by pkulak 3 days ago
Once you hit the Chezmoi stage, you're only about 6 months from Nix and Home Manager. I mean, why climb _almost_ to the top of a mountain and then just sit down?

I've bounced off Nix every time I tried it, before I even started trying something like Home Manager.

I've been using (and contributing to) chezmoi for ~6 years now. Given that it has first-class integration with secrets managers, I suspect that it does things that Home Manager can't.

>I've bounced off Nix every time I tried it, before I even started trying something like Home Manager.

I did too. Until I tried configuring it with Claude Code. I'll give you my money back guarantee on it.

Vibed infrastructure? That sounds like it undoes a lot of Nix's advantages.

> it has first-class integration with secrets managers

Meow?

No slight involved.

The chezmoi integration with 1Password is excellent; for those who prefer Bitwarden, it supports both the default CLI (which has some inexcusable behaviours for a security product, IMO) and `rbw` (which is infinitely better than the default CLI). It supports `pass`, `gopass`, `passage`, AWS Secrets Manager, KeePass, and several other approaches.

It was the work of a couple of minutes to enable a secret for a Claude Code API token to be mounted in a VM where I'm running Claude for a project where the value is pulled from 1Password and I can regenerate it and reapply without fear.

If one doesn't have to worry about secrets in one's dotfiles, I'm sure that other dotfile managers including Nix with Home Manager will suffice. I do, so they won't.
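To make the secrets-manager integration described above concrete, here is an added example (not from this thread and not from the chezmoi project's own docs) of a chezmoi source template that renders a 0600 environment file from a 1Password entry, falling back to Bitwarden via `rbw`. The vault name `Private`, the item name `claude-code`, the field `credential`, the target path `~/.config/claude/env` and the variable name `ANTHROPIC_API_KEY` are all assumptions chosen for illustration; `lookPath`, `onepasswordRead`, `rbw`, `quote` and `fail` are existing chezmoi/sprig template functions.

```gotemplate
{{- /* Source file: ~/.local/share/chezmoi/private_dot_config/claude/private_env.tmpl
       Target:      ~/.config/claude/env, mode 0600 (the private_ prefix strips
       group/other permission bits). Only this template is committed to git;
       the token value itself is fetched at `chezmoi apply` time and never
       stored in the source directory. Names below are hypothetical. */ -}}
# Generated by chezmoi; do not edit by hand. Rotate the token in the vault,
# then re-run `chezmoi apply` to replace this file.
{{- if lookPath "op" }}
# 1Password: `onepasswordRead` shells out to `op read` with a secret reference.
# If the CLI is not signed in, chezmoi fails the template instead of silently
# writing an empty value, which is the behaviour you want for a credential.
export ANTHROPIC_API_KEY={{ onepasswordRead "op://Private/claude-code/credential" | quote }}
{{- else if lookPath "rbw" }}
# Bitwarden via rbw: `rbw` returns the parsed JSON of `rbw get --raw`, so the
# secret lives under .data.password. rbw must be unlocked (`rbw unlock`) first.
export ANTHROPIC_API_KEY={{ (rbw "claude-code").data.password | quote }}
{{- else }}
{{- fail "no supported secrets manager on PATH; install op or rbw" }}
{{- end }}
```

Preview the rendered output without writing anything with `chezmoi cat ~/.config/claude/env`, then `chezmoi apply`. Because the token is resolved on every apply rather than copied into the repository, regenerating it in the vault and re-applying is the whole rotation procedure, and `git log` of the dotfiles never contains a credential.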

Because Nix is overcomplicated and doesn't work on Windows.

I ran NixOS for a while, before I switched to Apple Silicon, so I consider myself fairly well versed (although nowhere near an expert) in Nix and the Nix ecosystem. My last four jobs have all issued me MacBook Pros; the last three with Apple Silicon.

Ultimately, my workplace setup is what has the most gravity. And the most I can get most workplaces to standardize on is Homebrew for package management of off-the-shelf software. Nix is so far outside of the wheelhouse for most engineers that I can't even propose it. It would be too much of a distraction for too many people for too long that it's just not seen as worth it and it's not worth spending the political capital on the attempt. Employers would literally prefer to run scripts from a whitewashing, barely-auditable Jenkins instance with parameterized jobs than to attempt to figure out how to distribute portable scripts and get everyone's permissions working.

So I need to pick software that will cooperate with other tools in an unstable fashion, rather than software that attempts to fully and exclusively control the environment to provide guarantees. Chezmoi fits. Nix and home-manager do not.

So don't propose it?

You can run Nix and Home Manager on macOS or any Linux distro. You don't even need root.

It works exactly like you describe: it provides its guarantees for all software that you manage through Nix, and doesn't get in the way of software that you don't manage through Nix.

Unlike with NixOS, you can run binaries that expect an FHS-compliant system just fine.

You can just silently use it and enjoy the convenience for the declarative parts of your setup, with no detriment to your ability to run the imperative, ad-hoc setup scripts that your company requires.

> You can just silently use it and enjoy the convenience for the declarative parts of your setup, with no detriment to your ability to run the imperative, ad-hoc setup scripts that your company requires.

That's the kicker though. Nix's benefits come from the guarantees it can make based on its integration with the rest of the Nix-controlled ecosystem. Without the control, you don't get the guarantees, and you lose the raison d'être. You need to actively avoid the "value-added" parts (e.g. package options) because latest Homebrew upstream may give you a version that exposes an option that is not yet exposed by the package options, and you can't patch the package with Nix because you're not using a Nix-based package.

Chezmoi is declarative. The templates give me generated configuration. I can rollback anytime I want by reverting Git commits and calling chezmoi apply. It works well within its less-ambitious goals (compared to Nix).

If you’re using Nix and HM to manage a configuration file for a package that isn’t managed by Nix and HM, you don’t get the same guarantees, sure.

But you also don’t get them at all with Chezmoi, right?

Surely having these guarantees for some packages beats having it for none? In practice _most_ packages you’ll want to use are already in Nixpkgs, and kept up to date.

> You need to actively avoid the "value-added" parts (e.g. package options) because latest Homebrew upstream may give you a version that exposes an option that is not yet exposed by the package options, and you can't patch the package with Nix because you're not using a Nix-based package.

You mean build-time options?

You can usually override the version number/URL in your own configuration to get the new version earlier. But new versions land in nixpkgs-unstable with about the same cadence as Homebrew anyway.

Same thing with runtime options. Want `programs.foo.enableNewThing` but it’s not in HM yet? You can just define that option in your own configuration, no need to stop using the value-added module nor wait for HM.

> Surely having these guarantees for some packages beats having it for none?

> You can just define that option in your own configuration

This is exactly what I'm talking about. Once you have Nix on your system, it infects everything. You want to let it control everything, because that is where its power is. Your life would be so much easier if you could let it control even more, like the stuff you share with your team. It's the siren call. And then you find yourself pitching it to your team, and then you inevitably fail to pitch it, because you ramped up to it over months and it's just impossible to get anybody else ramped up to Nix that quickly.

It's guaranteed heartbreak every time and I got sick of it.

> Your life would be so much easier if you could let it control even more, like the stuff you share with your team. It's the siren call.

You could always, you know, not do this. Your heart will be intact.

Or nix without home manager, and ideally without flakes as well. Two solutions looking for problems, IME.