Image for post changelog-determinate-nix-390

Aug 27, 2025 by Graham Christensen

Changelog: build-time flake inputs and unauthenticated upgrades

Determinate Nix 3.9.0 brings an important optimization to flakes: build-time flake inputs. These inputs are sources that have no Nix expressions of their own and aren’t required at evaluation time, such as some non-Nix Git repos. When you mark a flake input as a build-time input, Nix downloads the source only when it’s needed, at build time, and never before, which in turn provides generally much speedier and cleaner evaluation. This is an exciting improvement because it provides the most benefit to precisely those folks who use flakes most intensively.

The other major change in 3.9.0 is that upgrading Determinate no longer requires you to be logged into FlakeHub. A nice quality-of-life boost to accompany build-time inputs.

Determinate Nix's native Linux builder for macOS

As a reminder: the native Linux builder in Determinate Nix enables macOS users to build for both ARM and x86 Linux with zero configuration. The native Linux builders are currently in developer preview mode and will slowly be rolled out to Determinate Nix users over the coming weeks. But if you’re eager to try it out now, reach out to us at support@determinate.systems and include your FlakeHub username.

As always, don’t hesitate to reach out to us with questions or feedback on Discord or via email at hello@determinate-systems.

Build-time flake inputs

Some of our users have flakes with hundreds or even thousands of flake inputs. In those cases, it can be painfully slow for Nix to fetch all the inputs during evaluation of the flake.

Determinate Nix now offers an experimental feature that, when enabled, makes Nix defer fetching those inputs until dependent derivations are actually built.

This feature is currently in developer preview. If you’d like to try it, add this experimental feature to your custom Determinate Nix configuration at /etc/nix/nix.custom.conf:

extra-experimental-features = build-time-fetch-tree

Then, change one of your inputs to be fetched at build time:

{
  inputs.nonNixInput = {
    type = "github";
    owner = "my-org";
    repo = "non-nix-repo";
    flake = false; # currently required
    buildTime = true;
  };
}

It’s important to note that build-time fetching is performed by the Nix daemon and not by the Nix client. This means that authenticated fetches only succeed if the daemon has access to any required credentials, such as GitHub access tokens. Fetching Git repositories over SSH is currently not supported.

Potential semantic changes ahead

We may change the semantics of this feature at any time during its developer preview. We don’t plan to open pull request to the upstream Nix repo until we’re confident in its semantics and implementation. That means that flakes that take advantage of this feature won’t yet be compatible with upstream Nix and users should carefully consider flake compatibility before publishing any flakes that use this feature.

Let us know what you think on Discord or via email at hello@determinate-systems.

Relevant pull request

DeterminateSystems/nix-src#49

Corrected inconsistent behavior of `nix flake check`

Users reported that the nix flake check command wouldn’t consistently validate the entire flake. We’ve fixed this issue and improved our testing around nix flake check.

Relevant pull request

DeterminateSystems/nix-src#182

Say goodbye to slow Determinate Nix Installer downloads

The Determinate Nix Installer now cancels and restarts downloads if the connection appears stalled. Specifically, the connection is restarted if the connection is unable to transfer at least 250kb/sec over a 15-second period.

This is designed to avoid stalled and stuck connections and resume with a healthier backend. Previously, users would occasionally see a stalled download take ten minutes or more.

We picked this threshold as it’s approximately 20% of a typical and modern DSL connection. If your network connection is normally below this rate, please get in touch and we’ll tune it.

Relevant pull request

DeterminateSystems/nix-installer#1637

Upgrade without logging in

Previously, running determinate-nixd upgrade required you to be logged into FlakeHub. With version 3.9.0, this is no longer necessary, which should streamline keeping up to date with the latest and greatest Determinate Nix.

How to get Determinate Nix

If you already have Determinate Nix installed, you can upgrade to 3.9.0 with one Determinate Nixd command:

sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can upgrade or migrate to Determinate Nix on macOS using our graphical installer:

Install Determinate Nix on macOS now

Apple Silicon and Intel

On Linux:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
  sh -s -- install --determinate

On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO (NixOS installer for x86_64, NixOS installer for ARM) with Determinate Nix pre-installed.

On GitHub Actions:

on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: DeterminateSystems/nix-flake-checker-action@main
      - run: nix flake check

In Amazon Web Services:

data "aws_ami" "detsys_nixos" {
  most_recent = true
  owners      = ["535002876703"]

  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}

Written by Graham Christensen

Graham is a Nix and Rust developer, with a passion and focus on reliability in the lower levels of the stack. He founded Determinate Systems, Inc to support Nix adoption at your workplace.

Would you like access to private flakes and FlakeHub Cache?