Skip to content

aissat/sysfig

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
.github/workflows
.github/workflows
 
 
cmd/sysfig
cmd/sysfig
 
 
contrib
contrib
 
 
docs
docs
 
 
internal
internal
 
 
pkg/types
pkg/types
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
cliff.toml
cliff.toml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

sysfig

Config management for people who own their machines. Track, encrypt, and audit system configs — without thinking about git.

sysfig versions both dotfiles and root-owned /etc/ configs in a single bare git repo. Built-in age encryption, atomic deploys, offline-first, no symlinks.

Install

Debian / Ubuntu (.deb):

curl -Lo sysfig.deb https://github.com/aissat/sysfig/releases/latest/download/sysfig_latest_amd64.deb
sudo dpkg -i sysfig.deb

RHEL / Fedora / Rocky (.rpm):

sudo rpm -i https://github.com/aissat/sysfig/releases/latest/download/sysfig_latest_amd64.rpm

Alpine (.apk):

curl -Lo sysfig.apk https://github.com/aissat/sysfig/releases/latest/download/sysfig_latest_amd64.apk
sudo apk add --allow-untrusted sysfig.apk

Binary (Linux / macOS):

curl -Lo sysfig https://github.com/aissat/sysfig/releases/latest/download/sysfig-linux-amd64
chmod +x sysfig && sudo mv sysfig /usr/local/bin/

Replace linux-amd64 with linux-arm64, darwin-amd64, or darwin-arm64 as needed.

Arch Linux (AUR):

yay -S sysfig   # or: paru -S sysfig

From source:

git clone https://github.com/aissat/sysfig
cd sysfig && go build -o sysfig ./cmd/sysfig
sudo mv sysfig /usr/local/bin/
sysfig doctor   # verify install

3 commands to get started

# 1. Track a file
sysfig track ~/.zshrc
sysfig track /etc/nginx/nginx.conf   # needs sudo for /etc

# 2. Commit changes
sysfig sync

# 3. Restore everything on a new machine
sysfig bootstrap git@github.com:you/conf.git
# → clones repo + applies all configs immediately

4 Ways to Use sysfig

1. Dotfiles only Track ~/.bashrc, ~/.config across laptops. No symlinks, no mess.

2. Solo sysadmin Manage /etc/nginx, /etc/ssh, systemd units across VPS servers. Preserves ownership, permissions, and auto-backs up before replacing.

3. Small team Share encrypted secrets and deploy configs to remote servers via SSH (sysfig deploy --host). No agents on remote machines.

4. Security-conscious admin Track /etc/sudoers with --hash-only — hash recorded locally, nothing pushed. sysfig audit exits 1 on drift, safe to wire into a systemd timer.

Why sysfig?

Tool /etc/ Encryption Offline Metadata Backup Audit No-git-server Single binary
GNU Stow
YADM partial
Chezmoi partial partial
Ansible via vault
sysfig ✓ (age)

Architecture

  /etc/nginx/nginx.conf ─track─▶ ~/.sysfig/repo.git ─sync --push─▶ github / NFS / USB
  /etc/ssh/sshd_config                               ◀─sync --pull─
  ~/.bashrc             ◀─apply─
                                  state.json   (local cache, never committed)
                                  sysfig.yaml  (manifest, committed & shared)
                                  keys/        (encryption keys, never pushed)
                                  backups/     (auto-backups before apply)

Each tracked file gets its own git branch (track/<path>). No full-tree noise, clean per-file history.

Daily workflow

vim /etc/nginx/nginx.conf

sysfig status                          # see what changed
sysfig diff                            # show the diff
sysfig sync --push --message "tuned"   # commit + push

# Or just run:
sysfig watch --push                    # auto-commit + push on every save

New machine

# First time — clone + apply everything immediately
sysfig bootstrap git@github.com:you/conf.git

# Ongoing — pull latest + apply
sysfig deploy

# Air-gapped (USB / NFS / SSH file server)
sysfig bootstrap bundle+local:///mnt/usb/conf.bundle
sysfig deploy    bundle+ssh://backup@server/srv/conf.bundle

Key commands

Command What it does
sysfig track <path> Start tracking a file
sysfig track --encrypt <path> Track and encrypt (age)
sysfig track --hash-only <path> Record hash only — never pushed
sysfig track --local <path> Track locally — never pushed
sysfig status Show sync state of all tracked files
sysfig diff Show what changed since last commit
sysfig sync Commit all changes locally
sysfig sync --push Commit and push to remote
sysfig apply Write tracked configs to disk
sysfig bootstrap <url> New machine: clone + apply
sysfig deploy Existing machine: pull + apply
sysfig watch --push Auto-commit + push on every file change
sysfig audit Check integrity (exits 1 on drift)
sysfig undo <path> Restore file from last commit
sysfig snap take Take a point-in-time snapshot
sysfig doctor Check environment health
sysfig log Show commit history

Documentation

License

MIT — see LICENSE.

About

Config management that thinks like a sysadmin, not a git wrapper.

Topics

config git go linux dotfiles cli ssh golang ansible devops automation admin tools system configuration sysadmin configuration-management

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

v0.2.1-dev Latest
Mar 21, 2026
+ 3 releases

Packages

 
 
 

Contributors

Languages