system/machine/Darwin/configuration.nix

# Default nix-darwin host. Minimal macOS baseline; the user environment
# (shell, git, editor) is carried by the shared ./lyrathorpe/home modules,
# the same ones used by the Linux hosts. nixpkgs.hostPlatform is set by
# mkDarwinHost in flake.nix.
{ pkgs, username, ... }:
{
  programs.zsh.enable = true;

  # Install the Nerd Font into /Library/Fonts so iTerm2 can use it (set it in
  # iTerm2 -> Settings -> Profiles -> Text -> Font: "JetBrainsMono Nerd Font").
  # Provides the powerline/Nerd glyphs the tmux statusline draws.
  fonts.packages = [ pkgs.nerd-fonts.jetbrains-mono ];

  # CLI tooling sourced from nixpkgs instead of Homebrew formulae. Pure library
  # dependencies are omitted; nix pulls them into closures automatically.
  environment.systemPackages = with pkgs; [
    # Build & toolchain
    autoconf
    automake
    cmake
    coreutils
    gcc
    gettext
    gnumake
    pkgconf
    ruby
    zig
    # Version control & dev workflow
    pre-commit
    deno
    opentofu
    # Compression
    lz4
    p7zip
    xz
    zstd
    # Crypto & networking
    gnupg
    gnutls
    openssl
    pinentry_mac
    unbound
    wget
    # Media
    ffmpeg
    svt-av1
    yt-dlp
    # Graphics / Vulkan / SDL
    glslang
    moltenvk
    spirv-tools
    vulkan-loader
    vulkan-tools
    SDL2
    sdl3
    # Embedded
    esptool
    picotool
    # Misc utilities
    f3
    gnused
    lua5_4
    magic-wormhole
    ncurses
    mas
    sqlite
  ];

  # Account that runs user-level activation and Homebrew.
  system.primaryUser = username;

  # nix-homebrew owns and installs the Homebrew prefix declaratively, so brew
  # itself no longer needs a manual bootstrap. enableRosetta permits x86_64
  # formulae via Rosetta 2 on Apple Silicon.
  nix-homebrew = {
    autoMigrate = true;
    enable = true;
    enableRosetta = true;
    user = username;
  };

  # Declarative Homebrew for packages with no nixpkgs equivalent or that must be
  # the vendor build (GUI casks, Mac App Store apps).
  homebrew = {
    enable = true;
    onActivation = {
      autoUpdate = true;
      upgrade = true;
      # Lists below are authoritative: anything not declared is uninstalled.
      cleanup = "zap";
    };
    taps = [ ];
    # Formulae kept on brew: vendor PWA host and version-pinned toolchains that
    # are simpler to track via brew than to match exactly in nixpkgs.
    brews = [
      "firefoxpwa"
      "llvm@21"
      "lld@21"
      "python@3.14"
    ];
    # GUI applications. macOS app bundles are managed as casks; nixpkgs darwin
    # GUI support is unreliable, so these stay on brew for continuity.
    casks = [
      "alfred"
      "android-platform-tools"
      "angry-ip-scanner"
      "arduino-ide"
      "autodesk-fusion"
      "bambu-studio"
      "bitwarden"
      "citrix-workspace"
      "curseforge"
      "discord"
      "firefox"
      "freecad"
      "gcc-arm-embedded"
      "google-chrome"
      "istat-menus"
      "iterm2"
      "macfuse"
      "microsoft-teams"
      "nextcloud"
      "obs"
      "omnidisksweeper"
      "openscad@snapshot"
      "orcaslicer"
      "plex"
      "plexamp"
      "postman"
      "signal"
      "steam"
      "thunderbird"
      "virtualbox"
      "visual-studio-code"
      "vnc-viewer"
      "vscodium"
      "winbox"
    ];
    masApps = {
      Amphetamine = 937984704;
      "Apple Configurator" = 1037126344;
      "Game Controller Tester" = 1500593102;
      "Home Assistant" = 1099568401;
      Infuse = 1136220934;
      Keynote = 409183694;
      Numbers = 409203825;
      Pages = 409201541;
      PDFgear = 6469021132;
      PL2303Serial = 1624835354;
      WireGuard = 1451685025;
    };
  };

  # Touch ID authorises sudo (and darwin-rebuild's sudo prompt) instead of a
  # typed password. sudo_local keeps the change in /etc/pam.d/sudo_local so it
  # survives macOS updates.
  security.pam.services.sudo_local.touchIdAuth = true;

  # Declarative macOS UI defaults -- the main reason to run nix-darwin beyond
  # package management. Applied on activation; all reversible.
  system.defaults = {
    dock = {
      autohide = true;
      show-recents = false;
      mru-spaces = false; # don't reorder spaces by use
      tilesize = 48;
    };
    finder = {
      AppleShowAllExtensions = true;
      ShowPathbar = true;
      FXPreferredViewStyle = "Nlsv"; # list view
      _FXShowPosixPathInTitle = true;
    };
    NSGlobalDomain = {
      AppleInterfaceStyle = "Dark";
      ApplePressAndHoldEnabled = false; # key-repeat instead of the accent popup
      InitialKeyRepeat = 15;
      KeyRepeat = 2;
    };
    trackpad = {
      Clicking = true; # tap to click
      TrackpadThreeFingerDrag = true;
    };
  };

  # Used for backwards compatibility; read `darwin-rebuild changelog` before changing.
  system.stateVersion = 5;
}
feat(darwin): add nix-darwin support with a default macOS host 2026-06-02 15:46:19 +00:00			`# Default nix-darwin host. Minimal macOS baseline; the user environment`
			`# (shell, git, editor) is carried by the shared ./lyrathorpe/home modules,`
			`# the same ones used by the Linux hosts. nixpkgs.hostPlatform is set by`
			`# mkDarwinHost in flake.nix.`
feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`{ pkgs, username, ... }:`
feat(darwin): add nix-darwin support with a default macOS host 2026-06-02 15:46:19 +00:00			`{`
			`programs.zsh.enable = true;`
feat(darwin): declare brew/nixpkgs packages for macOS continuity 2026-06-02 16:08:53 +00:00
feat(fonts): JetBrains Mono Nerd Font on every host 2026-06-10 14:08:06 +01:00			`# Install the Nerd Font into /Library/Fonts so iTerm2 can use it (set it in`
			`# iTerm2 -> Settings -> Profiles -> Text -> Font: "JetBrainsMono Nerd Font").`
			`# Provides the powerline/Nerd glyphs the tmux statusline draws.`
			`fonts.packages = [ pkgs.nerd-fonts.jetbrains-mono ];`

feat(darwin): declare brew/nixpkgs packages for macOS continuity 2026-06-02 16:08:53 +00:00			`# CLI tooling sourced from nixpkgs instead of Homebrew formulae. Pure library`
			`# dependencies are omitted; nix pulls them into closures automatically.`
			`environment.systemPackages = with pkgs; [`
			`# Build & toolchain`
			`autoconf`
			`automake`
			`cmake`
			`coreutils`
			`gcc`
			`gettext`
			`gnumake`
			`pkgconf`
			`ruby`
			`zig`
			`# Version control & dev workflow`
			`pre-commit`
			`deno`
			`opentofu`
			`# Compression`
			`lz4`
			`p7zip`
			`xz`
			`zstd`
			`# Crypto & networking`
			`gnupg`
			`gnutls`
			`openssl`
			`pinentry_mac`
			`unbound`
			`wget`
			`# Media`
			`ffmpeg`
			`svt-av1`
			`yt-dlp`
			`# Graphics / Vulkan / SDL`
			`glslang`
			`moltenvk`
			`spirv-tools`
			`vulkan-loader`
			`vulkan-tools`
			`SDL2`
			`sdl3`
			`# Embedded`
			`esptool`
			`picotool`
			`# Misc utilities`
			`f3`
			`gnused`
			`lua5_4`
			`magic-wormhole`
			`ncurses`
feat: add mas 2026-06-02 17:33:06 +01:00			`mas`
feat(darwin): declare brew/nixpkgs packages for macOS continuity 2026-06-02 16:08:53 +00:00			`sqlite`
			`];`
feat(darwin): add nix-darwin support with a default macOS host 2026-06-02 15:46:19 +00:00
feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`# Account that runs user-level activation and Homebrew.`
			`system.primaryUser = username;`

feat(darwin): wire nix-homebrew and make Homebrew authoritative 2026-06-02 15:56:37 +00:00			`# nix-homebrew owns and installs the Homebrew prefix declaratively, so brew`
			`# itself no longer needs a manual bootstrap. enableRosetta permits x86_64`
			`# formulae via Rosetta 2 on Apple Silicon.`
			`nix-homebrew = {`
fix: enable homebrew auto-migrate 2026-06-02 17:21:48 +01:00			`autoMigrate = true;`
feat(darwin): wire nix-homebrew and make Homebrew authoritative 2026-06-02 15:56:37 +00:00			`enable = true;`
			`enableRosetta = true;`
			`user = username;`
			`};`

feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`# Declarative Homebrew for packages with no nixpkgs equivalent or that must be`
feat(darwin): wire nix-homebrew and make Homebrew authoritative 2026-06-02 15:56:37 +00:00			`# the vendor build (GUI casks, Mac App Store apps).`
feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`homebrew = {`
			`enable = true;`
			`onActivation = {`
			`autoUpdate = true;`
			`upgrade = true;`
feat(darwin): wire nix-homebrew and make Homebrew authoritative 2026-06-02 15:56:37 +00:00			`# Lists below are authoritative: anything not declared is uninstalled.`
			`cleanup = "zap";`
feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`};`
			`taps = [ ];`
feat(darwin): declare brew/nixpkgs packages for macOS continuity 2026-06-02 16:08:53 +00:00			`# Formulae kept on brew: vendor PWA host and version-pinned toolchains that`
			`# are simpler to track via brew than to match exactly in nixpkgs.`
			`brews = [`
			`"firefoxpwa"`
			`"llvm@21"`
			`"lld@21"`
			`"python@3.14"`
			`];`
			`# GUI applications. macOS app bundles are managed as casks; nixpkgs darwin`
			`# GUI support is unreliable, so these stay on brew for continuity.`
			`casks = [`
			`"alfred"`
			`"android-platform-tools"`
			`"angry-ip-scanner"`
			`"arduino-ide"`
			`"autodesk-fusion"`
			`"bambu-studio"`
			`"bitwarden"`
			`"citrix-workspace"`
			`"curseforge"`
			`"discord"`
			`"firefox"`
			`"freecad"`
			`"gcc-arm-embedded"`
			`"google-chrome"`
			`"istat-menus"`
			`"iterm2"`
			`"macfuse"`
			`"microsoft-teams"`
			`"nextcloud"`
			`"obs"`
			`"omnidisksweeper"`
			`"openscad@snapshot"`
			`"orcaslicer"`
			`"plex"`
			`"plexamp"`
			`"postman"`
			`"signal"`
			`"steam"`
			`"thunderbird"`
			`"virtualbox"`
			`"visual-studio-code"`
			`"vnc-viewer"`
			`"vscodium"`
			`"winbox"`
			`];`
feat(darwin): declare Mac App Store apps 2026-06-02 16:31:02 +00:00			`masApps = {`
			`Amphetamine = 937984704;`
			`"Apple Configurator" = 1037126344;`
			`"Game Controller Tester" = 1500593102;`
feat: also include hass and infuse 2026-06-02 17:34:46 +01:00			`"Home Assistant" = 1099568401;`
			`Infuse = 1136220934;`
feat(darwin): declare Mac App Store apps 2026-06-02 16:31:02 +00:00			`Keynote = 409183694;`
			`Numbers = 409203825;`
			`Pages = 409201541;`
			`PDFgear = 6469021132;`
			`PL2303Serial = 1624835354;`
			`WireGuard = 1451685025;`
			`};`
feat(darwin): enable declarative Homebrew on the macOS host 2026-06-02 15:50:21 +00:00			`};`

feat(darwin): declarative macOS defaults + Touch-ID sudo 2026-06-10 16:44:53 +01:00			`# Touch ID authorises sudo (and darwin-rebuild's sudo prompt) instead of a`
			`# typed password. sudo_local keeps the change in /etc/pam.d/sudo_local so it`
			`# survives macOS updates.`
			`security.pam.services.sudo_local.touchIdAuth = true;`

			`# Declarative macOS UI defaults -- the main reason to run nix-darwin beyond`
			`# package management. Applied on activation; all reversible.`
			`system.defaults = {`
			`dock = {`
			`autohide = true;`
			`show-recents = false;`
			`mru-spaces = false; # don't reorder spaces by use`
			`tilesize = 48;`
			`};`
			`finder = {`
			`AppleShowAllExtensions = true;`
			`ShowPathbar = true;`
			`FXPreferredViewStyle = "Nlsv"; # list view`
			`_FXShowPosixPathInTitle = true;`
			`};`
			`NSGlobalDomain = {`
			`AppleInterfaceStyle = "Dark";`
			`ApplePressAndHoldEnabled = false; # key-repeat instead of the accent popup`
			`InitialKeyRepeat = 15;`
			`KeyRepeat = 2;`
			`};`
			`trackpad = {`
			`Clicking = true; # tap to click`
			`TrackpadThreeFingerDrag = true;`
			`};`
			`};`

feat(darwin): add nix-darwin support with a default macOS host 2026-06-02 15:46:19 +00:00			# Used for backwards compatibility; read `darwin-rebuild changelog` before changing.
			`system.stateVersion = 5;`
			`}`