Take back your dotfiles with Chezmoi

In Linux, dotfiles are hidden text files that are used to store various configuration settings for many such as Bash and Git to more complex applications like i3 or VSCode.

Most of these files are contained in the ~/.config directory or right in the home directory. Editing these files allows you to customize applications beyond what a settings menu may provide, and they tend to be portable across devices and even other Linux distributions. But one talking point across the Linux enthusiast community is how to manage these dotfiles and how to share them.

We will be showcasing a tool called Chezmoi that does this task a little differently from the others.

The history of dotfile management

If you search GitHub for dotfiles, what you will see are over 100k repositories after one goal: Store people’s dotfiles in a shareable and repeatable manor. However, other than using git, they store their files differently.

While Git has solved code management problems that also translates to config file management, It does not solve how to separate between distributions, roles (such as home vs work computers) secrets management, and per device configuration.

Because of this, many users decide to craft their own solutions, and the community has responded with multiple answers over the years. This article will briefly cover some of the solutions that have been created.

Experiment in an isolated environment

Do you want to try these below solutions quickly in a contained environment? Run:

$ podman run --rm -it fedora

… to create a Fedora container to try the applications in. This container will automatically delete itself when you exit the shell.

The install problem

If you store your dotfiles in Git repository, you will want to make it easy for your changes to automatically be applied inside your home directory, the easiest way to do this at first glance is to use a symlink, such as ln -s ~/.dotfies/bashrc ~/.bashrc. This will allow your changes to take place instantly when your repository is updated.

The problem with symlinks is that managing symlinks can be a chore. Stow and RCM (covered here on Fedora Magazine) can help you manage those, but these are not seamless solutions. Files that are private will need to be modified and chmoded properly after download. If you revamp your dotfiles on one system, and download your repository to another system, you may get conflicts and require troubleshooting.

Another solution to this problem is writing your own install script. This is the most flexible option, but has the tradeoff of requiring more time into building a custom solution.

The secrets problem

Git is designed to track changes. If you store a secret such as a password or an API key in your git repository, you will have a difficult time and will need to rewrite your git history to remove that secret. If your repository is public, your secret would be impossible to recover if someone else has downloaded your repository. This problem alone will prevent many individuals from sharing their dotfiles with the public world.

The multi-device config problem

The problem is not pulling your config to multiple devices, the problem is when you have multiple devices that require different configuration. Most individuals handle this by either having different folders or by using different forks. This makes it difficult to share configs across the different devices and role sets

How Chezmoi works

Chezmoi is a tool to manage your dotfiles with the above problems in mind, it doesn’t blindly copy or symlink files from your repository. Chezmoi acts more like a template engine to generate your dotfiles based on system variables, templates, secret managers, and Chezmoi’s own config file.

Getting Started with Chezmoi

Currently Chezmoi is not in the default repositories. You can download the current version of Chezmoi as of writing with the following command.

$ sudo dnf install https://github.com/twpayne/chezmoi/releases/download/v1.7.17/chezmoi-1.7.17-x86_64.rpm

This will install the pre-packaged RPM to your system.

Lets go ahead and create your repository using:

$ chezmoi init

It will create your new repository in ~/.local/share/chezmoi/. You can easily cd to this directory by using:

$ chezmoi cd

Lets add our first file:

chezmoi add ~/.bashrc 

… to add your bashrc file to your chezmoi repository.

Note: if your bashrc file is actually a symlink, you will need to add the -f flag to follow it and read the contents of the real file.

You can now edit this file using:

$ chezmoi edit ~/.bashrc

Now lets add a private file, This is a file that has the permissions 600 or similar. I have a file at .ssh/config that I would like to add by using

$ chezmoi add ~/.ssh/config

Chezmoi uses special prefixes to keep track of what is a hidden file and a private file to work around Git’s limitations. Run the following command to see it:

$ chezmoi cd

Do note that files that are marked as private are not actually private, they are still saved as plain text in your git repo. More on that later.

You can apply any changes by using:

$ chezmoi apply

and inspect what is different by using

$ chezmoi diff

Using variables and templates

To export all of your data Chezmoi can gather, run:

$ chezmoi data

Most of these are information about your username, arch, hostname, os type and os name. But you can also add our own variables.

Go ahead and run:

$ chezmoi edit-config

… and input the following:

         email = "fedorauser@example.com"
         name = "Fedora Mcdora"

Save your file and run chezmoi data again. You will see on the bottom that your email and name are now added. You can now use these with templates with Chezmoi. Run:

$ chezmoi add  -T --autotemplate ~/.gitconfig

… to add your gitconfig as a template into Chezmoi. If Chezmoi is successful in inferring template correctly, you could get the following:

         email = "{{ .email }}"
         name = "{{ .name }}"

If it does not, you can change the file to this instead.

Inspect your file with:

$ chezmoi edit ~/.gitconfig

After using

$ chezmoi cat ~/.gitconfig

… to see what chezmoi will generate for this file. My generated example is below:

[root@a6e273a8d010 ~]# chezmoi cat ~/.gitconfig 
     email = "fedorauser@example.com"
     name = "Fedora Mcdora"
 [root@a6e273a8d010 ~]# 

It will generate a file filled with the variables in our chezmoi config.
You can also use the varibles to perform simple logic statements. One example is:

{{- if eq .chezmoi.hostname "fsteel" }}
# this will only be included if the host name is equal to "fsteel"
{{- end }}

Do note that for this to work the file has to be a template. You can check this by seeing if the file has a “.tmpl” appended to its name on the file in chezmoi cd, or by readding the file using the -T option

Keeping secrets… secret

To troubleshoot your setup, use the following command.

$ chezmoi doctor 

What is important here is that it also shows you the password managers it supports.

[root@a6e273a8d010 ~]# chezmoi doctor
 warning: version dev
      ok: runtime.GOOS linux, runtime.GOARCH amd64
      ok: /root/.local/share/chezmoi (source directory, perm 700)
      ok: /root (destination directory, perm 550)
      ok: /root/.config/chezmoi/chezmoi.toml (configuration file)
      ok: /bin/bash (shell)
      ok: /usr/bin/vi (editor)
 warning: vimdiff (merge command, not found)
      ok: /usr/bin/git (source VCS command, version 2.25.1)
      ok: /usr/bin/gpg (GnuPG, version 2.2.18)
 warning: op (1Password CLI, not found)
 warning: bw (Bitwarden CLI, not found)
 warning: gopass (gopass CLI, not found)
 warning: keepassxc-cli (KeePassXC CLI, not found)
 warning: lpass (LastPass CLI, not found)
 warning: pass (pass CLI, not found)
 warning: vault (Vault CLI, not found)
 [root@a6e273a8d010 ~]# 

You can use either of these clients, or a generic client, or your system’s Keyring.

For GPG, you will need to add the following to your config using:

$ chezmoi edit-config
   recipient = "<Your GPG keys Recipient"

You can use:

$ chezmoi add --encrypt

… to add any files, these will be encrypted in your source respository and not exposed to the public world as plain text. Chezmoi will automatically decrypt them when applying.

We can also use them in templates. For example, a secret token stored in Pass (covered on Fedora Magazine). Go ahead and generate your secret.

In this example, it’s called “githubtoken”:

rwaltr@fsteel:~] $ pass ls
 Password Store
 └── githubtoken
 [rwaltr@fsteel:~] $ 

Next, edit your template, such as your .gitconfig we created earlier and add this lines.

token = {{ pass "githubtoken" }}

Then lets inspect using:

$ chezmoi cat ~/.gitconfig
[rwaltr@fsteel:~] $ chezmoi cat ~/.gitconfig 
 This is Git's per-user configuration file.
           name = Ryan Walter
           email = rwalt@pm.me
           token = mysecrettoken
 [rwaltr@fsteel:~] $ 

Now your secrets are properly secured in your password manager, your config can be publicly shared without risk!

Final notes

This is only scratching the surface. Please check out Chezmoi’s website for more information. The author also has his dotfiles public if you are looking for more examples on how to use Chezmoi.

Fedora Project community


  1. Yaroslav

    To store dotfiles in a VCS it’s enough to have a bare git repository (see https://www.atlassian.com/git/tutorials/dotfiles for the full recipe).
    Your tool seems to contradict the UNIX philosophy that there should be one instrument for each task. To create dotfiles from templates seems an ununderstandable overhead here.

      1. Linux isn’t UNIX.
      2. There is more than one philosophy for tools.
      • Yaroslav

        What exactly in your comment should be not obvious for Linux users?
        Linux belongs to the UNIX family. See https://en.wikipedia.org/wiki/Linux
        Yes, I’m aware of the existence different philosophies. UNIX philosophy is pretty good though. Care to explain what philosophy or good programming patterns this tool follows?

        • Sebastiaan Franken

          No, it doesn’t. Linux is a UNIX-like (with emphasis on the like part) OS family. It’ s not part of the UNIX family.

          Also, “good programming patterns” seem to change every six months or so…

    • I would disagree, I would say it embraces the Unix philosophy.

      It does one thing well, it builds your dotfiles based on a template. It does not solve encryption. It uses GPG to do that, it does not solve password management. It uses password managers for that. It does not solve code revisioning. It uses Git (or any of your choosing)

      I was originally using git with stow. Which would be similar to your config alias. But when I was installing to other systems. I would have to chmod all my private files. I also was attempting to branches to separate my roles. But found that managing the commits between the two branches a bit of a chore.

  2. ergr

    I have symlink to my config file for example .vimrc

    mc alvways ask me breaking simlink or no. How tell mc tho stop ask me? In normal hard link too!

  3. I am using dotdrop, which also does many of these except the secrets management and templating (AFAIK).

    Seems I need to look into chezmoi, thanks for sharing!

  4. Stephen

    A timely article for me as I was in the process of cleaning up my dot files again. I was using stow, but had seen some drawbacks with it over time. I set up chezmoi, and have it covering the primary dot files with intentions of adding all of them in eventually. The biggest issue I am having currently is trying to stop old habits from interfering with it, like editing a file with Vim instead of chezmoi edit. I use Silverblue, so it would be nice if this was layered from an official package repo or COPR at least. Ideally, it should be able to be a flatpak quite easily.

    • Have you started using templates yet? If you edited your file and it’s not a template. You can re-add it using Chezmoi add and it would achieve the same affect.

      This took me some time to adapt to as well. But Chezmoi edit is mainly important for your template files. Since your target will be different from your source.

      Packaging it for Fedora is something I’m currently looking at. But I have not packaged something before and might take me some time.

      • Stephen

        Yes I have my .gitconfig setup as a template, and I had already been working on a .zshrc template prior to your article, so like I said timely. I have my pgp key setup for encryption as well. It seems promising, and a better thought out solution thanthe usual methods of dot file care taking.
        The packaging would be good since it becomes a problem at update time on Silverblue, basically I need to update it separately and manually each time while I choose to use it. Official, even COPR repos will get automatically checked for updates, plus the added benefit of being built with everything else at the same time with the same versions of lib’s.

  5. Patrick O'Callaghan

    I have a minor nit: Linux (and UNIX) have no such thing as “hidden” files. Dotfiles are only “hidden” in the sense that by default they don’t appear when you run ‘ls’ and some other utilities that follow the same convention. They don’t have some magical special property that hides them from anything else. Although old hands know this perfectly well, it’s better to avoid this terminology so as not to confuse newcomers.

  6. Thanks for the article. I was about to get crazy with my dot files hahaha BTW, is it me or you can only use diff BEFORE applying? I mean, if I follow the article (using diff AFTER applying) I got nothing as output.

    • You are correct. Diff should come before apply. Otherwise the states match and there is nothing that is different! 🙂 My bad

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions