number of CPUs to allocate to the builder process | 1 | |
| telemetry.sentry.endpoint | The Sentry endpoint for uploading crash reports. Set to null to disable crash reporting. | Determinate Systems’ Sentry endpoint | |
Here’s an example configuration file:
{
  "garbageCollector": {
    "strategy": "automatic"
  },
  "authentication": {
    "additionalNetrcSources": [
      "/etc/determinate/netrc.custom"
    ]
  },
  "builder": {
    "state": "enabled",
    "memoryBytes": 8589934592,
    "cpuCount": 1
  }
}
The default for builder.cpuCount is 1 because it turns out that using more than one CPU with macOS’s Virtualization framework is generally slower than using one CPU.
So although it may be tempting to try to speed up Linux builds on macOS by setting this to a higher value, we recommend leaving it at 1 unless you’re absolutely sure that increasing it improves performance on your system.
additionalNetrcSources
This option enables you to specify additional netrc files for use by Nix.
Determinate Nixd combines these into a single effective netrc file after some brief validation:
- Each file must contain only unique netrc entries (no duplicates across any of the files)
- Each file must be a valid netrc file
- Each file must not be accessed through the Nix store
Put another way, you can’t have /nix/store/...-my-netrc as an entry even if that file is a symlink to another path outside of the Nix store.
The netrc file created and managed by Determinate Nixd is world readable, so any local user can read the credentials combined into it.
This is currently required by Determinate Nix.
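Because the daemon refuses to start when a source fails validation, the rules listed above can be checked before a restart. The following is an added example, not Determinate Nixd's own code: the function names are hypothetical, treating the machine name as an entry's identity is an assumption, and the duplicate scan is a regex approximation of netrc parsing.

```python
import json
import netrc
import re
from pathlib import Path, PurePosixPath

# Assumption: a netrc entry is identified by its machine name.
MACHINE_RE = re.compile(r"(?:^|\s)machine\s+(\S+)")


def check_netrc_sources(paths):
    """Return a list of problems; an empty list means every documented rule passed."""
    problems, seen = [], {}
    for raw in paths:
        # Rule: the configured path must not go through the Nix store. The path
        # is checked as written, without resolving symlinks, because a store
        # path is rejected even when it links to a file outside the store.
        if PurePosixPath(raw).parts[:3] == ("/", "nix", "store"):
            problems.append(f"{raw}: path is in the Nix store")
            continue
        path = Path(raw)
        if not path.is_file():
            problems.append(f"{raw}: file does not exist")
            continue
        try:
            netrc.netrc(str(path))  # Rule: the file must parse as a valid netrc file
        except (netrc.NetrcParseError, OSError) as exc:
            problems.append(f"{raw}: not a valid netrc file ({exc})")
            continue
        # Rule: no duplicate entries, within one file or across files.
        for machine in MACHINE_RE.findall(path.read_text()):
            if machine in seen:
                problems.append(
                    f"{raw}: duplicate entry for {machine} (first seen in {seen[machine]})"
                )
            else:
                seen[machine] = raw
    return problems


def check_config(config_path="/etc/determinate/config.json"):
    """Check the authentication.additionalNetrcSources list of a config file."""
    config_file = Path(config_path)
    if not config_file.is_file():
        return []  # no config file means no additional sources to check
    config = json.loads(config_file.read_text())
    return check_netrc_sources(config.get("authentication", {}).get("additionalNetrcSources", []))


if __name__ == "__main__":
    for problem in check_config():
        print(problem)
```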
This configuration shows how you can use Nix to manage additionalNetrcSources:
{
  environment.etc."determinate/config.json".text = ''
    {
      "authentication": {
        "additionalNetrcSources": [
          "/etc/corporate-mdm/provisioned/standard-netrc"
        ]
      }
    }
  '';
}