update Homebrew configuration: change cleanup strategy to 'zap', add azure-cli, and fix logi-options package name; add zsh configuration in shell.nix

2025-08-27 22:36:50 -04:00
parent f292f26361
commit 7b056f83ab
6 changed files with 51 additions and 43 deletions
--- a/modules/darwin/apps/homebrew.nix
+++ b/modules/darwin/apps/homebrew.nix
@@ -4,12 +4,14 @@
  # Darwin-level Homebrew configuration
  homebrew = {
    enable = true;
-    onActivation.cleanup = "uninstall";
+    # Change cleanup strategy to be less aggressive
+    onActivation.cleanup = "zap"; # Only remove uninstalled packages
    onActivation.autoUpdate = false;
    onActivation.upgrade = false;

    brews = [
      "argoproj/homebrew-tap/kubectl-argo-rollouts"
+      "azure-cli"
      "gh"
      "git"
      "gnu-tar"
@@ -32,7 +34,7 @@
      "httpie"
      "joplin"
      "localsend"
-      "logi-options+"
+      "logi-options-plus"
      "meetingbar"
      "orbstack"
      "parsec"
--- a/modules/darwin/security/default.nix
+++ b/modules/darwin/security/default.nix
@@ -3,11 +3,11 @@
  # Enable TouchID for PAM auth: you could also place security/pam or other service configs here:
  security.pam.services.sudo_local.touchIdAuth = true;

-  system.defaults.alf = {
-    allowsignedenabled = 1; # Allows any signed Application to accept incoming requests. Default is true. 0 = disabled 1 = enabled
-    allowdownloadsignedenabled = 0; # Allows any signed Application to accept incoming requests. Default is false. 0 = disabled 1 = enabled
-    globalstate = 1; # Enable the internal firewall to prevent unauthorised applications, programs and services from accepting incoming connections. 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
-    loggingenabled = 0; # Enable logging of blocked incoming connections. 0 = disabled 1 = enabled
-    stealthenabled = 1; # Enable stealth mode. This will prevent the computer from responding to ICMP ping requests and will not answer to port scans. 0 = disabled 1 = enabled
+  networking.applicationFirewall = {
+    enable = true;
+    blockAllIncoming = false; # Set to true if you want to block all except essential services
+    allowSigned = true;
+    allowSignedApp = false;
+    enableStealthMode = true;
  };
 }
--- a/modules/home/stephen/default.nix
+++ b/modules/home/stephen/default.nix
@@ -2,13 +2,13 @@
 {
  imports = [
    ./terminal/default.nix
+    ./shell.nix
  ];

  home = {
    packages = with pkgs; [
      _1password-cli
      awscli2
-      azure-cli
      brave
      discord
      go
--- a/modules/home/stephen/shell.nix
+++ b/modules/home/stephen/shell.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Configure zsh through programs.zsh instead of home.file
+  programs.zsh = {
+    enable = true;
+    initContent = ''
+      eval "$(starship init zsh)"
+      export PATH="''${KREW_ROOT:-/Users/${config.home.username}/.krew}/bin:$PATH"
+    '';
+  };
+}
--- a/modules/home/stephen/terminal/default.nix
+++ b/modules/home/stephen/terminal/default.nix
@@ -59,12 +59,6 @@
      [[ssh-keys]]
      vault = "Employee"
    '';
-    
-    # Configure zsh
-    ".zshrc".text = ''
-      eval "$(starship init zsh)"
-      export PATH="''${KREW_ROOT:-/Users/${config.home.username}/.krew}/bin:$PATH"
-    '';

    # Configure ghostty
    ".config/ghostty/config".text = ''