additionalNetrcSources silently ignored without FlakeHub auth

[schickling-assistant]

Problem

On self-hosted CI runners using determinate-nix-action, custom additionalNetrcSources entries in /etc/determinate/config.json are silently dropped when the host is not authenticated to FlakeHub.

The binary contains the string auth: no flakehub token to augment user provided netrc sources, suggesting the code path that merges additional netrc sources is gated behind FlakeHub authentication. This means additionalNetrcSources — the official mechanism for adding private cache credentials — only works if the host happens to also be logged into FlakeHub.

Reproduction

1. Install Determinate Nix 3.17.0 on a NixOS host (no FlakeHub login)
2. Create /etc/determinate/config.json:

   {"additionalNetrcSources": ["/etc/nix/cachix-netrc"]}

3. Restart nix-daemon / determinate-nixd
4. Observe that /nix/var/determinate/netrc does NOT include entries from /etc/nix/cachix-netrc
5. The log shows config_file: None at startup

Expected behavior

additionalNetrcSources should work independently of FlakeHub authentication status. Users should be able to add private Cachix (or other) cache credentials without requiring a FlakeHub login.

Workaround

We currently use a systemd PathModified unit that watches /nix/var/determinate/netrc and re-appends cached entries from a durable source whenever determinate-nix-action (or the daemon) resets the file.

Related

• additionalNetrcSources doesn't work on 3.9.0+? #135 — additionalNetrcSources not working on 3.9.0+
• NixOS module netrc-file setting conflicts with custom settings #90 — NixOS module netrc-file conflicts

---

🤖 Filed with Claude Code on behalf of @schickling

[grahamc]

What version of determinate-nixd are you running? This should be solved.

[abeluck]

I think your json is incorrect.. according to the docs the additionalNetrcSources should be wrapped in an authentication object