├── .envrc ├── .gitignore ├── .editorconfig ├── modules ├── nix-darwin │ ├── config │ │ ├── LICENSE │ │ └── config.nix │ ├── default.nix │ └── migration.nix └── nixos.nix ├── .github └── workflows │ ├── propose-release.yml │ └── ci.yml ├── tests └── flake.nix ├── flake.nix ├── README.md └── flake.lock /.envrc: -------------------------------------------------------------------------------- 1 | use flake 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | result* 2 | .direnv 3 | 4 | # Test artifacts 5 | tests/flake.lock 6 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # https://editorconfig.org 2 | root = true 3 | 4 | [*] 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | -------------------------------------------------------------------------------- /modules/nix-darwin/config/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2017 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 8 | -------------------------------------------------------------------------------- /.github/workflows/propose-release.yml: -------------------------------------------------------------------------------- 1 | on: # Manually dispatched workflow: hands off to the DeterminateSystems/propose-release reusable workflow and rewrites the determinate-nixd tag URLs in flake.nix. 2 | workflow_dispatch: 3 | inputs: 4 | reference-id: 5 | type: string 6 | required: true 7 | version: 8 | type: string 9 | required: true 10 | determinate-nixd-tag-name: 11 | type: string 12 | required: true 13 | 14 | concurrency: 15 | group: ${{ github.workflow }} 16 | cancel-in-progress: true 17 | 18 | jobs: 19 | propose-release: 20 | uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main # NOTE(review): referenced by the mutable `main` branch while the job grants id-token, contents and pull-requests write; pinning to a full commit SHA would keep upstream changes from running with these permissions unreviewed. 21 | permissions: 22 | id-token: "write" 23 | contents: "write" 24 | pull-requests: write 25 | with: 26 | reference-id: ${{ inputs.reference-id }} 27 | version: ${{ inputs.version }} 28 | extra-commands-early: | # NOTE(review): determinate-nixd-tag-name is substituted as raw text into the sed expression and the commit message before these commands run, so `#`, quotes or shell metacharacters in it would change the command; confirm the value is checked against a tag pattern before use. 29 | sed -i "s#https://install.determinate.systems/determinate-nixd/tag/.*/#https://install.determinate.systems/determinate-nixd/tag/${{ inputs.determinate-nixd-tag-name }}/#" ./flake.nix 30 | git add flake.nix 31 | git commit -m "Update determinate-nixd binaries to ${{ inputs.determinate-nixd-tag-name }}" 32 | -------------------------------------------------------------------------------- /tests/flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs = { 3 | determinate.url = "path:../"; 4 | nixpkgs.follows = "determinate/nix/nixpkgs"; 5 | nix-darwin = { 6 | url = "github:nix-darwin/nix-darwin/nix-darwin-25.05"; 7 | 
inputs.nixpkgs.follows = "nixpkgs"; 8 | }; 9 | }; 10 | 11 | outputs = 12 | { 13 | nixpkgs, 14 | determinate, 15 | nix-darwin, 16 | ... 17 | }: 18 | { 19 | checks.x86_64-linux.nixos = 20 | (nixpkgs.lib.nixosSystem { 21 | system = "x86_64-linux"; 22 | modules = [ 23 | determinate.nixosModules.default 24 | { 25 | fileSystems."/" = { 26 | device = "/dev/bogus"; 27 | fsType = "ext4"; 28 | }; 29 | boot.loader.grub.devices = [ "/dev/bogus" ]; 30 | system.stateVersion = "24.11"; 31 | } 32 | ]; 33 | }).config.system.build.toplevel; 34 | 35 | checks.aarch64-darwin.nix-darwin = 36 | (nix-darwin.lib.darwinSystem { 37 | system = "aarch64-darwin"; 38 | 39 | modules = [ 40 | determinate.darwinModules.default 41 | { 42 | nix.enable = false; 43 | system.stateVersion = 5; 44 | } 45 | ]; 46 | }).system; 47 | 48 | checks.aarch64-darwin.nix-darwin-custom-config = 49 | (nix-darwin.lib.darwinSystem { 50 | system = "aarch64-darwin"; 51 | 52 | modules = [ 53 | determinate.darwinModules.default 54 | { 55 | nix.enable = false; 56 | system.stateVersion = 5; 57 | determinate-nix.customSettings = { 58 | extra-experimental-features = [ "build-time-fetch-tree" ]; 59 | flake-registry = "/etc/nix/flake-registry.json"; 60 | }; 61 | } 62 | ]; 63 | }).system; 64 | }; 65 | } 66 | -------------------------------------------------------------------------------- /modules/nix-darwin/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | 3 | let 4 | inherit (lib) types; 5 | 6 | inherit (import ./config/config.nix { inherit lib; }) mkCustomConfig; 7 | 8 | semanticConfType = 9 | with types; 10 | let 11 | confAtom = 12 | nullOr (oneOf [ 13 | bool 14 | int 15 | float 16 | str 17 | path 18 | package 19 | ]) 20 | // { 21 | description = "Nix configuration atom (null, Boolean, integer, float, list, derivation, path, attribute set)"; 22 | }; 23 | in 24 | attrsOf (either confAtom (listOf confAtom)); 25 | 26 | # Settings that Determinate Nix handles for you 27 | disallowedOptions = [ 28 | "always-allow-substitutes" 29 | "bash-prompt-prefix" 30 | "netrc-file" 31 | "ssl-cert-file" 32 | "upgrade-nix-store-path-url" 33 | ]; 34 | in 35 | { 36 | options.determinate-nix.customSettings = lib.mkOption { 37 | type = types.submodule { 38 | options = { }; 39 | 40 | # Support "free-form" options 41 | freeformType = semanticConfType; 42 | }; 43 | default = { }; 44 | }; 45 | 46 | config = lib.mkIf (config.determinate-nix.customSettings != { }) { 47 | assertions = [ 48 | { 49 | assertion = lib.all (key: !lib.hasAttr key config.determinate-nix.customSettings) disallowedOptions; 50 | message = '' 51 | These settings are not allowed in `determinate-nix.customSettings`: 52 | ${lib.concatStringsSep ", " disallowedOptions} 53 | ''; 54 | } 55 | ]; 56 | 57 | environment.etc."nix/nix.custom.conf".text = lib.concatStringsSep "\n" ( 58 | [ 59 | "# This custom configuration file for Determinate Nix is generated by the determinate module for nix-darwin." 60 | "# Update your custom settings by changing your nix-darwin configuration, not by modifying this file directly." 
61 | "" 62 | ] 63 | ++ mkCustomConfig config.determinate-nix.customSettings 64 | ); 65 | }; 66 | } 67 | -------------------------------------------------------------------------------- /modules/nix-darwin/config/config.nix: -------------------------------------------------------------------------------- 1 | # This method of generating Nix configuration borrows heavily from the nix-darwin project: 2 | # https://github.com/nix-darwin/nix-darwin/blob/e04a388232d9a6ba56967ce5b53a8a6f713cdfcf/modules/nix/default.nix 3 | # We have included the LICENSE file for the nix-darwin project in this directory from the e04a388232d9a6ba56967ce5b53a8a6f713cdfcf revision of the project: 4 | # https://github.com/nix-darwin/nix-darwin/tree/e04a388232d9a6ba56967ce5b53a8a6f713cdfcf 5 | # https://github.com/nix-darwin/nix-darwin/blob/e04a388232d9a6ba56967ce5b53a8a6f713cdfcf/LICENSE 6 | 7 | { lib }: 8 | 9 | let 10 | inherit (lib) types; 11 | 12 | mkValueString = 13 | v: 14 | if v == null then 15 | "" 16 | else if builtins.isBool v then 17 | lib.boolToString v 18 | else if builtins.isInt v then 19 | builtins.toString v 20 | else if builtins.isFloat v then 21 | lib.strings.floatToString v 22 | # Convert lists of strings like `["foo" "bar"]` into space-separated strings like `foo bar` 23 | else if builtins.isList v then 24 | let 25 | ensureStrings = 26 | ls: 27 | lib.forEach ls ( 28 | item: 29 | if builtins.isString item then 30 | item 31 | else 32 | throw "Expected all list items to be strings but got ${builtins.typeOf item} instead" 33 | ); 34 | in 35 | lib.concatStringsSep " " (ensureStrings v) 36 | else if lib.isDerivation v then 37 | builtins.toString v 38 | else if builtins.isPath v then 39 | builtins.toString v 40 | else if builtins.isAttrs v then 41 | builtins.toJSON v 42 | else if builtins.isString v then 43 | v 44 | else if lib.strings.isCoercibleToString v then 45 | builtins.toString v 46 | else 47 | abort "The Nix configuration value ${lib.generators.toPretty { } v} can't be 
encoded"; 48 | 49 | mkKeyValue = k: v: "${lib.escape [ "=" ] k} = ${mkValueString v}"; 50 | in 51 | { 52 | mkCustomConfig = attrs: lib.mapAttrsToList mkKeyValue attrs; 53 | } 54 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "Determinate"; 3 | 4 | inputs = { 5 | nix.url = "https://flakehub.com/f/DeterminateSystems/nix-src/*"; 6 | nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"; 7 | 8 | determinate-nixd-aarch64-linux = { 9 | url = "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"; 10 | flake = false; 11 | }; 12 | determinate-nixd-x86_64-linux = { 13 | url = "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"; 14 | flake = false; 15 | }; 16 | determinate-nixd-aarch64-darwin = { 17 | url = "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"; 18 | flake = false; 19 | }; 20 | }; 21 | 22 | outputs = 23 | { self, nixpkgs, ... }@inputs: 24 | let 25 | supportedSystems = [ 26 | "x86_64-linux" 27 | "aarch64-linux" 28 | "aarch64-darwin" 29 | ]; 30 | 31 | forEachSupportedSystem = 32 | f: 33 | nixpkgs.lib.genAttrs supportedSystems ( 34 | system: 35 | f { 36 | inherit system; 37 | pkgs = import nixpkgs { 38 | inherit system; 39 | config = { 40 | allowUnfree = true; 41 | }; 42 | }; 43 | } 44 | ); 45 | in 46 | { 47 | packages = forEachSupportedSystem ( 48 | { system, pkgs, ... }: 49 | { 50 | default = pkgs.runCommand "determinate-nixd" { } '' 51 | mkdir -p $out/bin 52 | cp ${inputs."determinate-nixd-${system}"} $out/bin/determinate-nixd 53 | chmod +x $out/bin/determinate-nixd 54 | $out/bin/determinate-nixd --help 55 | ''; 56 | } 57 | ); 58 | 59 | devShells = forEachSupportedSystem ( 60 | { system, pkgs, ... 
}: 61 | { 62 | default = pkgs.mkShell { 63 | name = "determinate-dev"; 64 | 65 | packages = with pkgs; [ 66 | self.formatter.${system} 67 | ]; 68 | }; 69 | } 70 | ); 71 | 72 | formatter = forEachSupportedSystem ({ pkgs, ... }: pkgs.nixfmt-rfc-style); 73 | 74 | darwinModules = { 75 | default = ./modules/nix-darwin/default.nix; 76 | 77 | # In case we come across anyone who still needs to migrate 78 | migration = ./modules/nix-darwin/migration.nix; 79 | }; 80 | 81 | nixosModules.default = import ./modules/nixos.nix inputs; 82 | }; 83 | } 84 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Build and Publish 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - main 8 | pull_request: 9 | types: 10 | - opened 11 | - reopened 12 | - synchronize 13 | - labeled 14 | release: 15 | types: 16 | - published 17 | 18 | jobs: 19 | checks: 20 | runs-on: ubuntu-latest 21 | permissions: 22 | id-token: write 23 | contents: read 24 | steps: 25 | - uses: actions/checkout@v4 26 | - uses: DeterminateSystems/determinate-nix-action@main 27 | - uses: DeterminateSystems/flakehub-cache-action@main 28 | 29 | - name: Check Nix formatting 30 | run: git ls-files '*.nix' | nix develop --command xargs nixfmt --check 31 | 32 | verify-outputs: 33 | strategy: 34 | matrix: 35 | runners: 36 | - { system: aarch64-darwin, runner: macos-latest-xlarge } 37 | - { system: aarch64-linux, runner: UbuntuLatest32Cores128GArm } 38 | - { system: x86_64-linux, runner: UbuntuLatest32Cores128G } 39 | 40 | runs-on: ${{ matrix.runners.runner }} 41 | 42 | permissions: 43 | id-token: write 44 | contents: read 45 | steps: 46 | - uses: actions/checkout@v4 47 | - uses: DeterminateSystems/determinate-nix-action@main 48 | - uses: DeterminateSystems/flakehub-cache-action@main 49 | - run: nix build .#packages."$SYSTEM".default 50 | env: 51 | SYSTEM: ${{ 
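matrix.runners.system }} 52 | 53 | test-modules: 54 | strategy: 55 | matrix: 56 | os: [ubuntu-latest, macos-latest] 57 | runs-on: ${{ matrix.os }} 58 | permissions: 59 | contents: read 60 | id-token: write 61 | steps: 62 | - uses: actions/checkout@v4 63 | - uses: DeterminateSystems/determinate-nix-action@main 64 | - uses: DeterminateSystems/flakehub-cache-action@main 65 | - run: | 66 | set -eux 67 | 68 | cd tests 69 | rm -f flake.lock 70 | nix flake lock 71 | nix flake check 72 | - run: | 73 | set -eux 74 | 75 | nix flake lock 76 | git diff --exit-code 77 | 78 | success: 79 | needs: [checks, verify-outputs, test-modules] 80 | runs-on: ubuntu-latest 81 | steps: 82 | - run: true 83 | 84 | publish: # Runs flakehub-push for the default branch or a tag, and skips forks. The fork flag is read from the event payload (github.event.repository.fork); github.repository is the "owner/name" string and has no fork property, so negating it was always true. 85 | if: (!github.event.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/'))) 86 | environment: ${{ github.event_name == 'release' && 'production' || '' }} 87 | needs: [success] 88 | runs-on: ubuntu-latest 89 | permissions: 90 | contents: read 91 | id-token: write 92 | steps: 93 | - uses: actions/checkout@v4 94 | - uses: DeterminateSystems/determinate-nix-action@main 95 | - uses: DeterminateSystems/flakehub-push@main # NOTE(review): referenced by the mutable `main` branch while this job holds id-token: write; pinning to a full commit SHA would keep upstream changes from running unreviewed. 96 | with: 97 | rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} 98 | visibility: unlisted 99 | tag: ${{ github.ref_name }} 100 | -------------------------------------------------------------------------------- /modules/nixos.nix: -------------------------------------------------------------------------------- 1 | inputs: 2 | 3 | { 4 | lib, 5 | pkgs, 6 | config, 7 | ... 8 | }: 9 | 10 | let 11 | cfg = config.determinate; 12 | 13 | # Stronger than mkDefault (1000), weaker than mkForce (50) and the "default override priority" 14 | # (100). 15 | mkPreferable = lib.mkOverride 750; 16 | 17 | # Stronger than the "default override priority", as the upstream module uses that, and weaker than mkForce (50). 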
18 | mkMorePreferable = lib.mkOverride 75; 19 | 20 | # The settings configured in this module must be generally settable by users both trusted and 21 | # untrusted by the Nix daemon. Settings that require being a trusted user belong in the 22 | # `restrictedSettingsModule` below. 23 | commonNixSettingsModule = 24 | { 25 | config, 26 | pkgs, 27 | lib, 28 | ... 29 | }: 30 | lib.mkIf cfg.enable { 31 | nix.package = inputs.nix.packages."${pkgs.stdenv.system}".default; 32 | 33 | nix.registry.nixpkgs = { 34 | exact = true; 35 | 36 | from = { 37 | type = "indirect"; 38 | id = "nixpkgs"; 39 | }; 40 | 41 | # NOTE(cole-h): The NixOS module exposes a `flake` option that is a fancy wrapper around 42 | # setting `to` -- we don't want to clobber this if users have set it on their own 43 | to = lib.mkIf (config.nix.registry.nixpkgs.flake or null == null) (mkPreferable { 44 | type = "tarball"; 45 | url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"; 46 | }); 47 | }; 48 | }; 49 | in 50 | { 51 | imports = [ 52 | commonNixSettingsModule 53 | ]; 54 | 55 | options.determinate = { 56 | enable = lib.mkEnableOption "Determinate Nix" // { 57 | default = true; 58 | }; 59 | }; 60 | 61 | config = lib.mkIf cfg.enable { 62 | environment.systemPackages = [ 63 | inputs.self.packages.${pkgs.stdenv.system}.default 64 | ]; 65 | 66 | # NOTE(cole-h): Move the generated nix.conf to /etc/nix/nix.custom.conf, which is included from 67 | # the Determinate Nixd-managed /etc/nix/nix.conf. 
68 | environment.etc."nix/nix.conf".target = "nix/nix.custom.conf"; 69 | 70 | systemd.services.nix-daemon.serviceConfig = { 71 | ExecStart = [ 72 | "" 73 | "@${ 74 | inputs.self.packages.${pkgs.stdenv.system}.default 75 | }/bin/determinate-nixd determinate-nixd --nix-bin ${config.nix.package}/bin daemon" 76 | ]; 77 | KillMode = mkPreferable "process"; 78 | LimitNOFILE = mkMorePreferable 1048576; 79 | LimitSTACK = mkPreferable "64M"; 80 | TasksMax = mkPreferable 1048576; 81 | }; 82 | 83 | systemd.sockets.nix-daemon.socketConfig.FileDescriptorName = "nix-daemon.socket"; 84 | systemd.sockets.determinate-nixd = { 85 | description = "Determinate Nixd Daemon Socket"; 86 | wantedBy = [ "sockets.target" ]; 87 | before = [ "multi-user.target" ]; 88 | 89 | unitConfig = { 90 | RequiresMountsFor = [ 91 | "/nix/store" 92 | "/nix/var/determinate" 93 | ]; 94 | }; 95 | 96 | socketConfig = { 97 | Service = "nix-daemon.service"; 98 | FileDescriptorName = "determinate-nixd.socket"; 99 | ListenStream = "/nix/var/determinate/determinate-nixd.socket"; 100 | DirectoryMode = "0755"; 101 | }; 102 | }; 103 | }; 104 | } 105 | -------------------------------------------------------------------------------- /modules/nix-darwin/migration.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | options, 4 | config, 5 | ... 6 | }: 7 | 8 | let 9 | cfg = config.determinate; 10 | 11 | postMigrationInstructions = '' 12 | You have successfully migrated your Determinate installation. 13 | Please remove `determinate.darwinModules.default` from your 14 | nix-darwin configuration, and ensure that you have nix-darwin's own 15 | Nix installation management disabled by setting: 16 | 17 | nix.enable = false; 18 | 19 | Then run `darwin-rebuild switch` again. 
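20 | ''; 21 | in 22 | { 23 | options.determinate = { 24 | enable = lib.mkEnableOption "Determinate Nix" // { 25 | default = true; 26 | }; 27 | }; 28 | 29 | config = lib.mkIf cfg.enable ( 30 | # Check if nix-darwin is new enough for the `nix.enable` option. 31 | if options.nix.enable.visible or true then 32 | { 33 | nix.enable = false; 34 | # Activation pre-checks, each aborting with exit 2: determinate-nixd missing from /usr/local/bin, a launchd plist that still passes --nix-bin (written by the old module), or no Determinate plist in the current system profile (migration finished, module now redundant). 35 | system.activationScripts.checks.text = lib.mkBefore '' 36 | if [[ ! -e /usr/local/bin/determinate-nixd ]]; then 37 | printf >&2 '\e[1;31merror: Determinate not installed, aborting activation\e[0m\n' 38 | printf >&2 'The Determinate nix-darwin module is no longer necessary. To install\n' 39 | printf >&2 'Determinate, remove `determinate.darwinModules.default` from your\n' 40 | printf >&2 'configuration and follow the installation instructions at\n' 41 | printf >&2 '.\n' 42 | exit 2 43 | fi 44 | 45 | # Hack: Detect the version of the `.plist` set up by the old 46 | # version of the module. 47 | if grep -- '--nix-bin' /Library/LaunchDaemons/systems.determinate.nix-daemon.plist >/dev/null; then 48 | printf >&2 '\e[1;31merror: Determinate needs migration, aborting activation\e[0m\n' 49 | printf >&2 'Determinate now manages the Nix installation independently of the\n' 50 | printf >&2 'nix-darwin module.\n' 51 | printf >&2 '\n' 52 | printf >&2 'Please download and run the macOS installer from\n' 53 | printf >&2 ' and then\n' 54 | printf >&2 'run `darwin-rebuild switch` again to migrate your installation.\n' 55 | exit 2 56 | fi 57 | 58 | if [[ ! -e /run/current-system/Library/LaunchDaemons/systems.determinate.nix-daemon.plist ]]; then 59 | printf >&2 '\e[1;31merror: deprecated Determinate module present, aborting activation\e[0m\n' 60 | printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions} 61 | exit 2 62 | fi 63 | ''; 64 | 65 | system.activationScripts.extraActivation.text = lib.mkBefore '' 66 | # Hack: Make sure nix-darwin doesn't clobber the Determinate 67 | # launchd daemons after they become unmanaged. 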
68 | 69 | determinateDaemonsStash=$(mktemp -d --suffix=determinate-daemons) 70 | cp -a /Library/LaunchDaemons/systems.determinate.{nix-daemon,nix-store}.plist "$determinateDaemonsStash" 71 | 72 | # shellcheck disable=SC2317 73 | restoreDeterminateDaemons() { 74 | printf >&2 'restoring Determinate daemons...\n' 75 | mv "$determinateDaemonsStash"/*.plist /Library/LaunchDaemons 76 | rmdir "$determinateDaemonsStash" 77 | launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-daemon.plist 78 | launchctl load -w /Library/LaunchDaemons/systems.determinate.nix-store.plist 79 | printf >&2 '\n' 80 | printf >&2 '%s' ${lib.escapeShellArg postMigrationInstructions} 81 | } 82 | 83 | trap restoreDeterminateDaemons EXIT 84 | ''; 85 | } 86 | else 87 | { 88 | assertions = [ 89 | { 90 | assertion = false; 91 | message = '' 92 | Determinate now manages the Nix installation independently of 93 | the nix-darwin module. 94 | 95 | Please download and run the macOS installer from 96 | , 97 | update nix-darwin, and then run `darwin-rebuild switch` 98 | again to migrate your installation. 99 | ''; 100 | } 101 | ]; 102 | } 103 | ); 104 | } 105 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Determinate 2 | 3 | **Determinate** is [Nix] for the enterprise. 4 | It provides an end-to-end experience around using Nix, from installation to collaboration to deployment. 5 | Determinate has two core components: 6 | 7 | - [Determinate Nix][det-nix] is [Determinate Systems][detsys]' validated and secure downstream [Nix] distribution. 8 | It comes bundled with [Determinate Nixd][dnixd], a helpful daemon that automates some otherwise-unpleasant aspects of using Nix, such as garbage collection and providing Nix with [Keychain]-provided certificates on macOS. 
9 | - [FlakeHub] is a platform for publishing and discovering Nix flakes, providing [semantic versioning][semver] (SemVer) for flakes and automated flake publishing from [GitHub Actions][actions] and [GitLab CI][gitlab-ci]. 10 | 11 | You can get started with Determinate in one of two ways: 12 | 13 | | Situation | How to install | 14 | | :------------------------------ | :--------------------------------------------------------------------------- | 15 | | **Linux** but not using [NixOS] | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) | 16 | | **macOS** | [Determinate Nix Installer](#installing-using-the-determinate-nix-installer) | 17 | | **Linux** and using [NixOS] | The [NixOS module](#installing-using-our-nix-flake) provided by this flake | 18 | 19 | ## Installing using the Determinate Nix Installer 20 | 21 | **macOS** users, including [nix-darwin] users, should install Determinate using [Determinate.pkg][pkg], our graphical installer. 22 | 23 | **Linux** users who are *not* on [NixOS] should use the [Determinate Nix Installer][installer] with the `--determinate` flag: 24 | 25 | ```shell 26 | curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ 27 | sh -s -- install --determinate 28 | ``` 29 | 30 | Linux users who *are* on NixOS should follow the instructions [below](#installing-using-our-nix-flake). 31 | 32 | ## Installing using our Nix flake 33 | 34 | If you use [NixOS] you can install Determinate using this [Nix flake][flakes]. 35 | To add the `determinate` flake as a [flake input][flake-inputs]: 36 | 37 | ```nix 38 | { 39 | inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; 40 | } 41 | ``` 42 | 43 | > We recommend not using a [`follows`][follows] directive for [Nixpkgs] (`inputs.nixpkgs.follows = "nixpkgs"`) in conjunction with the Determinate flake, as it leads to cache misses for artifacts otherwise available from [FlakeHub Cache][cache]. 
44 | 45 | You can quickly set up Determinate using the `nixosModules.default` module output from this flake. 46 | Here's an example NixOS configuration for the current stable NixOS: 47 | 48 | ```nix 49 | { 50 | inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; 51 | inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; 52 | 53 | outputs = { determinate, nixpkgs, ... }: { 54 | nixosConfigurations.my-workstation = nixpkgs.lib.nixosSystem { 55 | system = "x86_64-linux"; 56 | modules = [ 57 | # Load the Determinate module 58 | determinate.nixosModules.default 59 | ]; 60 | }; 61 | }; 62 | } 63 | ``` 64 | 65 | ## nix-darwin 66 | 67 | If you use [nix-darwin] to provide Nix-based configuration for your macOS system, you need to disable nix-darwin's built-in Nix configuration mechanisms by setting `nix.enable = false`; if not, Determinate Nix **does not work properly**. 68 | Here's an example nix-darwin configuration that would be compatible with Determinate Nix: 69 | 70 | ```nix 71 | { 72 | inputs.nix-darwin = { 73 | url = "https://flakehub.com/f/nix-darwin/nix-darwin/0"; 74 | inputs.nixpkgs.follows = "nixpkgs"; 75 | }; 76 | inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; 77 | 78 | outputs = { nixpkgs, ... }: { 79 | darwinConfigurations."my-username-aarch64-darwin" = inputs.nix-darwin.lib.darwinSystem { 80 | inherit system; 81 | modules = [ 82 | ({ ... }: { 83 | # Let Determinate Nix handle Nix configuration rather than nix-darwin 84 | nix.enable = false; 85 | 86 | # Other nix-darwin settings 87 | }) 88 | ]; 89 | }; 90 | }; 91 | } 92 | ``` 93 | 94 | While Determinate Nix creates and manages the standard `nix.conf` file for you, you can set custom configuration in the `/etc/nix/nix.custom.conf` file, which is explained in more detail [in our documentation][configuring-determinate-nix]. 95 | If you'd like to set that custom configuration using nix-darwin, you can use this `determinate` flake for that. 
96 | Here's an example nix-darwin configuration that writes custom settings: 97 | 98 | ```nix 99 | { 100 | inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/0"; 101 | inputs.nix-darwin = { 102 | url = "https://flakehub.com/f/nix-darwin/nix-darwin/0"; 103 | inputs.nixpkgs.follows = "nixpkgs"; 104 | }; 105 | inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; 106 | 107 | outputs = { determinate, nixpkgs, ... }: { 108 | darwinConfigurations."my-username-aarch64-darwin" = inputs.nix-darwin.lib.darwinSystem { 109 | inherit system; 110 | modules = [ 111 | # Add the determinate nix-darwin module 112 | inputs.determinate.darwinModules.default 113 | ({ ... }: { 114 | # Let Determinate Nix handle Nix configuration rather than nix-darwin 115 | nix.enable = false; 116 | 117 | # Custom settings written to /etc/nix/nix.custom.conf 118 | determinate-nix.customSettings = { 119 | flake-registry = "/etc/nix/flake-registry.json"; 120 | }; 121 | }) 122 | ]; 123 | }; 124 | }; 125 | } 126 | ``` 127 | 128 | [actions]: https://github.com/features/actions 129 | [cache]: https://determinate.systems/posts/flakehub-cache-beta 130 | [configuring-determinate-nix]: https://docs.determinate.systems/determinate-nix#determinate-nix-configuration 131 | [det-nix]: https://determinate.systems/nix 132 | [detsys]: https://determinate.systems 133 | [dnixd]: https://docs.determinate.systems/determinate-nix#determinate-nixd 134 | [fh]: https://github.com/DeterminateSystems/fh 135 | [flakehub]: https://flakehub.com 136 | [flake-inputs]: https://zero-to-nix.com/concepts/flakes#inputs 137 | [flakes]: https://zero-to-nix.com/concepts/flakes 138 | [follows]: https://zero-to-nix.com/concepts/flakes#inputs 139 | [gitlab-ci]: https://docs.gitlab.com/ee/ci 140 | [installer]: https://github.com/DeterminateSystems/nix-installer 141 | [keychain]: https://developer.apple.com/documentation/security/keychain-services 142 | [netrc]: 
https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html 143 | [nix]: https://zero-to-nix.com/concepts/nix 144 | [nix-conf]: https://nix.dev/manual/nix/latest/command-ref/conf-file 145 | [nix-darwin]: https://github.com/nix-darwin/nix-darwin 146 | [nixos]: https://zero-to-nix.com/concepts/nixos 147 | [nixpkgs]: https://zero-to-nix.com/concepts/nixpkgs 148 | [pkg]: https://install.determinate.systems/determinate-pkg/stable/Universal 149 | [semver]: https://docs.determinate.systems/flakehub/concepts/semver 150 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "determinate-nixd-aarch64-darwin": { 4 | "flake": false, 5 | "locked": { 6 | "narHash": "sha256-6PWoqx52nvlWzlElTjcn7KAPKitfcKZYEFSsC3PoEoE=", 7 | "type": "file", 8 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS" 9 | }, 10 | "original": { 11 | "type": "file", 12 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS" 13 | } 14 | }, 15 | "determinate-nixd-aarch64-linux": { 16 | "flake": false, 17 | "locked": { 18 | "narHash": "sha256-b1e25BUPL7Qf0QVbYlfZ/+QiClrP/SHIjMPtA47aOLc=", 19 | "type": "file", 20 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux" 21 | }, 22 | "original": { 23 | "type": "file", 24 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux" 25 | } 26 | }, 27 | "determinate-nixd-x86_64-linux": { 28 | "flake": false, 29 | "locked": { 30 | "narHash": "sha256-8EI2f8IftPcRFlR6K4+cpIEAVf5UIeMCjHysEtVqDw0=", 31 | "type": "file", 32 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux" 33 | }, 34 | "original": { 35 | "type": "file", 36 | "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux" 37 | } 38 | }, 39 | "flake-compat": { 40 | 
"flake": false, 41 | "locked": { 42 | "lastModified": 1696426674, 43 | "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", 44 | "owner": "edolstra", 45 | "repo": "flake-compat", 46 | "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", 47 | "type": "github" 48 | }, 49 | "original": { 50 | "owner": "edolstra", 51 | "repo": "flake-compat", 52 | "type": "github" 53 | } 54 | }, 55 | "flake-parts": { 56 | "inputs": { 57 | "nixpkgs-lib": [ 58 | "nix", 59 | "nixpkgs" 60 | ] 61 | }, 62 | "locked": { 63 | "lastModified": 1748821116, 64 | "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", 65 | "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", 66 | "revCount": 377, 67 | "type": "tarball", 68 | "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz" 69 | }, 70 | "original": { 71 | "type": "tarball", 72 | "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1" 73 | } 74 | }, 75 | "git-hooks-nix": { 76 | "inputs": { 77 | "flake-compat": "flake-compat", 78 | "gitignore": [ 79 | "nix" 80 | ], 81 | "nixpkgs": [ 82 | "nix", 83 | "nixpkgs" 84 | ] 85 | }, 86 | "locked": { 87 | "lastModified": 1747372754, 88 | "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", 89 | "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", 90 | "revCount": 1026, 91 | "type": "tarball", 92 | "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz" 93 | }, 94 | "original": { 95 | "type": "tarball", 96 | "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941" 97 | } 98 | }, 99 | "nix": { 100 | "inputs": { 101 | "flake-parts": "flake-parts", 102 | "git-hooks-nix": "git-hooks-nix", 103 | "nixpkgs": "nixpkgs", 104 | "nixpkgs-23-11": "nixpkgs-23-11", 105 | "nixpkgs-regression": "nixpkgs-regression" 106 | }, 107 | "locked": { 108 | 
"lastModified": 1765252170, 109 | "narHash": "sha256-p98D44tYJMgB5Qet5S8cTQFdffk/GmoaGkpQtZ3hqJU=", 110 | "rev": "1ddd28880651054346c34009d7bb9de36f1db2c1", 111 | "revCount": 23362, 112 | "type": "tarball", 113 | "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.14.0/019b0159-8907-7fab-a120-9d287c7e6d2e/source.tar.gz" 114 | }, 115 | "original": { 116 | "type": "tarball", 117 | "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A" 118 | } 119 | }, 120 | "nixpkgs": { 121 | "locked": { 122 | "lastModified": 1761597516, 123 | "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", 124 | "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", 125 | "revCount": 811874, 126 | "type": "tarball", 127 | "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" 128 | }, 129 | "original": { 130 | "type": "tarball", 131 | "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" 132 | } 133 | }, 134 | "nixpkgs-23-11": { 135 | "locked": { 136 | "lastModified": 1717159533, 137 | "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", 138 | "owner": "NixOS", 139 | "repo": "nixpkgs", 140 | "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", 141 | "type": "github" 142 | }, 143 | "original": { 144 | "owner": "NixOS", 145 | "repo": "nixpkgs", 146 | "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", 147 | "type": "github" 148 | } 149 | }, 150 | "nixpkgs-regression": { 151 | "locked": { 152 | "lastModified": 1643052045, 153 | "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", 154 | "owner": "NixOS", 155 | "repo": "nixpkgs", 156 | "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", 157 | "type": "github" 158 | }, 159 | "original": { 160 | "owner": "NixOS", 161 | "repo": "nixpkgs", 162 | "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", 163 | "type": "github" 164 | } 165 | }, 166 | "nixpkgs_2": { 167 | "locked": { 168 | 
"lastModified": 1764611609, 169 | "narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=", 170 | "rev": "8c29968b3a942f2903f90797f9623737c215737c", 171 | "revCount": 905078, 172 | "type": "tarball", 173 | "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.905078%2Brev-8c29968b3a942f2903f90797f9623737c215737c/019add91-3add-7a0d-8a25-9569cbe01efe/source.tar.gz" 174 | }, 175 | "original": { 176 | "type": "tarball", 177 | "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1" 178 | } 179 | }, 180 | "root": { 181 | "inputs": { 182 | "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", 183 | "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", 184 | "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux", 185 | "nix": "nix", 186 | "nixpkgs": "nixpkgs_2" 187 | } 188 | } 189 | }, 190 | "root": "root", 191 | "version": 7 192 | } 193 | --------------------------------------------------------------------------------