This repository contains my personal configuration for my macOS system and programs.
```sh
curl -fsSL https://bensadik.net/dotfiles | bash
```

- Nix - Nix is a powerful package manager for Unix systems that makes package management reliable and reproducible.
- nix-darwin - nix-darwin is a set of tools for using Nix as a standalone macOS package manager.
- Homebrew - Homebrew is a package manager for macOS.
- home-manager - Manage user configuration using Nix.
Machine secrets are pulled from Infisical and loaded by Zsh.
Build-time secrets are also synced into secrets/secrets.yaml for sops-nix. A fresh install expects these Infisical keys to exist:
- `EMAIL`
- `FULLNAME`
- `WHISPER_HOSTNAME`
- `SSH_ID_ED25519_PERSONAL`
- `SSH_ID_ED25519_PERSONAL_PUB`
- `SSH_ID_ED25519_WORK`
- `SSH_ID_ED25519_WORK_PUB`
- `SSH_ID_ED25519_SECURE`
- `SSH_ID_ED25519_SECURE_PUB`
To seed those SSH key secrets from the current machine, run:
```sh
~/dotfiles/bin/push-ssh-keys
```

Use `~/dotfiles/bin/push-ssh-keys --dry-run` to preview the target without changing Infisical.
- Fill in `programs/infisical/infisical.conf`
- Apply the dotfiles: `sudo darwin-rebuild switch --flake ~/dotfiles#$USER`
- Authenticate with `infisical login` if you are not using `INFISICAL_MACHINE_TOKEN`
- Pull secrets with `infisync`
```sh
INFISICAL_MACHINE_PROJECT_ID="<project-id>"
INFISICAL_MACHINE_ENV="prod"
INFISICAL_MACHINE_PATH="/"
# Optional for self-hosted Infisical
# INFISICAL_MACHINE_DOMAIN="https://infisical.example.com/api"
# Optional for non-interactive auth
# INFISICAL_MACHINE_TOKEN="<machine-identity-or-service-token>"
```

Pulled secrets are written to `~/.local/state/infisical/machine.env` with 0600 permissions and auto-loaded in new shells.
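
Because `machine.env` holds live secrets and is read by every new shell, a loader can verify the file before trusting it. The following is an added example written for POSIX sh, not the repository's own loader: it refuses the file unless it is a regular file owned by the current user with mode 0600, and it exports `KEY=VALUE` lines (an assumed file format) without evaluating them as shell code. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the repository): load the pulled-secrets file only
# when it is a private regular file, and never evaluate it as shell code.
# Assumption: the file holds one KEY=VALUE pair per line.

MACHINE_ENV="${MACHINE_ENV:-$HOME/.local/state/infisical/machine.env}"

# Succeeds only for a regular file (not a symlink) owned by the current
# user whose mode is exactly 0600.
env_file_is_private() {
  [ -n "$(find "$1" -prune -type f -user "$(id -u)" -perm 600 2>/dev/null)" ]
}

# Export KEY=VALUE lines without sourcing the file, so a tampered file
# cannot run commands. Lines that are not plain assignments are skipped.
load_machine_env() {
  file="${1:-$MACHINE_ENV}"
  if ! env_file_is_private "$file"; then
    echo "refusing to load $file: need regular file, owner $(id -un), mode 0600" >&2
    return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;   # blank line or comment
      *=*) ;;                # looks like an assignment
      *) continue ;;
    esac
    key="${line%%=*}"
    val="${line#*=}"
    # Accept only names that are valid shell identifiers.
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
    esac
    # Strip one pair of matching surrounding quotes, if present.
    case "$val" in
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    export "$key=$val"       # value is exported literally, never expanded
  done < "$file"
  return 0
}
```

A symlink at the expected path is rejected as well, since `find` does not follow it and `-type f` fails.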
