NixOS Cheatsheet

Install, update, and manage cli.johlem.net tools on NixOS / Nix

Flake URL

All tools are distributed as a single Nix flake tarball — no GitHub required.

tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz

Available packages: urlrecon, lexharvest, shard, socq, webharvest, payloadforge, vlanrecon, wifiaudit, casper, ubdem, specter, pentree, cidrcalc, b64chain, regexlab, hashcrackref, logtimeline, speedtest-cli, skyrecon, ohm, jcli, mailforge, esptools, phishprobe, openclaw, credsweep, hostwatch, darkrecon, avwatch, stegcrypt, kage, jfind, yttranscript, mediagrab, glasswatch

Quick Install (one tool)

Try without installing

nix run "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz#b64chain" -- --help

Install to user profile

nix profile install "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz#b64chain"

Install multiple tools

nix profile install \
  "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz#jcli" \
  "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz#urlrecon" \
  "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz#hashcrackref"

NixOS System Configuration

Add the flake to your system flake.nix for declarative management.

1. Add input

# /etc/nixos/flake.nix (or wherever your system flake lives)
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    cli-johlem.url = "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz";
  };

  outputs = { nixpkgs, cli-johlem, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        {
          nixpkgs.overlays = [ cli-johlem.overlays.default ];
        }
      ];
    };
  };
}

2. Add tools to system packages

# configuration.nix
{ pkgs, ... }:
{
  environment.systemPackages = with pkgs.cli-johlem; [
    jcli
    urlrecon
    credsweep
    socq
    hashcrackref
    logtimeline
    regexlab
    shard
    # add any tools you need — see Available Tools below
  ];
}

3. Apply

sudo nixos-rebuild switch

Home Manager

For per-user installs via Home Manager.

# home.nix
{ pkgs, ... }:
{
  home.packages = with pkgs.cli-johlem; [
    b64chain
    cidrcalc
    urlrecon
  ];
}

Dev Shell (per-project)

Add tools to a project-specific dev environment without installing globally.

# Any project flake.nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    cli-johlem.url = "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz";
  };

  outputs = { nixpkgs, cli-johlem, ... }:
    let
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      tools = cli-johlem.packages.x86_64-linux;
    in {
      devShells.x86_64-linux.default = pkgs.mkShell {
        packages = [
          tools.urlrecon
          tools.credsweep
        ];
      };
    };
}

nix develop  # drops you into a shell with those tools on PATH

Updates

Method                   Command
NixOS system             nix flake update cli-johlem && sudo nixos-rebuild switch
User profile             nix profile upgrade '.*'
Single tool              nix profile upgrade cli-johlem
Force refresh (nix run)  nix run --refresh "tarball+...#tool"

The flake tarball URL is stable (cli-johlem-net-latest.tar.gz). Running nix flake update fetches the newest version and updates flake.lock.

Uninstall

From profile

# List installed packages
nix profile list

# Remove by index (shown in list output)
nix profile remove <index>

From system config

Remove the tool from environment.systemPackages and run sudo nixos-rebuild switch.

Nix Command Cheatsheet

Task                             Command
Rebuild system                   sudo nixos-rebuild switch
Rebuild (test, no boot entry)    sudo nixos-rebuild test
Update all flake inputs          nix flake update
Update one input                 nix flake update cli-johlem
Show flake info                  nix flake show "tarball+https://cli.johlem.net/releases/cli-johlem-net-latest.tar.gz"
List available packages          nix flake show "tarball+...#" 2>&1 | grep packages
Garbage collect old generations  nix-collect-garbage -d
List generations                 nix profile history
Rollback to previous generation  nix profile rollback
Check store integrity            nix store verify --all

Enable Flakes (if not already)

Flakes require experimental features. Add this to your NixOS config:

# configuration.nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];

Or pass the flag per-command:

nix --extra-experimental-features 'nix-command flakes' run "tarball+...#b64chain"

Troubleshooting

Problem                                           Fix
error: experimental feature 'flakes' is disabled  Add nix.settings.experimental-features = [ "nix-command" "flakes" ]; to configuration.nix and rebuild
Tool not found after nixos-rebuild                Verify the overlay is applied and the tool is listed in environment.systemPackages
Old version after flake update                    Run nix flake update cli-johlem to refresh the lock, then rebuild
Hash mismatch on tarball                          Clear eval cache: rm -rf ~/.cache/nix/ and retry
Disk space (Nix store full)                       nix-collect-garbage -d removes old generations

Available Tools

Package        Version  Description
urlrecon       v1.7.0   Async multi-module URL / domain reconnaissance
lexharvest     v1.0.1   Ranked wordlist generator with CeWL-style mutations + pentest boost
shard          v1.10.0  Storage Health, Audit & Recovery Device
socq           v1.3.1   SOC query translator — daily hunting intents to KQL + AQL, with a built-in Windows event-ID catalogue
webharvest     v1.0.1   Web asset extractor and link harvester for OSINT and reconnaissance
payloadforge   v1.2.1   Obfuscated payload generator for authorized penetration testing
vlanrecon      v1.1.1   Layer 2 VLAN security assessment — Cisco IOS / Arista EOS / Juniper Junos
wifiaudit      v1.1.1   Wi-Fi audit toolkit — passive scan, authorized pentest, defense
casper         v1.0.1   Privacy stack + engagement security CLI with 4 levels, real-time monitor, and hard kill-switch
ubdem          v1.0.1   Offline browser fingerprinting analyzer with Ed25519 + HMAC signed evidence
specter        v1.0.1   Forensic CLI: parallel hashing + ssdeep, native metadata, signed evidence, cluster + triage
pentree        v1.1.1   Walk pentest methodology trees, step by step
cidrcalc       v1.0.1   Subnet calculator, IP range expander, and CIDR notation tool
b64chain       v1.0.2   Multi-stage encoder/decoder for chained encoding operations
regexlab       v2.0.1   CLI regex toolkit: tester, builder, transformer + benchmark/fuzz/diff/audit
hashcrackref   v1.0.1   Hash identification and cracking command reference (does NOT crack)
logtimeline    v1.0.1   CLI timestamp normaliser, converter, and incident-response timeline builder
speedtest-cli  v1.1.1   Multi-stream internet speed test with bufferbloat + watch mode
skyrecon       v1.0.1   OSINT CLI for aircraft + vessels — race-not-fallback sources, proximity, geofence, PDF
ohm            v1.0.1   Electronics & hardware reference CLI: calc, power, id, pcb, thermal, rf, ref, safe
jcli           v1.5.0   cli.johlem.net suite manager — install / remove / list / run / update
mailforge      v1.0.2   Red-team mail operations toolkit — pixel beacons, landing pages, delivery testing, SPF/DKIM/DMARC offensive analysis, OSINT email harvesting, template variation
esptools       v2.0.2   ESP32 hardware security assessment toolkit — device management, blue-team monitors, red-team audits, forensics, reporting
phishprobe     v1.3.2   Phishing detection — URLs, domains, emails, headers
openclaw       v1.0.1   Phishing takedown pipeline (detect → abuse mail → approve → send)
credsweep      v1.2.2   Credential / secret scanner for files, dirs, stdin, and git history
hostwatch      v1.0.2   Continuous host monitoring — availability, TLS expiry, DNS changes
darkrecon      v1.2.1   Dark-web / OSINT reconnaissance for threat intelligence
avwatch        v1.2.2   File integrity monitoring + YARA-lite scan + event-driven file routing
stegcrypt      v1.0.1   Professional steganography with AEAD encryption and K-of-N threshold split
kage           v1.0.0   Realtime computer monitoring with live connection watch and one-key block
jfind          v1.0.0   Canonical findings + evidence schema — Ed25519-signed, Merkle-rooted, deterministic JSON
yttranscript   v1.0.0   Fetch any YouTube video transcript to a .txt file — no API key, no auth, no async runtime
mediagrab      v1.0.0   Generic web media downloader — find video/audio on any standards-compliant page, save as open-source container
glasswatch     v1.0.0   Passive BLE scanner for smart-glasses manufacturer IDs (Meta, EssilorLuxottica, Snap)

How It Works

# Architecture (prebuilt, signed Rust binaries)
cli.johlem.net/releases/cli-johlem-net-latest.tar.gz   # ~6 KB
  ├── flake.nix              # package set — one derivation per tool
  ├── flake.lock             # pinned nixpkgs for reproducibility
  ├── johlem-release.pub     # signify pubkey (out-of-band audit)
  └── tools/
      ├── jcli/manifest.json       # url + sha256 + size + signature URL
      ├── urlrecon/manifest.json
      ├── shard/manifest.json
      └── ...                      # one per tool, ~500 bytes each

# When you `nix build .#urlrecon`:
# 1. Nix reads tools/urlrecon/manifest.json to learn the binary URL + SHA-256
# 2. fetchurl downloads cli.johlem.net/tools/urlrecon/releases/urlrecon-vX.Y.Z-linux-x86_64-glibc
# 3. Nix verifies the SHA-256 (build fails on mismatch)
# 4. The binary is installed at /nix/store/...-urlrecon-X.Y.Z/bin/urlrecon

No compilation, no Python, no virtualenvs. The flake fetches the same signify-signed binary the curl install.sh path uses, and Nix's fetchurl enforces the SHA-256 pin committed in manifest.json. The pubkey ships alongside so you can run signify -V out of band if you want a second integrity check.
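
The integrity path described above (manifest pin first, then an optional signify check), as an added example that is not part of the original page or the project's own code: a POSIX shell function that checks a downloaded binary against its manifest and fails closed when a pin is missing. The manifest key names sha256 and size, the hex encoding of the hash, and the sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not the project's code): out-of-band check of a downloaded
# tool binary against its manifest, mirroring what fetchurl enforces.
# ASSUMPTION: manifest.json is a flat JSON object with keys "sha256" (hex)
# and "size" (bytes); the page lists the fields but not their exact names.

# json_field <file> <key>: print the value of a top-level string/number key
json_field() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# verify_binary <manifest> <binary> [<pubkey> <sigfile>]
# 0 = ok, 1 = size mismatch, 2 = SHA-256 mismatch, 3 = bad signature,
# 4 = manifest lacks a pin (fail closed instead of skipping the check)
verify_binary() {
  want_hash=$(json_field "$1" sha256 | tr 'A-F' 'a-f')
  want_size=$(json_field "$1" size)
  if [ -z "$want_hash" ] || [ -z "$want_size" ]; then return 4; fi
  have_size=$(wc -c < "$2" | tr -d ' ')
  [ "$have_size" = "$want_size" ] || return 1
  have_hash=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$have_hash" = "$want_hash" ] || return 2
  # Optional second check with the shipped pubkey (signify -V, as on the page)
  if [ -n "${3:-}" ]; then
    signify -V -p "$3" -m "$2" -x "${4:-}" >/dev/null 2>&1 || return 3
  fi
  return 0
}

# make_sample <dir>: constructed stand-in for a release binary + manifest
make_sample() {
  printf 'constructed sample binary\n' > "$1/tool"
  printf '{\n  "url": "https://example.invalid/tool",\n  "sha256": "%s",\n  "size": %s\n}\n' \
    "$(sha256sum "$1/tool" | cut -d' ' -f1)" \
    "$(wc -c < "$1/tool" | tr -d ' ')" > "$1/manifest.json"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
rc=0; verify_binary "$demo_dir/manifest.json" "$demo_dir/tool" || rc=$?
echo "untouched binary: $rc"
printf 'X' | dd of="$demo_dir/tool" bs=1 seek=0 conv=notrunc 2>/dev/null  # same size, new bytes
rc=0; verify_binary "$demo_dir/manifest.json" "$demo_dir/tool" || rc=$?
echo "tampered binary:  $rc"
rm -rf "$demo_dir"
```

Pass the extracted johlem-release.pub and the downloaded signature file as the third and fourth arguments to add the signify check on top of the hash pin.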

Nix vs curl|bash Install

                 curl|bash                       Nix flake
Works on         Linux x86_64 (glibc)            NixOS / Nix on Linux x86_64
Binary source    Same signed release             Same signed release
Integrity        SHA-256 + signify               SHA-256 (Nix) + signify (manual)
Reproducible     Yes (pinned binary)             Yes (pinned binary + pinned nixpkgs)
Rollback         Manual (reinstall old version)  nix profile rollback
Isolation        ~/.local/bin                    /nix/store (immutable)
Multi-user       Per-user only                   System-wide or per-user
Declarative      No                              Yes (in flake.nix)
Offline rebuild  No                              Yes (from store cache)

Both methods install the same signify-signed Rust binary from cli.johlem.net — no GitHub, no third-party registry.

These tools are provided as-is with no warranty. Use at your own risk. Intended for authorized security testing, research, and educational purposes only.