Skip to content

ChipWolf/dotfiles

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

678 Commits
.agents/skills
.agents/skills
 
 
.github
.github
 
 
.vscode
.vscode
 
 
docs
docs
 
 
home
home
 
 
schemas
schemas
 
 
tests
tests
 
 
.chezmoiroot
.chezmoiroot
 
 
.devskim.json
.devskim.json
 
 
.dockerignore
.dockerignore
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.macos
.macos
 
 
.markdownlint.json
.markdownlint.json
 
 
.markdownlintignore
.markdownlintignore
 
 
.mega-linter.yml
.mega-linter.yml
 
 
.powershell-psscriptanalyzer.psd1
.powershell-psscriptanalyzer.psd1
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.release-please-manifest.json
.release-please-manifest.json
 
 
.rgignore
.rgignore
 
 
AGENTS.md
AGENTS.md
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
install.ps1.tmpl
install.ps1.tmpl
 
 
install.sh.tmpl
install.sh.tmpl
 
 
mise.toml
mise.toml
 
 
release-please-config.json
release-please-config.json
 
 
setup.sh
setup.sh
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Dotfiles

macOS BadgeSort tmux Neovim Linux Homebrew Git Docker GitHub Actions Bitwarden Python

Opinionated dotfiles managed with chezmoi. One repo configures macOS (primary), Linux, Windows, and GitHub Codespaces. A single bootstrap command installs dependencies, applies configs, and gets a new machine to a working state.

What you get

Tool Role macOS Linux Windows Codespaces
zsh + Powerlevel10k Shell and prompt x x x
Oh My Posh Prompt engine (Windows) x
Ghostty Terminal emulator x
WezTerm Terminal emulator (Windows) x
tmux Terminal multiplexer x
Neovim (LazyVim) Editor x x x x
OpenCode AI coding agent x x x x
tree-sitter CLI Treesitter parser generator x
WakaTime CLI Coding activity tracker x x
Git Version control config x x x x
GnuPG Encryption and signing x x
Tailscale VPN mesh and secure remote access x
Homebrew Package manager x x x
mise Runtime manager (node, python, go, etc.) x x x x
Finicky Default browser router x
Steam Game platform (Windows) x
Sysinternals Windows diagnostics utilities x
GlazeWM Windows tiling window manager x
YASB Windows status bar x
WinLibs (GCC) C compiler toolchain (Windows) x

Install

Warning

These scripts fetch and execute code from this repo in a single command. Review them first if that matters to you, or use the inspect-first path below.

The install scripts are published as GitHub Release assets with SLSA Build L3 provenance, verified with: gh attestation verify install.sh --repo chipwolf/dotfiles

macOS / Linux

sh -c "$(curl -fsSL https://github.com/chipwolf/dotfiles/releases/download/v1.6.2/install.sh)"

Windows (PowerShell, the script self-elevates)

irm https://github.com/chipwolf/dotfiles/releases/download/v1.6.2/install.ps1 | iex

What happens

macOS / Linux:

  1. Installs Homebrew (if missing) and chezmoi.
  2. chezmoi init --apply clones this repo and writes configs to ~/.
  3. brew bundle installs everything from the rendered Homebrew bundle template. brew upgrade and brew cleanup run after.
  4. Antidote (zsh plugin manager) prewarms the plugin cache.
  5. mise installs managed runtimes. Neovim syncs plugins.
  6. Sets the Homebrew-installed zsh as the default shell.

Windows:

  1. Installs Chocolatey (if missing) and chezmoi.
  2. chezmoi init --apply clones this repo and writes configs to ~/.
  3. choco install installs packages (Neovim, WezTerm, GlazeWM, YASB, mise, Oh My Posh, and others).
  4. Provisions WSL with Ubuntu via cloud-init: creates a user, clones this repo inside WSL, and runs the Linux bootstrap. If Ubuntu is already installed, it pulls and re-applies instead.
  5. mise installs managed runtimes. Neovim syncs plugins.

Inspect first

If you want to review everything before it touches your machine:

chezmoi init https://github.com/chipwolf/dotfiles
chezmoi diff
chezmoi apply

This clones the repo and shows a diff. Nothing is written until chezmoi apply. You need chezmoi installed first (brew install chezmoi or see chezmoi.io/get).

Prerequisites

The bootstrap scripts handle most dependencies. You need:

  • macOS/Linux: curl or wget, and a POSIX shell.
  • Windows: PowerShell 5+.

Secrets and Bitwarden

chezmoi is configured to use Bitwarden CLI (bw) as its secret manager. Some templates (for example WakaTime API key config) read values from Bitwarden at apply time, so unlock Bitwarden before chezmoi apply when those targets are in scope. See docs/secrets.md for details.

Template flags

chezmoi uses two boolean flags to adapt behavior per machine. Both are set automatically in home/.chezmoi.toml.tmpl.

Flag When true What it gates
codespaces CODESPACES env var is set Skips GUI apps and redundant packages in the Brewfile. Uses the overlay fast path in install.sh.tmpl.
private Windows, or ~/.private exists Enables personal-machine config: excludes work-specific MCP servers and Atlassian integrations from OpenCode.

Important

To mark a macOS or Linux machine as private, run touch ~/.private before chezmoi apply.

Updating

Pull the latest changes from the repo and re-apply:

chezmoi update

For local repo checks before commit:

pre-commit install

Codespaces

When you set a personal dotfiles repo in your GitHub Codespaces settings, set the install script to setup.sh. GitHub clones this repo into each new codespace and runs that script.

setup.sh is a lightweight Codespaces-only shim: it renders install.sh from install.sh.tmpl with chezmoi execute-template, then executes the generated installer.

This repo ships a pre-baked overlay container image on GHCR. When install.sh detects CODESPACES=1, it pulls only the overlay layers that differ from the base devcontainer image and extracts them directly, skipping the full bootstrap.

Important

Dotfiles changes only take effect in new codespaces. Existing ones keep their current state unless rebuilt.

Forking

Recommended fork workflow:

  1. Fork this repo on GitHub.
  2. Clone your fork locally.
  3. Update identity and package overlays (checklist below).
  4. Run chezmoi apply and validate your machine state.

Fork checklist

Change these files first:

  • Identity: home/.chezmoidata/profile.yaml
    • profile.git.name
    • profile.git.email
    • profile.git.githubUser
    • profile.git.githubRepo (for WSL bootstrap clone target)
    • profile.git.signingKey (optional)
    • profile.codespaces.gitName
  • Git config template: home/dot_gitconfig.tmpl (usually no change needed, only edit if you want different structure)
  • Homebrew packages: home/.chezmoidata/brew/*.yaml
    • Keep 00-base.yaml for shared packages.
    • Replace 10-chipwolf.yaml with your own overlay file (for example 10-yourname.yaml) and adjust package entries.
    • Keep package state in home/Brewfile.tmpl and home/.chezmoidata/brew/*.yaml; no checked-in rendered Brewfile is required.
  • Agent permissions (optional but common): home/.chezmoidata/agent-permissions/*.yaml
    • Keep 00-base.yaml for shared rules.
    • Replace 10-chipwolf.yaml with your own overlay file.
  • MCP servers (optional but common): home/.chezmoidata/mcps/*.yaml
    • Keep 00-base.yaml for shared servers.
    • Replace 10-chipwolf.yaml with your own overlay file.
  • OpenCode config template: home/dot_config/opencode/opencode.jsonc.tmpl (usually no change needed unless you want to change render structure)

Optional removals if not relevant to your setup:

  • home/private_dot_gnupg/ (if you do not use this GnuPG setup)
  • home/dot_config/finicky.js (if you do not use Finicky on macOS)
  • home/dot_scripts/executable_7zw (if you do not use the archive/encryption wrapper)
  • Any app/package entries you do not want in home/.chezmoidata/brew/*.yaml

Install scripts note:

  • install.sh.tmpl and install.ps1.tmpl are the installer source of truth.
  • Release automation renders release-ready install.sh and install.ps1 from those templates using the current repository and tag values.

Tip

The chezmoi source state lives under home/ (set by .chezmoiroot). Filenames use chezmoi's attribute prefixes: dot_ becomes a leading ., private_ restricts permissions, executable_ adds the execute bit. home/dot_config/nvim/ deploys to ~/.config/nvim/.

SSH key setup

If you use a YubiKey for SSH authentication:

ykman config usb -d OTP
ykman fido access change-pin
ssh-keygen -t ed25519-sk -C "user@domain.tld" -O resident -O verify-required

Full workflow (backup keys, credential hygiene, recovery): docs/yubikey.md.

Provenance SLSA 3

All release artifacts are built with SLSA Build L3 provenance via GitHub artifact attestations in reusable workflows that isolate the build from the calling workflow.

This covers:

Note

Provenance does not cover the chezmoi source state (templates, configs, run scripts) or packages installed by Homebrew, Chocolatey, or mise. Those are outside the attestation boundary.

Verify:

# Install scripts (download the asset first)
gh attestation verify install.sh --repo chipwolf/dotfiles

# Container image
gh attestation verify oci://ghcr.io/chipwolf/dotfiles:v1.6.2 --repo chipwolf/dotfiles

Further reading

Document Contents
docs/brew.md Homebrew overlays, template rendering, and brew-review workflow
docs/agent-permissions.md Shared agent permission rule schema, overlays, and rendering model
docs/mcp-servers.md MCP server setup, conditions, targets, and arg interpolation
docs/yubikey.md YubiKey SSH workflow, backup strategy, credential hygiene
docs/secrets.md Bitwarden integration, GnuPG config, secret introduction order

About

Opinionated dotfiles managed with chezmoi. MacOS, Linux, Codespaces, and Windows.

Topics

dotfiles dotfiles-windows dotfiles-macos dotfiles-linux

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

2 forks
Report repository

Releases 15

v1.6.2 Latest
Apr 13, 2026
+ 14 releases

Packages

 
 
 

Contributors

Languages