Nix at work: FlakeHub Cache and private flakes

Last year, we here at Determinate Systems announced FlakeHub, a platform for publishing and discovering Nix flakes. From the outset, FlakeHub provided pathbreaking features like semantic versioning (SemVer) for flakes and a variety of ways to discover flakes published to the platform.

In the meantime, numerous Nix users have published hundreds of flakes and used those flakes countless times—for their Home Manager and nix-darwin configurations, to deploy NixOS systems to production, to distribute tools like Tailscale and Colmena, and much more.

Today, we’re delighted to announce a new chapter for FlakeHub with the general availability of two new features: FlakeHub Cache and private flakes. These powerful additions are now open to all FlakeHub organizations, helping you solve a variety of complex challenges that can arise when scaling Nix adoption across teams and projects.

FlakeHub Cache

We announced the private beta of FlakeHub Cache a while back and as of today anyone can sign up and get started.

Traditional Nix binary caches present significant challenges for large teams, often requiring them to manage multiple caches across projects, generate and distribute static credentials, and implement complex access controls on their own. As organizations grow, a number of problems compound:

• Specific team members need access to specific subsets of flake outputs and artifacts
• CI systems require secure, automated authentication
• Security teams need audit trails and compliance controls
• Using multiple caches can fragment build processes and slow down development

FlakeHub transforms this experience by providing a cache designed for teams. Instead of managing multiple caches with static tokens, FlakeHub Cache provides a secure, unified, identity-aware cache with fine-grained access controls that integrates with your existing identity management systems.

Private flakes

We’re also excited to announce that private flakes are now generally available. Private flakes enable teams to securely share and reuse Nix expressions without exposing sensitive code or configurations. As with FlakeHub Cache, private flakes integrate seamlessly with your organization’s existing authentication flows.

Like all flakes on FlakeHub, you can only publish private flakes from trusted CI systems (which means no ad-hoc publishing). That currently includes GitHub Actions and GitLab CI, but we plan to support other providers, like CircleCI and Semaphore CI, in the future.

To publish a private flake on GitHub Actions, for example, you can use the flakehub-push Action, set the visibility to private, and you’re good to go:

- uses: DeterminateSystems/flakehub-push@main
  with:
    visibility: private

You can also use our publishing wizard to set up your Actions workflow.

Federated authentication that makes sense

FlakeHub Cache and private flakes are, naturally, features that require authentication. But rather than relying on brittle auth patterns like long-lived static credentials, FlakeHub uses JSON Web Tokens (JWTs) to dynamically integrate with your existing identity infrastructure:

• GitHub Actions and GitHub Enterprise OIDC
• GitLab CI/CD for both cloud and self-hosted instances
• Microsoft Entra ID SSO (formerly Azure Active Directory)
• Amazon IAM role-based access
• Short-lived JSON Web Tokens (JWTs) for automation

When a machine authenticates using one of these methods, FlakeHub automatically knows to which organization the machine belongs—and to which flakes and cache slices it has access. This approach aligns with zero-trust security principles, significantly reducing the attack surface and lowering the risk of issues like accidental cache poisoning.

Built for teams

We know that different teams need different levels of access, so we’ve built out a robust policy engine undergirding FlakeHub Cache and private flakes. We have built internal features around this policy engine, like IP restrictions and granting individual devices deploy-only access to specific flake outputs.

In the future, users will be able to write their own custom policies that let you:

• Grant precise access to flakes and flake outputs based on team roles
• Control artifact visibility between projects
• Implement geographic access restrictions
• Enforce compliance requirements
• Monitor and audit cache usage

Unlike systems with simplistic, all-or-nothing access controls, FlakeHub’s policy engine provides fine-grained cache access control, enabling organizations to grant scoped access to users, devices, and automated processes. This level of control is desirable—if not make-or-break—in highly regulated environments, supporting cross-team isolation and even geo-embargoes.

Built to integrate

While FlakeHub works with any Nix installation, it truly shines when paired with Determinate Nix as determinate-nixd is designed with FlakeHub Cache and private flakes in mind, creating an experience that just works out of the box.

Team members can authenticate to FlakeHub using the determinate-nixd login command, and CI pipelines and machines can automatically authenticate using their existing identity via determinate-nixd login {aws|github-action|gitlab-pipeline} (depending on the platform).

The thoughtful integration between Determinate Nix and FlakeHub delivers an experience where builds are faster, security is stronger, and developers can focus on their work instead of managing Nix infrastructure. It’s a practical demonstration of our vision for bringing Nix to professional teams, where every component is designed to work together seamlessly.

Lightning-fast deployments

FlakeHub also enables you to rapidly deploy fully evaluated closures. You can quickly deploy NixOS configurations, nix-darwin configurations, and Home Manager environments, without needing Nix to be installed on the target system, using fh, the CLI for FlakeHub.

This command would apply a NixOS configuration to the current machine:

fh apply nixos AmbiguousTechnologies/ethercalc/0.1#nixosConfigurations.ethercalc

And this command would apply a nix-darwin configuration to the current machine:

fh apply nix-darwin AmbiguousTechnologies/ethercalc/0.1#darwinConfigurations.developer-workstation

Finally, this command would apply a Home Manager configuration:

fh apply home-manager AmbiguousTechnologies/profile/0.1#homeConfigurations.developer-environment

In both cases, fh fetches the closure associated with the resolved store path directly from FlakeHub Cache; it does not realise any derivation or even evaluate the referenced expression. That’s because FlakeHub can pre-generate store paths for you and transfer computational responsibility from Nix to FlakeHub, which is particularly useful for deploying to resource-constrained devices. We’ll say much more about this—and provide a powerful demo—in an upcoming post.

And even though the AmbiguousTechnologies/ethercalc flake is private, this all works seamlessly as long as the machine is logged in using determinate-nixd login. The current machine has access to the flake and to the respective cached outputs; non-logged-in machines have access to neither.

Complete package independence

We were recently asked how FlakeHub Cache handles dependencies from Nixpkgs and other sources. FlakeHub maintains complete copies of all packages, including those available from cache.nixos.org. This design choice serves two key purposes:

1. It respects the Nix community’s shared resources. While we could save costs by deferring to cache.nixos.org, the upstream cache is a commons, and it isn’t appropriate or respectful of those commons to save a few pennies in storage and bandwidth at the expense of the community project.

2. It ensures total reliability for your builds. The upstream cache can be garbage collected or potentially tampered with, which could break or compromise your builds. With FlakeHub Cache, your artifacts remain available for as long as you need them, independent of upstream availability.

Available today

FlakeHub Cache and private flakes are available now for all FlakeHub organizations. Pricing is straightforward: $20 per FlakeHub organization member per month. For a limited introductory period, all storage and bandwidth costs are included at no additional charge to help teams get started, and then priced at cost after that.

The road ahead

FlakeHub Cache and private flakes are central to our mission to broaden Nix adoption, and this is just the start. We have more to come in the not-too-distant future, so stay tuned.

We are eager to learn how teams utilize these features to enhance their development workflows while ensuring compliance and adopting a strong security posture.

Sign up now at https://flakehub.com and visit our getting started docs to begin taking advantage of these features in your workflows. And as always, we’d love to hear your feedback on our Discord at https://determinate.systems/discord.