feat: install some apps from apple store instead of homebrew

feat: replace username with ryan
fix: secrets

Makefile

@@ -44,15 +44,12 @@ darwin-set-proxy:
 	sudo python3 scripts/darwin_set_proxy.py
 
 darwin: darwin-set-proxy
-	nix build .#darwinConfigurations.harmonica.system \
-	  --extra-experimental-features 'nix-command flakes'
+	nix build .#darwinConfigurations.harmonica.system
 	./result/sw/bin/darwin-rebuild switch --flake .
 
 darwin-debug: darwin-set-proxy
-	nix build .#darwinConfigurations.harmonica.system \
-	  --show-trace --verbose \
-	  --extra-experimental-features 'nix-command flakes'
-	./result/sw/bin/darwin-rebuild switch --flake . --show-trace --verbose
+	nix build .#darwinConfigurations.harmonica.system --show-trace --verbose
+	./result/sw/bin/darwin-rebuild switch --flake .#harmonica --show-trace --verbose
 
 
 ############################################################################

flake.lock

@@ -7,17 +7,16 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1684153753,
-        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "lastModified": 1689334118,
+        "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143",
         "type": "github"
       },
       "original": {
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
         "type": "github"
       }
     },
@@ -242,10 +241,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1689338661,
-        "narHash": "sha256-yRWO66sDXWYMKgGVHQ5KmzaOQbgFdKpfikHVi/OLioM=",
+        "lastModified": 1689349623,
+        "narHash": "sha256-qcoafd+3BirNkN44YcLhixH+AEbmEcu238S8D0qooFQ=",
         "ref": "refs/heads/main",
-        "rev": "e468b93e6d92c5398e55d30f1ec9752030308035",
+        "rev": "6ed7a2c3c4c10bda234db78f0051d6e6f39ce187",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -360,11 +359,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1689192006,
-        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
+        "lastModified": 1689282004,
+        "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
+        "rev": "e74e68449c385db82de3170288a28cd0f608544f",
         "type": "github"
       },
       "original": {
@@ -382,11 +381,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1689333233,
-        "narHash": "sha256-MRJcuia/nnpN4rigEOZTgDKPjNfaiqr8LfLdqcTJmdc=",
+        "lastModified": 1689352891,
+        "narHash": "sha256-R2WdPDvDzT4h+vgJKd/LcZk/GsGnVONez5/h3ay2jtM=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "62657e12fcad6f4e1180f87031c718787faf8fb1",
+        "rev": "a4d97549d6410c03cfaa13568d025edd0269f8bb",
         "type": "github"
       },
       "original": {
@@ -445,11 +444,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1689192006,
-        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
+        "lastModified": 1689282004,
+        "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
+        "rev": "e74e68449c385db82de3170288a28cd0f608544f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -11,10 +11,10 @@
   # the nixConfig here only affects the flake itself, not the system configuration!
   nixConfig = {
     experimental-features = [ "nix-command" "flakes" ];
+    trusted-users = [ "ryan" ];
 
     substituters = [
       # replace official cache with a mirror located in China
-      "https://mirrors.bfsu.edu.cn/nix-channels/store"
       "https://mirrors.ustc.edu.cn/nix-channels/store"
       "https://cache.nixos.org"
     ];
@@ -70,7 +70,7 @@
     };
 
     # secrets management, lock with git commit at 2023/5/15
-    agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
+    agenix.url = "github:ryantm/agenix";
 
     # AstroNvim is an aesthetic and feature-rich neovim config.
     astronvim = { url = "github:AstroNvim/AstroNvim/v3.32.0"; flake = false; };
@@ -193,7 +193,7 @@
             home-manager.useUserPackages = true;
 
             home-manager.extraSpecialArgs = inputs;
-            home-manager.users.admin = import ./home/darwin;
+            home-manager.users.ryan = import ./home/darwin;
           }
         ];
       };

home/base/server/core.nix

@@ -65,14 +65,14 @@
       enable = true;
       config = {
         pager = "less -FR";
-        theme = "Catppuccin-mocha";
-      };
-      themes = {
-        Catppuccin-mocha = builtins.readFile (pkgs.fetchurl {
-          url = "https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme";
-          hash = "sha256-qMQNJGZImmjrqzy7IiEkY5IhvPAMZpq0W6skLLsng/w=";
-        });
+      #  theme = "Catppuccin-mocha";
       };
+      #themes = {
+       # Catppuccin-mocha = builtins.readFile (pkgs.fetchurl {
+       #   url = "https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme";
+       #   hash = "sha256-qMQNJGZImmjrqzy7IiEkY5IhvPAMZpq0W6skLLsng/w=";
+       # });
+      #};
     };
 
     # skim provides a single executable: sk.

home/darwin/default.nix

@@ -12,9 +12,9 @@
   # Home Manager needs a bit of information about you and the
   # paths it should manage.
   home = {
-    username = "admin";
+    username = "ryan";
     # set homeDirectory make build fail
-    homeDirectory = "/Users/admin";
+    homeDirectory = "/Users/ryan";
 
     # This value determines the Home Manager release that your
     # configuration is compatible with. This helps avoid breakage

hosts/harmonica/default.nix

@@ -11,6 +11,6 @@
     ../../modules/darwin/core.nix
     ../../modules/darwin/apps.nix
 
-    ../../secrets
+    ../../secrets/darwin.nix
   ];
 }

hosts/idols/ai/default.nix

@@ -20,7 +20,7 @@
     # ../../../modules/nixos/remote-building.nix
     ../../../modules/nixos/user-group.nix
 
-    ../../../secrets
+    ../../../secrets/nixos.nix
   ];
 
   nixpkgs.overlays = import ../../../overlays args;

modules/darwin/apps.nix

@@ -11,7 +11,7 @@
 
   system = {
 
-    # activationScripts are executed every time you boot the system or run `nixos-rebuild`.
+    # activationScripts are executed every time you boot the system or run `nixos-rebuild` / `darwin-rebuild`.
     activationScripts.postUserActivation.text = ''
       # activateSettings -u will reload the settings from the database and apply them to the current session,
       # so we do not need to logout and login again to make the changes take effect.
@@ -125,8 +125,19 @@
     };
   };
 
+  # Homebrew Mirror
+  environment.variables = {
+    HOMEBREW_API_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api";
+    HOMEBREW_BOTTLE_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles";
+    HOMEBREW_BREW_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git";
+    HOMEBREW_CORE_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git";
+    HOMEBREW_PIP_INDEX_URL = "https://pypi.tuna.tsinghua.edu.cn/simple";
+  };
+
   homebrew = {
-    enable = true;
+     # TODO Homebrew install takes a long time, 
+     # So only enable this when you make changes.
+    enable = false;
 
     onActivation = {
       autoUpdate = false;
@@ -135,8 +146,17 @@
     };
 
     # Applications to install from Mac App Store using mas.
+    # You need to install all these Apps manually first so that your apple account have records for them.
+    # otherwise Apple Store will refuse to install them.
+    # For details, see https://github.com/mas-cli/mas 
     masApps = {
       # Xcode = 497799835;
+      Wechat = 836500024;
+      QQ = 451108668;
+      WeCom = 1189898970;  # Wechat for Work
+      TecentMetting = 1484048379;
+      NeteaseCloudMusic = 944848654;
+      QQMusic = 595615424;
     };
 
     taps = [
@@ -161,7 +181,6 @@
 
     # `brew install --cask`
     casks = [
-      # broser & editor
       "firefox"
       "google-chrome"
       "visual-studio-code"
@@ -169,13 +188,9 @@
       # IM & audio & remote desktop & meeting
       "telegram"
       "discord"
-      "wechat"
-      "qq"
       "neteasemusic"
       "qqmusic"
       "microsoft-remote-desktop"
-      "wechatwork"
-      "tencent-meeting"
 
       # "anki"
       "clashx"    # proxy tool
@@ -185,7 +200,6 @@
       "raycast"   # (HotKey: alt/option + space)search, caculate and run scripts(with many plugins)
       "iglance"   # beautiful system monitor
       "eudic"     # 欧路词典
-      "baiduinput"  # baidu input method
       # "reaper"  # audio editor
 
       # Development

modules/darwin/core.nix

@@ -14,7 +14,7 @@
   # enable flakes globally
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
-  nix.settings.trusted-users = ["admin"];
+  nix.settings.trusted-users = ["ryan"];
 
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
@@ -44,7 +44,9 @@
   security.pam.enableSudoTouchIdAuth = true;
 
   # Set your time zone.
-  time.timeZone = "Asia/Shanghai";
+  # comment this due to the issue:
+  #   https://github.com/LnL7/nix-darwin/issues/359
+  # time.timeZone = "Asia/shanghai";
 
   # Apps
   # `home-manager` currently has issues adding them to `~/Applications`
@@ -80,9 +82,9 @@
   };
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.admin = {
-    home = "/Users/admin";
-    description = "admin";
+  users.users.ryan = {
+    home = "/Users/ryan";
+    description = "ryan";
 
     # set user's default shell back to zsh
     #    `chsh -s /bin/zsh`

scripts/darwin_set_proxy.py

@@ -12,7 +12,8 @@ from pathlib import Path
 NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist")
 NIX_DAEMON_NAME = "org.nixos.nix-daemon"
 # http proxy provided by clash
-HTTP_PROXY = "http://127.0.0.1:7890"
+# HTTP_PROXY = "http://127.0.0.1:7890"
+HTTP_PROXY = "http://192.168.5.201:7890"
 
 pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
 
@@ -20,6 +21,15 @@ pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
 pl["EnvironmentVariables"]["HTTP_PROXY"] = HTTP_PROXY
 pl["EnvironmentVariables"]["HTTPS_PROXY"] = HTTP_PROXY
 
+# Homebrew Mirror
+pl["EnvironmentVariables"].update({
+  "HOMEBREW_API_DOMAIN": "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api",
+  "HOMEBREW_BOTTLE_DOMAIN": "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles",
+  "HOMEBREW_BREW_GIT_REMOTE": "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git",
+  "HOMEBREW_CORE_GIT_REMOTE": "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git",
+  "HOMEBREW_PIP_INDEX_URL": "https://pypi.tuna.tsinghua.edu.cn/simple",
+})
+
 os.chmod(NIX_DAEMON_PLIST, 0o644)
 NIX_DAEMON_PLIST.write_bytes(plistlib.dumps(pl))
 os.chmod(NIX_DAEMON_PLIST, 0o444)

secrets/darwin.nix

@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+  imports = [
+    agenix.darwinModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default
+  ];
+
+  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+  age.identityPaths = [ 
+    "/Users/ryan/.ssh/juliet-age"  # macOS
+  ];
+
+  age.secrets = {
+    "wg-business.conf" = {
+      file = "${mysecrets}/wg-business.conf.age";
+    };
+
+    # alias-for-work
+    "alias-for-work.nushell" = {
+      file = "${mysecrets}/alias-for-work.nushell.age";
+    };
+    "alias-for-work.bash" = {
+      file = "${mysecrets}/alias-for-work.bash.age";
+    };
+  };
+
+  # place secrets in /etc/
+  environment.etc = {
+    # wireguard config used with `wg-quick up wg-business`  
+    "wireguard/wg-business.conf" = {
+      source = config.age.secrets."wg-business.conf".path;
+    };
+
+    # The following secrets are used by home-manager modules
+    # But nix-darwin doesn't support environment.etc.<name>.mode
+    # So we need to change its mode manually 
+    "agenix/alias-for-work.nushell" = {
+      source = config.age.secrets."alias-for-work.nushell".path;
+    };
+    "agenix/alias-for-work.bash" = {
+      source = config.age.secrets."alias-for-work.bash".path;
+    };
+  };
+
+  # activationScripts are executed every time you boot the system or run `nixos-rebuild` / `darwin-rebuild`.
+  system.activationScripts.postUserActivation.text = ''
+    sudo chmod 644 /etc/agenix/alias-for-work.nushell
+    sudo chmod 644 /etc/agenix/alias-for-work.bash
+  '';
+
+}

secrets/default.nix

@@ -1,68 +0,0 @@
-{ config, pkgs, agenix, mysecrets, ... }:
-
-{
-  imports = [
-    (agenix.nixosModules.default)
-  ];
-
-  environment.systemPackages = [
-    agenix.packages."${pkgs.system}".default
-  ];
-
-  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
-  age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
-
-  ############################################################################
-  #
-  # The following secrets are used by NixOS Modules
-  #
-  ############################################################################
-
-  # wireguard config used with `wg-quick up wg-business`  
-  age.secrets."wg-business.conf" = {
-    # wether secrets are symlinked to age.secrets.<name>.path(default to true)
-    symlink = true;
-    # target path for decrypted file
-    path = "/etc/wireguard/";
-    # encrypted file path
-    file = "${mysecrets}/wg-business.conf.age";
-    mode = "0400";
-    owner = "root";
-    group = "root";
-  };
-
-  # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
-  age.secrets."smb-credentials" = {
-    file = "${mysecrets}/smb-credentials.age";
-  };
-
-
-  ############################################################################
-  #
-  # The following secrets are used by home-manager modules
-  # So they should be readable by the user `ryan`
-  #
-  ############################################################################
-
-  age.secrets."alias-for-work.nushell" = {
-    file = "${mysecrets}/alias-for-work.nushell.age";
-  };
-  age.secrets."alias-for-work.bash" = {
-    file = "${mysecrets}/alias-for-work.bash.age";
-  };
-
-  environment.etc = {
-    "agenix/alias-for-work.nushell" = {
-      source = config.age.secrets."alias-for-work.nushell".path;
-      mode = "0600";
-      uid = 1000;
-      gid = 1000;
-    };
-    "agenix/alias-for-work.bash" = {
-      source = config.age.secrets."alias-for-work.bash".path;
-      mode = "0600";
-      uid = 1000;
-      gid = 1000;
-    };
-  };
-}

secrets/nixos.nix

@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+  imports = [
+    agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default
+  ];
+
+  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+  age.identityPaths = [ 
+    "/home/ryan/.ssh/juliet-age"   # Linux
+  ];
+
+  # Used only by NixOS Modules
+  # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
+  age.secrets."smb-credentials" = {
+    file = "${mysecrets}/smb-credentials.age";
+  };
+
+  age.secrets = {
+    "wg-business.conf" = {
+      file = "${mysecrets}/wg-business.conf.age";
+    };
+
+    # alias-for-work
+    "alias-for-work.nushell" = {
+      file = "${mysecrets}/alias-for-work.nushell.age";
+    };
+    "alias-for-work.bash" = {
+      file = "${mysecrets}/alias-for-work.bash.age";
+    };
+  };
+
+  # place secrets in /etc/
+  environment.etc = {
+    # wireguard config used with `wg-quick up wg-business`  
+    "wireguard/wg-business.conf" = {
+      source = config.age.secrets."wg-business.conf".path;
+    };
+
+    # The following secrets are used by home-manager modules
+    # So we need to make then readable by the user
+    "agenix/alias-for-work.nushell" = {
+      source = config.age.secrets."alias-for-work.nushell".path;
+      mode = "0644";
+    };
+    "agenix/alias-for-work.bash" = {
+      source = config.age.secrets."alias-for-work.bash".path;
+      mode = "0644";
+    };
+  };
+}