nix-agent is a local MCP server for trusted NixOS automation.
It works alongside mcp-nixos:
nix-agenthandles local inspection, patching, validation, and switchingmcp-nixoshandles package and option discovery
- a runnable stdio MCP server
- a Nix flake package and app
- a NixOS module at
nixosModules.default - a companion agent skill in
skills/nix-agent/ - example MCP host configs in
examples/
Paste this to a coding agent (Claude Code, opencode, etc.) and it will do the install for you:
Read https://raw.githubusercontent.com/JEFF7712/nix-agent/main/docs/agent-install.md and follow every step to install nix-agent on this NixOS system, install the companion skill, and register nix-agent in my MCP settings for this machine.
Add this flake input and module to your NixOS config:
{
inputs.nix-agent.url = "github:JEFF7712/nix-agent";
outputs = { nixpkgs, nix-agent, ... }: {
nixosConfigurations.my-host = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
nix-agent.nixosModules.default
({ ... }: {
programs.nix-agent.enable = true;
})
];
};
};
}Then rebuild:
sudo nixos-rebuild switch --flake .#my-hostThat installs the nix-agent binary.
Point your MCP host at:
{
"mcpServers": {
"nix-agent": {
"command": "nix-agent",
"args": []
}
}
}See examples/claude-code-mcp.json and examples/opencode-mcp.json.
Install or copy skills/nix-agent/ into your agent's skill directory.
Quick install:
./install-skill.sh opencodeThe MCP exposes the tools. The skill teaches the correct workflow.
nix-agent exposes two tools:
inspect_state(path)— read a local file.apply_patch_set(patch_set, flake_uri=None, mode="nixos")— write eachPatch(path, content), format any.nixfiles, and (whenflake_uriis given) validate then switch.mode="nixos"(default) runssudo nixos-rebuild dry-activatethenswitch.mode="home-manager"runshome-manager buildthenhome-manager switch(no sudo).- Returns
changed_files,rollback_generation,current_generation, command outputs, and astatus.
mcp-nixos handles package and option discovery.
- If you need package or option info, query
mcp-nixosfirst. - Build a
PatchSetofPatch(path, content)entries. - Call
apply_patch_set(patch_set, flake_uri="/etc/nixos#hostname")for NixOS, orapply_patch_set(patch_set, flake_uri="/path/to/flake#user@host", mode="home-manager")for Home Manager. - If anything looks wrong, recover via
sudo nixos-rebuild switch --rollback(NixOS) or by activating a previous Home Manager generation. The response includesrollback_generationfor reference.
You can also call apply_patch_set(PatchSet(patches=[]), flake_uri=...) with no patches to validate and switch the current flake state — useful after manual edits or to re-run a rebuild without writing any files.
On validation or switch failure the response includes a first_error field with the first error: line extracted from Nix's output, alongside the full log.
nix-agentdeliberately does not ship an in-MCP approval gate. Path restrictions belong in the host's permission system (e.g. Claude Code's allow/deny lists), and rollback safety belongs to Nix generations. Re-implementing either inside the MCP just adds friction without improving safety.- Do not write secret payloads through patches — reference secrets via
sops-nixoragenix. - v1 assumes a trusted local environment.
- Fully non-interactive apply requires privileged automation; see
docs/privileged-automation.md.
- release notes:
docs/releases/v0.1.0.md - skill docs:
skills/nix-agent/SKILL.md - examples:
examples/