Feb 24, 2025 by Luc Perkins

Introducing Determinate AMIs for NixOS

announcement aws cache deployment devops ec2 nixos terraform

Today, we’re excited to announce that Determinate Systems now offers Amazon Machine Images (AMIs) for NixOS that include Determinate Nix. Our AMIs are available for both AMD64 Linux (x86_64-linux in Nix terms) and ARM64 Linux (aarch64-linux) and you can see the code behind them in our nixos-amis repo.

What sets these apart from other NixOS AMIs is that they seamlessly interoperate with FlakeHub and thus offer much speedier NixOS deployments, even inside of autoscaling groups. Interoperation with FlakeHub is provided by Determinate Nix and fh:

Determinate Nix, our validated and secure Nix for enterprises. Determinate Nix includes Determinate Nixd, a utility that enables you to log in to FlakeHub using AWS Secure Token Service (STS) using one command:
Log in to FlakeHub from AWS with a single command
```
determinate-nixd login aws
```
fh, the CLI for FlakeHub. You can use fh for things like applying NixOS configurations uploaded to FlakeHub Cache. Here’s an example:
Apply a NixOS configuration to your AMI with two commands
```
determinate-nixd login aws
fh apply nixos \
  "my-org/my-flake/*#nixosConfigurations.my-nixos-configuration"
```
In this case, fh would pull the target NixOS closure from FlakeHub Cache without even needing to evaluate the store path.

We see this as a major upgrade over existing approaches to NixOS deployment, and you can read more about it in a recent blog post.

Would you like access to private flakes and FlakeHub Cache?

Using Terraform or OpenTofu

While there are lots of ways to deploy AMIs to EC2, we suspect that users are likely to gravitate toward Infrastructure as Code (IAC) tools like Terraform and OpenTofu. Here’s an example declaration of an aws_ami data resource that uses our AMD64 Linux AMI:

data "aws_ami" "detsys_nixos" {
  most_recent = true

  # Determinate Systems' AMI owner ID
  owners      = ["535002876703"]

  # Our AMIs are currently under the epoch-1 version
  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }

  # AMD64 Linux
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}

With that AMI declared, you can create an EC2 instance that applies a NixOS configuration upon launch:

resource "aws_instance" "ethercalc-server" {
  ami           = data.aws_ami.detsys_nixos.id
  instance_type = "t3.micro"

  user_data = <<EOF
determinate-nixd login aws
fh apply nixos "DeterminateSystems/demo/*#nixosConfigurations.ethercalc-demo"
EOF

  tags = {
    Name = "ethercalc-server-instance"
  }
}

This configuration would deploy an Ethercalc server to EC2. That NixOS configuration is declared in the DeterminateSystems/demo repo and available as a flake on FlakeHub:

nix flake show "https://flakehub.com/f/DeterminateSystems/demo/*"

Implications

While you can use these AMIs however you like, of course, the two-command deployment option you see in the examples here is the use case that we set out to unlock here. If you’d like to unlock this AWS deployment pattern for NixOS in your own org, sign up for a paid plan with FlakeHub, start caching your NixOS configuration closure, deploy one of our AMIs, run a few commands at startup, and you’re good to go.

Written by Luc Perkins

Luc is a technical writer, software engineer, and Nix advocate who's always on the lookout for qualitatively better ways of building software. He originally hails from the Pacific Northwest but has recently taken to living abroad.

Would you like access to private flakes and FlakeHub Cache?