Personal configuration files, managed with chezmoi. Uses Go templates for hostname-based multi-environment support across work and home machines.
Prerequisites: chezmoi, age, age-plugin-se, age-plugin-yubikey
chezmoi init git@github.com:USER/dotfiles.git
chezmoi apply --init

The --init flag regenerates the chezmoi config from the source template before applying, which is necessary on first run to configure the secrets backend.
Secrets (API URLs, server addresses) are stored in .chezmoisecrets.age — a YAML file encrypted with age. Each machine has a Secure Enclave key via age-plugin-se and a YubiKey backup via age-plugin-yubikey. The file is encrypted for all recipients, so any single key can decrypt it.
Chezmoi's [secret] config calls a wrapper script (chezmoi-secrets) that decrypts and outputs the YAML. Templates access values with:
{{ (secret | fromYaml).some_key | quote }}
Secure Enclave:
mkdir -p ~/.config/chezmoi
age-plugin-se keygen -o ~/.config/chezmoi/age-identity.txt

YubiKey:
age-plugin-yubikey
# Save identity output to ~/.config/chezmoi/age-identity-yubikey.txt

Add both recipient lines (from the identity files) to .chezmoisecrets-recipients.txt in the repo root.

chezmoi-secrets edit

This opens your $EDITOR with an empty file. Write your secrets as YAML:
atuin_sync_server: https://atuin.example.com
mealplan_url: https://mealplan.example.com/api

Save and close. The script encrypts to all recipients and writes .chezmoisecrets.age.
- On the new machine, generate SE and YubiKey identities (see above)
- On an existing machine, add the new recipient lines to .chezmoisecrets-recipients.txt
- Re-encrypt for all recipients: run chezmoi-secrets edit, save without changes
- Commit and push .chezmoisecrets.age and .chezmoisecrets-recipients.txt
- On the new machine:

chezmoi init git@github.com:USER/dotfiles.git
chezmoi apply --init

chezmoi-secrets edit # modify values, save
chezmoi diff # verify rendered templates

Commit .chezmoisecrets.age and push. Other machines pick up changes on next chezmoi update.
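As an added example (not this repository's own script), here is one way the chezmoi-secrets wrapper described above could be written, covering both the decrypt call the [secret] config relies on and the edit flow that re-encrypts for every line in .chezmoisecrets-recipients.txt, which is what makes "save without changes" enough to enrol a new machine. The source-directory path, the age-identity*.txt glob and the decrypt/edit subcommand names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the repo's own script: an illustrative chezmoi-secrets wrapper.
# Assumed layout (file names follow the README):
#   $SRC/.chezmoisecrets.age              age-encrypted YAML
#   $SRC/.chezmoisecrets-recipients.txt   one age recipient per line, '#' comments allowed
#   ~/.config/chezmoi/age-identity*.txt   Secure Enclave and YubiKey identities
set -eu

SRC="${CHEZMOI_SOURCE_DIR:-$HOME/.local/share/chezmoi}"
SECRETS="$SRC/.chezmoisecrets.age"
RECIPIENTS="$SRC/.chezmoisecrets-recipients.txt"
IDENTITY_DIR="$HOME/.config/chezmoi"

# Emit "-r <recipient>" for every non-blank, non-comment line, so the
# recipients file stays the single source of truth for who can decrypt.
recipient_args() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r r; do printf '%s %s\n' -r "$r"; done
}

# Emit "-i <file>" for every identity file present on this machine; age tries
# each, so whichever key is available (SE or YubiKey) unlocks the file.
identity_args() {
  for f in "$1"/age-identity*.txt; do
    if [ -f "$f" ]; then printf '%s %s\n' -i "$f"; fi
  done
}

decrypt() {
  # shellcheck disable=SC2046  # word-splitting of the emitted args is intended
  age -d $(identity_args "$IDENTITY_DIR") "$SECRETS"
}

edit() {
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT          # plaintext never outlives the edit
  if [ -f "$SECRETS" ]; then decrypt > "$tmp"; fi
  "${EDITOR:-vi}" "$tmp"
  # Re-encrypt for the full recipient list; saving unchanged is enough to
  # include a newly added recipient line.
  # shellcheck disable=SC2046
  age $(recipient_args "$RECIPIENTS") -o "$SECRETS" "$tmp"
}

case "${1:-}" in
  decrypt) decrypt ;;
  edit) edit ;;
  "") : ;;   # no subcommand: only define functions (lets the file be sourced)
  *) echo "usage: chezmoi-secrets decrypt|edit" >&2; exit 2 ;;
esac
```

Pointing the [secret] config at this script with the decrypt subcommand gives templates the YAML, and running chezmoi-secrets edit after adding a recipient line performs the re-encryption step listed above.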