This will help you boostrap a bare host with the help of the bespoke iso live installer.

Note: nothing prevents you from remotely executing the boostrapping process. See below.

Once your target host has booted into the live iso, you need to partition and format your disk according to the official manual.

Mount partitions

Then properly mount the formatted partitions at /mnt, so that you can install your system to those new partitions.

Mount nixos partition to /mnt and — for UEFI — boot partition to /mnt/boot:

$ mount /dev/disk/by-label/nixos /mnt
$ mkdir -p /mnt/boot && mount /dev/disk/by-label/boot /mnt/boot # UEFI only
$ swapon /dev/disk/by-label/swap

Add some extra space to the store. In the iso, it's running on a tmpfs off your RAM:

$ mkdir -p /mnt/tmpstore/{work,store}
$ mount -t overlay overlay -olowerdir=/nix/store,upperdir=/mnt/tmpstore/store,workdir=/mnt/tmpstore/work /nix/store


Install off of a copy of devos from the time the iso was built:

$ cd /iso/devos
$ nixos-install --flake .#NixOS

Notes of interest

Remote access to the live installer

The iso live installer comes preconfigured with a network configuration which announces it's hostname via MulticastDNS as hostname.local, that is bootstrap.local in the iso example.

In the rare case that MulticastDNS is not availabe or turned off in your network, there is a static link-local IPv6 address configured to fe80::47(mnemonic from the letter's position in the english alphabet: n=14 i=9 x=24; 47 = n+i+x).

Provided that you have added your public key to the authorized keys of the root user (hint: deploy-rs needs passwordless sudo access):

{ ... }:
  users.users.root.openssh.authorizedKeys.keyFiles = [

You can then ssh into the live installer through one of the following options:

ssh [email protected]

ssh [email protected]::47%eno1  # where eno1 is your network interface on which you are linked to the target

Note: the static link-local IPv6 address and MulticastDNS is only configured on the live installer. If you wish to enable MulticastDNS for your environment, you ought to configure that in a regular profile.

EUI-64 LLA & Host Identity

The iso's IPv6 Link Local Address (LLA) is configured with a static 64-bit Extended Unique Identifiers (EUI-64) that is derived from the host interface's Message Authentication Code (MAC) address.

After a little while (a few seconds), you can remotely discover this unique and host specific address over NDP for example with:

ip -6 neigh show # also shows fe80::47

This LLA is stable for the host, unless you need to swap that particular network card. Under this reservation, though, you may use this EUI-64 to wire up a specific (cryptographic) host identity.