FlakeHub Cache docs

.prettierignore

@@ -1,5 +1,5 @@
 .direnv/
 pnpm-lock.yaml
-*.mdx
+**/*.mdx
 .next/
 .vscode/

components/SignupForm.tsx

@@ -0,0 +1,45 @@
+const SignupForm = () => {
+  return (
+    <div
+      className="not-prose my-6 rounded-lg border-2 border-ds-magenta bg-gray-900 p-4 md:p-5 lg:p-6"
+      id="signup"
+    >
+      <div className="space-y-4 md:space-y-6">
+        <p className="text-ds-white text-xl font-semibold">
+          Register for the FlakeHub Cache private beta
+        </p>
+
+        <form
+          action="https://systems.us21.list-manage.com/subscribe/post?u=219191dcbd71bd0a5da006aed&amp;id=da3f9b6422&amp;f_id=00a5e7e1f0"
+          method="POST"
+          className="relative flex"
+          x-ph-capture-trigger="submit"
+          x-ph-capture-event="subscribe-private-beta"
+        >
+          <input type="hidden" name="FHBETA" value="yes" />
+
+          <div className="flex flex-col gap-4 md:flex-row md:gap-0">
+            <div className="flex border border-ds-violet">
+              <input
+                placeholder="Email address"
+                type="email"
+                name="EMAIL"
+                className="placeholder-font-semibold focus:bg-ds-white bg-transparent px-4 py-2 placeholder-white focus:text-ds-sky-blue md:px-5 md:py-3"
+              />
+            </div>
+            <div className="self-star flex md:border md:border-ds-violet">
+              <button
+                type="submit"
+                className="duration-hover bg-ds-violet px-4 py-2 text-center font-extrabold transition-colors hover:text-ds-gray-lightest md:px-5 md:py-3"
+              >
+                Register
+              </button>
+            </div>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+};
+
+export default SignupForm;

flake.nix

@@ -2,25 +2,24 @@
   description = "The FlakeHub documentation";
 
   inputs = {
-    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*.tar.gz";
-    flake-schemas.url = "https://flakehub.com/f/DeterminateSystems/flake-schemas/*.tar.gz";
+    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/*";
   };
 
-  outputs = { self, nixpkgs, flake-schemas }:
+  outputs = { self, ... }@inputs:
     let
       supportedSystems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" "aarch64-linux" ];
-      forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
-        pkgs = import nixpkgs { inherit system; };
+      forEachSupportedSystem = f: inputs.nixpkgs.lib.genAttrs supportedSystems (system: f {
+        pkgs = import inputs.nixpkgs { inherit system; };
       });
     in
     {
-      schemas = flake-schemas.schemas;
-
       devShells = forEachSupportedSystem ({ pkgs }:
         let
+          content = "./pages";
+
           scripts = with pkgs; [
             (writeScriptBin "lint-style" ''
-              vale pages
+              vale ${content}
             '')
 
             (writeScriptBin "preview" ''
@@ -29,7 +28,7 @@
             '')
 
             (writeScriptBin "check-sensitivity" ''
-              alex --quiet pages
+              alex --quiet ${content}
             '')
 
             (writeScriptBin "checks" ''

package.json

@@ -8,23 +8,23 @@
   },
   "dependencies": {
     "@heroicons/react": "^2.1.5",
-    "@tailwindcss/typography": "^0.5.13",
+    "@tailwindcss/typography": "^0.5.14",
     "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-    "@types/node": "^20.12.12",
-    "autoprefixer": "^10.4.19",
+    "@types/node": "^20.14.15",
+    "autoprefixer": "^10.4.20",
     "clsx": "^2.1.1",
     "isomorphic-dompurify": "^1.13.0",
     "marked": "^5.1.2",
-    "next": "^14.2.3",
+    "next": "^14.2.5",
     "nextra": "^2.13.4",
     "nextra-theme-docs": "^2.13.4",
-    "postcss": "^8.4.38",
-    "prettier": "^3.2.5",
+    "postcss": "^8.4.41",
+    "prettier": "^3.3.3",
     "prettier-plugin-tailwindcss": "^0.5.14",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-icons": "^4.12.0",
-    "tailwindcss": "^3.4.3",
+    "tailwindcss": "^3.4.9",
     "typescript": "5.2.2"
   }
 }

pages/_app.mdx

@@ -1,4 +1,4 @@
-import '../style.css'
+import "../style.css";
 
 export default function App({ Component, pageProps }) {
   return <Component {...pageProps} />

pages/features/_meta.json

@@ -1,4 +1,5 @@
 {
+  "cache": "FlakeHub Cache",
   "semver": "Semantic versioning",
   "discovery": "Flake discovery",
   "webhooks": "Webhooks"

pages/features/cache.mdx

@@ -0,0 +1,110 @@
+# FlakeHub Cache
+
+*FlakeHub Cache* is a [Nix binary cache][cache] that works in conjunction with [FlakeHub][home].
+It has two main features that distinguish it from other Nix caching services:
+
+1. It enables you to [control access](#access-control) at the [flake][flakes] level.
+1. It uses a flexible and convenient [authentication](#authentication) model that doesn't require juggling access keys.
+
+FlakeHub Cache is currently in **private beta** but you can sign up for the beta here and we'll add you as soon as we're ready:
+
+<SignupForm />
+
+## Access control
+
+Nix caching solutions based on [nix-serve] serve an entire [Nix store][store] as a single monolithic cache and make all store paths in that cache available to anyone with a public key.
+With FlakeHub Cache, on the contrary, you can grant or deny read access to specific users **at the [flake][flakes] level**, which affords substantially more granular access control.
+
+Let's say that you're an admin for the org `omnicorp`.
+You could manage access to your org's flakes in such a way that, for example:
+
+* Only some trusted users would be allowed to pull store paths associated with the flake `super-duper-secure`.
+* Anyone in your org can pull store paths associated with the `dev-environments` flake.
+
+## Authentication model
+
+FlakeHub Cache authentication is based on [JSON Web Tokens][jwt] (JWTs or "jots").
+We currently use [GitHub] as our JWT authentication provider but will be adding support for [GitLab] in the near future.
+Down the road, the flexibility of JWTs will enable us to support a wide range of additional authentication solutions, including [SAML] and [Single sign-on][sso] (SSO) providers.
+
+In contrast, existing Nix caching services use static tokens for authentication.
+This model places all of the operational burden of authentication on users; with FlakeHub Cache, however, we've opted to shift that burden to trusted authentication providers.
+
+## Pushing to the cache
+
+FlakeHub Cache differs from existing Nix caching solutions because it forbids pushing to the cache in an ad-hoc way.
+Thus, you can't push to the cache from your laptop or from one of your servers.
+Instead, only *trusted builders* are allowed to push to the cache.
+At the moment, this includes only [GitHub Actions runners][actions] but other options will be available in the future.
+
+In order to push to FlakeHub Cache from GitHub Actions, your GitHub organization needs to be [registered for the beta](#signup).
+Once you've been added&mdash;you'll be notified via email&mdash;you can configure your org's GitHub Actions workflows to use the cache.
+Here's an example:
+
+```yaml {4-6,9-10} showLineNumbers filename=".github/workflows/nix.yml"
+jobs:
+  build-nix-package:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      # Build default package
+      - run: nix build
+```
+
+In this configuration:
+
+* The `permissions` section enables you to authenticate to FlakeHub Cache.
+  No other authentication method, like public keys, is necessary.
+* The [Magic Nix Cache Action][mnca] sets up authentication for FlakeHub Cache.
+
+<Callout type="info">
+You can push all of your flake outputs to FlakeHub Cache in [GitHub Actions][actions] using the [Determinate CI Action][ci]:
+
+```yaml filename=".github/workflows/ci.yml"
+jobs:
+  DeterminateCI:
+    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
+    permissions:
+      id-token: "write"
+      contents: "read"
+```
+
+This Action automatically:
+
+* Discovers all Nix derivation outputs&mdash;`packages`, `devShells`, and more&mdash;on all architectures your flake supports using [Flake Schemas][schemas].
+* Builds all derivation outputs on appropriate Actions runners and uses the [Magic Nix Cache][mnca] to push to FlakeHub Cache.
+* Publishes your flake releases to FlakeHub.
+</Callout>
+
+## Pulling from the cache
+
+In order to pull from the cache, you need to be properly authenticated in one of two ways:
+
+1. On GitHub Actions runners, authentication happens automatically.
+1. As an ordinary user on a laptop or workstation, you need to authenticate using [`fh login`][fh-login].
+
+<SignupForm />
+
+[actions]: https://docs.github.com/actions
+[cache]: https://zero-to-nix.com/concepts/caching
+[ci]: https://github.com/DeterminateSystems/ci
+[determinate]: https://github.com/determinateSystems/determinate
+[fh-login]: https://github.com/determinateSystems/fh?tab=readme-ov-file#log-into-flakehub
+[flakes]: https://zero-to-nix.com/concepts/flakes
+[github]: https://github.com
+[gitlab]: https://gitlab.com
+[home]: /
+[jwt]: https://jwt.io
+[login]: /login
+[mnca]: https://github.com/determinateSystems/magic-nix-cache-action
+[nix-serve]: https://nixos.org/manual/nix/stable/package-management/binary-cache-substituter
+[saml]: https://en.wikipedia.org/wiki/SAML_2.0
+[schemas]: https://github.com/DeterminateSystems/flake-schemas
+[sso]: https://en.wikipedia.org/wiki/Single_sign-on
+[store]: https://zero-to-nix.com/concepts/store
+[wizard]: https://flakehub.com/up