feat(darwin): add corporate Mac configuration for MSGMAC-MV69Q140FD

Add darwinConfiguration for work Mac with Determinate Nix support,
corporate VPN SSL inspection workaround (NODE_EXTRA_CA_CERTS), and
work-specific Homebrew casks. Move tailscale-app and mullvad-vpn to
personal.nix since they are not needed on corporate machines.

Author: svnlto

.claude/settings.local.json

@@ -1,4 +1,5 @@
 {
+  "includeCoAuthoredBy": false,
   "permissions": {
     "allow": [
       "Bash(git:*)",
@@ -13,10 +14,14 @@
     ],
     "deny": []
   },
-  "includeCoAuthoredBy": false,
   "enableAllProjectMcpServers": true,
   "outputStyle": "Architect",
   "spinnerTipsEnabled": false,
   "BASH_DEFAULT_TIMEOUT_MS": "300000",
-  "effortLevel": "high"
+  "effortLevel": "high",
+  "enabledMcpjsonServers": [
+    "code-reasoning",
+    "sequential-thinking",
+    "context7"
+  ]
 }

common/claude-code/settings.json

@@ -2,6 +2,10 @@
   "$schema": "https://json.schemastore.org/claude-code-settings.json",
   "includeCoAuthoredBy": false,
   "enableAllProjectMcpServers": true,
+  "statusLine": {
+    "type": "command",
+    "command": "bash ~/.claude/statusline-command.sh"
+  },
   "enabledPlugins": {
     "terraform-skill@antonbabenko": true,
     "terragrunt-skill@jfr992": true,
@@ -10,10 +14,5 @@
   "alwaysThinkingEnabled": true,
   "feedbackSurveyState": {
     "lastShownTime": 1754125509075
-  },
-  "effortLevel": "medium",
-  "statusLine": {
-    "type": "command",
-    "command": "bash ~/.claude/statusline-command.sh"
   }
 }

common/git/default.nix

@@ -51,22 +51,16 @@ in {
           newHighlight = "green bold 22";
         };
       };
-      # SSH signing with 1Password (cross-platform)
-      user.signingkey = signingKey;
-      gpg.format = "ssh";
-      commit.gpgsign = true;
+      gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers";
     } // lib.optionalAttrs isLinux {
       # Linux-specific: 1Password SSH signing
-      # NOTE: Assumes 1Password installed in standard location (/opt/1Password)
-      # If using custom install path, override this in your platform-specific config
-      gpg.ssh = {
-        program = "/opt/1Password/op-ssh-sign";
-        allowedSignersFile = "~/.ssh/allowed_signers";
-      };
-    } // lib.optionalAttrs isDarwin {
-      # macOS-specific: 1Password agent uses SSH_AUTH_SOCK environment variable
-      # No program path needed - handled by 1Password.app integration
-      gpg.ssh = { allowedSignersFile = "~/.ssh/allowed_signers"; };
+      gpg.ssh.program = "/opt/1Password/op-ssh-sign";
+    };
+
+    signing = {
+      key = signingKey;
+      format = "ssh";
+      signByDefault = true;
     };
   };
 

flake.nix

@@ -116,6 +116,14 @@
           username = defaultUsername;
           extraModules = [ ./systems/aarch64-darwin/homebrew/personal.nix ];
         };
+        "MSGMAC-MV69Q140FD" = mkDarwinSystem {
+          hostname = "MSGMAC-MV69Q140FD";
+          username = "hummes1";
+          extraModules = [
+            ./systems/aarch64-darwin/homebrew/work.nix
+            ./systems/aarch64-darwin/corporate.nix
+          ];
+        };
       };
 
       # Linux Home Manager configurations

systems/aarch64-darwin/corporate.nix

@@ -0,0 +1,31 @@
+# Corporate Mac overrides
+#
+# 1. Determinate Nix — disable nix-darwin's Nix management (conflicts with
+#    Determinate's own daemon).
+# 2. VPN SSL inspection — corporate VPN replaces TLS certs with a CA not in
+#    Node's default trust store.  NODE_EXTRA_CA_CERTS fixes this.
+#
+# Refresh the cert bundle after CA rotation:
+#   refresh-corp-ca
+{ lib, ... }:
+
+{
+  # Determinate Nix manages its own daemon; nix-darwin must not compete.
+  # Force-disable all nix.* options that common/ and systems/ set unconditionally.
+  nix.enable = false;
+  nix.optimise.automatic = lib.mkForce false;
+  home-manager.sharedModules = [
+    {
+      home.sessionVariables = {
+        NODE_EXTRA_CA_CERTS = "$HOME/.corporate-ca.pem";
+      };
+
+      programs.zsh.shellAliases = {
+        refresh-corp-ca = ''
+          security find-certificate -a -p /Library/Keychains/System.keychain > ~/.corporate-ca.pem \
+          && security find-certificate -a -p ~/Library/Keychains/login.keychain-db >> ~/.corporate-ca.pem \
+          && echo "Corporate CA bundle refreshed"'';
+      };
+    }
+  ];
+}

systems/aarch64-darwin/homebrew/common.nix

@@ -30,8 +30,6 @@ _:
       # Networking & VPN
       "arc"
       "google-chrome"
-      "tailscale-app"
-      "mullvad-vpn@beta"
 
       # Media & Entertainment
       "vlc"

systems/aarch64-darwin/homebrew/personal.nix

@@ -19,5 +19,8 @@ _:
     "utm"
     "vagrant-vmware-utility"
     "winbox"
+
+    # Networking & VPN
+    "tailscale-app"
   ];
 }