my nix config

Nix Config

Approach

This repo is the source of truth for the machine's reproducible developer environment:

  • home/ contains the Home Manager modules for user-facing tools
  • config/ contains the repo-owned config trees copied from your daily setup
  • modules/ contains host-level nix-darwin policy and package layers
  • modules/homebrew.nix is intentionally narrow and only exists for GUI apps that are still easier to keep in Brew on macOS
  • home/migration.nix contains one-time ownership handoff logic from ~/dots into Home Manager so the steady-state modules can stay focused on real config

Layout

  • flake.nix: top-level flake and host wiring
  • hosts/hari-macbook-pro/default.nix: this machine's host config
  • modules/base.nix: Nix settings and core packages
  • modules/macos.nix: macOS defaults and host-level settings
  • modules/packages.nix: system packages and fonts
  • modules/homebrew.nix: the remaining Homebrew-managed GUI apps
  • home/: Home Manager modules for shell, editor, CLI tools, and app config
  • home/migration.nix: transitional cleanup for old ~/dots symlinks
  • config/: repo-owned config files consumed by Home Manager

Ownership Boundaries

  • Nix owns packages, dotfiles, shell/editor config, launchd services, and selected macOS defaults
  • Homebrew is retained only for a narrow GUI cask boundary
  • Keychain items, TCC/privacy permissions, browser history, and most ~/Library/Application Support state are intentionally outside declarative Nix ownership

Dedicated Inputs

Most tools come from nixpkgs. Fast-moving CLIs that you want to update on their own cadence are pinned as dedicated flake inputs:

  • googleworkspace-cli
  • claudeCode

Bitwarden note:

  • bw is installed via Homebrew as bitwarden-cli
  • bws is not currently managed in this repo because I did not find a supported nixpkgs or Homebrew package for it on macOS during verification
  • daily shell secrets are synced from Bitwarden into ~/.config/secrets/shell.zsh via just secrets-sync
  • vault items are currently the source of truth for imported machine secrets and SSH material

Commands

First switch:

nix run github:LnL7/nix-darwin/master#darwin-rebuild -- switch --flake .#hari-macbook-pro

After the first successful switch:

just switch
just build
just check

Update everything pinned by the flake:

nix flake update
just switch

Update only one dedicated flake input (Claude Code shown; Codex is a Homebrew cask and is updated below):

nix flake lock --update-input claudeCode
just switch

Update Codex:

brew upgrade --cask codex
just switch

Sync Bitwarden-backed shell secrets:

export BW_SESSION="$(bw unlock --raw)"
just secrets-sync

Restore file-based secrets from Bitwarden:

export BW_SESSION="$(bw unlock --raw)"
just secrets-restore-files
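An added example, not the repo's own scripts/secrets script: how the write half of a secrets-sync step into a file like ~/.config/secrets/shell.zsh can be done so the result is private (0600, 0700 directory), replaced atomically, and safe to source even when a vault value contains quotes, `$` or backticks. It assumes the NAME=VALUE pairs have already been pulled from the vault (the bw calls are left out so it runs offline); the output path is a hypothetical argument.

```shell
#!/usr/bin/env bash
# Added example, not the repo's scripts/secrets: write a zsh secrets file the way a
# `just secrets-sync` step might, with the handling a secrets file needs:
# private umask, 0600 mode, atomic replace, and single-quoted values so vault
# contents are never re-parsed when ~/.config/secrets/shell.zsh is sourced.
set -eu

# Single-quote a value for sh/zsh: each ' becomes '\'' so $, backticks and
# quotes inside a secret are inert when the file is sourced.
sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# render_secrets_file DEST NAME=VALUE...  (names are validated as identifiers)
render_secrets_file() {
  local dest dir
  dest="$1"; shift
  dir="$(dirname "$dest")"
  mkdir -p "$dir" && chmod 700 "$dir"
  (
    umask 077                                   # temp file is 0600 from creation
    tmp="$(mktemp "$dir/.shell.zsh.XXXXXX")"
    trap 'rm -f "$tmp"' EXIT                    # no half-written file left behind
    {
      echo '# generated by secrets-sync from Bitwarden; never commit this file'
      for pair in "$@"; do
        name="${pair%%=*}"; value="${pair#*=}"
        case "$name" in
          ""|[0-9]*|*[!A-Za-z0-9_]*) echo "refusing invalid name: $name" >&2; exit 1 ;;
        esac
        echo "export $name=$(sq "$value")"
      done
    } > "$tmp"
    mv -f "$tmp" "$dest"                        # atomic replace of the old file
  )
}

# check_secrets_file FILE: succeeds only for a regular file with mode 0600.
check_secrets_file() {
  local f mode
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat takes -c; macOS/BSD stat takes -f, so try GNU first and fall back.
  if mode="$(stat -c '%a' "$f" 2>/dev/null)"; then :; else mode="$(stat -f '%Lp' "$f")"; fi
  [ "$mode" = "600" ]
}
```

A rejected name leaves the previous secrets file untouched and removes the temp file, so a bad vault entry cannot leave a partial or world-readable file behind.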

What Still Needs Manual Handling

  • Promoting vault-backed secrets into Bitwarden Secrets Manager machine-account flows, if you want fully non-interactive sandbox secret injection later
  • App state under ~/Library/Application Support
  • Anything that depends on local credentials, keychains, or encrypted stores
  • Manual cleanup of old non-Nix installs that are no longer wanted

Current Homebrew Scope

The current Homebrew boundary is only:

  • cap
  • codex
  • raycast
  • riptide-dev
  • thebrowsercompany-dia
  • wispr-flow

Homebrew activation is configured with homebrew.onActivation.cleanup = "uninstall", so any formula or cask outside that list is treated as drift and uninstalled on the next darwin-rebuild switch.