swaphb/nix-darwin-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update Homebrew configuration: change cleanup strategy to 'zap', add azure-cli, and fix logi-options package name; add zsh configuration in shell.nix

Browse Source
This commit is contained in:
swaphb
2025-08-27 22:36:50 -04:00
parent f292f26361
commit 7b056f83ab
6 changed files with 51 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/darwin/apps/homebrew.nix
View File

@@ -4,12 +4,14 @@
# Darwin-level Homebrew configuration
homebrew = {
enable = true;
onActivation.cleanup = "uninstall";
# Change cleanup strategy to be less aggressive
onActivation.cleanup = "zap"; # Only remove uninstalled packages
onActivation.autoUpdate = false;
onActivation.upgrade = false;
brews = [
"argoproj/homebrew-tap/kubectl-argo-rollouts"
"azure-cli"
"gh"
"git"
"gnu-tar"
@@ -32,7 +34,7 @@
"httpie"
"joplin"
"localsend"
"logi-options+"
"logi-options-plus"
"meetingbar"
"orbstack"
"parsec"

12
modules/darwin/security/default.nix
View File

@@ -3,11 +3,11 @@
# Enable TouchID for PAM auth: you could also place security/pam or other service configs here:
security.pam.services.sudo_local.touchIdAuth = true;
system.defaults.alf = {
allowsignedenabled = 1; # Allows any signed Application to accept incoming requests. Default is true. 0 = disabled 1 = enabled
allowdownloadsignedenabled = 0; # Allows any signed Application to accept incoming requests. Default is false. 0 = disabled 1 = enabled
globalstate = 1; # Enable the internal firewall to prevent unauthorised applications, programs and services from accepting incoming connections. 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
loggingenabled = 0; # Enable logging of blocked incoming connections. 0 = disabled 1 = enabled
stealthenabled = 1; # Enable stealth mode. This will prevent the computer from responding to ICMP ping requests and will not answer to port scans. 0 = disabled 1 = enabled
networking.applicationFirewall = {
enable = true;
blockAllIncoming = false; # Set to true if you want to block all except essential services
allowSigned = true;
allowSignedApp = false;
enableStealthMode = true;
};
}