Do you not use many packages and only strictly use FOSS tooling? I have a large and growing list of packages that have to be managed in Homebrew still because the package is one of the following:
1. Not available at all in nixpkgs (e.g. Docker Desktop, BetterTouchTool, etc)
2. In nixpkgs, but completely broken or missing some architecture support (e.g. Firefox)
3. Actually available and somewhat functional in nixpkgs, but some significant features don't work because of code signing requirements and needing to be managed in the Applications folder (e.g. 1Password)
Quite a few tools do in fact work well with nix on Mac. Especially if it's FOSS and/or a cli-only based tool. And for FOSS tooling such as Firefox, there is often a convoluted workaround (I'm currently using `github:bandithedoge/nixpkgs-firefox-darwin`). And of course you can always package it yourself by doing things The Hard Way.
But the platform is still quite a ways away from being able to be used as a daily driver on Mac without Homebrew.
Huh, interesting. I did primarily use FOSS and CLI applications. It's been a couple years, so I don't remember what exactly I used it for. I probably installed Docker Desktop via whatever method docker recommends, and I'm not sure about Firefox.
For alacrity, I remember it being annoying to integrate into Mac's launcher, but it otherwise worked.
Pretty much everything else was programming-related and just worked.
If you want graphical apps to be handled by nix on macos, you might be interested in <https://github.com/BatteredBunny/brew-nix>. nixpkgs does not package macos sandboxed apps AFAIK, that means typically only cli utilities, libraries and development tools only work.
Tried this when it was released on HN. It does not work out of the box. There is some problem with launching apps from outside of the applications folder. The trampoline Mac-app-útil approach does not work. Though in theory it probably should for most applications. I don’t know enough about the code signing process to be able to debug what is wrong with it.
I recently tried out mac-app-util¹, which fixes some of the usual pain with GUI apps. In conjunction with brew-nix², it looks like it might be most of what I'll need to move away from having Nix manage Homebrew for me.
I don't use very many GUI apps so now that the installation piece is taken care of, I can just package everything I use if it really comes down to it. That'd be worth it for me just to get rid of the painfully slow `brew` invocations that lurk in my activation scripts.
I tried this exact combination but it did not work out of the box for the apps I tried. For gui apps bundled with brew-nix they will panic due to something about how the code signing keys are copied with brew-nix. The Mac-app-util trampoline launcher does work with the regular way that brew is managed with nix (which under the hood just shells out to brew) though. So the problem is likely related to brew-nix installing apps outside of the Applications folder.
I hacked around a bit trying a few different approaches before giving up and switching back to the regular nix-Darwin homebrew approach. But the issue is probably solvable by someone who knows a lot more about how the code signing process works with Macs and the Applications folder
Ugh! How annoying. Which apps did you try that with? I just gave it a try with a couple random ones. I tried Marta, CyberDuck, IINA, KeePassXC, and CotEditor and they all worked.
(Spotify didn't build because the Brew package doesn't have a hash, and Karabiner Elements didn't build bc idk why, but that's actually in Nixpkgs already and that version works fine.)
I did double-check that I have SIP enabled and everything. I'd be interested in trying to repro!
Aside: that mac-app-util works so nicely for the macOS apps that are already in Nixpkgs makes it feel much more worth it to me to package GUI apps for macOS, if that'll mean I can get rid of `brew` entirely. I wonder if this will spur others to also package more GUI apps this way.
1Password and docker desktop are two good test subjects. 1Password especially is the one I mentioned above as being a problem child in general with nix setups on Mac
VScode in particular was the one that broke for me, though that is actually available and mostly functional in nixpkgs so that one is not a showstopper.but might be a good test case to repro
I just tried 1Password and it refused to start not being in `/Applications`. I've seen this happen with one other app (Secretive), although it doesn't quite refuse to run. I can't remember all the details, but I think it has to do with a limitation in newer versions of macOS, where apps that try to register launchd services can only do so if they live in /Applications rather than ~/Applications. The problem with launching those background services from binaries that live in ~/Applications disappears if you disable SIP. When I first encountered it, it made me wonder if ~/Applications is not really supported on modern macOS. I wish I could find the issue for that but I didn't, when I looked just now. :-\
1Password definitely acts weird for me, to where I kind of wonder if the .app folder is malformed somehow. The version installed in the Nix store actually works fine-- but not if I double-click it or open it with the `open` command. In that case it kinda acts like something is going to launch but then it never comes up. But if I manually invoke `/Applications/Nix\ Apps/1Password.app/Contents/MacOS/1Password` from my terminal, it starts up fine! But when I directly launch that executable from Finder, the application does not start and I see that same message about not living in /Applications printed in the terminal. Idk why 1Password refuses to run from anywhere other than /Applications but that seems to be it's message rather than the operating system's.
It's a shame 1Password's Mac app can't run from the Nix store. They clearly have at least one Nixer at the company because they have cool integrations like this:
I couldn't even get the Docker Desktop package to build from `brew-nix`. OrbStack in the Nix store died on signature errors, but when I visited Security & Privacy in System Preferences after that, there was a little notice that OrbStack had been blocked from running because it was from an unrecognized developer, with the option to allow it. After being allowed, it seemed to work as normal. Same for Podman Desktop.
Why do the signatures for those apps end up getting replaced with this setup anyway?
As for your first question, about why 1Password refuses to run outside of Applications, I’m pretty sure it’s security. There is something special about Applications on MacOS that apparently AgileBits views as an attack vector when run outside of it.
I was curious about your final question as well, but I know little about how this works. The error when I tried vscode looked to be that the signature had gotten malformed somehow during brew-nix’s copy operation but since I had no idea what a correct signature should even look like I got stumped there.
1. Not available at all in nixpkgs (e.g. Docker Desktop, BetterTouchTool, etc)
2. In nixpkgs, but completely broken or missing some architecture support (e.g. Firefox)
3. Actually available and somewhat functional in nixpkgs, but some significant features don't work because of code signing requirements and needing to be managed in the Applications folder (e.g. 1Password)
Quite a few tools do in fact work well with nix on Mac. Especially if it's FOSS and/or a cli-only based tool. And for FOSS tooling such as Firefox, there is often a convoluted workaround (I'm currently using `github:bandithedoge/nixpkgs-firefox-darwin`). And of course you can always package it yourself by doing things The Hard Way.
But the platform is still quite a ways away from being able to be used as a daily driver on Mac without Homebrew.