Public Mac bootstrap files for uinaf machines.
This repo owns the portable layer: Homebrew bundles, chezmoi-managed zsh startup, mise runtimes, Git and SSH defaults, Codex defaults, editor settings, and setup and audit scripts.
It does not own secrets, identity, Codex auth/state, browser profiles, app caches, dependency folders, build output, or project checkouts. Those stay machine-local.
| Profile | Use it for | Installs |
|---|---|---|
| Shared | Base tools every uinaf Mac should have. | Brewfile |
| Personal | A human-operated laptop or desktop. | Brewfile + Brewfile.personal |
| Devbox | A shared Mac mini or SSH-first agent host. | Brewfile + Brewfile.devbox |
Most users want the personal profile. Always-on agent hosts use devbox.

Install Apple Command Line Tools, Homebrew, git, and gh, then clone the repo:

```sh
gh auth login
mkdir -p ~/projects/uinaf
gh repo clone uinaf/dotfiles ~/projects/uinaf/dotfiles
cd ~/projects/uinaf/dotfiles
./scripts/bootstrap/brew-bundle.sh personal
./scripts/bootstrap/install.sh
./scripts/bootstrap/configure-git.sh --profile personal
./scripts/bootstrap/configure-power.sh --profile personal
./scripts/app-store/personal.sh
mise trust
mise install
./scripts/bootstrap/pull-repos.sh
./scripts/verify/bootstrap.sh --profile personal
```

If git or gh is not available yet, or for the full first-machine flow, devbox setup, Chrome vertical tabs, Blacksmith, and Tizen notes, read the Bootstrap guide.
configure-power.sh is a deliberate sudo step. install.sh stays user-level
and should not change system power policy implicitly.
./scripts/bootstrap/install.sh applies tracked files from chezmoi/ into
$HOME through scripts/bootstrap/apply-dotfiles.sh. Use
Bootstrap guide for the ordered setup flow,
Chezmoi source state for source naming rules, and
Mise tasks for the split between repo tasks and machine runtime
pins.
| Surface | Tracked source | Local-only extension |
|---|---|---|
| zsh | chezmoi/dot_zshenv, chezmoi/dot_zprofile, chezmoi/dot_zshrc | machine shell history and ad hoc local files |
| mise | chezmoi/private_dot_config/mise/config.toml | repo-local runtime files |
| Git | chezmoi/dot_gitconfig | ~/.gitconfig.local |
| SSH | chezmoi/private_dot_ssh/private_config | ~/.ssh/config.local, private keys |
| Codex | installer-managed defaults, including ChatGPT-login enforcement | auth, sessions, approvals, memory, worktrees |
| Editors | chezmoi-managed Zed and Ghostty defaults | app state, fonts, caches |
Keep these out of Git:
- Git identity, signing keys, and 1Password SSH agent vault selection.
- 1Password service-account tokens and item references.
- SSH private keys, certificates, Tizen archives, and device keys.
- Codex auth, Browser approvals, sessions, caches, worktrees, and app state.
- Browser profiles, Docker/Colima state, dependency folders, and build output.
For always-on agent hosts, use the secret model in Devbox setup: service-account tokens live in machine-local storage, generated runtime env files are owner-only, and normal shells do not export long-lived tokens.
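As an added example, not code from the uinaf/dotfiles repo, here is a small POSIX sh check for two of the properties above: a generated runtime env file that is owner-only, and a normal shell that exports no long-lived tokens. The env file path and the credential-name patterns are assumptions for illustration, not settings from the repo.

```sh
#!/bin/sh
# Added example, not part of uinaf/dotfiles. The env file path and the
# variable-name patterns are assumptions, not repo settings.

# Return 0 when FILE is a regular file owned by the caller with no group/other
# permission bits (e.g. 0600); print the reason and return 1 otherwise.
runtime_env_is_owner_only() {
  file=$1
  [ -f "$file" ] || { echo "missing or not a regular file: $file"; return 1; }
  # -O is the POSIX test for "owned by the effective user id".
  [ -O "$file" ] || { echo "not owned by uid $(id -u): $file"; return 1; }
  # Portable mode check: the first 10 chars of ls -l are type and rwx bits.
  perm=$(ls -ld "$file" | cut -c1-10)
  case $perm in
    -???------) return 0 ;;
    *) echo "group/other has access to $file ($perm); want owner-only"; return 1 ;;
  esac
}

# Print the names in NAMES (one per line) that look like long-lived
# credentials. The patterns are an assumption; 1Password's
# OP_SERVICE_ACCOUNT_TOKEN and GitHub's GH_TOKEN/GITHUB_TOKEN match _TOKEN$.
list_token_like_vars() {
  printf '%s\n' "$1" \
    | grep -E '_TOKEN$|_SECRET$|_SECRET_|_API_KEY$|_PASSWORD$' \
    || true
}

# Return 0 when NAMES (default: the current environment's variable names)
# contains nothing token-like, i.e. an ordinary shell carries no agent creds.
shell_exports_no_tokens() {
  names=${1:-$(env | cut -d= -f1)}
  found=$(list_token_like_vars "$names")
  [ -z "$found" ] || { echo "long-lived credentials exported:"; echo "$found"; return 1; }
}

# Stand-alone use: check an assumed devbox env file path and the live shell.
if [ "${1:-}" = "--check" ]; then
  runtime_env_is_owner_only "${HOME}/.config/uinaf/devbox.env" \
    && shell_exports_no_tokens
fi
```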
Brewfile.personal is the shared human-operated Mac profile, not a private app
wishlist. Keep one-machine tweaks in local config files, keep durable personal
preferences in a fork, and send focused pull requests for changes that should
become part of the shared uinaf bootstrap.
Use repo checks before committing:

```sh
./scripts/verify/repo.sh
```

Equivalent mise task:

```sh
mise trust
mise run verify
mise run verify:fast
```

To install the local pre-push guard for the fast repo gate:

```sh
./scripts/bootstrap/install-git-hooks.sh
```

Use live-machine checks only on a machine that should actually use these dotfiles:

```sh
./scripts/verify/bootstrap.sh --profile personal
./scripts/verify/bootstrap.sh --profile devbox
```

For security posture:

```sh
./scripts/audit/repo.sh --skip-mscp
mise run audit:repo
./scripts/audit/host.sh
./scripts/audit/personal.sh
./scripts/audit/devbox.sh
```

See Security audits for the audit layers, Lynis host audit, and macOS Security Compliance Project flow.
| Need | Read |
|---|---|
| Install or update a Mac | Bootstrap guide |
| Operate a shared agent Mac mini | Devbox setup |
| Understand dotfile source state | Chezmoi source state |
| Understand mise tasks and runtime pins | Mise tasks |
| Help as an AI agent | Agent guide |
| Understand verification and CI | Agent readiness |
| Understand GitHub Actions | GitHub pipelines |
| Run security checks | Security audits |
| Build React Native apps | React Native |
| Contribute changes | Contributing |
| Report a vulnerability | Security |
| Find scripts | Script guide |
MIT. See License.