For about a decade my dotfiles management strategy was "scp the good ones over when I set up a new machine, and slowly forget which one was the good one". Every laptop ended up with a slightly different .zshrc, a tmux config from 2019, and a vimrc that referenced plugins I'd uninstalled. There was no source of truth, just a population of drifting copies, each one subtly wrong in its own special way.
This week I finally fixed it, and the fix was boring, which is why it works.
The whole thing is a git repo and GNU stow. The repo holds a directory per tool, laid out as if from $HOME. So zsh/.zshrc, tmux/.tmux.conf, nvim/.config/nvim/, and so on. Then stow zsh symlinks .zshrc into place, stow nvim does the config directory, and a single stow */ lays the lot down. Removing a package is stow -D. No bespoke install script to rot, no rsync, just symlinks that point back at a directory under version control.
~/dotfiles$ stow */
~/dotfiles$ ls -la ~/.zshrc
lrwxrwxrwx 1 john john 28 May 28 ~/.zshrc -> dotfiles/zsh/.zshrc
The part I should have done years ago is that everything lives in one repo, machine-specific bits guarded behind a hostname check at the bottom of .zshrc, secrets emphatically not in there. New machine, clone, stow, done. It's not clever and it doesn't need to be. The cleverness was the problem all along.
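The hostname guard and the "secrets not in the repo" rule from the last paragraph, sketched as an added example (not the author's actual .zshrc). The `DOTFILES` variable, the `~/.config/shell/secrets.env` path, the `DOTFILES_PROFILE` variable and the host names `workbox` and `homelab` are all assumptions made for illustration.

```sh
# Added example, not the author's config. Runs in zsh and bash.
# Assumed names: DOTFILES, secrets.env path, hosts "workbox" and "homelab".
DOTFILES="${DOTFILES:-$HOME/dotfiles}"

# Map a hostname (short or fully qualified) to a profile name.
host_profile() {
    case "${1%%.*}" in
        workbox) echo work ;;
        homelab) echo home ;;
        *)       echo default ;;
    esac
}

# Succeed only if $1 is safe to source: a regular file that is not a symlink,
# whose real directory is outside the repo, with mode 600 or 400.
secrets_file_ok() {
    local f="$1" dir repo
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    dir=$(cd "$(dirname -- "$f")" && pwd -P) || return 1
    repo=$(cd "$DOTFILES" 2>/dev/null && pwd -P) || repo=""
    if [ -n "$repo" ]; then
        # pwd -P resolves symlinks, so a directory that stow folded into
        # the repo is caught here too.
        case "$dir/" in "$repo"/*) return 1 ;; esac
    fi
    case "$(ls -ld -- "$f")" in
        -r[-w]-------*) return 0 ;;   # owner-only read (and maybe write)
        *)              return 1 ;;
    esac
}

# Source the secrets file if present; a machine without one is fine.
load_local_secrets() {
    local f="${1:-$HOME/.config/shell/secrets.env}"
    [ -e "$f" ] || [ -L "$f" ] || return 0
    if secrets_file_ok "$f"; then
        . "$f"
    else
        echo "not sourcing $f: tracked, symlinked, or readable by others" >&2
        return 1
    fi
}

# Bottom of .zshrc: pick the profile for this machine, then load its secrets.
export DOTFILES_PROFILE="$(host_profile "${HOST:-$(uname -n)}")"
load_local_secrets || true
```

The secrets file is created by hand on each machine with `chmod 600` and never added to the repo, so a clone plus stow gives a working shell with no credentials in version control.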