Determinate Nix Installer
Determinate Nix Installer is the easiest and most reliable way to install Determinate Nix.1 The installer works across a wide range of environments, including macOS, Linux, Windows Subsystem for Linux (WSL), SELinux, the Valve Steam Deck, and more, it offers support for seamlessly uninstalling Nix, it enables Nix to survive macOS upgrades, and offers a range of features that make it the industry standard for installing Nix.
By default, it installs Determinate Nix, which enables flakes and offers a variety of industry-leading features and improvements.
[!NOTE] You can also use Determinate Nix Installer to install upstream Nix if you wish. This option will be available, however, until January 1, 2026.
Install Determinate Nix
This one-liner installs Determinate Nix on just about any supported system:
curl -fsSL https://install.determinate.systems/nix | sh -s -- install
[!TIP] The best way to get started with Determinate Nix on macOS is to use our macOS package, which uses Determinate Nix Installer behind the scenes but provides a highly intuitive graphical UI.
Determinate Nix Installer successfully completes tens of thousands of installs every day in a number of environments, including Github Actions and GitLab:
| Platform | Multi user? | root only | Maturity |
|---|---|---|---|
Linux (x86_64 and aarch64) | ✓ (via systemd) | ✓ | Stable |
macOS (Apple Silicon / aarch64) | ✓ | Stable (see note) | |
| Valve Steam Deck (SteamOS) | ✓ | Stable | |
Windows Subsystem for Linux 2 (WSL2) (x86_64 and aarch64) | ✓ (via systemd) | ✓ | Stable |
| Podman Linux containers | ✓ (via systemd) | ✓ | Stable |
| Docker containers | ✓ | Stable |
As a Github Action
You can install Determinate Nix on GitHub Actions using determinate-nix-action.
Here's an example configuration:
on: pull_request: push: branches: [main] jobs: build: name: Build runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: DeterminateSystems/determinate-nix-action@v3 - name: Run `nix build` run: nix build .
Pinning the GitHub Action
The determinate-nix-action is updated and tagged for every Determinate release.
For example, DeterminateSystems/determinate-nix-action@v3.5.2 will always install Determinate Nix v3.5.2.
Additionally, an extra tag on the major version is kept up to date with the current release.
The DeterminateSystems/determinate-nix-action@v3 reference, for example, installs the most recent release in the v3.x.y series.
Planners
Determinate Nix Installer installs Nix by following a plan made by a planner. To review the available planners:
/nix/nix-installer install --help
Planners have their own options and defaults, sharing most of them in common. To see the options for Linux, for example:
/nix/nix-installer install linux --help
You can configure planners using environment variables or command arguments:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ NIX_BUILD_GROUP_NAME=nixbuilder sh -s -- install --nix-build-group-id 4000 # Alternatively: NIX_BUILD_GROUP_NAME=nixbuilder ./nix-installer install --nix-build-group-id 4000
See Installer settings below for a full list of options.
Troubleshooting
Having problems with the installer? Consult our troubleshooting guide to see if your problem is covered.
Upgrading Determinate Nix
If you've installed Determinate Nix, you can upgrade it using Determinate Nixd:
sudo determinate-nixd upgrade
Alternatively, you can uninstall and reinstall with a different version of Determinate Nix Installer.
Uninstalling
You can remove Nix installed by Determinate Nix Installer by running:
/nix/nix-installer uninstall
On GitLab
GitLab CI runners are typically Docker based and run as the root user.
This means that systemd is not present, so you need to pass the --init none option to the Linux planner.
On the default GitLab runners, you can install Nix using this configuration:
test: script: - curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none - . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh - nix run nixpkgs#hello - nix profile add nixpkgs#hello - hello
If you are using different runners, the above example may need to be adjusted.
Without systemd (Linux only)
[!WARNING] When
--init noneis used, onlyrootor users who can elevate torootprivileges can run Nix:sudo -i nix run nixpkgs#hello
If you don't use systemd, you can still install Nix by explicitly specifying the linux plan and --init none:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ sh -s -- install linux --init none
In a container
In Docker/Podman containers or WSL2 instances where an init (like systemd) is not present, pass --init none.
For containers (without an init):
[!WARNING] When
--init noneis used, onlyrootor users who can elevate torootprivileges can run Nix:sudo -i nix run nixpkgs#hello
[!WARNING] If you want to add a
flake.nix, first declare a working directory (such as/src) in yourDockerfile. You cannot lock a flake placed at the docker image root (/) (see details). You would get afile '/dev/full' has an unsupported typeduring the docker build.# append this to the below dockerfiles WORKDIR /src # now flakes will work RUN nix flake init RUN nix flake lock
# Dockerfile FROM ubuntu:latest RUN apt update -y RUN apt install curl -y RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \ --extra-conf "sandbox = false" \ --init none \ --no-confirm ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" RUN nix run nixpkgs#hello
docker build -t ubuntu-with-nix . docker run --rm -ti ubuntu-with-nix docker rmi ubuntu-with-nix # or podman build -t ubuntu-with-nix . podman run --rm -ti ubuntu-with-nix podman rmi ubuntu-with-nix
For containers with a systemd init:
# Dockerfile FROM ubuntu:latest RUN apt update -y RUN apt install curl systemd -y RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \ --extra-conf "sandbox = false" \ --no-start-daemon \ --no-confirm ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" RUN nix run nixpkgs#hello CMD [ "/bin/systemd" ]
podman build -t ubuntu-systemd-with-nix . IMAGE=$(podman create ubuntu-systemd-with-nix) CONTAINER=$(podman start $IMAGE) podman exec -ti $CONTAINER /bin/bash podman rm -f $CONTAINER podman rmi $IMAGE
With some container tools, such as Docker, you can omit sandbox = false.
Omitting this will negatively impact compatibility with container tools like Podman.
In WSL2
We strongly recommend first enabling systemd and then installing Nix as normal:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ sh -s -- install
If WSLg is enabled, you can do things like open a Linux Firefox from Windows on Powershell:
wsl nix run nixpkgs#firefox
To use some OpenGL applications, you can use nixGL (note that some applications, such as blender, may not work):
wsl nix run --impure github:guibou/nixGL nix run nixpkgs#obs-studio
If enabling systemd is not an option, pass --init none at the end of the command:
[!WARNING] When
--init noneis used, onlyrootor users who can elevate torootprivileges can run Nix:sudo -i nix run nixpkgs#hello
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ sh -s -- install linux --init none
Skip confirmation
If you'd like to bypass the confirmation step, you can apply the --no-confirm flag:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \ sh -s -- install --no-confirm
This is especially useful when using the installer in non-interactive scripts.
Features
Existing Nix installation scripts do a good job but they are difficult to maintain.
Subtle differences in the shell implementations and tool used in the scripts make it difficult to make meaningful changes to the installer.
Determinate Nix installer has numerous advantages over these options:
- It installs Nix with flakes enabled by default
- It enables Nix to survive macOS upgrades
- It keeps an installation receipt for easy uninstallation
- It uses planners to create appropriate install plans for complicated targets—plans that you can review prior to installation
- It enables you to perform a best-effort reversion in the facing of a failed install
- It improves installation performance by maximizing parallel operations
- It supports an expanded test suite including "curing" cases (compatibility with Nix already on the system)
- It supports SELinux and OSTree-based distributions without asking users to make compromises
- It operates as a single, static binary with external dependencies such as OpenSSL, only calling existing system tools (like
useradd) when necessary - As a macOS remote build target, it ensures that Nix is present on the
PATH
Nix community involvement
It has been wonderful to collaborate with other participants in the Nix Installer Working Group and members of the broader community. The working group maintains a foundation-owned fork of the installer.
Quirks
While Determinate Nix Installer tries to provide a comprehensive and unquirky experience, there are unfortunately some issues that may require manual intervention or operator choices. See this document for information on resolving these issues:
Building a binary
See this guide for instructions on building and distributing the installer yourself.
As a Rust library
The Determinate Nix Installer is available as a standard Rust library. See this guide for instructions on using the library in your own Rust code.
Accessing other versions
You can pin to a specific version of Determinate Nix Installer by modifying the download URL. Here's an example:
VERSION="v0.6.0" curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/${VERSION} | \ sh -s -- install
To discover which versions are available, or download the binaries for any release, check the Github Releases.
Each installer version has an associated supported nix version—if you pin the installer version, you'll also indirectly pin to the associated nix version.
You can also override the Nix version using --nix-package-url or NIX_INSTALLER_NIX_PACKAGE_URL= but doing this is not recommended since we haven't tested that combination.
Here are some example Nix package URLs, including the Nix version, OS, and architecture:
- https://releases.nixos.org/nix/nix-2.18.1/nix-2.18.1-x86_64-linux.tar.xz
- https://releases.nixos.org/nix/nix-2.18.1/nix-2.18.1-aarch64-darwin.tar.xz
Installation differences
Differing from the upstream Nix installer scripts:
- In
nix.conf:- the
nix-commandandflakesfeatures are enabled bash-prompt-prefixis setauto-optimise-storeis set totrue(On Linux only)always-allow-substitutesis set totrueextra-nix-pathis set tonixpkgs=flake:nixpkgsmax-jobsis set toautoupgrade-nix-store-path-urlis set tohttps://install.determinate.systems/nix-upgrade/stable/universal, to prevent unintentional downgrades.
- the
- an installation receipt (for uninstalling) is stored at
/nix/receipt.jsonas well as a copy of the install binary at/nix/nix-installer nix-channel --updateis not run,~/.nix-channelsis not provisionedssl-cert-fileis set in/etc/nix/nix.confif thessl-cert-fileargument is used.
Installer settings
Determinate Nix Installer provides a variety of configuration settings, some general and some on a per-command basis.
All settings are available via flags or via NIX_INSTALLER_* environment variables.
General settings
These settings are available for all commands.
| Flag(s) | Description | Default (if any) | Environment variable |
|---|---|---|---|
--log-directives | Tracing directives delimited by comma | NIX_INSTALLER_LOG_DIRECTIVES | |
--logger | Which logger to use (options are compact, full, pretty, and json) | compact | NIX_INSTALLER_LOGGER |
--verbose | Enable debug logs, (-vv for trace) | false | NIX_INSTALLER_VERBOSITY |
Installation (nix-installer install)
| Flag(s) | Description | Default (if any) | Environment variable |
|---|---|---|---|
--diagnostic-attribution | Relate the install diagnostic to a specific distinct user ID | NIX_INSTALLER_DIAGNOSTIC_ATTRIBUTION | |
--diagnostic-endpoint | The URL or file path for an installation diagnostic to be sent | NIX_INSTALLER_DIAGNOSTIC_ENDPOINT | |
--explain | Provide an explanation of the changes the installation process will make to your system | false | NIX_INSTALLER_EXPLAIN |
--extra-conf | Extra configuration lines for /etc/nix.conf | NIX_INSTALLER_EXTRA_CONF | |
--force | Whether the installer should forcibly recreate files it finds existing | false | NIX_INSTALLER_FORCE |
--init | Which init system to configure (if --init none Nix will be root-only) | launchd (macOS), systemd (Linux) | NIX_INSTALLER_INIT |
--nix-build-group-id | The Nix build group GID | 350 (macOS), 30000 (Linux) | NIX_INSTALLER_NIX_BUILD_GROUP_ID |
--nix-build-group-name | The Nix build group name | nixbld | NIX_INSTALLER_NIX_BUILD_GROUP_NAME |
--nix-build-user-count | The number of build users to create | 32 | NIX_INSTALLER_NIX_BUILD_USER_COUNT |
--nix-build-user-id-base | The Nix build user base UID (ascending) (NOTE: the first UID will be this base + 1) | 350 (macOS), 30000 (Linux) | NIX_INSTALLER_NIX_BUILD_USER_ID_BASE |
--nix-build-user-prefix | The Nix build user prefix (user numbers will be postfixed) | _nixbld (macOS), nixbld (Linux) | NIX_INSTALLER_NIX_BUILD_USER_PREFIX |
--nix-package-url | The Nix package URL | NIX_INSTALLER_NIX_PACKAGE_URL | |
--no-confirm | Run installation without requiring explicit user confirmation | false | NIX_INSTALLER_NO_CONFIRM |
--no-modify-profile | Modify the user profile to automatically load Nix. | true | NIX_INSTALLER_MODIFY_PROFILE |
--prefer-upstream-nix | Specify that you want the installer to install upstream Nix rather than Determinate Nix. Available until January 1, 2026. | false | NIX_INSTALLER_PREFER_UPSTREAM_NIX |
--proxy | The proxy to use (if any); valid proxy bases are https://$URL, http://$URL and socks5://$URL | NIX_INSTALLER_PROXY | |
--ssl-cert-file | An SSL cert to use (if any); used for fetching Nix and sets ssl-cert-file in /etc/nix/nix.conf | NIX_INSTALLER_SSL_CERT_FILE | |
--no-start-daemon | Start the daemon (if not --init none) | true | NIX_INSTALLER_START_DAEMON |
You can also specify a planner with the first argument:
nix-installer install <plan>
Alternatively, you can use the NIX_INSTALLER_PLAN environment variable:
NIX_INSTALLER_PLAN=<plan> nix-installer install
Uninstalling (nix-installer uninstall)
| Flag(s) | Description | Default (if any) | Environment variable |
|---|---|---|---|
--explain | Provide an explanation of the changes the installation process will make to your system | false | NIX_INSTALLER_EXPLAIN |
--no-confirm | Run installation without requiring explicit user confirmation | false | NIX_INSTALLER_NO_CONFIRM |
You can also specify an installation receipt as the first argument (the default is /nix/receipt.json):
nix-installer uninstall /path/to/receipt.json
Planning (nix-installer plan)
| Flag(s) | Description | Default (if any) | Environment variable |
|---|---|---|---|
--out-file | Where to write the generated plan (in JSON format) | /dev/stdout | NIX_INSTALLER_PLAN_OUT_FILE |
Repairing (nix-installer repair)
| Flag(s) | Description | Default (if any) | Environment variable |
|---|---|---|---|
--no-confirm | Run installation without requiring explicit user confirmation | false | NIX_INSTALLER_NO_CONFIRM |
Self-test (nix-installer self-test)
nix-installer self-test only takes general settings.
Installing upstream Nix
You can install upstream Nix by applying the --prefer-upstream-nix flag:
nix-installer install --prefer-upstream-nix
In GitHub Actions, you can install upstream Nix by using our nix-installer-action and setting determinate: false in your configuration:
- name: Install upstream Nix uses: DeterminateSystems/nix-installer-action@main with: determinate: false
Diagnostics
The goal of Determinate Nix Installer is to successfully and correctly install Nix.
The curl | sh pipeline and the installer collects a little bit of anonymous diagnostic information to help us make that true.
The anonymous diagnostics we collect to help us improve the installer includes:
- The installer version
- Which planner is used (
linux,macos,steam-deck) - What action was taken (install, uninstall)
- The result (
Success,Failure,Pending, orCancelled) - The customized planner setting names (not the values)
- Information about your host, like the OS and version, architecture, binary format, etc.
- Whether you're in CI or not
- A high level description of what the failure was, like if a specific command failed.
To disable diagnostic reporting, set the diagnostics URL to an empty string by passing --diagnostic-endpoint="" or setting NIX_INSTALLER_DIAGNOSTIC_ENDPOINT="".
You can read the full privacy policy for Determinate Systems, the creators of Determinate Nix Installer, here.
Footnotes
-
A bit of history: Determinate Nix Installer is Determinate Systems' longest-running project as a company. We've gone on to build many other things, like FlakeHub, FlakeHub Cache, and Determinate Secure Packages, but this is where it all started! ↩