{ description = "Example Darwin system flake"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; flake-utils.url = "github:numtide/flake-utils"; nix-darwin.url = "github:LnL7/nix-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; railbird-secrets = { url = "git+ssh://gitea@dev.railbird.ai:1123/railbird/secrets-flake.git"; }; nix-homebrew.url = "github:zhaofengli-wip/nix-homebrew"; brew-src = { url = "github:Homebrew/brew/5.1.7"; flake = false; }; # Optional: Declarative tap management homebrew-core = { url = "github:homebrew/homebrew-core"; flake = false; }; homebrew-cask = { url = "github:homebrew/homebrew-cask"; flake = false; }; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; git-sync-rs = { url = "github:colonelpanic8/git-sync-rs"; inputs.nixpkgs.follows = "nixpkgs"; }; codex-cli-nix = { # Default branch is `main` on GitHub (not `master`). url = "github:sadjow/codex-cli-nix/main"; inputs.nixpkgs.follows = "nixpkgs"; }; claude-code-nix = { url = "github:sadjow/claude-code-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; keepbook = { url = "github:colonelpanic8/keepbook"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; git-blame-rank = { url = "github:colonelpanic8/git-blame-rank"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; }; outputs = inputs @ { self, agenix, git-sync-rs, nix-darwin, nixpkgs, home-manager, nix-homebrew, ... }: let libDir = ../dotfiles/lib; # Keep this on the currently-existing macOS account until the target user # exists locally and its home directory has been migrated. activePrimaryUser = "kat"; targetPrimaryUser = "imalison"; primaryUser = activePrimaryUser; personalUsers = [ activePrimaryUser targetPrimaryUser ]; # Home Manager activation should only target accounts that exist today. # Add targetPrimaryUser here when the macOS account is ready. enabledHomeUsers = [ activePrimaryUser ]; sharedHomeModules = [./home/common.nix]; ivanHomeModules = [./home/ivan.nix]; homeForUser = user: "/Users/${user}"; configuration = { pkgs, lib, config, ... }: let essentialPkgs = (import ../nix-shared/system/essential.nix {inherit pkgs lib inputs;}).environment.systemPackages; disabledAppleSymbolicHotKey = parameters: { enabled = false; value = { inherit parameters; type = "standard"; }; }; in { networking.hostName = "mac-demarco-mini"; imports = [ (import ./gitea-actions-runner.nix) ]; age = { identityPaths = [ "${config.users.users.${primaryUser}.home}/.ssh/id_ed25519" "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_rsa_key" ]; secrets.gitea-runner-token.file = ../nixos/secrets/gitea-runner-token.mac-demarco-mini.age; }; services.gitea-actions-runner = { user = "gitea-runner"; instances.nix = { enable = true; name = config.networking.hostName; url = "https://dev.railbird.ai"; tokenFile = config.age.secrets.gitea-runner-token.path; labels = [ "nix-darwin-${pkgs.stdenv.hostPlatform.system}:host" "macos-aarch64-darwin" "nix:host" ]; settings = { cache = { enabled = true; }; host = { workdir_parent = "/var/lib/gitea-runner/action-cache-dir"; }; }; hostPackages = with pkgs; [ bash coreutils curl direnv gawk just git-lfs isort git gnused ncdu nixVersions.stable nodejs openssh wget ]; }; }; launchd.daemons.gitea-runner-nix.serviceConfig.EnvironmentVariables = { XDG_CONFIG_HOME = "/var/lib/gitea-runner"; XDG_CACHE_HOME = "/var/lib/gitea-runner/.cache"; XDG_RUNTIME_DIR = "/var/lib/gitea-runner/tmp"; }; system.primaryUser = primaryUser; security.sudo.extraConfig = '' ${primaryUser} ALL=(ALL) NOPASSWD: ALL ''; system.defaults.NSGlobalDomain."com.apple.swipescrolldirection" = false; system.defaults.CustomUserPreferences."com.apple.screensaver".idleTime = 300; system.defaults.CustomUserPreferences."com.apple.symbolichotkeys".AppleSymbolicHotKeys = { # Disable input source shortcuts that conflict with launcher usage. "60" = disabledAppleSymbolicHotKey [32 49 262144]; "61" = disabledAppleSymbolicHotKey [32 49 786432]; # Disable Spotlight's Command-Space and Finder search window shortcuts. "64" = disabledAppleSymbolicHotKey [32 49 1048576]; "65" = disabledAppleSymbolicHotKey [32 49 1572864]; }; system.defaults.screensaver.askForPassword = false; system.defaults.screensaver.askForPasswordDelay = 0; system.activationScripts.postActivation.text = '' echo >&2 "current-host screensaver defaults..." launchctl asuser "$(id -u -- ${primaryUser})" sudo --user=${primaryUser} -- defaults -currentHost write com.apple.screensaver askForPassword -bool false launchctl asuser "$(id -u -- ${primaryUser})" sudo --user=${primaryUser} -- defaults -currentHost write com.apple.screensaver askForPasswordDelay -int 0 ''; power.sleep = { computer = "never"; display = "never"; harddisk = "never"; }; # launchd.daemons.gitea-runner-restarter = { # serviceConfig = { # ProgramArguments = [ # "/usr/bin/env" # "bash" # "-c" # '' # SERVICE_NAME="org.nixos.gitea-runner-nix" # while true; do # # Check the second column of launchctl list output for our service # EXIT_CODE=$(sudo launchctl list | grep "$SERVICE_NAME" | awk '{print $2}') # if [ -z "$EXIT_CODE" ]; then # echo "$(date): $SERVICE_NAME is running correctly. Terminating the restarter." # exit 0 # else # echo "$(date): $SERVICE_NAME is not running or in error state. Attempting to restart..." # sudo launchctl bootout system/$SERVICE_NAME 2>/dev/null || true # sudo launchctl load /Library/LaunchDaemons/$SERVICE_NAME.plist # sleep 2 # Give the service some time to start # fi # done # '' # ]; # RunAtLoad = true; # ThrottleInterval = 300; # }; # }; launchd.daemons.does-anything-work = { serviceConfig = { ProgramArguments = ["/usr/bin/env" "bash" "-c" "date > /var/log/does-anything-work"]; RunAtLoad = true; }; }; nixpkgs.overlays = [ (import ../nix-shared/overlays) # Use codex and claude-code from dedicated flakes with cachix (final: prev: { codex = inputs.codex-cli-nix.packages.${prev.stdenv.hostPlatform.system}.default; claude-code = inputs.claude-code-nix.packages.${prev.stdenv.hostPlatform.system}.default; git-sync-rs = git-sync-rs.packages.${prev.stdenv.hostPlatform.system}.default; }) ]; environment.systemPackages = essentialPkgs ++ [ pkgs.gnupg pkgs.spotify ]; nixpkgs.config.allowUnfree = true; # Install GUI-visible fonts into /Library/Fonts/Nix Fonts. fonts.packages = with pkgs; [ nerd-fonts.jetbrains-mono ]; # Homebrew casks (managed by nix-darwin, installed by nix-homebrew) homebrew = { enable = true; taps = builtins.attrNames config.nix-homebrew.taps; brews = [ "ddcctl" "m1ddc" ]; casks = [ "codex-app" "ghostty" "hammerspoon" "raycast" "vlc" ]; masApps = { Xcode = 497799835; }; onActivation.cleanup = "zap"; }; # Auto upgrade nix package and the daemon service. launchd.user.envVariables.PATH = config.environment.systemPath; launchd.user.agents.hammerspoon.serviceConfig = { ProgramArguments = ["/usr/bin/open" "-gja" "Hammerspoon"]; RunAtLoad = true; }; programs.direnv.enable = true; # Necessary for using flakes on this system. nix.settings = { experimental-features = "nix-command flakes"; substituters = [ "https://cache.nixos.org" "https://codex-cli.cachix.org" "https://claude-code.cachix.org" ]; trusted-public-keys = [ "codex-cli.cachix.org-1:1Br3H1hHoRYG22n//cGKJOk3cQXgYobUel6O8DgSing=" "claude-code.cachix.org-1:YeXf2aNu7UTX8Vwrze0za1WEDS+4DuI2kVeWEE4fsRk=" ]; }; # Set Git commit hash for darwin-version. system.configurationRevision = self.rev or self.dirtyRev or null; # Used for backwards compatibility, please read the changelog before changing system.stateVersion = 4; # The platform the configuration will be used on. nixpkgs.hostPlatform = "aarch64-darwin"; users.users = lib.genAttrs personalUsers (user: { name = user; home = homeForUser user; openssh.authorizedKeys.keys = inputs.railbird-secrets.keys.kanivanKeys; }) // { gitea-runner = { name = "gitea-runner"; isHidden = false; home = "/Users/gitea-runner"; createHome = false; }; }; programs.zsh = { enable = true; enableSyntaxHighlighting = true; }; home-manager = { useGlobalPkgs = true; useUserPackages = true; backupFileExtension = "hm-backup"; extraSpecialArgs = { inherit inputs libDir; }; sharedModules = sharedHomeModules; users = lib.genAttrs enabledHomeUsers (_: { imports = ivanHomeModules; }); }; }; in { darwinConfigurations."mac-demarco-mini" = nix-darwin.lib.darwinSystem { modules = [ agenix.darwinModules.default home-manager.darwinModules.home-manager nix-homebrew.darwinModules.nix-homebrew { nix-homebrew = { enable = true; user = primaryUser; autoMigrate = true; package = inputs.brew-src // { name = "brew-5.1.7"; version = "5.1.7"; }; taps = { "homebrew/homebrew-core" = inputs.homebrew-core; "homebrew/homebrew-cask" = inputs.homebrew-cask; }; }; } configuration ]; }; # Expose the package set, including overlays, for convenience. darwinPackages = self.darwinConfigurations."mac-demarco-mini".pkgs; }; }