Changelog: a new command for visualizing active Nix builds and much more

6 min read Original article ↗

Determinate Nix 3.14.0 is here to deliver major quality-of-life improvements just in time for the holiday season. Based on upstream Nix 2.32.4, this release brings:

What is going on?! nix ps to the rescue

Determinate Nix 3.14.0 introduces a nix ps command that summarizes all of Nix’s current active builds and child processes:

Here’s an example visualization:

USER      PID     CPU  DERIVATION/COMMAND
_nixbld1  30167  0.4s  /nix/store/h431bcfml83czhpyzljhp9mw4yrq95vs-determinate-nix-manual-3.14.0.drv (wall=9s)
_nixbld1  30167  0.2s  └───bash -e /nix/store/vj1c3wf9c11a0qs6p3ymfvrnsdgsdcbq-source-stdenv.sh /nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.s
_nixbld1  30278  0.0s      └───ninja -j14
_nixbld1  30279  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30286  0.0s             └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix config show --json
_nixbld1  30280  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30287  0.0s             └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-language
_nixbld1  30281  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30288  0.0s             └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-cli
_nixbld1  30282  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30284  0.0s             └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-xp-features
_nixbld1  30283  0.0s          └───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30285  0.0s              └───/nix/store/5c8hb299k0acbypqw6j9m4znyd6b97cz-bash-5.2p37/bin/bash -euo pipefail -c if type -p build-release-notes > /de
_nixbld1  30289  0.0s                  └───changelog-d ../source/release-notes/../../rl-next

For people who want to integrate it with other tools, nix ps has a --json flag that you can set to get all the raw data in JSON form. Here’s an example:

[
  {
    "cgroup": null,
    "clientPid": null,
    "clientUid": null,
    "derivation": "a1l9brca1wrz7w840jgx0ys3xybxpx1z-apache-kafka-2.13-4.1.0.drv",
    "mainPid": 99530,
    "mainUser": {
      "name": "_nixbld1",
45 collapsed lines
      "uid": 351
    },
    "nixPid": 99528,
    "processes": [
      {
        "argv": [
          "bash",
          "-e",
          "/nix/store/l622p70vy8k5sh7y5wizi5f2mic6ynpg-source-stdenv.sh",
          "/nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.sh"
        ],
        "cstime": null,
        "cutime": null,
        "parentPid": 99528,
        "pid": 99530,
        "stime": 0.07667700201272964,
        "user": {
          "name": "_nixbld1",
          "uid": 351
        },
        "utime": 0.13316699862480164
      },
      {
        "argv": [
          "dirname",
          "/nix/store/0rmw10m3fwqqkgfdsvq2sj0w9nriyqg6-apache-kafka-2.13-4.1.0/bin/kafka-consumer-groups.sh"
        ],
        "cstime": null,
        "cutime": null,
        "parentPid": 99530,
        "pid": 99664,
        "stime": 0.0010509999701753259,
        "user": {
          "name": "_nixbld1",
          "uid": 351
        },
        "utime": 0.0014799999771639705
      }
    ],
    "startTime": 1765379479.0,
    "stime": null,
    "type": "build",
    "utime": null
  }
]

The build, profile, and flake check commands tell you which output failed

In Determinate Nix 3.14.0 nix build, nix profile, and nix flake check now tell you exactly which flake outputs failed to build. Previously, the error would indicate only which derivation failed to build, which can be helpful, but really you want to see the output.

Here’s an example command that builds two failing outputs:

nix build .#oneFakeHash .#badSystem --keep-going

You can clearly see the flake output behind each failure:

 git+file:///Users/grahamc/src/github.com/DeterminateSystems/samples#oneFakeHash
error: hash mismatch in fixed-output derivation '/nix/store/58pp1y74j4f5zxfq50xncv2wvnxf7w3y-one-fake-hash.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-i7j83d71sibS/ssSjLJ5PMKmbhjAM+BHW0aElvkgEwY=
 git+file:///Users/grahamc/src/github.com/DeterminateSystems/samples#badSystem
error: Cannot build '/nix/store/5vsaxi730yl2icngkyvn8wiflik5wfmq-bad-system.drv'.
       Reason: required system or feature not available
       Required system: 'bogus' with features {}
       Current system: 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}

And in a change that we find especially useful in CI, nix flake check now provides greatly improved summaries. So you can now run this…

…and see something colorful and nuanced yet crystal clear:

 checks.aarch64-darwin.twoFakeHashes (cancelled)
 checks.aarch64-darwin.badSystemNested (cancelled)
 checks.aarch64-darwin.oneFakeHash (cancelled)
 checks.aarch64-darwin.failure (cancelled)
 checks.aarch64-darwin.badSystem (cancelled)
 checks.aarch64-darwin.weirdHash (cancelled)
 checks.aarch64-darwin.all (cancelled)
 checks.aarch64-darwin.fakeHashes (cancelled)
 checks.aarch64-darwin.incorrectHashes (cancelled)
 checks.aarch64-darwin.badFeaturesNested (cancelled)
 checks.aarch64-darwin.failureNested (cancelled)
 checks.aarch64-darwin.badFeatures
error: Cannot build '/nix/store/sc1cyhrpsm9yjx55cl2zzyr5lypwigi6-bad-feature.drv'.
       Reason: required system or feature not available
       Required system: 'aarch64-darwin' with features {bogus}
       Current system: 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}

More seamless upgrades from Nix 2.18 and Nix 2.19

We’ve heard from some users who have struggled to upgrade from Nix 2.18. These users are primarily experiencing problems caused by Nix 2.20 switching from git-archive to libgit2 for fetching repositories. This change caused some git-archive filters, like autocrlf, to stop executing. Not running those filters is an improvement because running those filters can cause instability in source hashes. This switch, however, did cause previously valid hashes to become invalid.

Determinate Nix now retries fetching an old archive with git-archive as a fallback when libgit2 fails to provide the correct source.

Further, to support a progressive migration Determinate Nix has a new option: nix-219-compat. You can set nix-219-compat = true to cause Nix to author new flake.nix files with a git-archive-based source hash.

Finally, a user identified that builtins.path had changed since 2.18 and stopped propagating references. We have corrected this regression.

Flake registry mirroring

Determinate Nix now includes a fallback copy of the Nix registry. This change builds on top of Determinate Nix 3.13.2, in which we changed from the upstream Nix registry to a mirrored copy hosted by install.determinate.systems.

Combined, these changes enhance the reliability of Nix in the face of network outages.

Flake registry resolution CLI

We added the new command nix registry resolve to help debug issues with flake registries. This command looks up a flake registry input name and returns the flakeref it resolves to.

For example, looking up Nixpkgs:

nix registry resolve nixpkgs

Example output:

https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1

Or looking up the 25.11 branch of Nixpkgs:

nix registry resolve nixpkgs/release-25.11

Example output:

github:NixOS/nixpkgs/release-25.11

Improved Docker image packaging

Thanks to GitHub user employee-64c7dcd530593118dcccc3fb, you can now further customize the OCI/Docker images built by Determinate Nix’s flake.nix. In particular, you can now specify a base image using the fromImage attribute and additional directories to include at the beginning or end of the PATH variable using the extraPrePaths and extraPostPaths attributes, respectively.

Bug fixes

And as always, we squashed some random bugs:

How to get Determinate Nix

If you already have Determinate Nix installed, you can upgrade to 3.14.0 with one Determinate Nixd command:

sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can upgrade or migrate to Determinate Nix on macOS using our graphical installer:

Logo for graphical installer

Install Determinate Nix on macOS now 🍎

With support for Apple Silicon (aarch64-darwin)

On Linux:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
  sh -s -- install --determinate

On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO (NixOS installer for x86_64, NixOS installer for ARM) with Determinate Nix pre-installed.

On GitHub Actions:

on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v5
      - uses: DeterminateSystems/flake-checker-action@main
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - run: nix flake check

In Amazon Web Services:

data "aws_ami" "detsys_nixos" {
  most_recent = true
  owners      = ["535002876703"]
  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}