Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

NixOS Command Cheatsheet

A collection of useful Nix and NixOS commands for system management.

System & Store Maintenance

  • Verify & Repair Store: Checks the integrity of the Nix store and repairs any issues. Use this if you suspect corruption.

    sudo nix-store --repair --verify --check-contents

  • Garbage Collection: Removes all unused packages from the Nix store to free up space.

    sudo nix-collect-garbage -d
sudo nix-collect-garbage --delete-older-than 7d
sudo nix store gc

Generation Management

  • List System Generations: Shows all past system configurations (generations).

    sudo nix-env --list-generations --profile /nix/var/nix/profiles/system

  • Switch Generation (No Reboot): Allows you to roll back to a previous system configuration without restarting.

    1. List generations:

      nix-env --list-generations -p /nix/var/nix/profiles/system

    2. Switch to generation:

      sudo nix-env --switch-generation <number> -p /nix/var/nix/profiles/system

    3. Activate configuration:

      sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch

    4. Set Booted Generation as Default: If you boot into an older generation, run this to make it the default.

      /run/current-system/bin/switch-to-configuration boot

System Rebuilding

  • Rebuild without Cache: Forces a rebuild without using cached tarballs. 
    sudo nixos-rebuild switch --flake .#host --option tarball-ttl 0
  • Rebuild on a Remote Machine: Uses sudo on a remote machine during activation. 
    nixos-rebuild --use-remote-sudo switch --flake .#host

Flake Management

  • Update Flake Inputs: Updates flake dependencies and commits to flake.lock.

    nix flake update --commit-lock-file --accept-flake-config

  • Update Flake Inputs: Provide the git auth token to Updates flake dependencies and commits to flake.lock. (fix api rate limit)

    nix flake update --option access-tokens "github.com=$(gh auth token)"

  • Inspect Flake Metadata: Shows flake metadata in JSON format.

    nix flake metadata --json | nix run nixpkgs#jq

Development & Packaging

  • Prefetch URL: Downloads a file and prints its hash. Essential for packaging.

    nix-prefetch-url "https://discord.com/api/download?platform=linux&format=tar.gz"

  • Evaluate a Nix File: Tests a Nix expression from a file.

    nix-eval --file default.nix

Nixpkgs Legacy: Using Old OpenSSH with DSS

Sometimes you need to connect to legacy SSH servers that only support ssh-dss (DSA) keys. Modern Nixpkgs disables DSS by default, but you can pin an older package.

1. Create a Nix file for legacy OpenSSH

legacy-ssh.nix:

{ pkgs ? import <nixpkgs> {} }:

let
  # Pin an older nixpkgs commit with DSS support
  legacyPkgs = import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/2f6ef9aa6a7eecea9ff7e185ca40855f36597327.tar.gz";
    sha256 = "0jcs9r4q57xgnbrc76davqy10b1xph15qlkvyw1y0vk5xw5vmxfz";
  }) {};
in
  legacyPkgs.openssh

Browse older package versions: Nix Versions

2. Build the package

nix build -f legacy-ssh.nix

3. Use the legacy ssh binary

./result/bin/ssh -F /dev/null \
  -o HostKeyAlgorithms=ssh-dss \
  -o KexAlgorithms=diffie-hellman-group1-sha1 \
  -o PreferredAuthentications=password,keyboard-interactive \
  admin@192.168.0.1 -vvv

Explanation of key options:

  • -F /dev/null → Ignore default SSH config.
  • HostKeyAlgorithms=ssh-dss → Allow DSS host keys.
  • KexAlgorithms=diffie-hellman-group1-sha1 → Use legacy key exchange.
  • PreferredAuthentications=password,keyboard-interactive → Only use password or interactive login.