Open Source Config Management: Why We Built ConfigSync
We tried every dotfile manager and config sync tool out there. None of them handled encryption, secrets, packages, and cross-platform sync together. So we built one that does.
The Origin Story
ConfigSync started the way most developer tools start: with frustration. One of our founders opened a brand new MacBook Pro, stared at a default zsh prompt, and realized that the next eight hours of his life would be spent recreating an environment that had taken years to build.
The code was safe on GitHub. The SSH keys were not. The shell aliases accumulated over five years were on a Time Machine backup somewhere, maybe. The .env.local files for a dozen active projects were gone entirely, their contents scattered across Slack messages, 1Password vaults, and hastily written notes.
This was not the first time. It was not even the fifth time. Every hardware upgrade, every company laptop swap, every "let me just wipe and start fresh" ended the same way: days of productivity lost to environment reconstruction. Surely, in 2025, someone had solved this problem.
We Tried Everything
We went through every tool we could find, and each one solved part of the problem while leaving significant gaps.
Git bare repos. The classic approach: a bare git repository in your home directory with an alias to manage it. It works for dotfiles, but secrets leak into git history. One .env file committed by accident means rotating every credential in it. There is no encryption, no selective sync, and no package management.
GNU Stow. Elegant symlink management. Great for organizing dotfiles into packages. But that is all it does. No sync between machines, no encryption, no secret handling. You still need to pair it with git for versioning and something else for everything else.
chezmoi. The most feature-rich dotfile manager we found. Templates, encryption with age or gpg, and a solid CLI. But cloud sync was still git-based, package tracking was manual, and the templating system had a learning curve that felt disproportionate to the problem.
Mackup. Beautifully simple: it moves application configs to a cloud drive and symlinks them back. But it broke regularly on newer macOS versions, had no encryption, and depended on Dropbox or iCloud for sync, which meant your SSH keys lived on Apple's servers in plaintext.
What We Wanted
After using and abandoning half a dozen tools, we wrote down what the ideal solution would look like. The list was short but non-negotiable.
Encrypted sync that just works. Push from one machine, pull on another. Everything encrypted before it leaves the device. No gpg key management, no age key files to lose, no manual encryption steps. A master password and done.
Safe secret handling. Secrets are not an afterthought bolted on with templates. They are a core feature. Environment variables, API keys, and credentials are encrypted, scoped to projects, and synced alongside everything else.
Package tracking. Your environment is more than files. It is installed software. The tool should know what you have installed via Homebrew, npm, pip, and cargo, and be able to install them on a new machine.
Cross-platform support. macOS and Linux at minimum. The same tool, the same workflow, regardless of what operating system the machine runs.
Simplicity. A developer should be able to install it, run one command to capture their environment, and run one command to restore it. No configuration files to write. No templating language to learn.
Design Decisions
Building ConfigSync meant making deliberate choices about architecture and philosophy. Several of these decisions shaped the tool in fundamental ways.
Zero-knowledge encryption. We never see your data. Your environment is encrypted on your machine with a key derived from your master password. The sync service stores encrypted blobs. We could not read your data even if compelled to. This is not a feature. It is a requirement for a tool that handles SSH keys and API credentials.
Built-in modules instead of file paths. Most dotfile managers require you to specify which files to track. ConfigSync uses modules that understand the tools they manage. The SSH module knows where SSH config lives on macOS versus Linux. The git module knows about ~/.gitconfig and ~/.config/git/config. You enable a module and it handles the details.
Cloud-native sync. We chose encrypted cloud sync over git-based sync because the user experience is fundamentally better. Push and pull are instant. There is no merge conflict resolution. There are no git commits to manage. Sync should feel like saving a file, not managing a repository.
Watch mode. Manual sync is a tax on attention. Every time you change a config and forget to push, your machines drift. Watch mode monitors your tracked files and pushes changes automatically, so your environment stays in sync without you thinking about it.
Why Open Source
ConfigSync is open source because a tool that handles your secrets, credentials, and private configurations must be auditable. You should not have to trust our word that the encryption works. You can read the code. You can verify that your master password never leaves your machine. You can audit the entire encryption pipeline from key derivation to ciphertext upload.
Open source also means you can self-host. If you do not want your encrypted data on our servers, run your own sync backend. The CLI works with any compatible API endpoint. For teams with strict compliance requirements, this is not a nice-to-have. It is a necessity.
Beyond trust and flexibility, open source enables community contribution. The plugin system was designed for this: anyone can write a module for their favorite tool, and the community benefits. We maintain the core. The community extends it.
What Is Next
ConfigSync is under active development. On the roadmap: more built-in modules for popular tools, team features for sharing environment templates across organizations, and a plugin marketplace for community-contributed modules.
We are building ConfigSync in the open on GitHub. If you have ever lost a day to setting up a new machine, or spent an hour tracking down a missing API key, or wondered which of your three laptops has the latest shell config, we built this for you. Contributions, feedback, and bug reports are welcome. Join us on GitHub or Discord and help shape the future of developer environment management.