cfgd

Declare your entire machine — packages, dotfiles, system settings, secrets — with composable profiles and shareable, cross-platform modules.

Status: Alpha — APIs may change.

• What is cfgd
• How It Works
• Quick Start
• Why cfgd exists
• Shareable Modules
• How cfgd compares
• Features
• Documentation
• Distribution

What is cfgd

Most dotfile managers track files. cfgd enables you to manage your entire machine. You declare packages, files, secrets, and system settings in version-controlled YAML. cfgd diffs what you want against what you have, builds a plan, and reconciles — continuously. If something drifts, it's detected and corrected.

How It Works

Profiles declare your machine's desired state — packages, files, system settings. They compose via inheritance — share a common base across machines, then specialize per context. See docs/profiles.md.

             base
            ╱    ╲
        work    personal
       ╱    ╲
  laptop    devcontainer

Modules are shareable, self-contained config packages. Install someone else's dev environment or publish your own. Cross-platform package resolution picks the right manager automatically. See docs/modules.md.

Reconciliation continuously ensures machines match their declared state. Drift is detected, reported, and optionally auto-corrected. Failed actions don't abort — they're logged and skipped. See docs/reconciliation.md.

Quick Start

# Install via Homebrew
brew install tj-smith47/tap/cfgd

# Or via install script
curl -fsSL https://github.com/tj-smith47/cfgd/releases/latest/download/install.sh | sh

# Or via cargo
cargo install cfgd

# Bring your config to a new machine in seconds
cfgd init --from git@github.com:you/machine-config.git

# Or start fresh
cfgd init

# Or let AI scan your system and generate config for you
export ANTHROPIC_API_KEY=sk-...
cfgd generate

# Set up shell completions (add to your shell's rc file)
source <(cfgd completions bash)  # .bashrc
source <(cfgd completions zsh)   # .zshrc
cfgd completions fish | source   # config.fish

Why cfgd exists

I recently switched jobs, and spent the last week of my old job backing up scripts and dotfiles, parsing out company specific info, and composing a tarball to transfer. At the new job, I spent another few days getting my new machine reconfigured. Over time, I gradually discovering things I'd forgotten, as well as some things (e.g., System Settings) that I thought would have been nice to have included in the backup. This all felt very manual and incomplete, and I thought there needed to be a better way; I should just be able to clone a repo and have my entire workstation — packages, scripts, dotfiles, system settings - feel familiar again. And even better, to keep aspects of that feeling in sync betweeen my home and work laptops (parts of it, at least).

Another inspiring aspect had to do with working in devcontainers. At my previous company I had set up custom scripts to inject dotfiles into the devcontainer so a user could replicate their dev environment inside the container once they shell in. At minimum, I wanted my full neovim editor setup available in any ephemeral container without having to modify the devcontainer config in every team's repository I worked in just to accommodate my setup. I needed something that could bootstrap my config into any environment from the outside, regardless of which / whose repo I was working in. Plus, I had some coworkers in need of education about the superiority of vim-motions, and wanted a quick and easy way to share my exact setup, down to the alias.

cfgd was architected by a platform / infrastructure engineer, and borrows from the best ideas across practices:

• Kubernetes — declarative reconciliation loop, KRM resource model
• Terraform — plan/apply workflow, state tracking, drift detection
• Puppet — continuous enforcement via daemon, module ecosystem
• Nix — reproducible machine state from a single source of truth
• Ansible — YAML-driven config management, idempotent task execution
• Kustomize — layered overrides and patches
• chezmoi — dotfile management

Shareable Modules

This is my favorite feature; a single, packaged, works anywhere in no time at all config file for a tool.

cfgd module create my-dev-env
cfgd profile update --module community/nvim

A module declares packages with cross-platform resolution, config files, shell env's and aliases, and lifecycle scripts:

apiVersion: cfgd.io/v1alpha1
kind: Module
metadata:
  name: nvim
  description: Neovim editor configuration
spec:
  depends: [node, python]
  packages:
    - name: neovim
      minVersion: "0.10"
      prefer: [brew, snap]
      deny: [apt]
    - name: ripgrep
    - name: fd
      aliases:
        apt: fd-find
        dnf: fd-find
    - name: gcc
      aliases:
        apt: build-essential
        dnf: "@development-tools"
      platforms: [linux]
  files:
    - source: files/init.lua
      target: ~/.config/nvim/init.lua
    - source: files/lua
      target: ~/.config/nvim/lua
  env:
    - name: EDITOR
      value: nvim
  aliases:
    - name: v
      command: nvim
  scripts:
    postApply:
      - nvim --headless '+Lazy! sync' '+MasonToolsInstallSync' +qa

See docs/modules.md for the full spec including git file sources, registries, and dependency resolution.

How cfgd compares

Puppet is the closest philosophical match — declarative state, continuous enforcement, module ecosystem. If that model clicked for you but standing up a JVM server and writing a Ruby-era DSL to manage your dotfiles in 2026 doesn't, cfgd is what that idea looks like rebuilt from scratch for developer workstations.

cfgd is a good fit when you want: one-liners for cross-platform machine bootstrapping, shareable dev environment modules, continuous reconciliation between machines or subscribed sources, or team config distribution with policy enforcement.

Features

For developers:

• One-command bootstrap — cfgd init --from <repo> --apply on a new machine, done
• AI-guided generation — cfgd generate scans your system and builds profiles/modules; MCP server for AI editor integration
• Shareable modules — cross-platform dev environment packages with dependency resolution and registries
• 15 package managers — brew, apt, dnf, pacman, cargo, npm, pipx, snap, and more, with automatic platform-aware resolution
• Secrets — SOPS/age encryption + 1Password, Bitwarden, HashiCorp Vault; secret-backed environment variables
• Tera templates — render dotfiles with variables, OS detection, custom functions
• Continuous drift detection — daemon watches for changes, auto-syncs, notifies or auto-corrects

For platform & infrastructure engineers:

• Multi-source config — publish team baselines with policy tiers (locked/required/recommended/optional)
• Kubernetes operator — CRDs for MachineConfig, ConfigPolicy, DriftAlert; admission webhook; device gateway with fleet dashboard
• Node configuration — sysctl, kernel modules, containerd, kubelet, AppArmor, seccomp, certificates
• CSI driver — OCI-based module injection into pods via volumes
• Crossplane integration — TeamConfig XR for self-service team environment distribution
• kubectl plugin — kubectl cfgd debug/exec/inject/status for node inspection

For security & compliance:

• Compliance snapshots — continuous machine state capture with JSON/YAML export for Vanta, Drata, or custom integrations
• Key provisioning — declarative SSH key generation, GPG key management, and git signing configuration
• Encryption enforcement — per-file encryption requirements with SOPS/age backend validation
• Policy enforcement — locked files, required packages, encryption constraints on target paths
• Drift remediation — daemon detects and auto-corrects configuration drift with per-module policies
• Fleet visibility — device gateway aggregates compliance scores across enrolled machines

Documentation

Distribution

In addition to publishing binaries to GitHub Releases (Linux, macOS, Windows — x86_64 + aarch64), each release also publishes to:

CI/CD integrations:

# Example: set up your dev tools on a GitHub Actions runner
- uses: tj-smith47/cfgd/ecosystem/github-action-setup@master
  with:
    source: git@github.com:you/machine-config.git
    module: dev-tools

Modules can also be exported as DevContainer Features for injection into devcontainers:

cfgd module export my-tool --format devcontainer

Building from source:

git clone https://github.com/tj-smith47/cfgd.git && cd cfgd
cargo build --release

License

MIT