walterra.dev

Starting off this week I wanted to clean up and revisit my chezmoi setup. So far I only had my ~/.zshrc in it. I wanted to have a go at syncing my Claude Code slash commands and custom agents with it now too.

It’s been a while since I synced between the two laptops I have. The annoying part was the merge conflicts between my existing setup and what chezmoi wanted to manage. Had to use chezmoi merge ~/.zshrc and deal with conflicts in opendiff. I then set up chezmoi to use macOS’s classic FileMerge tool like this:

~/.config/chezmoi/chezmoi.yaml
merge:
  command: "opendiff"
  args:
    - "{{ .Destination }}"
    - "{{ .Source }}"
    - "-merge"
    - "{{ .Target }}"

It still messed up the merge, but at least I had a beautiful UI to do it in!

Next, chezmoi kept yelling about my ANTHROPIC_API_KEY being hardcoded in .zshrc, which, fair enough, is terrible security practice. Took way longer than it should have to figure out the template syntax.

Commands that actually worked:

chezmoi init
chezmoi merge ~/.zshrc
chezmoi secret keyring set --service=anthropic --user=$USER
mv dot_zshrc dot_zshrc.tmpl

The key insight was that the .tmpl extension on a file in the chezmoi source directory triggers template processing automatically (the mv above has to run inside that source directory, e.g. after chezmoi cd; chezmoi chattr +template ~/.zshrc does the same rename for you). So now the source file has export ANTHROPIC_API_KEY="{{ keyring "anthropic" .chezmoi.username }}" instead of the raw key, and chezmoi apply reads the value from the keyring (the macOS Keychain on a Mac) when it renders ~/.zshrc. Worth keeping in mind: the rendered ~/.zshrc in the home directory still contains the key in plaintext; what changes is that the source repo, and therefore version control, no longer does.

Tried about 5 different variations of the keyring template syntax before finding the right one. Docs weren’t super clear on this.
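Since the whole point of the template is to keep the raw key out of the source repo, a pre-commit check in the chezmoi source directory that refuses any file still carrying a literal key is a useful safety net. The script below is an added example and is not part of the original post or of chezmoi itself. It assumes Anthropic keys start with sk-ant- (labelled as an assumption in the code) and checks, more generally, for any literal assignment to ANTHROPIC_API_KEY; a value that is a {{ keyring ... }} template, a $(...) substitution or empty is allowed. Offending line numbers are reported without echoing the line contents, so the key does not end up in terminal or CI logs.

```shell
#!/bin/sh
# Added example (not from the post or from chezmoi): refuse to commit files in
# the chezmoi source directory that still carry a hardcoded Anthropic API key.

# Returns 0 when none of the given files contains a literal key, 1 otherwise.
scan_for_raw_keys() {
    # Literal assignment of the key in any format, e.g. ANTHROPIC_API_KEY="abc".
    # Values beginning with '{' (a {{ keyring ... }} template) or '$' (a shell
    # substitution), or an empty quoted value, are not flagged.
    literal_assign="ANTHROPIC_API_KEY=[\"']?[^\"'{\$ ]+"
    # Anthropic key prefix wherever it appears (assumption: keys start sk-ant-).
    key_prefix="sk-ant-[A-Za-z0-9_-]{8,}"
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Report line numbers only, never the matching line itself.
        lines=$(grep -nE "$literal_assign|$key_prefix" "$f" | cut -d: -f1 | tr '\n' ' ')
        if [ -n "$lines" ]; then
            echo "refusing $f: hardcoded API key on line(s) $lines; use {{ keyring ... }} instead" >&2
            rc=1
        fi
    done
    return $rc
}

# Pre-commit entry point: scan only the files staged in the source repo
# (git diff --cached lists one path per line, so split on newlines only).
check_staged() {
    old_ifs=$IFS
    IFS='
'
    # shellcheck disable=SC2046
    set -- $(git diff --cached --name-only --diff-filter=AM)
    IFS=$old_ifs
    scan_for_raw_keys "$@"
}

# Demo on constructed sample files (the key below is not a real key).
demo() {
    dir=$(mktemp -d)
    printf 'export ANTHROPIC_API_KEY="sk-ant-api03-EXAMPLE-NOT-A-REAL-KEY-0000"\n' > "$dir/dot_zshrc"
    printf 'export ANTHROPIC_API_KEY="{{ keyring "anthropic" .chezmoi.username }}"\n' > "$dir/dot_zshrc.tmpl"
    scan_for_raw_keys "$dir/dot_zshrc.tmpl" && echo "template: clean"
    scan_for_raw_keys "$dir/dot_zshrc" || echo "raw key: blocked"
    rm -rf "$dir"
}

case "${1:-}" in
    --demo) demo ;;
    --staged) check_staged ;;
esac
```

Drop the script into the source repo (chezmoi cd, then .git/hooks/pre-commit) with `exec sh path/to/script --staged`, and a commit that reintroduces a raw key fails before it ever reaches git history. `--demo` runs the two constructed sample files through the check.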

The downside is that each new machine needs the keyring set up manually. Makes sense from a security perspective but it’s going to be annoying when I set up new dev environments. Trade-off I guess. For another time: maybe one can access synced 1Password vaults to do this.

Overall happy with the result. API keys are out of version control finally and the setup should work cleanly on new machines without exposing secrets. Just need to remember to set up the keyring first.