Public Mac bootstrap files for uinaf machines.
This repo owns the portable layer: Homebrew bundles, chezmoi-managed zsh startup, mise runtimes, Git and SSH defaults, Codex defaults, editor settings, and setup and audit scripts.
It does not own secrets, identity, Codex auth/state, browser profiles, app caches, dependency folders, build output, or project checkouts. Those stay machine-local.
| Profile | Use it for | Installs |
|---|---|---|
| Shared | Base tools every uinaf Mac should have. | Brewfile |
| Personal | A human-operated laptop or desktop. | Brewfile + Brewfile.personal |
| Devbox | A shared SSH-first agent host. | Brewfile + Brewfile.devbox |
Most users want personal. Always-on agent hosts use devbox.
Install Apple Command Line Tools, Homebrew, git, and gh, then clone the
repo:

```sh
gh auth login
mkdir -p ~/projects/uinaf
gh repo clone uinaf/dotfiles ~/projects/uinaf/dotfiles
cd ~/projects/uinaf/dotfiles
./scripts/bootstrap/brew-bundle.sh personal
./scripts/bootstrap/install.sh
./scripts/bootstrap/configure-git.sh --profile personal
./scripts/bootstrap/configure-power.sh --profile personal
./scripts/bootstrap/configure-spotlight.sh
./scripts/app-store/personal.sh
mise trust
mise install
./scripts/bootstrap/pull-repos.sh
./scripts/verify/bootstrap.sh --profile personal
```

If git or gh is not available yet, or for the full first-machine flow,
devbox setup, Chrome vertical tabs, Blacksmith, and Tizen notes, read
Bootstrap guide.
configure-power.sh and configure-spotlight.sh are deliberate sudo steps.
install.sh stays user-level and should not change system policy implicitly.
./scripts/bootstrap/install.sh applies tracked files from chezmoi/ into
$HOME through scripts/bootstrap/apply-dotfiles.sh. Use
Bootstrap guide for the ordered setup flow,
Chezmoi source state for source naming rules, and
Mise tasks for the split between repo tasks and machine runtime
pins.
| Surface | Tracked source | Local-only extension |
|---|---|---|
| zsh | chezmoi/dot_zshenv, chezmoi/dot_zprofile, chezmoi/dot_zshrc | machine shell history and ad hoc local files |
| mise | chezmoi/private_dot_config/mise/config.toml | repo-local runtime files |
| Git | chezmoi/dot_gitconfig | ~/.gitconfig.local |
| SSH | chezmoi/private_dot_ssh/private_config | ~/.ssh/config.local, private keys |
| Codex | installer-managed defaults, including ChatGPT-login enforcement | auth, sessions, approvals, memory, worktrees |
| Editors | chezmoi-managed Zed and Ghostty defaults | app state, fonts, caches |
Keep these out of Git:
- Git identity, signing keys, and 1Password SSH agent vault selection.
- Infisical workspace/project auth and 1Password human vault references.
- SSH private keys, certificates, Tizen archives, and device keys.
- Codex auth, Browser approvals, sessions, caches, worktrees, and app state.
- Browser profiles, Docker/Colima state, dependency folders, and build output.
For always-on agent hosts, use the secret model in Devbox setup. The short version: humans may use 1Password and Infisical, agents use Infisical machine identity auth only, and tokens or client credentials must not live in default shells, process managers, tracked files, or generated dotenv refresh stacks.
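The list above and the devbox secret model say what must stay machine-local; the repo gate (scripts/verify/repo.sh) is where that is enforced, and its real checks live in the repo. The POSIX sh below is an added illustration, not the project's own script: it builds a constructed chezmoi/ tree, scans it for content that should never be tracked (private-key headers, a Git signingkey setting, an op:// 1Password reference, an INFISICAL_TOKEN assignment) and for file names that belong only to the machine (gitconfig.local, config.local, id_ed25519, id_rsa), and fails when either is found. The patterns, file names and sample trees are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not a script from uinaf/dotfiles: a minimal "nothing
# secret in the tracked tree" gate in the spirit of the list above.
# Assumptions: tracked dotfile source lives under chezmoi/; the patterns
# and local-only file names below are illustrative, not the repo's rules.

# Content that must never appear in a tracked file (extended regex).
SECRET_PATTERNS='BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY|^[[:space:]]*signingkey[[:space:]]*=|op://|INFISICAL_TOKEN[[:space:]]*='

# Basenames that belong to the machine, never to the repo.
LOCAL_ONLY_NAMES='gitconfig.local config.local id_ed25519 id_rsa'

# scan_tracked_tree DIR: print offending paths; return 1 if any were found.
scan_tracked_tree() {
    dir=$1
    status=0
    # 1. content scan (-I skips binaries, -l lists only file names)
    hits=$(grep -rElI -- "$SECRET_PATTERNS" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'secret-like content in:\n%s\n' "$hits"
        status=1
    fi
    # 2. file-name scan for local-only artifacts that got tracked
    for name in $LOCAL_ONLY_NAMES; do
        hits=$(find "$dir" -type f -name "*$name" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf 'local-only file tracked:\n%s\n' "$hits"
            status=1
        fi
    done
    return $status
}

# make_demo_tree good|bad: build a constructed sample tree, print its path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/chezmoi/private_dot_ssh"
    # Acceptable tracked content: identity is pulled in from local files.
    printf '[include]\n\tpath = ~/.gitconfig.local\n' > "$root/chezmoi/dot_gitconfig"
    printf 'Include ~/.ssh/config.local\n' > "$root/chezmoi/private_dot_ssh/private_config"
    if [ "$1" = bad ]; then
        # Constructed mistakes: a signing key setting and a private key file.
        printf '[user]\n\tsigningkey = constructed-key-id\n' >> "$root/chezmoi/dot_gitconfig"
        printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-not-a-real-key' \
            > "$root/chezmoi/private_dot_ssh/private_id_ed25519"
    fi
    echo "$root"
}

# Stand-alone demo: the clean tree passes, the tainted tree is blocked.
demo_clean=$(make_demo_tree good)
demo_bad=$(make_demo_tree bad)
if scan_tracked_tree "$demo_clean"; then echo "clean tree: ok"; fi
if scan_tracked_tree "$demo_bad"; then :; else echo "tainted tree: blocked"; fi
rm -rf "$demo_clean" "$demo_bad"
```

Run it as a pre-push hook body or from the repo gate; a non-zero exit from scan_tracked_tree is the signal to stop the push.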
Brewfile.personal is the shared human-operated Mac profile, not a private app
wishlist. Keep one-machine tweaks in local config files, keep durable personal
preferences in a fork, and send focused pull requests for changes that should
become part of the shared uinaf bootstrap.
Use repo checks before committing:

```sh
./scripts/verify/repo.sh
```

Equivalent mise task:

```sh
mise trust
mise run verify
mise run verify:fast
```

To install the local pre-push guard for the fast repo gate:

```sh
./scripts/bootstrap/install-git-hooks.sh
```

Use live-machine checks only on a machine that should actually use these dotfiles:

```sh
./scripts/verify/bootstrap.sh --profile personal
./scripts/verify/bootstrap.sh --profile devbox
```

For security posture:

```sh
./scripts/audit/repo.sh --skip-mscp
mise run audit:repo
./scripts/audit/host.sh
./scripts/audit/personal.sh
./scripts/audit/devbox.sh
```

See Security audits for the audit layers, Lynis host audit, and macOS Security Compliance Project flow.
| Need | Read |
|---|---|
| Install or update a Mac | Bootstrap guide |
| Operate a shared agent host | Devbox setup |
| Understand dotfile source state | Chezmoi source state |
| Understand mise tasks and runtime pins | Mise tasks |
| Help as an AI agent | Agent guide |
| Understand verification and CI | Agent readiness |
| Understand GitHub Actions | GitHub pipelines |
| Run security checks | Security audits |
| Build React Native apps | React Native |
| Contribute changes | Contributing |
| Report a vulnerability | Security |
| Find scripts | Script guide |
MIT. See License.