Today, we’re excited to announce FlakeHub Cache, a powerful new caching concept from us at Determinate Systems that offers robust per-flake access control. FlakeHub Cache is currently in private beta and we’re actively iterating on the implementation and seeking design partners to try it out. You can sign up for the beta right here and we’ll let you know next steps soon:
Register for the FlakeHub Cache private beta
The core feature: granular access control
Nix’s official binary cache server, nix-serve, has some major gaps that make it unsuitable for secure, production use cases.
Most importantly, nix-serve serves up a
With FlakeHub Cache’s access control model, however, you can grant or deny read and write access at the
Reading from FlakeHub Cache
Let’s start with read access to pull from a flake’s cache.
If your org has a flake called security-mega-important, for example, you can provide read access only to a small set of trusted users—or automated agents—in your org.
If, on the other hand, you have a flake called shared that’s meant to be used by everyone, you can provide read access to everyone in your org.
Writing to FlakeHub Cache
In terms of write access to push to a flake’s cache, we’ve opted for a model centered around controlled, authenticated build environments. FlakeHub Cache currently allows pushing to the cache solely as part of GitHub Actions runs (with GitLab support on the way). This means that there is no ad-hoc push access whatsoever, so you can’t accidentally push to a cache in a shell script or CLI command.
The granular and controlled nature of this model is far more suited for organizations with demanding security and other requirements, and a significant leap beyond existing solutions.
Authentication model
In order to grant or deny access, of course, FlakeHub Cache needs to figure out who—or what—is making a request. Authentication for FlakeHub Cache is based on JSON Web Tokens (JWTs). We currently use GitHub as our JWT authentication provider but will be adding GitLab support soon. In the future, this flexible model will enable us to support a wide variety of authentication solutions, including SAML and various Single Sign-on (SSO) providers.
Static tokens are great for some use cases—and FlakeHub enables you to create such tokens in the UI—but we’re opting to go beyond this model.
How the cache itself works
FlakeHub Cache is able to provide granular access control because of instead of serving an entire
When a user has authenticated with FlakeHub Cache, it determines which slices you’re allowed to access and combines those slices into a single view of the cache. With this view abstraction, FlakeHub Cache can make decisions like these:
- User
devops_aficionado_123from theWidgetsDotComorg may pull from the cache for theWidgetsDotCom/devopsflake. - User
AnaBooperfrom theWidgetsDotComorg may not pull fromWidgetsDotCom/super-secureflake.
Although these users are in the same organization, WidgetsDotCom can make access decisions on a per-flake basis and thus choose whichever access patterns and collaboration models they wish. This model is certainly more robust from a security standpoint but it also:
- Is much simpler. When using Nix, you only need to configure FlakeHub Cache; there’s no need to distribute public keys for a multitude of them.
- Offers better performance. Using only one platform for caching means fewer network round trips and fewer authentication handshakes. In addition, we run FlakeHub Cache in a variety of regions with CDN-backed storage. This results in a clear speed-up in your Nix builds.
In addition to access control, things like garbage collection are also configurable at the flake level.
A new caching model
Two core aspects of using FlakeHub Cache make it a significant departure from other available cache systems:
-
No public caches. That’s right: FlakeHub Cache doesn’t allow you to expose public caches like cache.nixos.org. You can pull from the cache for a specific flake only if you’re (a) authenticated and (b) have permission. That means that you can’t even accidentally make caches for specific flakes truly public. We’re open to exploring public caches in the future but would only do so with due care.
-
Push only from CI. At the moment, when you create FlakeHub Cache authentication tokens, those only apply to pulling from the cache. You can’t push to the cache in an ad-hoc way using a CLI or other tool; you can only push from GitHub Actions, particularly the Magic Nix Cache Action (with GitLab support coming soon). If you enroll in the beta, you can enable pushing with this one-liner in your Actions configuration:
permissions:contents: readid-token: writesteps:- uses: actions/checkout@v3- uses: DeterminateSystems/nix-installer-action@main- uses: DeterminateSystems/magic-nix-cache-action@main- run: nix flake check
With that in place, anything that you nix build is automatically pushed to the cache—if authorized to!—without any need for separate push commands.
A bold step forward
We firmly believe that FlakeHub Cache is the first enterprise-ready cache in the Nix ecosystem. Public caches and caches without granular access control are not suited for a broad range of use cases and even whole industries, particularly those subject to exacting compliance standards, regulatory regimes, and security requirements. If you’re compelled by the power of Nix but have concerns about existing solutions, this might be precisely the sea change you’ve been waiting for.
On top of that, Determinate Systems is the only SOC2-compliant vendor in the Nix ecosystem, which should make otherwise-difficult discussions with the higher-ups go much more smoothly.
You can try out FlakeHub Cache for yourself soon. Sign up below, configure one of your GitHub Actions runs to use the Magic Nix Cache Action, make a small update to your Nix configuration, and you’ll experience this sea change first hand.
Register for the FlakeHub Cache private beta
