Merge branch 'nix-darwin:master' into master

Author: orzklv

README.md

@@ -50,13 +50,13 @@ cd /etc/nix-darwin
 
 # To use Nixpkgs unstable:
 nix flake init -t nix-darwin/master
-# To use Nixpkgs 24.11:
-nix flake init -t nix-darwin/nix-darwin-24.11
+# To use Nixpkgs 25.05:
+nix flake init -t nix-darwin/nix-darwin-25.05
 
 sed -i '' "s/simple/$(scutil --get LocalHostName)/" flake.nix
 ```
 
-Make sure to change `nixpkgs.hostPlatform` to `aarch64-darwin` if you are using Apple Silicon.
+Make sure to check if `nixpkgs.hostPlatform` is set to either `x86_64-darwin` for Intel or `aarch64-darwin` for Apple Silicon.
 
 </details>
 
@@ -71,9 +71,9 @@ Add the following to `flake.nix` in the same folder as `configuration.nix`:
   description = "John's darwin system";
 
   inputs = {
-    # Use `github:NixOS/nixpkgs/nixpkgs-24.11-darwin` to use Nixpkgs 24.11.
+    # Use `github:NixOS/nixpkgs/nixpkgs-25.05-darwin` to use Nixpkgs 25.05.
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-    # Use `github:nix-darwin/nix-darwin/nix-darwin-24.11` to use Nixpkgs 24.11.
+    # Use `github:nix-darwin/nix-darwin/nix-darwin-25.05` to use Nixpkgs 25.05.
     nix-darwin.url = "github:nix-darwin/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
   };
@@ -99,8 +99,8 @@ Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin-
 ```bash
 # To use Nixpkgs unstable:
 sudo nix run nix-darwin/master#darwin-rebuild -- switch
-# To use Nixpkgs 24.11:
-sudo nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch
+# To use Nixpkgs 25.05:
+sudo nix run nix-darwin/nix-darwin-25.05#darwin-rebuild -- switch
 ```
 
 ### Step 3. Using `nix-darwin`
@@ -143,8 +143,8 @@ Copy the [simple](./modules/examples/simple.nix) example to `/etc/nix-darwin/con
 ```bash
 # If you use Nixpkgs unstable (the default):
 sudo nix-channel --add https://github.com/nix-darwin/nix-darwin/archive/master.tar.gz darwin
-# If you use Nixpkgs 24.11:
-sudo nix-channel --add https://github.com/nix-darwin/nix-darwin/archive/nix-darwin-24.11.tar.gz darwin
+# If you use Nixpkgs 25.05:
+sudo nix-channel --add https://github.com/nix-darwin/nix-darwin/archive/nix-darwin-25.05.tar.gz darwin
 
 sudo nix-channel --update
 ```

modules/homebrew.nix

@@ -54,10 +54,10 @@ let
   # Submodules -------------------------------------------------------------------------------------
   # Option values and descriptions of Brewfile entries are sourced/derived from:
   #   * `brew` manpage: https://docs.brew.sh/Manpage
-  #   * `brew bundle` source files (at https://github.com/Homebrew/homebrew-bundle/tree/9fffe077f1a5a722ed5bd26a87ed622e8cb64e0c):
-  #     * lib/bundle/dsl.rb
-  #     * lib/bundle/{brew,cask,tap}_installer.rb
-  #     * spec/bundle/{brew,cask,tap}_installer_spec.rb
+  #   * `brew bundle` source files (at https://github.com/Homebrew/brew/tree/master/Library/Homebrew/bundle):
+  #     * dsl.rb
+  #     * {brew,cask,tap}_installer.rb
+  #     * ../test/bundle/{brew,cask,tap}_installer_spec.rb
 
   onActivationOptions = { config, ... }: {
     options = {
@@ -234,7 +234,7 @@ let
     options = {
       name = mkOption {
         type = types.str;
-        example = "homebrew/cask-fonts";
+        example = "apple/apple";
         description = ''
           When {option}`clone_target` is unspecified, this is the name of a formula
           repository to tap from GitHub using HTTPS. For example, `"user/repo"`
@@ -502,7 +502,9 @@ let
           [](#opt-homebrew.caskArgs) for the available options.
         '';
       };
-      greedy = mkNullOrBoolOption {
+      greedy = mkOption {
+        type = types.nullOr types.bool;
+        default = cfg.greedyCasks;
         description = ''
           Whether to always upgrade this cask regardless of whether it's unversioned or it updates
           itself.
@@ -605,10 +607,10 @@ in
       type = with types; listOf (coercedTo str (name: { inherit name; }) (submodule tapOptions));
       default = [ ];
       example = literalExpression ''
-        # Adapted examples from https://github.com/Homebrew/homebrew-bundle#usage
+        # Adapted from https://docs.brew.sh/Brew-Bundle-and-Brewfile
         [
           # `brew tap`
-          "homebrew/cask"
+          "apple/apple"
 
           # `brew tap` with custom Git URL and arguments
           {
@@ -642,11 +644,18 @@ in
       '';
     };
 
+    greedyCasks = mkNullOrBoolOption {
+      description = ''
+        Whether to always upgrade casks listed in [](#opt-homebrew.casks) regardless
+        of whether it's unversioned or it updates itself.
+      '';
+    };
+
     brews = mkOption {
       type = with types; listOf (coercedTo str (name: { inherit name; }) (submodule brewOptions));
       default = [ ];
       example = literalExpression ''
-        # Adapted examples from https://github.com/Homebrew/homebrew-bundle#usage
+        # Adapted from https://docs.brew.sh/Brew-Bundle-and-Brewfile
         [
           # `brew install`
           "imagemagick"
@@ -680,7 +689,7 @@ in
       type = with types; listOf (coercedTo str (name: { inherit name; }) (submodule caskOptions));
       default = [ ];
       example = literalExpression ''
-        # Adapted examples from https://github.com/Homebrew/homebrew-bundle#usage
+        # Adapted from https://docs.brew.sh/Brew-Bundle-and-Brewfile
         [
           # `brew install --cask`
           "google-chrome"
@@ -802,8 +811,10 @@ in
       if [ -f "${cfg.brewPrefix}/brew" ]; then
         PATH="${cfg.brewPrefix}:${lib.makeBinPath [ pkgs.mas ]}:$PATH" \
         sudo \
+          --preserve-env=PATH \
           --user=${escapeShellArg cfg.user} \
           --set-home \
+          env \
           ${cfg.onActivation.brewBundleCmd}
       else
         echo -e "\e[1;31merror: Homebrew is not installed, skipping...\e[0m" >&2

modules/module-list.nix

@@ -49,6 +49,7 @@
   ./system/version.nix
   ./time
   ./networking
+  ./networking/applicationFirewall.nix
   ./nix
   ./nix/linux-builder.nix
   ./nix/nix-darwin.nix
@@ -113,7 +114,7 @@
   ./programs/man.nix
   ./programs/info
   ./programs/nix-index
-  ./programs/ssh
+  ./programs/ssh.nix
   ./programs/tmux.nix
   ./programs/vim.nix
   ./programs/zsh

modules/networking/applicationFirewall.nix

@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+let
+  cfg = config.networking.applicationFirewall;
+
+  socketfilterfw =
+    option: value:
+    lib.concatStringsSep " " [
+      "/usr/libexec/ApplicationFirewall/socketfilterfw"
+      "--${option}"
+      (if value then "on" else "off")
+    ];
+in
+{
+  meta.maintainers = [
+    (lib.maintainers.prince213 or "prince213")
+  ];
+
+  options.networking.applicationFirewall = {
+    enable = lib.mkOption {
+      type = lib.types.nullOr lib.types.bool;
+      default = null;
+      example = true;
+      description = "Whether to enable application firewall.";
+    };
+    blockAllIncoming = lib.mkEnableOption "blocking all incoming connections";
+    allowSigned = lib.mkEnableOption "built-in software to receive incoming connections" // {
+      default = true;
+    };
+    allowSignedApp =
+      lib.mkEnableOption "downloaded signed software to receive incoming connections"
+      // {
+        default = true;
+      };
+    enableStealthMode = lib.mkEnableOption "stealth mode";
+  };
+
+  config = {
+    system.activationScripts.networking.text = ''
+      echo "configuring application firewall..." >&2
+
+      ${lib.optionalString (cfg.enable != null) (socketfilterfw "setglobalstate" cfg.enable)}
+      ${lib.optionalString (cfg.enable == true) (socketfilterfw "setblockall" cfg.blockAllIncoming)}
+      ${socketfilterfw "setallowsigned" cfg.allowSigned}
+      ${socketfilterfw "setallowsignedapp" cfg.allowSignedApp}
+      ${socketfilterfw "setstealthmode" cfg.enableStealthMode}
+    '';
+  };
+}

modules/nix/default.nix

@@ -443,11 +443,14 @@ in
       nixPath = mkOption {
         type = nixPathType;
         inherit (managedDefault "nix.nixPath" (
-          lib.optionals cfg.channel.enable [
-            # Include default path <darwin-config>.
-            { darwin-config = "${config.environment.darwinConfig}"; }
-            "/nix/var/nix/profiles/per-user/root/channels"
-          ]
+          lib.optionals cfg.channel.enable (
+            lib.optionals (config.environment.darwinConfig != null) [
+              # Include default path <darwin-config>.
+              { darwin-config = "${config.environment.darwinConfig}"; }
+            ] ++ [
+              "/nix/var/nix/profiles/per-user/root/channels"
+            ]
+          )
         )) default;
 
         defaultText = lib.literalExpression ''