It’s for things like dotfiles, apt/brew packages, and LaunchAgents/systemd.
EDIT: I feel a little bad having hijacked this, as someone that hears a lot of opinions about devtools I can definitely say chezmoi is a darling of the community and I highly recommend checking it out.
Being able to centralize this config is far more attractive than having a separate Ansible or pyinfra process.
Edit: The docs on this are very encouraging! However, it is not clear- what is experimental? Anything notably buggy or churning? Any far off features you hope to implement some day?
I’d argue it’s a good time to play with features since if you have any ideas on how it might better fit your workflow I still have the ability to change the design before it’s largely frozen.
Hopefully can use this alone instead of needing to combine w/ chezmoi / nix to get everything shell and pkg manager agnostic, consistent, and DRY (bash/zsh/fish + macports/pkgsrc/brew).
The "exception" to that are linux package managers like apt-get and dnf which it calls under the hood. I think can't be an actual issue since it's not like you would ever use ubuntu/redhat without their system package manager installed.
Some months ago I ported part of my git bare repo to chezmoi but never really picked it up since, even if I see it as a great and very complete tool for managing complex dotfiles, I don't have many machines and can live by with a bunch of if uname -s, and the fact that I still need to wrangle brewfiles and scripts for packages. Having the sytem package managers glue along the configs and symlinks is exactly what I wanted.
Thanks so much for your work on mise! I used to be a heavy asdf user but nowadays I'm an even heavier mise user!
Random question while you're here: mise is undergoing pretty heavy development these days and I recently noticed that 1) my coworkers and I are not always on the same version, so some features/bug fixes are not available to everyone, and 2) package registries often don't have the latest mise version.
So I think we need a meta tool manager here to manage the tool manager version. :) Seriously, though, have you considered having mise manage its own version? I think that'd be pretty neat!
Thinking aloud, I guess one way to do this might be to distribute through package registries only a lightweight bootstrap application, which 1) reads the pinned mise version from mise.toml and downloads it as necessary, and 2) sets up a basic shell hook that the active mise version can then hook into(?) I know, this probably sounds a lot easier than it actually is.
I would make use of min_version. It's not perfect, but will at least help bring laggards along.
I think Chezmoi's templates and file naming conventions don't click for me, but it's nice to see a good variety in this problem space.
* Permission management, so that ssh wouldn't refuse to log you in because ~/.ssh/authorized_keys is 0755 instead of 0644.
* Templating, because ~/.ssh/config has slightly different options on Mac and Linux, so you can't use the exact same file contents as-is on both systems.
I can run `chezmoi apply` and get all the files in the right places and they're all setup just right. Like so many others, I'd previously built my own ad-hoc system to handle these things, and it ended up looking like a crappy, half-baked version of Chezmoi. When it came up on my radar I immediately ported my own system over to it and never looked back.
For a System administrator the problem is many orders of magnitude worse
I don't understand what makes it more understandable than Home Manager, though.
If you look at the source of a Home Manager `programs.foo` module, it should look mostly like this:
home.packages = [ cfg.package ];
xdg.configFile."foo/config.yaml".source = yamlFormat.generate "config.yaml" cfg.settings;
With some programs it is as simple as you show, but with others there are options around the config and other nix module nasties that I avoid if I can. hjem-rum is a sister project to hjem that provides some similar modules.
Thanks for the recommendation.
One major benefit for me is that I no longer need to have once-in-a-while tools installed, because I can always spin up a temporary shell with `nix-shell -p packageName`. This significantly decreased the amount of software I have in my environment.
This works great with agentic coding. Agent wants to run `ripgrep`, but you don't have it? Tell it to run `nix run nixpkgs#ripgrep` instead.
But the biggest benefit is that now that you know Nix! So you can start using it to create reproducible development environments and uninstall mise, asdf, nvm, pyenv, etc. You can spin up reproducible servers running NixOS and never touch Ansible again. You can even install it in your router.
Or you can do none of that and continue just using it for your dotfiles. It plays nice with other tools.
About 6 weeks ago I installed NixOS on a spare laptop and did 100% of the configuration through Claude Codex. Initially I copied "/etc/nixos" off to my existing workstation, until Claude Code bootstrapped it enough to run on the NixOS machine.
I've been running it as my primary workstation for the last 3-4 weeks, and it's been great! 100% configured by Claude Code or Codex CLI.
Configuring a machine via Nix lang is not that fun. Configuring a machine via English is.
And I've thrown some curveballs at this setup. I asked it for gitbutler-cli, which NixOS doesn't/didn't provide, and it was able to package up and build it. It's running Sway. I have my secrets and configs in SOPS+Home Manager.
And in return one gets a saner programming language than the Nix language.
I like mise, but at the end of the day some programs are more complex than just pulling a precompiled, dynamically linked binary and hoping it works.
I thought it was the former but "just pulling a precompiled, dynamically linked binary and hoping it works" makes me think we're not on the same page since to me that has nothing to do with dotfiles.
Also noting that I don't see the problem as "dotfile management" but as "system AND user configuration management" which extends beyond some plain text files in $HOME.
ed.: and home manager is just one tool which provides not only dotfile management, but drvs for installing particular programs and configuring then in highly opinionated ways -- I do not use it
This is a serious problem in Nix too. I often trip over buggy and abandoned Nix packages. Nix often makes it easy to roll back or work around them, but they're absolutely there.
Are you really in this thread to talk about dotfile managers, or are you here to criticize Nix, given that Nix directly competes with your company's only product?
tfrancisl was polite (even though I arguably wasn’t in the beginning) so I felt it important to return the favor.
And `home-manager` is maybe the most glaring instance of a tool that is demonstrably ill-posed where the "you're holding it wrong" from the community is a the community problem, not anyone holding anything wrong. From the Zed editor configuration stanza in `home-manager`: https://github.com/nix-community/home-manager/blob/a78606767.... That's not a Zed problem, that's a Nix problem. No one is holding it wrong, XDG config paths get mutated.
Another example and this is the one that really shows the shape of the thing: https://github.com/nixified-ai/flake/blob/bbd3a04fa1ae294096....
There is absolutely nothing "impure" about taking content-addressed bytes from a CAS (Xet in this instance) and surfacing them as a derivation. The "impurity" is called a "coeffect" and the action over the coeffect is called "grade discharge". This is thoroughly studied and works properly, it can cope with all of these cases and it's creates scope for dramatically more reproducible systems that are much easier to reason about (they are possible to reason about). Also, if you can't download shit from HuggingFace in 2026 without a weird hack where the name of the field is a scolding? That's gonna be putting downward pressure on adoption.
And most of the high-friction shit in Nix is like this, ignorance hardened into dogma hardened into theology. To wit:
- FHS vs. zany one-of-a-kind filesystems are nothing to do with purity or hermeticity or reproducibility, it's pure theology and the constant breakage with all the `patchFail` jank is at this point a jobs program, it's totally unnecessary. Namespaces/unshare, we have all the stuff to do this properly (`patchelf` and `unshare --bind-mount` are mathematically dual but only one blows content addressing).
- `drv` hash addressing is a reproducibility war crime. Floating CA is fine it's just broken upstream and in Determinate, it's not a valid ideological debate, it's bugs.
- there is absolutely no reason why the builder where a binary is produced needs to have the same filesystem layout or find libraries in the same place as the resulting artifact runs in any more than an adult needs to live in the same house they grew up in. `patchelf` works.
- having `libcuda.so.1` and friends at `/run/opengl-driver/lib` is dark comedy and source builds of `NCCL` when NVIDIA-certified binaries are in a wheel (zip file) on PyPI is the sequel. this is straight up bad for the planet and we should feel bad we haven't fixed it.
I could go on, but the main point for this thread is to the people who are on the fence about Nix: you're not holding it wrong the `nixpkgs` maintainers are holding it wrong, and more and more of us are getting serious about fixing it. Don't give up on declarative and reproducible systems that you can reason about because Nix is stuck in a weird place as software and as a community. There are reformers on the case.
This is just a mechanism for the builder to inject credentials during fetch time. The derivation is still content addressed (it's a fixed output derivation).
The derivation isn't even marked as impure or whatever. There is just an environment variable that gets injected by the builder into the build env so you can authenticate.
This is required to talk to hugging face
What are you on about?
Or do you mean that the cas address of HF should directly be addreessable in nix itself?
Silently smuggling environment variables into a builder means the build is not reproducible, nor is it possible to know a-priori whether the build is reproducible. Nix reverts to the same level of guarantee you get from Ubuntu or whatever without the convenience of Ubuntu: Docker is dramatically more principled!
The galaxy brain people who do real mathematics of whom I am merely a humble fan worked this one out. The credential is a "coffect", which is a generalization of this sort of thing that is tracked ("graded") and accounted for ("discharged"), a process that allows you to reason about your system (to for example know that a massive build is going to be useless before you do it since you don't have the credential for the model you were trying to run with the thing you built).
Punching random holes in Nix is worse than just disabling the sandbox or whatever other BDSM thing, because if you aren't going to get correct you might as well get easy.
Why put up with Nix's bullshit if it's still going to be less correct than Docker anyways? Most people agree (c.f. Docker as opposed to Nix winning too hard in the market).
My approach is different: unfuck Nix.
Worse is not better any more than a tough man stops short of a tender chicken. Better is better.
https://gist.github.com/b7r6/57b9057b87a56e98c4d306d83eed5dc...
I've been using (and contributing to) chezmoi for ~6 years now. Given that it has first-class integration with secrets managers, I suspect that it does things that Home Manager can't.
I did too. Until I tried configuring it with Claude Code. I'll give you my money back guarantee on it.
Ultimately, my workplace setup is what has the most gravity. And the most I can get most workplaces to standardize on is Homebrew for package management of off-the-shelf software. Nix is so far outside of the wheelhouse for most engineers that I can't even propose it. It would be too much of a distraction for too many people for too long that it's just not seen as worth it and it's not worth spending the political capital on the attempt. Employers would literally prefer to run scripts from a whitewashing, barely-auditable Jenkins instance with parameterized jobs than to attempt to figure out how to distribute portable scripts and get everyone's permissions working.
So I need to pick software that will cooperate with other tools in an unstable fashion, rather than software that attempts to fully and exclusively control the environment to provide guarantees. Chezmoi fits. Nix and home-manager do not.
You can run Nix and Home Manager on macOS or any Linux distro. You don't even need root.
It works exactly like you describe: it provides its guarantees for all software that you manage through Nix, and doesn't get in the way of software that you don't manage through Nix.
Unlike with NixOS, you can run binaries that expect an FHS-compliant system just fine.
You can just silently use it and enjoy the convenience for the declarative parts of your setup, with no detriment to your ability to run the imperative, ad-hoc setup scripts that your company requires.
I don't really recommend it to others, since there's all these great tools that have the features you need (per-machine config, secrets, templating), but I get a deep satisfaction from the fact that I understand every part of this setup from top to bottom. It only has the functionality I need, and I know it doesn't depend on anything that might become unmaintained since it's just POSIX shell scripts.
Even still, I might eventually make the jump to something like chezmoi or nix if I'm not able to implement something I need easily, but that hasn't happened yet.
The last few years I've rarely had to switch machines, so maybe chezmoi is overkill now, but it works well, so I'm in no rush to simplify again just for the sake of it (and who knows if I'll need chezmoi's features for real again in the future).
I thought about using any one of those tools but happily chose shell scripts and symlinks instead. It hasn't let me down in almost a decade with https://github.com/nickjj/dotfriedrice and would highly recommend this approach.
It's basically a 2,500 line shell script to fully automate setting up a system from scratch in a general purpose / opinionated but customizable way that works on Arch Linux, Debian, Ubuntu, macOS and supports WSL 2 in Windows. I have it running on multiple systems, no need to even fork it since it uses patterns suitable for making changes in git ignored files and also has a config file for certain things.
When it comes to setting up a complete desktop environment or even just terminal based tools, dotfiles IMO are more than config files. There's install scripts, packages, system level configs, running commands, OS specific differences and more. It's really nice to be able to run 1 command and have a fresh system ready to go in about 10 minutes.
Shell script is probably my favorite language at this point.
I have stow too in my micro DE, use it across a few machines and it's holding up really well. I designed my dotfiles so that changes would happens exclusively to files not tracked by stow. I have .zshrc tracked, but environment goes to .zshenv and general local customisation goes to .local/lib/zsh/overrides.zsh (https://gitlab.com/gabriel.chamon/archie/-/blob/main/deploym...). Hyprland config is tracked but device specific configs live in .config/hype/config/device.conf (https://gitlab.com/gabriel.chamon/archie/-/blob/main/deploym...). Deployment instructions/automation is to just copy dist folders in place, which aren't tracked by stow.
It depends on everyone's style. For me personally changes I don't remember having made to files I track in the repo are symptoms that I might need to review how I organize my files. Maybe those changes were something that broke and I forgot to commit after fixing. In any case for me this bidirectional nature of symlinks are a feature, not a bug in this management system.
I like that when combined with `mise` (https://mise.jdx.dev) I can roll out a new computer in 2-3 commands and have my entire environment configured the way I like, with neovim and all the plugins and language servers.
That way I don't have to remember to commit+push+pull changes to existing dotfiles (like bashrc or vimrc which I edit often) to sync them to other machines, it happens automatically in almost real time as soon as the file is saved on one of my machines (syncthing uses inotify to detect changes on monitored directories)
Pretty snazzy, watching YouTube in Firefox on a 13 year old laptop with hardware h264 decode and everything tuned exactly to my liking.
Now I want to use Nix* to manage my multi-machine MacOS and Linux setup (with lots of dotfile config overlap, of course).
That’s the HN experience for you.
Kind souls: what is currently the blessed way to manage MacOS dots with Nix? I recall there is more than one paradigm - what’s the approach that simplest, most robust and can be adopted incrementally?
Edit: Just to say that I think Atuin now also plays in this space. Haven’t checked it out, though.
I treat my powerful desktop computer as my main machine. Then I have a bunch of laptops.
Then I just rsync my entire home directory out to all the laptops.
From there. The rule is quite simple. Any file created on a laptop are considered ephemeral. If I create data that I have to keep. It gets rsynced back the other direction to the main machine.
This process has served me well for at least 15 years now and is supported by a small handful of shell scripts to automate this process
> rsync my entire home directory out to all the laptops
> This process has served me well for at least 15 years now and is supported by a small handful of shell scripts to automate this process
I feel in a similar way but not with shell scripts. Ruby autogenerates them if I need them too. Ruby is my ultimate glue to hold together everything.
Chez moi is definitely not without its rough edges but it seems to have gotten the subtle essentials right enough for adhd me to not have abandoned it yet.
`make dotfiles` just creates a bunch of symlinks, takes 5 minutes, all good and happy. Everything is modular, declarative, simple. Never looked back.
stow is an indispensable tool for me to manage /usr/local for manually installed software. my workflow goes:
./configure --prefix=/usr/local/stow/myapp
make && make install
stow myapp
stow -D myapp module load myapp
module unload myapp
[1]: https://modules.readthedocs.io/en/latest/ [2]: https://lmod.readthedocs.io/en/latest/
Yadm is another alternative, the main thing I don't like about it though is that I'm not a fan of cross OS dotfiles. Having niri files on my work Mac and aerospace dotfiles on Linux annoys me quite a bit.
As powerful as the templating in chezmoi is, I think it should be considered a last resort and only used for simple files. They break your editor features like highlighting.
> Having niri files on my work Mac and aerospace dotfiles on Linux annoys me quite a bit
> They break your editor features like highlighting
My configuration lives primarily in .yml files. These are kept super-simple. When need be and another format is required, ruby autogenerates these for me. For instance, all my bash aliases are kept in .yml files which then get turned into bash rc files or any other target format for other shells. Same for most of my other configuration too - not always .yml but usually some text file. I never understood the neet for .foobar directories or files. They just hide a system that is intrinsically ugly and needlessly complicated.
;)