Fetch artifacts directly from FlakeHub Cache using fh fetch

Building stuff with Nix is extremely cool but do you know what’s even cooler? Letting another machine build it so that all you have to do is fetch the result. If that sounds appealing then you’re in luck because we recently added a fetch command to fh, the CLI for FlakeHub, that enables you to fetch closures directly from FlakeHub Cache.

Here’s an example fetch command that should work on your system if you have fh 0.1.22 or later installed:

NIX_SYSTEM=$(nix eval --impure --expr 'builtins.currentSystem' --raw)
fh fetch "DeterminateSystems/flake-iter/*#packages.${NIX_SYSTEM}.default" ./flake-iter

This pulls a CLI tool called flake-iter directly from FlakeHub Cache, puts it in the Nix store, and writes a symlink to the ./flake-iter path. With the flake-iter package fetched, you can run the CLI:

./flake-iter/bin/flake-iter --help

No nix build command, no store path evaluation, just a flake output reference and you’re all set.

How to use it

In order to use the fh fetch command, you need to do a few things:

1. Get started with Determinate following the onboarding guide for either organizations or individuals. This includes signing up for a paid plan with FlakeHub, which provides access to FlakeHub Cache.

2. Install fh version 0.1.22 or later.

3. Start pushing things to FlakeHub Cache.

4. Log in to FlakeHub.

Example use case: fetching OCI images

Up at the top, we saw an example of using fh fetch to pull a CLI tool from FlakeHub Cache. Another great use case is pulling Open Container Initiative (OCI) container images, such as Docker or Podman images.

I’m a macOS-only dev, which means that working with containers in Nix can be challenging because I can’t actually build Linux containers locally without resorting to a remote builder. I know how to set up a remote builder because I’m a long-time Nix user, but if you’re in an organization with many macOS folks, it may be much more straightforward to build images in CI and have people fetch them.

Here’s an example command that does just that:

fh fetch \
  "DeterminateSystems/fh-fetch-example/*#dockerImages.x86_64-linux.server" ./oci-image

Since FlakeHub Caches are private, this command will fail for anyone outside of the DeterminateSystems org. Fetching only pulls from FlakeHub Cache—it never builds or even evaluates the store path—and without access to that specific flake, you’re out of luck. And so even though both the repo and the flake on FlakeHub are public, the fetchable output is not (it would also be inaccessible, of course, if the repo or flake were private).

But since I am allowed to fetch, the command worked and I can now load the image into Docker:

docker load < ./oci-image

That provides this output:

Loaded image: web-server:5mll9s6m7m7pjha0k2krzq8kvjn111i3

And now I can run the image:

docker run \
  --publish 8080:8080  \
  web-server:lpr4bbf6v5yfzn1v1cfvlr69vbcr0iqh

Success! Now I as a macOS user have a brand new option for working with Nix-built OCI images. This is one use case among many for fh fetch, so be on the lookout for Nix-build things that you may need to securely distribute inside your own org.

The FlakeHub platform branches out

With fh fetch, FlakeHub is beginning to transform into a powerful platform not just for secure access to flakes and secure binary caching but also as a distribution mechanism for things that you’ve built using Nix. The ability to build and cache in CI—potentially from private flakes—and then provide your teams with secure access to built closures is genuinely novel in the Nix ecosystem. How you use these distribution channels as a building block inside your organization is up to you, of course, but we’re excited to see the directions that you take these novel capabilities.