I would also recommend looking into NixOS reproducible builds, which allows declaratively specifying the entire system configuration and precisely defining which packages are installed, their versions, and dependencies. The OS remains immutable and consistent. A quite powerful tool for creating a secure and minimalistic workstation environment.
You can also use Nix/Home Manager to manage your Mac (what the author is using). I used NixOS for a few months as a VM and then eventually just switched back to my Mac. Couldn't stand all of the hacks that were needed to get software to behave the way Nix expected it to (i.e., JIT binaries not dynamically linked to /nix/store).
Nix-Darwin is a nice module system for macOS as well. It's a bit older than Home Manager, and also supports configuring some macOS-specific and systemwide settings.
https://nixos.org/