harivansh-afk/nix
1
1
Fork 0
mirror of https://github.com/harivansh-afk/nix.git synced 2026-04-15 14:03:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
nix/README.md
Harivansh Rathi ff77053297 secrets
2026-03-15 14:09:37 -04:00

126 lines
3.4 KiB
Markdown
Raw Blame History

# Nix Config
## Approach
This repo is the source of truth for the machine's reproducible developer
environment:
- `home/` contains the Home Manager modules for user-facing tools
- `config/` contains the repo-owned config trees copied from your daily setup
- `modules/` contains host-level `nix-darwin` policy and package layers
- `modules/homebrew.nix` is intentionally narrow and only exists for GUI apps
that are still easier to keep in Brew on macOS
- `home/migration.nix` contains one-time ownership handoff logic from `~/dots`
into Home Manager so the steady-state modules can stay focused on real config
## Layout
- `flake.nix`: top-level flake and host wiring
- `hosts/hari-macbook-pro/default.nix`: this machine's host config
- `modules/base.nix`: Nix settings and core packages
- `modules/macos.nix`: macOS defaults and host-level settings
- `modules/packages.nix`: system packages and fonts
- `modules/homebrew.nix`: the remaining Homebrew-managed GUI apps
- `home/`: Home Manager modules for shell, editor, CLI tools, and app config
- `home/migration.nix`: transitional cleanup for old `~/dots` symlinks
- `config/`: repo-owned config files consumed by Home Manager
## Ownership Boundaries
- Nix owns packages, dotfiles, shell/editor config, launchd services, and
selected macOS defaults
- Homebrew is retained only for a narrow GUI cask boundary
- Keychain items, TCC/privacy permissions, browser history, and most
`~/Library/Application Support` state are intentionally outside declarative
Nix ownership
## Dedicated Inputs
Most tools come from `nixpkgs`. Fast-moving CLIs that you want to update on
their own cadence are pinned as dedicated flake inputs:
- `googleworkspace-cli`
- `claudeCode`
Bitwarden note:
- `bw` is installed via Homebrew as `bitwarden-cli`
- `bws` is not currently managed in this repo because I did not find a
supported nixpkgs or Homebrew package for it on macOS during verification
- daily shell secrets are synced from Bitwarden into `~/.config/secrets/shell.zsh`
via `just secrets-sync`
- vault items are currently the source of truth for imported machine secrets and
SSH material
## Commands
First switch:
```bash
nix run github:LnL7/nix-darwin/master#darwin-rebuild -- switch --flake .#hari-macbook-pro
```
After the first successful switch:
```bash
just switch
just build
just check
```
Update everything pinned by the flake:
```bash
nix flake update
just switch
```
Update only Codex or Claude:
```bash
nix flake lock --update-input claudeCode
just switch
```
Update Codex:
```bash
brew upgrade --cask codex
just switch
```
Sync Bitwarden-backed shell secrets:
```bash
export BW_SESSION="$(bw unlock --raw)"
just secrets-sync
```
Restore file-based secrets from Bitwarden:
```bash
export BW_SESSION="$(bw unlock --raw)"
just secrets-restore-files
```
## What Still Needs Manual Handling
- Promoting vault-backed secrets into Bitwarden Secrets Manager machine-account
flows, if you want fully non-interactive sandbox secret injection later
- App state under `~/Library/Application Support`
- Anything that depends on local credentials, keychains, or encrypted stores
- Manual cleanup of old non-Nix installs that are no longer wanted
## Current Homebrew Scope
The current Homebrew boundary is only:
- `cap`
- `codex`
- `raycast`
- `riptide-dev`
- `thebrowsercompany-dia`
- `wispr-flow`
Homebrew activation is currently `cleanup = "uninstall"`, so anything outside
that list is treated as drift and removed on `darwin-rebuild switch`.
Reference in a new issue View git blame Copy permalink