I’m trying to find a better solution to manage configuration files, both user’s dotfiles and system files in /etc. I’m running an ubuntu server where I have a bunch services with custom configurations, and systemd drop-in files, but on top of that I also have some scripts and user dotfiles that I need to track.

What I’m doing right now is that I have a folder full of symlinks in the admin user’s directory (poor username choice, btw) and I’m using bindfs to mount this directory inside a git repository, this way git won’t see them as symlinks, and will version them as regular files. The problem with doing this is that as git deletes and rewrites files, bindfs fails to track the changes and converts the symlink to regular files.

I looked into chezmoi, but that is only meant to track user dotfiles and will refuse to add a file from /etc, that is unless doing some extra work. But even so, chezmoi will not track the user:group of files, so I would still have to manage that manually.

I also looked into GNU Stow, and that would not complain about files from /etc or anywhere, but it similarly will not track permissions and I would have to manage that manually.

I see that some people are using ansible to manage dotfiles, but at that point, it would make sense to just migrate to ansible, except I don’t want to rebuild my server from scratch to use ansible. Also it looks like a lot to learn.

Is there a better solution I’m not seeing? Maybe something using git hooks?

Edit:

I ended up using pre-commit and post-merge git hooks to launch a python script. The python script reads from a yaml file where I annotate the file paths and permissions, and then copies to or from the file location to the git repository.

I used the sudoers file to allow the admin user to run this specific script with specific arguments as root without password (because the git commands are run from VS Code and not manually), which is dangerous, be careful when doing that. I have taken special care to make this secure:

  • I used absolute paths for everything, to avoid allowing running from a different pwd as a way to copy different files
  • The script itself is installed in a root-owned location, so an unprevileged user cannot edit it
  • The configuration yaml is root-owned, so an unprevileged user cannot modify which files are copied or their permissions
  • Configuration files that can grant permission are not managed by this script (the yaml, /etc/passwd, /etc/groups, polkit rules, the sudoers file, …)
  • ZeStig@programming.devEnglish
    9·
    8 days ago

    Ah yes, the obligatory NixOS recommendation post.

    On a serious note though, NixOS IS well-suited for this purpose.