In the past I’ve written some bash scripts and tried a few other approaches to managing my dotfiles across systems, but things always fell a bit short. One of the more important decisions in managing them is what to do with the more sensitive files, like private keys, access/secret keys, etc. The kind of stuff you don’t really want to just throw in git as-is.

Recently, I spent some time exploring Universal Blue, a great toolkit/set of images based on the immutable Linux distribution Fedora Silverblue. The docs mention setting up chezmoi for managing your dotfiles, and I decided to give it a try. Needless to say, I think I’m finally happy with an approach to managing dotfiles. What I found most interesting is how it approaches templating: your dotfiles are written as Go templates and can be hydrated from a password manager.

There’s a great getting started guide available here, along with detailed documentation on more of the features.

chezmoi + Password Managers = Magic.

My favorite feature of chezmoi so far is the easy integration with password managers like Bitwarden and LastPass. Access/Secret keys, SSH private keys, and other sensitive files can easily be managed by chezmoi while hosting the dotfiles in a public git repo.

Integrating LastPass and chezmoi

Note: If you’ve enabled git auto-commit/auto-push for chezmoi, it’s probably better to disable it while you’re getting things set up (personally, I keep it disabled). If a file already exists and you add a templated version of it, chezmoi defaults to including the existing file’s contents as-is, so an auto-push would send them straight to your repo. Yikes.

  1. Download LastPass CLI and run lpass login <Your_Username>

  2. Choose a dotfile you’d like to move into LastPass and save the contents of the file as a new note. I like to put these into a chezmoi folder for the sake of keeping organization simple. Be sure to note the folder/name of the note.

  3. Create and edit the template file:

     chezmoi add --template ~/.mySensitiveFile
     chezmoi edit ~/.mySensitiveFile

  4. Delete any existing contents of the file, and replace them with the following line. In this case, I’m referencing the chezmoi folder and a note called mySensitiveFile.

     {{ (index (lastpassRaw "chezmoi/mySensitiveFile") 0).note }}

  5. Apply it!

     chezmoi apply ~/.mySensitiveFile

You may be prompted to re-enter your LastPass password. Afterward, ~/.mySensitiveFile should contain the contents of your LastPass note! 🎉
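
As a check to run before committing or pushing, tied to the note above about templated files being added with their existing contents, here is an added example (not part of chezmoi or the original post) that scans a chezmoi source directory for `.tmpl` files that still look like verbatim copies. The function name and both heuristics are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag chezmoi templates that still hold literal file contents.
# Heuristics (assumptions of this example, not chezmoi behaviour):
#   - a *.tmpl file with no "{{" action is an unedited verbatim copy
#   - a PEM private-key header anywhere in a *.tmpl file is a literal secret
#
# Usage: scan_chezmoi_source "$(chezmoi source-path)"

# scan_chezmoi_source DIR
# Prints one "REASON<TAB>PATH" line per suspicious template.
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR is not a directory.
scan_chezmoi_source() {
    src=$1
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }

    findings=$(
        # Skip the repository metadata, look only at template files.
        find "$src" -name .git -prune -o -type f -name '*.tmpl' -print |
        while IFS= read -r f; do
            if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
                printf 'private-key\t%s\n' "$f"
            elif ! grep -q -F '{{' "$f"; then
                printf 'no-template-action\t%s\n' "$f"
            fi
        done
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A template that only contains the `lastpassRaw` line from step 4 passes; one that was added with `--template` and never edited is reported as `no-template-action`.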

Final Thoughts

chezmoi has lots of other great features that are all worth checking out. When it comes to getting a new system up quickly, loaded with all your dotfiles, it’s a solid choice. Using it alongside something like Distrobox, fleek, or home-manager can be a great way to get up and running fast on any new system. Happy dotfile managing!