Add support for nix-darwin

[montchr]

This is an updated take on @cmhamill's work in #79 accommodating a lot of recent changes to the module in main. Props to @cmhamill for getting this most of the way there.

I'm tracking this branch in my own system flake and it's working well on macOS. I haven't tested on NixOS.

Fixes #60

[mitchty]

Just as a note from a random nix-darwin user, this all seems to work fine in testing with my own flake setup and thanks for getting it to work!

What I would add to the pr is these outputs to stay close to what home-manager does:

Unstaged changes (1)
modified   flake.nix
@@ -10,6 +10,9 @@
     agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
   in {
 
+    darwinModules.age = import ./modules/age.nix;
+    darwinModule = self.darwinModules.age;
+
     nixosModules.age = import ./modules/age.nix;
     nixosModule = self.nixosModules.age;
 

If anyone else wants to poke around or play along at home, my nix flake config commit using this pr for restic backups is here:
mitchty/nix@ccaf2fa

Thanks again for getting this to work on macos!

[rtimush]

I can also confirm that it works on macos. It's a bit annoying though to remember to run darwin-rebuild on reboot. I guess a launchd service would be needed to overcome this.

[alexghr]

Hey, to add to this, I have migrated my nix config to this fork of agenix and I can confirm that it works with both NixOS and nix-darwin. I've got the same config shared by two different systems 🙌

[rtimush]

As a follow-up to my previous comment, this is the branch that adds a launchd script activating secrets on boot. I haven't tested it too thoroughly, but it works for me.

[misuzu]

Any updates on this?

[ryantm]

This is looking simpler than I remembered! My main concern (beyond needing another round of merge conflict fixes) is having some kind of test for this in GitHub Actions. I'm worried people working only on NixOS will break it by accident.

[ryantm]

Maybe this can provide some inspiration for making a GitHub action for testing this? https://github.com/LnL7/nix-darwin/blob/master/.github/workflows/test.yml

[montchr]

Hey all, sorry for the delay in getting back to this. I did not have access to a Mac for a few months, as I only use it when provided as a work computer and I recently changed employers... After many delays, I now have a new aarch64-darwin laptop running with my existing nix-darwin/home-manager configs.

So with all that said, I'll fix the merge conflicts and look into adding some tests.

[montchr]

Well, quite a lot has changed here in the past few months! The conflicts unfortunately don't appear to have a straightforward resolution, as the underlying approaches changed on main since this branch was originally cut. So I'm thinking it may be best to start this work over on a new branch from the current state of main and compare with my additions on this branch.

[rtimush]

Speaking of the GitHub Action tests, I have actually added some to my branch (rtimush@bc6d151) before I realized that there are so many conflicts to resolve.

[JayRovacsek]

Keen to help if it's needed at all @montchr, super keen to have age behaving nicely under one flake input 😁

[n8henrie]

@ryantm @montchr @rtimush

It looks like this has stalled a bit -- I'm a relatively new nix user and brand new to agenix, looking for a solution for secrets on aarch64-darwin (nix-darwin, my primary machine), aarch64-linux (nixos), and nixos x86_64-linux (nixos), and it looks like agenix is probably the best solution.

Because the merge conflicts were a little too hairy for me to rebase, I tried to manually pluck them out as well as add in the launchd code and the GitHub Actions tests. I've put it together in #141 -- I hope you don't mind me piggybacking off your work.

The provided tests are passing but I don't think it's ready to merge, as I am still trying to figure out how all this works, and trying to make sure I remapped the dependencies properly for things like installNonRootSecrets that no longer exist. I would love if we can get a few extra eyes on this and hopefully get it merged!

[n8henrie]

It's a bit annoying though to remember to run darwin-rebuild on reboot. I guess a launchd service would be needed to overcome this.

@rtimush you might not need the launchd script -- do you have https://daiderd.com/nix-darwin/manual/index.html#opt-services.activate-system.enable enabled (default is true)?

[rtimush]

@n8henrie I do, it's just that nix-darwin only runs a couple of built-in scripts on activation, and any custom scripts we add will not be executed:
https://github.com/LnL7/nix-darwin/blob/3db1d870b04b13411f56ab1a50cd32b001f56433/modules/services/activate-system/default.nix#L39-L40