These are my dotfiles.
The nix/ flake and scripts/ live in this repo, so clone it first. The repo
is public, so clone over HTTPS (the SSH key is provisioned later via 1Password).
Clone into chezmoi's source directory so a single checkout serves as both the
flake root and the chezmoi source:

```sh
# git ships with the Xcode Command Line Tools; this triggers their install
xcode-select --install
git clone https://github.com/oschrenk/dotfiles.git ~/.local/share/chezmoi
cd ~/.local/share/chezmoi
```

Name the machine next (the hostname is used by nix-darwin and chezmoi templating):

```sh
./scripts/hostname.sh
```

Then install Nix and Homebrew (chezmoi itself is installed later by nix-darwin):

```sh
./scripts/bootstrap.sh
```

Configure /etc/nix/nix.custom.conf (Determinate Nix preserves this across upgrades):

```sh
echo 'trusted-users = oliver' | sudo tee -a /etc/nix/nix.custom.conf
echo 'extra-substituters = https://nixos-raspberrypi.cachix.org' | sudo tee -a /etc/nix/nix.custom.conf
echo 'extra-trusted-public-keys = nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI=' | sudo tee -a /etc/nix/nix.custom.conf
sudo launchctl kickstart -k system/systems.determinate.nix-daemon
```

Identity values (name, email, SSH key, timezone) live in the committed
nix/identity.nix, so nothing is needed here on your own machines. When forking
or changing them, edit nix/identity.nix directly, or run `task nix-setup-identity`
(available after the first apply below, since `task` is installed by nix-darwin).
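The `tee -a` lines for nix.custom.conf above (and the same recipe in the binary-cache note near the end of this file) append blindly, so every re-run duplicates entries and a truncated public key is accepted silently. The helper below is an added example, not one of this repo's scripts/: it only adds a value when it is missing from the key's list and refuses a key that does not look like a Nix ed25519 signing key; the file path is a parameter so it can be tried on a scratch file before being pointed at /etc/nix/nix.custom.conf as root.

```bash
# Idempotent editing of a nix.conf-style file (added example, not one of this
# repo's scripts). nix.conf keys hold space-separated lists, so "adding" a
# substituter or key means appending one more token to an existing line.
set -eu

# nix_conf_add FILE KEY VALUE
# Adds VALUE to the list under KEY in FILE. Creates the line if KEY is absent,
# leaves FILE untouched if VALUE is already listed. VALUE must not contain
# '|', '&' or '\' (they are special in the sed replacement below).
nix_conf_add() {
  file=$1 key=$2 value=$3
  [ -e "$file" ] || : > "$file"
  line=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" || true)
  if [ -z "$line" ]; then
    printf '%s = %s\n' "$key" "$value" >> "$file"
    return 0
  fi
  # Key present: compare against each existing token, not the raw line, so a
  # prefix of an existing entry does not count as "already there".
  for tok in ${line#*=}; do
    if [ "$tok" = "$value" ]; then
      return 0
    fi
  done
  tmp=$(mktemp)
  sed -E "s|^([[:space:]]*${key}[[:space:]]*=.*)$|\1 ${value}|" "$file" > "$tmp"
  mv "$tmp" "$file"
}

# nix_key_valid KEY
# Succeeds only if KEY looks like a binary-cache signing key "<name>:<base64>",
# where the base64 part is a 32-byte ed25519 public key (43 chars plus '=').
# A pasted placeholder such as "example.cachix.org-1:..." is rejected.
nix_key_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+:[A-Za-z0-9+/]{43}=$'
}

# nix_conf_add_cache FILE URL KEY
# Adds a substituter and its signing key together, refusing a malformed key
# before anything is written.
nix_conf_add_cache() {
  nix_key_valid "$3" || { echo "refusing malformed key: $3" >&2; return 1; }
  nix_conf_add "$1" extra-substituters "$2"
  nix_conf_add "$1" extra-trusted-public-keys "$3"
}

# Usage on the real file (as root), then restart the daemon as above:
#   nix_conf_add_cache /etc/nix/nix.custom.conf https://nixos-raspberrypi.cachix.org \
#     'nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI='
```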
Before the first apply, grant Terminal Full Disk Access. Without it,
activation cannot write the TCC-protected com.apple.universalaccess domain, the
switch aborts, and your login shell is left pointing at a fish that is not
installed yet (a dead terminal). On a fresh machine the switch runs in
Terminal.app (Ghostty is not installed yet), so:
- System Settings > Privacy & Security > Full Disk Access > enable Terminal
- Quit Terminal (Cmd-Q) and reopen
Apply the flake. task is not on PATH yet (go-task comes from nix-darwin), and
the flake is in the nix/ subdirectory, so run it directly from the repo root:

```sh
sudo nix run nix-darwin -- switch --flake "./nix#$(hostname -s)"
```

If the switch ever does abort on universalaccess and breaks your shell, set
Terminal to open /bin/zsh directly (Settings > General > "Shells open with")
to recover, grant Full Disk Access, then re-run the switch.
Subsequent runs use the task wrapper:

```sh
task nix-max
```

Some secrets (currently the atuin sync key) are sourced from 1Password via opnix. The bootstrap is per-machine and the token never lands in git.

The service account is "Service Account / opnix-bootstrap". Place the token at /etc/opnix-token:

```sh
sudo install -m 0600 -o root -g wheel /dev/null /etc/opnix-token
sudo $EDITOR /etc/opnix-token
```

Then kickstart the service manually:

```sh
sudo launchctl kickstart -k system/org.nixos.opnix-secrets
```

Initialize chezmoi. The repo is already at chezmoi's source directory from the
bootstrap clone, so `chezmoi init` reuses it without re-downloading. This
requires `task nix-max` to have run first, so home-manager has written
~/.local/share/identity/data.toml:

```sh
chezmoi init
```

Pull binary assets (git-lfs is installed by nix-darwin):

```sh
git lfs install
chezmoi cd
git lfs pull
```

Apply:

```sh
chezmoi apply
```

Follow the on-screen instructions. You will sometimes be asked for a password. Downloading and compiling all the various applications and packages will take roughly 1 hour.
After casks are installed you can already start important apps and configure them:

- App Store
  - log into iCloud if needed
- 1Password
  - Security > Touch ID
  - Security > Apple Watch
  - Developer > Use the SSH Agent
  - Developer > Enable Biometric Unlock
- Ghostty
  - System Settings > "Privacy & Security > Full disk access..." Allow for ...
- Arc
  - open profiles, and log into services
- Atuin
  - The sync key is provisioned by opnix from 1Password (Bootstrap vault), so no
    key transfer between machines is needed. Run `atuin login` and enter
    username + password.
- Karabiner Elements
  - Open. Read the "System Extensions Blocked" popup. Click on "Open Security Preferences" and press "Allow".
- IntelliJ
  - Configure plugins:
    - AutoDarkMode
    - Harpooner
    - Hocon
    - IdeaVim
    - Key Promoter
    - Kotlin
    - Scala
  - Change settings:
    - Don't send statistics
- Photos
  - Open to synchronize data
- Spotify
  - download "Liked Songs"
- sketchybar
  - Managed by Nix Home Manager as a launchd user agent (not brew). Restart with
    `launchctl kickstart -k gui/$(id -u)/org.nix-community.home.sketchybar`
Login:

- Discord
- Slack

Link device:

- Signal
- Telegram
Set up all git projects:

- requires the SSH key (via 1Password)
- requires `arbol`

```sh
mkdir ~/Projects
arbol sync
```
| Task | Description |
| --- | --- |
| `task brew` | Install taps/brews/apps |
| `task cargo` | Install crates |
| `task extensions` | Install Arc Browser extensions |
| `task go` | Install go apps |
| `task icons` | Install icons |
| `task node` | Install node tools |
| `task ollama` | Install ollama models |
Binary caches defined in a flake's `nixConfig` are ignored unless the invoking user is trusted and `accept-flake-config` is set. The fix is to add the cache directly to /etc/nix/nix.custom.conf (which Determinate Nix preserves across upgrades) and restart the daemon:

```sh
echo 'extra-substituters = https://example.cachix.org' | sudo tee -a /etc/nix/nix.custom.conf
echo 'extra-trusted-public-keys = example.cachix.org-1:...' | sudo tee -a /etc/nix/nix.custom.conf
sudo launchctl kickstart -k system/systems.determinate.nix-daemon
```

```sh
brew install steam
```
Steam is the last application (that I use) not offering a native arm variant for macOS.

```sh
# install rosetta 2
# to list the installed Intel-only apps that need it:
# system_profiler SPApplicationsDataType -json | jq -r '.SPApplicationsDataType[] | select (.arch_kind == "arch_i64") | ._name ' | sort
#
# needed for
# Steam
# Steam Helper
softwareupdate --install-rosetta --agree-to-license
```