nixbuild.net now supports OpenID Connect (OIDC)!

This means that you can create auth tokens that are only usable if you also can provide an OIDC JWT signed by a specific identity provider. In practice, you can now configure your GitHub Actions workflow with a nixbuild.net auth token that can only be used from within GitHub’s infrastructure. You can even lock it down to specific GitHub repositories. This is a great step forward in securing nixbuild.net’s authentication and authorization.

This new feature is not specific to GitHub, but can be used together with any OIDC provider. Additionally, it is implemented on top of the existing Biscuit support in nixbuild.net. This further validates the usefulness and flexibility that nixbuild.net’s Biscuit policies provide.

Read on to find out exactly how it all fits together!

We have not written about nixbuild.net for over a year now, but that doesn’t mean nothing has happened. Quite the opposite - we’ve been really busy!

This blog post will try to summarize some of what we have been working on behind the scene the last couple of years. Read on to hear about nixbuild.net going enterprise, a brand new web UI and lots of new functionality!

About one year ago, we introduced an HTTP API for nixbuild.net. This API can be used to retrieve information about the builds you’ve run on the service. One place where the API is used is in the GitHub Action nixbuild-action to create detailed build summaries at the end of workflow runs.

When the API was launched, it was using Biscuit auth tokens to handle authentication and authorization. In the initial implementation, we didn’t really take much advantage of Biscuit, and basically used them as plain API keys. This week, however, we’ve finally expanded our Biscuit usage to properly take advantage of the flexibility offered.

Read on to find out how this allows us to now support advanced access policies, token-based SSH auth and signed web links that gives easy access to build logs and fancy build reports.

Less than a year ago, we announced support for ARM (aarch64-linux) builds on nixbuild.net, for users that wanted to evaluate the feature in an Early Access phase. Today, we are thrilled to announce that all nixbuild.net users now can run aarch64-linux builds!

For now, ARM builds are priced in the exact same way as x86-64 builds. This might change in the future.

If you’re already a nixbuild.net user, head over to the documentation to learn about how to configure Nix to run aarch64-linux builds on nixbuild.net. If you’re not a user, register today and get started! Every new account gets free build hours that can be spent on both ARM and x86-64 builds.

Today we are announcing support for remote store builds in nixbuild.net. This is an alternative way of remote building in Nix, which can improve build performance greatly for certain types of environments. The biggest performance impact can be had in CI setups, especially in hosted CI services like GitHub Actions.

By switching over our own CI setup (running on GitHub Actions) to this build mode we reduced the best-case build time of our slowest CI job from 20 minutes down to just 20 seconds, an amazing 60x speedup!

No extra setup is needed, everything is already built into Nix and the feature is available to all nixbuild.net users right now.

Read on to find out how to try this out on your own CI builds!

Less than two weeks ago, we announced support for ARM builds on nixbuild.net. Today we are excited to announce another early access feature — support for builds that use KVM!

KVM support is something that almost no public CI/CD provider offers, so we are very happy to be able to make this available to our users.

For NixOS users and developers, this is especially valuable since it makes it possible to run integration tests based on the powerful testing framework found in nixpkgs/NixOS.

KVM builds are currently in an Early Access phase. If you want to try it out, contact us at [email protected]. Anyone is free to request access, but there might be waiting time depending on interest. During Early Access, KVM builds are priced and handled exactly as standard builds. The final pricing and price model for builds that require KVM has not been settled yet.

So far KVM builds are only supported on x86_64-linux, not on ARM.

As of today, there is support for running aarch64-linux builds in nixbuild.net. This is a feature that has been requested by many of our users, and we are very happy to be able to provide this as part of our service.

For the moment, ARM builds are in an Early Access phase. If you want to try it out, just drop us a line at [email protected]. Anyone is free to request access, but there might be waiting time depending on interest. During Early Access, ARM builds are priced and handled exactly as the standard x86_64-linux builds. The final pricing and price model for ARM builds has not been settled yet.

Parameter sweeping is a technique often utilized in scientific computing and HPC settings. In the mainstream software industry the concept is called a build matrix.

The idea is that you have a task you want to perform with varying input parameters. If the task takes multiple parameters, and you’d like to try it out with multiple values for each parameter, it is easy to end up with a combinatorial explosion.

This blog post gives a practical demonstration showing how Nix is a perfect companion for managing parameter sweeps and build matrices, and how nixbuild.net can be used to supercharge your workflow.

My hope is that this text can interest readers that don’t know anything about Nix as well as experienced Nix users.

During the last decade, many initiatives focussing on making builds reproducible have gained momentum. reproducible-builds.org is a great resource for anyone interested in how the work progresses in multiple software communities. r13y.com tracks the current reproducibility metrics in NixOS.

Nix is particularly suited for working on reproducibility, since it by design isolates builds and comes with tools for finding non-determinism. The Nix community also works on related projects, like Trustix and the content-addressed store.

This blog post summarises how nixbuild.net can be useful for finding non-deterministic builds, and announces a new feature related to reproducibility!

One year ago nixbuild.net was announced to the Nix community for the very first time. The service then ran as a closed beta for 7 months until it was made generally available on the 28th of August 2020.

This blog post will try to summarize how nixbuild.net has evolved since GA four months ago, and give a glimpse of the future for the service.

Today, nixbuild.net is exiting private beta and made generally available! Anyone can now sign up for a nixbuild.net account and immediately start building using the free CPU hours included with every account.

After the free CPU hours have been consumed, the pricing is simple: 0.12 EUR (excl. VAT) per CPU hour consumed, billed monthly.

Performance and cost-effectiveness are core values for nixbuild.net. How do you make a Nix build as performant and cheap as possible? The answer is — by not running it at all!

This post goes into some detail about the different ways nixbuild.net is able to safely reuse build results. The post gets technical, but the main message is that nixbuild.net really tries to avoid building if it can, in order to save time and money for its users.

As of today, nixbuild.net will automatically select resources (CPU count and memory amount) for builds submitted to it. Based on historic build data, nixbuild.net calculates a resource allocation that will make your build as performant as possible, while wasting minimal CPU time. This means nixbuild.net users get faster and cheaper builds, while also taking away the user’s burden of figuring out what resource settings to use for each individual build.

Up until now, nixbuild.net has not supported directly fetching build dependencies from binary caches like cache.nixos.org or Cachix. All build dependencies have instead been uploaded from the user’s local machine to nixbuild.net the first time they’ve been needed.

Today, this bottleneck has been removed, since nixbuild.net now can fetch build dependencies directly from binary caches, without taxing users’ upload bandwidth.

On the support side of the nixbuild.net service, two new resources have been published:

• docs.nixbuild.net, collecting all available documentation for nixbuild.net users.

• The nixbuild.net feedback repository on GitHub, providing a way to report issues or ask questions related to the service.

These resources are mainly useful for nixbuild.net beta users, but they are open to anyone. And anyone is of course welcome to request a free beta account for evaluating nixbuild.net, by just sending me an email.

Exactly one month ago, I announced the nixbuild.net service. Since then, there have been lots of work on functionality, performance and stability of the service. As of today, nixbuild.net is exiting alpha and entering private beta phase. If you want to try it out, just send me an email.

Today, I’m also launching the nixbuild.net blog, which is intended as an outlet for anything related to the nixbuild.net service. Announcements, demos, technical articles and various tips and tricks. We’ll start out with a proper introduction of nixbuild.net; why it was built, what it can help you with and what the long-term goals are.