Nixos is a declarative OS, which means it provides reliable and atomic updates. but nix(os) is more than that, it's also a package manager. and this declarative operation allows identical rebuildability and reproducibility.
Our aim here is not to revolutionize anything, but to be as efficient as possible in order to have a fast and reliable pentesting machine, so to avoid any cumbersome and tedious installation, we've automated everything. This applies to both VM installation and the installation of Nixos configuration files, which have been made modular.
- Native format (just nixos).
- Not provided but prepared for that.
- Already provisioned. (with Offensive tools)
Note
In either case if you modify the vagrantfile in the right way you should be able to either provision yourself with your specific packages, or add packages to the version already provisioned, just modify the configuration files in modules folder.
Caution
For the NixOffsec part, you need at least 40g of available space, the OS alone = 30g, in flexible disk by default I've given it 70g.
Of course, as a prerequisite, you need vagrant and the plugins linked to it.
Vagrant
For Vmware the desktop plugin are necessary
vagrant plugin install vagrant-vmware-desktop
You only need the Vagrantfile and vagrant to install the machines.
and in the folder where you had copied the Vagrantfile you can run one of the following commands, depending on your provider and what you want to do !
vagrant up nixos-vbox
vagrant up nixos-vmware
vagrant up nixos-vbox-offsec
vagrant up nixos-vmware-offsec
vagrant up nixOffsec-vbox
vagrant up nixOffsec-vmware
We've added the possibility of installing the C2 sliver, you just have to uncomment a few lines in the Vagrantfile.
- It will clone this repository
- Overwrite the config files to update the configuration
- Install sliver
You can also find our configuration files for the “native” version in the folder native-nixos-conf.
The manual box-building method here. 
Yes, we know that packer exists and that it allows you to create iso's or provision methods for boxes, but for nixos the methodology is too daunting and cumbersome for nothing.
Knowing that, the updates are without real risk, and that they are atomic you don't need to recreate the whole thing for each update, even major ones.
Note
In fact, you could just do it once and update declaratively, and it would be exactly the same.
That's one of the strength of Nixos: you can now say "it works on my machine" without being insulted.
Inspired by work of fabaff (thank's a lot for his contribution to the nix security packages 🙏)
Also inspired by the nix-community work and in particular the nixbox project