Closes#1032
Add `"check"` to the `onActivation.cleanup` enum. When set, nix-darwin runs
`brew bundle cleanup` during system checks to detect Homebrew packages that
are installed but not present in the generated Brewfile. If extra packages
are found, activation fails with a list of them and remediation steps.
Unlike `"uninstall"` and `"zap"`, the `"check"` mode never removes packages
-- it only reports. This runs during both `darwin-rebuild check` and
`darwin-rebuild switch`, matching the behavior of all other system checks.
Add `enableBashIntegration`, `enableFishIntegration`, and
`enableZshIntegration` options that evaluate `brew shellenv` to set up
Homebrew's environment and shell completions. This automates the
boilerplate that every nix-darwin Homebrew user currently writes manually.
All three shells use `interactiveShellInit`, consistent with direnv and
home-manager conventions. Fish additionally sets up completions paths in
the same hook.
Closes#596
`homebrew.brewPrefix` defaulted to the bin directory (`/opt/homebrew/bin`),
not the actual Homebrew prefix (`/opt/homebrew`). This misled users into
writing `${config.homebrew.brewPrefix}/bin`, producing the broken path
`/opt/homebrew/bin/bin`.
Replace it with `homebrew.prefix`, which has correct semantics matching
`brew --prefix`. The old `brewPrefix` option is removed using
`mkRemovedOptionModule`, which catches both users who set the option and
users who read it in custom code. A warning also fires if the new `prefix`
value ends with `/bin`, catching users who copy the old value verbatim.
Homebrew Bundle removed lockfile support in Homebrew 4.4.0 (Oct 2024):
the `--no-lock` CLI flag, the `HOMEBREW_BUNDLE_NO_LOCK` env var, and
the `no_lock` parameter in `installer.rb` are all dead code. Setting
`homebrew.global.lockfiles` has had no effect on current Homebrew
versions.
- Replace the `lockfiles` option with a hidden stub (matching `noLock`)
- Replace the `noLock` hard assertion with a shared deprecation warning
for both options
- Stop setting `HOMEBREW_BUNDLE_NO_LOCK` in `environment.variables`
- Remove the lockfiles paragraph from the `brewfile` option description
Whalebrew support was fully removed from Homebrew Bundle in
Homebrew 4.7.0 (Nov 2025). A `whalebrew` entry in a Brewfile now
raises `RuntimeError: Invalid Brewfile: undefined method 'whalebrew'`,
breaking the entire `brew bundle` invocation.
Use `mkRemovedOptionModule` so that existing configs get a clear
warning instead of an undefined-option error. Also removes the
auto-addition of `"whalebrew"` to `homebrew.brews` and the Brewfile
generation for Docker containers.
Add support for `cargo "pkg"` entries in the generated Brewfile. Homebrew
Bundle supports installing Rust crates via `cargo install`; the `rust`
formula is automatically installed if not already present.
Add support for `go "pkg"` entries in the generated Brewfile. Homebrew
Bundle supports installing Go packages via `go install`; the `go`
formula is automatically installed if not already present.
Both `brew bundle` formula and cask installers support a `postinstall`
option -- a shell command to run after the package is installed or
upgraded. The command only executes when the package actually changed,
not on every `brew bundle` run.
Examples from the Homebrew docs added to the `homebrew.brews` and
`homebrew.casks` option examples and tests.
Homebrew supports `link: :overwrite` which runs `brew link --overwrite`,
force-overwriting existing symlinks. Extract the existing
`restart_service` special-case logic into a reusable helper
(`mkBrewfileLineBoolOrSymbolString`) for options that can be either a
bool or a Ruby symbol in the Brewfile.
We ran into this issue wherein GitHub's `actions/checkout` would fail
because `git-config` would fail to include additional configuration.
The symptom was:
```
Error: fatal: could not read Username for 'https://github.com': terminal prompts disabled
```
And is caused by `git config --local includeIf.gitdir:/var/lib/github-runners/_work/…`.
Wherein `git` apparently resolves (canonicalizes) the current repository
path which then does not match the argument for `includeIf.gitdir` which
then means the configuration that `actions/checkout` is trying to apply
does not get pulled in, which then prevents git from authenticating with
GitHub and fails the build.
Ngl, gemini 3 found that out for me.
We could prefix `/private` everywhere, but changing the user's home
directory is going to [be tricky], not sure what do to about that.
[be tricky]: 7e22bf538a/modules/users/default.nix (L208)
Addresses an error like the following:
```sh-session
$ sudo darwin-rebuild --verbose --print-build-logs switch
building the system configuration...
fetching git input 'git+file:///private/etc/nix-darwin'
error:
… while evaluating an expression to select 'drvPath' on it
at «internal»:1:552:
… while evaluating strict
at «internal»:1:552:
(stack trace truncated; use '--show-trace' to show the full trace)
error: 'vim_configurable' has been renamed to/replaced by 'vim-full'
```
See <853d9f31ea>
Fixesnix-darwin/nix-darwin#1622
Adds a new `services.dnsmasq.servers` option to configure upstream DNS servers. This allows users to specify which DNS servers dnsmasq should forward queries to, supporting domain-specific routing and custom ports.
When empty (default), dnsmasq uses servers from /etc/resolv.conf.
Signed-off-by: Wigger Boelens <me@wigger.email>
