Nix Flakes | Stack | Fluid Attacks Help

Nix Flakes

Rationale


We use Nix Flakes to build, develop and distribute software in a fast, secure and reproducible way. Nix Flakes:
  1. Allows us to create modular and reproducible packages or environments for any programming language and system architecture.
  2. Does not do anything else besides providing building blocks for fulfilling the above purpose.
  3. Provides standard interfaces for declaring inputs and outputs for a given piece of software.
  4. Embraces pure Nix, meaning that modularity and overall flexibility are greater, but the learning curve is also higher.
  5. Has first-class support implementations for all our current programming languages.
  6. Supports declarative configurations for language-specific package managers like uv and npm.
  7. Does not provide out-of-the-box declarative support for external services.
  8. Supports fully cryptographically-signed environments for security and reproducibility.
  9. Can be easily integrated into Cachix for performance.
  10. Provides garbage collection support for easily cleaning up disk space.
  11. Supports automatic shell activation via nix-direnv for development experience.
  12. Has a big community and excellent support.

Alternatives

Below are alternatives to Nix Flakes considered or used in the past.

Makes

  1. Makes, developed by Fluid Attacks in 2021, was an entry-level framework designed to help developers new to Nix. It was deprecated in 2025 in favor of Nix Flakes. It is a Nix wrapper for creating reproducible tasks.
  2. It only provides a way to run tasks on any Linux-based machine, meaning that development environments and modularity are considerably affected.
  3. It provides standard interfaces for declaring inputs and outputs for a given piece of software.
  4. Its interfaces are designed to abstract those of Nix, aiming to make the system more accessible and easier to use for developers.
  5. It requires us to support the programming languages we need, increasing maintenance burden.
  6. It supports declarative configurations for language-specific package managers like uv and npm.
  7. It requires us to support the external services we need, increasing maintenance burden.
  8. It supports fully cryptographically-signed environments for security and reproducibility.
  9. It has its own Cachix integration for performance.
  10. Although it does not provide garbage collection, Nix's native one can be used.
  11. Its shell activation support is pretty limited, considerably affecting development experience.
  12. It is maintained solely by us and receives virtually no support beyond what we provide ourselves.
Makes was last reviewed on May 26, 2025.

devenv

  1. devenv provides a Nix wrapper for creating reproducible environments for any programming language and system architecture.
  2. It only provides development environments, meaning that reproducibility and modularity are highly affected.
  3. It does not provide standard interfaces for declaring inputs and outputs for a given piece of software.
  4. Its interfaces are similar to Makes's, considerably decreasing its learning curve for us.
  5. It has out-of-the-box declarative support for all our current programming languages.
  6. It supports declarative configurations for language-specific package managers like Poetry and npm.
  7. It provides out-of-the-box declarative support for a considerable list of services like DynamoDB, OpenSearch, Nginx, among others.
  8. It supports fully cryptographically-signed environments for security and reproducibility.
  9. It has Cachix support for performance.
  10. It provides garbage collection support for easily cleaning up disk space.
  11. It supports automatic shell activation for development experience.
  12. Being a Nix wrapper, its community is smaller and support not as good.
devenv was last reviewed on Jan 27, 2025.

Devbox

  1. Devbox provides a Nix wrapper for creating reproducible tasks for any programming language and system architecture.
  2. It does not do anything else besides providing building blocks for fulfilling the above purpose. It is less flexible compared to Nix Flakes, Makes, and devenv.
  3. It does not provide standard interfaces for declaring inputs and outputs for a given piece of software.
  4. Its interfaces try to fully abstract Nix with JSON, making it less flexible but also making it way simpler.
  5. It has out-of-the-box declarative support for all our current programming languages.
  6. It supports declarative configurations for language-specific package managers like Poetry and npm.
  7. It provides out-of-the-box declarative support for a small list of services, although most of them are currently not relevant to our needs.
  8. It supports fully cryptographically-signed environments for security and reproducibility.
  9. It provides its own cache for performance. This would increase the learning curve for us, as we already know Cachix.
  10. It does not provide any information regarding garbage collection.
  11. It supports automatic shell activation for development experience.
  12. Being a Nix wrapper, its community is smaller and support not as good.
Devbox was last reviewed on Jan 27, 2025.

Flox

  1. Flox provides a Nix wrapper for creating reproducible tasks for any programming language and system architecture.
  2. It does not do anything else besides providing building blocks for fulfilling the above purpose. It is less flexible compared to Nix Flakes, Makes, and devenv.
  3. It does not provide standard interfaces for declaring inputs and outputs for a given piece of software.
  4. Its interfaces try to fully abstract Nix with a self-made approach, making it less flexible and increasing its learning curve for us.
  5. It does not have support for any programming language, forcing users to approach configurations in a procedural way.
  6. It does not support any language-specific package managers, forcing users to approach configurations in a procedural way.
  7. It does not provide support for any services, forcing users to approach configurations in a procedural way.
  8. It does not seem to provide a way for pinning environments, making them unstable.
  9. It does not support Cachix but instead uses FloxHub, increasing the learning curve for us.
  10. It does not provide any information regarding garbage collection.
  11. It does not provide any information regarding automatic shell activation.
  12. Being a Nix wrapper, its community is smaller and support not as good.
Flox was last reviewed on Jan 27, 2025.

Usage

We use Nix Flakes to manage and serve all of Fluid Attacks' software. However, the migration to Nix Flakes is still in progress, so some components may still rely on Makes.

Guidelines

Installing Nix Flakes

You only need to install Determinate Nix.

Using Nix Flakes

You can run components of your choice, for example:

nix run "gitlab:fluidattacks/universe?dir=forces" -- --help
nix run "gitlab:fluidattacks/universe?dir=melts" -- --help
nix run "gitlab:fluidattacks/universe?dir=skims" -- --help
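An added check, not code from this page or from Fluid Attacks' tooling, that goes with the reproducibility points made above: it parses flake references of the `gitlab:owner/repo?dir=...` form used in these commands and audits a constructed flake.lock so that every input is locked to a commit rev and a narHash rather than a movable branch such as trunk. The sample lock file, hash and rev values are constructed for illustration.

```python
import json

def parse_flake_ref(ref: str) -> dict:
    """Split 'gitlab:fluidattacks/universe?dir=forces' into type, owner, repo,
    optional ref and query parameters (assumes owner/repo[/ref], no subgroups)."""
    flake_type, _, rest = ref.partition(":")
    path, _, query = rest.partition("?")
    parts = path.split("/")
    out = {"type": flake_type, "owner": parts[0], "repo": parts[1]}
    if len(parts) > 2:
        out["ref"] = parts[2]
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        out[key] = value
    return out

def unpinned_inputs(lock: dict) -> list[str]:
    """Names of lock nodes not pinned to an immutable 'rev' plus a 'narHash'.
    A branch or tag name alone ('ref') can move, so it is not reproducible."""
    bad = []
    for name, node in lock["nodes"].items():
        if name == lock["root"]:
            continue  # the root node only lists top-level inputs, it has no 'locked'
        locked = node.get("locked", {})
        if not locked.get("rev") or not str(locked.get("narHash", "")).startswith("sha256-"):
            bad.append(name)
    return sorted(bad)

# Constructed sample flake.lock: 'nixpkgs' is properly pinned, while 'forces'
# was hand-edited to a branch ref only and carries no content hash.
SAMPLE_LOCK = json.loads("""{
  "nodes": {
    "nixpkgs": {
      "locked": {"narHash": "sha256-CONSTRUCTEDexampleHASHnotARealOne000000000=",
                 "owner": "NixOS", "repo": "nixpkgs",
                 "rev": "0123456789abcdef0123456789abcdef01234567", "type": "github"},
      "original": {"owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github"}
    },
    "forces": {
      "locked": {"owner": "fluidattacks", "repo": "universe", "ref": "trunk", "dir": "forces", "type": "gitlab"},
      "original": {"owner": "fluidattacks", "repo": "universe", "dir": "forces", "type": "gitlab"}
    },
    "root": {"inputs": {"nixpkgs": "nixpkgs", "forces": "forces"}}
  },
  "root": "root",
  "version": 7
}""")
```

Run `unpinned_inputs(json.load(open("flake.lock")))` against a real lock file in CI; a non-empty result means a build cannot be reproduced bit-for-bit from the lock alone.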

Installing Makes

  1. Make sure that Nix is installed on your system.

  2. Follow the steps at the official Makes documentation.

Using Makes

You can build and run the components of your choice, for example:

m gitlab:fluidattacks/universe@trunk /forces --help
m gitlab:fluidattacks/universe@trunk /melts --help
m gitlab:fluidattacks/universe@trunk /skims --help

Troubleshooting

General considerations

  • A stable internet connection is required
  • A stable DNS resolver is required. Please consider using the following:
    • IPv4: 1.1.1.1, 8.8.8.8, 8.8.4.4
    • IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844
  • If the problem persists, please let us know at help@fluidattacks.com
