Changelog: docs, diagnostics, and resilience improvements

Determinate Nix version 3.6.2, based on version 2.29.0 of upstream Nix, includes a variety of small but substantial ergonomic improvements across a variety of domains.

Migrate to or upgrade Determinate Nix without building it on NixOS

NixOS users can now migrate to and upgrade Determinate Nix by fetching it from a cache rather than needing to build it from source. When initially installing Determinate Nix 3.6.2 using the determinate flake, make sure to pass a few extra flags to nixos-rebuild:

sudo nixos-rebuild \
  --option extra-substituters https://install.determinate.systems \
  --option extra-trusted-public-keys cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= \
  --flake ... \
  switch

This uses install.determinate.systems, our artifact server, as a binary cache for fetching Determinate Nix. After the upgrade, users who are logged in to FlakeHub have FlakeHub Cache in their substituters list. If you are not logged in, you have install.determinate.systems in your substituters list.

This has been an annoying problem for quite some time because FlakeHub Cache requires authentication and offers no public, authentication-free caching. We solved this problem by teaching install.determinate.systems how to be an authenticated proxy to FlakeHub Cache.

This public cache shows FlakeHub Cache’s access control rules in action.

Autocompletion for Determinate Nixd

You can enable auto-completion for Determinate Nixd using the new determinate-nixd completion subcommand. Pass your preferred shell—one of bash, elvish, fish, powershell, or zsh—and evaluate the result.

Here’s an example for zsh:

eval "$(determinate-nixd completion zsh)"

Now when you run determinate-nixd and type in, say, “a” and hit Tab, it helpfully completes to determinate-nixd auth.

Track down and fix “inefficient double copy” causes

When we recently released lazy trees in feature preview, we added a warning for when a Nix expression forces Determinate Nix to copy the flake’s source to the store unnecessarily. Unfortunately, that warning was pretty useless because it didn’t tell you where that happened.

Determinate Nix now identifies where in the source code the extra file copying happens. So a command like nix build .#extraCopy would now produce a log message like this:

warning: Copying '/Users/grahamc/src/github.com/DeterminateSystems/samples/' to the store again
You can make Nix evaluate faster and copy fewer files by replacing `./.` with the `self` flake input, or `builtins.path { path = ./.; name = "source"; }`

Location: /Users/grahamc/src/github.com/DeterminateSystems/samples/extra-copy.nix:12:11

error: Cannot build '/nix/store/2hh3855rfsabcj4gm2nl65a9la7xbcih-extra-copy.drv'.

Eradicated symbols from nix profile

Historically, nix profile commands like nix profile history would print out symbols like ε and ∅ from set theory. While these symbols are precisely defined, we don’t want our users to need to brush up on mathematical logic to understand what is happening. So nix profile history now prints a much more understandable summary.

Here’s an example output for nix profile history with the current Determinate Nix:

Version 1 (2024-12-06):
  home-manager-path: (no version) added

Version 2 (2025-02-25) <- 1:
  bar: (no version) added
  foo: (no version) added
  home-manager-path: (no version) removed

Now let’s take a look at an older version of Nix. This command…

nix run github:NixOS/nix/2.18.0 -- profile history

…would produce output like this:

Version 1 (2024-12-06):
  home-manager-path: ∅ -> ε

Version 2 (2025-02-25) <- 1:
  bar: ∅ -> ε
  foo: ∅ -> ε
  home-manager-path: ε -> ∅

We think the former is much more readily comprehensible to users.

Clarify what --keep-failed plus remote building does

When you run nix build --keep-failed, the build directory won’t be deleted from the system. This is helpful for digging into the issue and solving the build problem. Unfortunately, users are surprised to find that the directory doesn’t exist if the build was run remotely. The build directory was kept but it was kept on the remote.

We updated the build failure message to help the user out:

copying path '/nix/store/cryiszlhhss2h40r3f9m60l92i88m2xd-builder-failing.sh' to 'ssh://localhost'...

note: keeping build directory '/tmp/nix-shell.8G497s/nix-build-failing.drv-16/build'

warning: `--keep-failed` will keep the failed build directory on the remote builder.
If the build's architecture matches your host, you can re-run the command with `--builders ''` to disable remote building for this invocation.

Better diagnostics when trying to build a derivation on the wrong system type

Sometimes a Nix expression inadvertently depends on a derivation that needs to build on a different system. When this happens, Determinate Nix now prints an error that includes the chain of derivations pulling in the mismatching build:

% nix build .#badSystemNested
error: Cannot build '/nix/store/5vsaxi730yl2icngkyvn8wiflik5wfmq-bad-system.drv'.
       Reason: required system or feature not available
       Required system: 'bogus' with features {}
       Current system: 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}
error: Cannot build '/nix/store/2gh9xc4bcq11vjxc80lw5hs3y4vnfvqy-nested-bad-system-bottom.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/5kzq0mlvxhll9vayw22a5dy8j259vpp4-nested-bad-system-bottom
error: Cannot build '/nix/store/4lxwf00yrxnsraq00ga4dz4v5fxpk8pw-nested-bad-system-top.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/glb9vi6zp3j0dlc3j1g1i46pkwbq7gx0-nested-bad-system-top

This error clearly indicates that the bad-system derivation was pulled in by bad-system-top via bat-system-bottom.

This is a dramatic improvement over the previous behavior, which excluded any context that would help identify the cause of the issue:

$ nix run github:NixOS/nix/2.18.0 -- build .#badSystemNested
error: a 'bogus' with features {} is required to build '/nix/store/5vsaxi730yl2icngkyvn8wiflik5wfmq-bad-system.drv', but I am a 'aarch64-darwin' with features {benchmark, big-parallel, nixos-test}

Easily find where import-from-derivation is used

Import from derivation (“IFD”) means using Nix to build a Nix expression that you then import. A common example of this is Haskell.nix.

IFD is a convenient “escape hatch” when packaging some language ecosystems, but comes at a serious cost of performance when using Nix. Because of the severe performance impact, we strongly discourage IFD and even prohibit its use on packages published on FlakeHub.

One of our customers noted they are trying to cut back on how often they use IFD, but could not find where they used it.

We have introduced a new flag to Determinate Nix, --trace-import-from-derivation which makes it easier to find:

$ nix build --trace-import-from-derivation .#packages.aarch64-darwin.example

warning: built '/nix/store/8r2a9yk318q9nv8j3aqbd86r73j183fn-generated-nix-expression.drv^out' during evaluation due to an import from derivation

From here we can inspect the derivation to find what caused IFD to take place.

Dramatically improved performance with nix store copy-sigs

We have increased the concurrency of nix store copy-sigs. Copying signatures is not a CPU-heavy task but it was previously running one copy operation per core. It now uses the http-connections setting to limit the concurrency, which is typically much higher, and defaults to 25.

We also updated the documentation to include a description and examples.

Improved robustness while collecting garbage

The garbage collector would occasionally fail in the middle of cleaning up when encountering files that can not be deleted. While Determinate Nix users are less likely to experience this problem due to managed garbage collection, it now identifies and logs the issue, and continues with garbage collection as normal.

Configurable max-jobs

You can now change the max-jobs setting in /etc/nix/nix.custom.conf. Previously, this value was forced to auto. Now it defaults to auto, but you can update it to your own preference.

Documented the nix-command replacement for nix-store --query --deriver

The documentation for nix-store --query --deriver now mentions this nix-command based alternative:

nix path-info --json ... | jq -r '.[].deriver'

No more “unauthenticated” errors with FlakeHub Cache

The flake no longer unconditionally includes FlakeHub Cache in your list of active substituters. That means you won’t see 403 errors whenever you build something.

We fixed this issue a long time ago for macOS and Linux users, but forgot to delete it from the module for NixOS users. Fixed now!

determinate.enable for easy migrations

You can now add the Determinate module to your global NixOS configuration and disable it on specific hosts. This is useful while migrating to Determinate across a large fleet.

Thank you to GitHub user getchoo for their PR.

nix.settings works again on NixOS

Determinate Nix manages its own nix.conf configuration, which can cause issues when trying to use nix.settings options on NixOS. The Determinate module now configures NixOS to write out your extra settings to /etc/nix/nix.custom.conf instead.

Now you can use nix.settings and its structured configuration on NixOS without needing to adjust the module internals yourself.

Determinate Nix Installer self-test

Determinate Nix Installer performs a self-test at the end to measure how well it did. Thanks to Josh Heinrichs from Shopify, the zsh self-test no longer takes over /dev/tty.

How to get Determinate Nix

If you already have Determinate Nix installed, you can upgrade to 3.6.2 with one Determinate Nixd command:

sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can install it on macOS using our graphical installer:

Install Determinate Nix on macOS now

Apple Silicon and Intel

On Linux:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
  sh -s -- install --determinate

On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO with Determinate Nix pre-installed.

On GitHub Actions:

on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: DeterminateSystems/nix-flake-checker-action@main
      - run: nix flake check

In Amazon Web Services:

data "aws_ami" "detsys_nixos" {
  most_recent = true

  owners      = ["535002876703"]

  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}