# Default nix-darwin host. Minimal macOS baseline; the user environment
# (shell, git, editor) is carried by the shared ./lyrathorpe/home modules,
# the same ones used by the Linux hosts. nixpkgs.hostPlatform is set by
# mkDarwinHost in flake.nix.
#
# Module arguments: `pkgs` is the nixpkgs package set; `username` is the
# account name used below for system.primaryUser and nix-homebrew.user
# (presumably passed in by mkDarwinHost -- confirm in flake.nix).
#
# Two software sources with different trust properties are configured here:
# environment.systemPackages comes from nixpkgs, while everything under
# `homebrew` is fetched and upgraded by Homebrew at activation time.
{ pkgs, username, ... }:
{
programs.zsh.enable = true;
# Install the Nerd Font into /Library/Fonts so iTerm2 can use it (set it in
# iTerm2 -> Settings -> Profiles -> Text -> Font: "JetBrainsMono Nerd Font").
# Provides the powerline/Nerd glyphs the tmux statusline draws.
fonts.packages = [ pkgs.nerd-fonts.jetbrains-mono ];
# CLI tooling sourced from nixpkgs instead of Homebrew formulae. Pure library
# dependencies are omitted; nix pulls them into closures automatically.
environment.systemPackages = with pkgs; [
# Build & toolchain
autoconf
automake
cmake
coreutils
gcc
gettext
gnumake
pkgconf
ruby
zig
# Version control & dev workflow
pre-commit
deno
opentofu
# Compression
lz4
p7zip
xz
zstd
# Crypto & networking
# NOTE(review): these come from the nixpkgs revision the flake selects, so
# security fixes for gnupg/gnutls/openssl only land when that input is
# bumped and the host is rebuilt -- keep the input reasonably fresh.
gnupg
gnutls
openssl
pinentry_mac
unbound
wget
# Media
ffmpeg
svt-av1
yt-dlp
# Graphics / Vulkan / SDL
glslang
moltenvk
spirv-tools
vulkan-loader
vulkan-tools
SDL2
sdl3
# Embedded
esptool
picotool
# Misc utilities
f3
gnused
lua5_4
magic-wormhole
ncurses
mas
sqlite
];
# Account that runs user-level activation and Homebrew.
system.primaryUser = username;
# nix-homebrew owns and installs the Homebrew prefix declaratively, so brew
# itself no longer needs a manual bootstrap. enableRosetta permits x86_64
# formulae via Rosetta 2 on Apple Silicon. autoMigrate lets nix-homebrew take
# over a Homebrew installation that already exists on the machine.
# NOTE(review): no taps are pinned here, so formula and cask definitions are
# whatever Homebrew fetches at run time. nix-homebrew can take taps from
# flake inputs together with `mutableTaps = false` to pin them; that needs
# inputs declared in flake.nix, which is not visible from this file.
nix-homebrew = {
autoMigrate = true;
enable = true;
enableRosetta = true;
user = username;
};
# Declarative Homebrew for packages with no nixpkgs equivalent or that must be
# the vendor build (GUI casks).
homebrew = {
enable = true;
onActivation = {
# autoUpdate + upgrade: each activation refreshes Homebrew's metadata and
# upgrades installed packages to the current upstream versions. That keeps
# vendor apps patched, but the brew-managed part of this host is not
# reproducible from the flake, and a rebuild can pull in new vendor code.
# Set both to false if rebuilds must be deterministic.
autoUpdate = true;
upgrade = true;
# Lists below are authoritative: anything not declared is uninstalled.
# "zap" goes further than "uninstall": Homebrew also removes the files it
# associates with a dropped cask (preferences, caches, app data), so
# deleting a line below is destructive at the next activation.
cleanup = "zap";
};
taps = [ ];
# Formulae kept on brew: vendor PWA host and version-pinned toolchains that
# are simpler to track via brew than to match exactly in nixpkgs.
brews = [
"firefoxpwa"
"llvm@21"
"lld@21"
"python@3.14"
"dosbox-staging"
];
# GUI applications. macOS app bundles are managed as casks; nixpkgs darwin
# GUI support is unreliable, so these stay on brew for continuity.
# NOTE(review): casks are vendor-built binaries installed outside the Nix
# store; their integrity rests on Homebrew's cask definitions and the
# vendors' code signing rather than on anything pinned by the flake. Some
# entries (e.g. macfuse, virtualbox) are expected to install system-level
# components -- review additions to this list like any other privileged
# software install.
casks = [
"alfred"
"android-platform-tools"
"angry-ip-scanner"
"arduino-ide"
"autodesk-fusion"
"bambu-studio"
"bitwarden"
"citrix-workspace"
"curseforge"
"discord"
"firefox"
"freecad"
"gcc-arm-embedded"
"google-chrome"
"istat-menus"
"iterm2"
"macfuse"
"microsoft-teams"
"nextcloud"
"obs"
"omnidisksweeper"
"openscad@snapshot"
"orcaslicer"
"plex"
"plexamp"
"postman"
"signal"
"steam"
"thunderbird"
"virtualbox"
"visual-studio-code"
"vnc-viewer"
"vscodium"
"winbox"
];
# Mac App Store apps are not managed declaratively: nix-darwin 26.05 forces
# activation to run as root, and `mas` cannot reach the App Store session
# from root, so installs silently fail. Install them by hand with
# `mas install <id>` from a GUI Terminal (the `mas` CLI is in
# environment.systemPackages above).
};
# Touch ID authorises sudo (and darwin-rebuild's sudo prompt) instead of a
# typed password. sudo_local keeps the change in /etc/pam.d/sudo_local so it
# survives macOS updates. reattach pulls in pam_reattach: pam_tid (Touch ID)
# otherwise fails inside tmux/screen because the process is detached from the
# GUI login session -- and terminals here auto-start tmux, so it is required.
#
# Security note: with touchIdAuth, a successful Touch ID match is enough for
# sudo, so every fingerprint enrolled on this Mac can authorise root; the
# typed password remains the fallback when Touch ID is unavailable
# (presumably also for SSH sessions -- confirm). reattach adds the
# pam_reattach module to the same auth stack, so it is part of the privileged
# authentication path and should be kept current along with nixpkgs.
security.pam.services.sudo_local = {
touchIdAuth = true;
reattach = true;
};
# Declarative macOS UI defaults -- the main reason to run nix-darwin beyond
# package management. Applied on activation; all reversible.
system.defaults = {
dock = {
show-recents = false;
mru-spaces = false; # don't reorder spaces by use
};
finder = {
# Showing real extensions also makes disguised file types easier to spot.
AppleShowAllExtensions = true;
ShowPathbar = true;
FXPreferredViewStyle = "Nlsv"; # list view
_FXShowPosixPathInTitle = true;
};
NSGlobalDomain = {
AppleInterfaceStyle = "Dark";
ApplePressAndHoldEnabled = false; # key-repeat instead of the accent popup
InitialKeyRepeat = 15; # delay before repeat starts; lower is shorter
KeyRepeat = 2; # interval between repeats; lower is faster
};
trackpad = {
Clicking = true; # tap to click
TrackpadThreeFingerDrag = true;
};
};
# Used for backwards compatibility; read `darwin-rebuild changelog` before changing.
system.stateVersion = 5;
}