Personal macOS dotfiles managed with Nix and Home Manager, encrypted with age, and automated with Task.
- Dotfile Management: Nix with Home Manager for declarative configuration
- Encryption: age for secrets (multi-recipient: personal + CI keys)
- Testing: Automated syntax checks and linting via Task
- Security: CodeQL analysis, dependency scanning, OpenSSF Scorecard
- Git Hooks: Automated quality checks (lint on commit, test on push)
- CI/CD: GitHub Actions validates changes on Ubuntu & macOS
- Tool Management: mise for version-pinned development tools
One-line installation for fresh macOS machines:
curl -fsSL https://smyk.la | bash
This will automatically:
- Install Homebrew and all dependencies
- Clone the repository to the correct location
- Set up age encryption
- Configure Nix and apply system configuration
- Install Vim and Tmux plugins
- Set up git hooks
For non-interactive installation:
curl -fsSL https://smyk.la | bash -s -- --yes
With custom installation directory:
curl -fsSL https://smyk.la | bash -s -- --dir ~/dotfiles
With environment variables:
BOOTSTRAP_EMAIL=user@example.com BOOTSTRAP_NAME="Full Name" \
curl -fsSL https://smyk.la | bash -s -- --yes
See https://smyk.la for more options. The default installation directory is ~/Projects/github.com/smykla-labs/.dotfiles, but this can be customized using the --dir flag or the BOOTSTRAP_DIR environment variable.
If you prefer manual control over the installation process:
Prerequisites:
- macOS (tested on macOS 15)
- Homebrew
Steps:
# Clone repository
git clone https://github.com/smykla-labs/.dotfiles ~/Projects/github.com/smykla-labs/.dotfiles
cd ~/Projects/github.com/smykla-labs/.dotfiles
# Install Homebrew packages
brew bundle install --file=Brewfile
# Get age key from 1Password
mkdir -p ~/.config/age
op document get dyhxf4wgavxqwqt23wbsl5my2m > ~/.config/age/key.txt
chmod 600 ~/.config/age/key.txt
# Apply dotfiles via Home Manager
home-manager switch --flake ./nix#home-bart
# Install vim plugins (Vundle)
vim +PluginInstall +qall
# Install tmux plugins (TPM) - run inside tmux session
# Press: <prefix> + I (default prefix is Ctrl-b)
# Install git hooks (recommended)
task hooks:install
# Run tests
task test
# Run linters
task lint
# List all tasks
task --list
Git hooks automate quality checks:
- pre-commit: Runs task lint before each commit
- pre-push: Runs task test before each push
- Skip with the --no-verify flag if needed
.dotfiles/
├── nix/ # Nix configuration
│ ├── flake.nix # Flake entry point
│ ├── modules/ # Nix modules
│ │ ├── darwin/ # nix-darwin system config
│ │ └── home/ # home-manager user config
│ └── secrets/ # sops-nix encrypted secrets
├── .github/workflows/ # CI/CD workflows
├── hooks/ # Git hooks (pre-commit, pre-push)
├── spec/ # ShellSpec tests
├── Taskfile.yaml # Task automation
└── Brewfile # Homebrew dependencies (legacy)
- Nix: Package management and system configuration
- Home Manager: User environment management
- nix-darwin: macOS system configuration
- sops-nix: Secrets management
- age: File encryption
- Task: Task automation
- mise: Tool version management
- Fish: Shell
- Homebrew: Package management (legacy)
Sensitive files are encrypted with age using two systems:
Secrets managed via nix/secrets/secrets.yaml:
# Edit secrets
SOPS_AGE_KEY_FILE=~/.config/age/key.txt sops nix/secrets/secrets.yaml
Files in .gitattributes (CLAUDE.md, secrets/, todos/):
- Automatically encrypted on commit
- Automatically decrypted on checkout
- Transparent to git operations
Both systems use multi-recipient encryption (personal + CI keys).
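The .gitattributes-based encryption above only works when the git filter is configured on the machine doing the commit; on a clone where age is not yet set up, git stores the plaintext. The following check, an added example that is not part of this repository, takes a .gitattributes text and a snapshot of blob contents and reports files that are declared encrypted but carry no age header. The filter name "age" and the sample attributes and blobs are constructed assumptions; pattern matching is a simplified version of gitattributes semantics.

```python
"""Report files that .gitattributes says must be age-encrypted but are not.
Constructed example, not part of the dotfiles repo; filter name is assumed."""
from fnmatch import fnmatch

# age output starts with one of these headers (binary or ASCII-armored form).
AGE_BINARY_HEADER = b"age-encryption.org/v1\n"
AGE_ARMOR_HEADER = b"-----BEGIN AGE ENCRYPTED FILE-----"


def is_age_encrypted(data: bytes) -> bool:
    """True if the content begins with an age header."""
    return data.startswith(AGE_BINARY_HEADER) or data.lstrip().startswith(AGE_ARMOR_HEADER)


def filtered_patterns(gitattributes: str, filter_name: str = "age") -> list[str]:
    """Return the .gitattributes patterns that declare filter=<filter_name>."""
    patterns = []
    for line in gitattributes.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        pattern, *attrs = line.split()
        if f"filter={filter_name}" in attrs:
            patterns.append(pattern)
    return patterns


def matches(pattern: str, path: str) -> bool:
    """Simplified gitattributes matching: directory prefix, bare name, or glob."""
    pattern = pattern.lstrip("/")
    if pattern.endswith("/"):                     # "secrets/" covers the whole tree
        return path.startswith(pattern)
    if "/" not in pattern:                        # bare name matches at any depth
        return fnmatch(path.rsplit("/", 1)[-1], pattern)
    return fnmatch(path, pattern)                 # e.g. "secrets/**"


def find_plaintext(gitattributes: str, blobs: dict[str, bytes]) -> list[str]:
    """Paths that should be encrypted but contain no age header (sorted)."""
    patterns = filtered_patterns(gitattributes)
    return sorted(
        path for path, data in blobs.items()
        if any(matches(p, path) for p in patterns) and not is_age_encrypted(data)
    )
```

In a pre-commit hook, the blob dictionary would be filled from the staged index (for example `git show :path` per staged file) so that an unencrypted secret is rejected before it reaches history.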
- CONTRIBUTING.md - Development workflow and guidelines
- TESTING.md - Testing and CI/CD
- TROUBLESHOOTING.md - Common issues and debugging
- SECURITY.md - Security policy and vulnerability reporting
Tests run automatically in CI on every push:
task test # Run all tests
task lint # Run all linters
See TESTING.md for details.
MIT License - see LICENSE for details.