Nix Config

Layout

• flake.nix: top-level flake and host wiring
• hosts/darwin/default.nix: macOS nix-darwin host config
• hosts/linux/default.nix: standalone Linux Home Manager host config
• modules/base.nix: Nix settings and core packages
• modules/macos.nix: macOS defaults and host-level settings
• modules/packages.nix: system packages and fonts
• modules/homebrew.nix: the remaining Homebrew-managed GUI apps
• home/: Home Manager modules for shell, editor, CLI tools, and app config
• home/common.nix: shared Home Manager imports used by macOS and Linux
• home/linux.nix: Linux Home Manager entrypoint
• home/migration.nix: transitional cleanup for old ~/dots symlinks
• config/: repo-owned config files consumed by Home Manager

Ownership Boundaries

• Nix owns packages, dotfiles, shell/editor config, launchd services, and selected macOS defaults
• Homebrew is retained only for a narrow GUI cask boundary
• Keychain items, TCC/privacy permissions, browser history, and most ~/Library/Application Support state are intentionally outside declarative Nix ownership

Bitwarden note:

• bw is installed via Homebrew as bitwarden-cli
• bws is not currently managed in this repo because I did not find a supported nixpkgs or Homebrew package for it on macOS during verification
• daily shell secrets are synced from Bitwarden into ~/.config/secrets/shell.zsh via just secrets-sync
• vault items are currently the source of truth for imported machine secrets and SSH material