Personal dotfiles managed with chezmoi. One repo, public-safe:
every secret is committed only as age ciphertext and the decryption key lives off-repo.
```sh
chezmoi init --apply clzmj
```

This clones the repo, asks the questionnaire (below), decrypts the age key from
`key.txt.age` (prompts once for the passphrase), then installs Homebrew + Oh My Zsh +
Rust and runs `brew bundle`. One command, whole machine.
`chezmoi init` asks a few questions (answers persist; re-running never re-asks):

| Prompt | Effect |
|---|---|
| Machine name | defaults to this host's hostname, inherited per-machine |
| personal | git identities (`~/.gitconfig-*`) + github/gitlab/hf SSH keys & hosts |
| unbroker | Unbroker AWS profile + credentials |
| pz | PZ AWS SSO profiles |
| hostinger | Hostinger SSH host |

Answer no and that context's SSH/AWS material never lands on the machine.
| Goal | Do this |
|---|---|
| Add a package | `casa add` → pick manager (brew/cask/tap/go/uv/npm/cargo) → name → installs + records in the Brewfile |
| Remove package(s) | `casa remove` → pick manager → multi-select from the Brewfile → uninstalls + de-records |
| Update packages | `casa update` → shows what's outdated → pick one/many/all |
| Update everything | `sysupdate` (`brew upgrade` + `chezmoi update`) |
| Edit a dotfile | `dotfiles` (fzf picker over all managed files incl. encrypted) |
| Add a secret | `chezmoi add --encrypt <file>` |
`casa` keeps `~/.Brewfile` (the chezmoi source) in sync as you go — new entries land
in the OS-correct section (`# casa:<type>` anchors), and it offers to commit. You can
also hand-edit the Brewfile directly; `chezmoi apply` then runs `brew bundle` +
`brew bundle cleanup` to reconcile (no auto-dump).

The Brewfile and `~/.zprofile` are templated on `.chezmoi.os`: Homebrew formulae
install on macOS and Linux; casks/fonts and macOS-only paths are gated to darwin.
GUI/personal apps are not managed here — install them by hand: Spotify, WhatsApp, Zoom, Slack, Chrome, Helium, Google Drive, VLC, Blender, Affinity, Arturia, MS Word, Wispr Flow, KeyCastr, CodexBar, Ollama.app, Docker Desktop, Ghostty, DBeaver, PortKiller.
To stop brew tracking an installed cask without removing the app:

```sh
rm -rf "$(brew --caskroom)/<app>"
```
- `encryption = "age"`, identity at `~/key.txt` (off-repo), recipient committed.
- Per-client AWS blocks are encrypted fragments in `dot_aws/secrets/`, assembled into `~/.aws/config` and `~/.aws/credentials` by templates via `include | decrypt`.
- SSH server configs live in `~/.ssh/config.d/*.conf` (encrypted), pulled in by the native `Include` in `~/.ssh/config`.
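The questionnaire gating and the `include | decrypt` assembly described above, as an added example (these are not the repo's own files): a `.chezmoi.toml.tmpl` that stores the answers under `[data]` and points age at the off-repo identity, a `.chezmoiignore` that keeps the ciphertext fragments and any context answered no out of `$HOME`, and a `dot_aws/config.tmpl` that inlines a decrypted fragment only for contexts answered yes. The fragment filenames (`unbroker-config.age`, `pz-config.age`), the `hostinger.conf` filename and the recipient string are placeholders, not values taken from this repo.

```gotemplate
{{/* --- .chezmoi.toml.tmpl (example; answers are written to chezmoi's config, so re-running does not re-ask) --- */}}
{{- $machine   := promptStringOnce . "machine"   "Machine name" .chezmoi.hostname -}}
{{- $personal  := promptBoolOnce   . "personal"  "Personal context (git identities + github/gitlab/hf SSH)?" -}}
{{- $unbroker  := promptBoolOnce   . "unbroker"  "Unbroker AWS profile + credentials?" -}}
{{- $pz        := promptBoolOnce   . "pz"        "PZ AWS SSO profiles?" -}}
{{- $hostinger := promptBoolOnce   . "hostinger" "Hostinger SSH host?" -}}

encryption = "age"
[age]
    # identity stays off-repo; only the public recipient is committed
    identity  = {{ joinPath .chezmoi.homeDir "key.txt" | quote }}
    recipient = "age1PLACEHOLDERRECIPIENT"   # placeholder, not a real recipient

[data]
    machine   = {{ $machine | quote }}
    personal  = {{ $personal }}
    unbroker  = {{ $unbroker }}
    pz        = {{ $pz }}
    hostinger = {{ $hostinger }}

{{/* --- .chezmoiignore (example): patterns are target paths; matched files are never written to $HOME --- */}}
# ciphertext fragments are only ever read by templates via include | decrypt
.aws/secrets
{{ if not .personal }}
# no personal context: git identities stay off this machine
.gitconfig-*
{{ end }}
{{ if not .hostinger }}
# assumed filename for the Hostinger server block
.ssh/config.d/hostinger.conf
{{ end }}

{{/* --- dot_aws/config.tmpl (example): ~/.aws/config assembled from decrypted fragments --- */}}
# Each block below is an age-encrypted fragment under dot_aws/secrets/ in the source dir.
# The conditional means decrypt never runs, and no profile appears, for a context answered no.
{{ if .unbroker -}}
{{ joinPath .chezmoi.sourceDir "dot_aws/secrets/unbroker-config.age" | include | decrypt }}
{{- end }}
{{ if .pz -}}
{{ joinPath .chezmoi.sourceDir "dot_aws/secrets/pz-config.age" | include | decrypt }}
{{- end }}
```

Two properties fall out of this layout: the plaintext of a fragment exists only inside the rendered target file (`~/.aws/config`), never as a separate file in `$HOME`, and a machine whose questionnaire answered no to a context holds neither that context's ciphertext nor its decrypted output.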
The age identity (`~/key.txt`) is a raw, passphrase-less key and is never
committed to this public repo. Copy it by hand before (or during) `chezmoi init`:

```sh
scp ~/key.txt newhost:~/key.txt   # or via a password manager / USB
```

`chezmoi init --apply` then decrypts everything. If `~/key.txt` is missing, the
`run_once_before_00-decrypt-key` script prints a reminder instead of failing silently.

(Optional, if you ever want one-command bootstrap instead of manual copy: encrypt
the key with a passphrase you choose — `age --passphrase -o key.txt.age ~/key.txt`,
commit `key.txt.age`, and the script will decrypt it on a new machine.)
| Path | Purpose |
|---|---|
| `.chezmoi.toml.tmpl` | questionnaire → machine/email/domain gates + age config |
| `.chezmoiignore` | gates domain files per answer; hides secret fragments |
| `dot_Brewfile.tmpl` | packages (OS-templated) |
| `dot_config/zsh/*.zsh` | shell aliases + functions, sourced by `~/.zshrc` |
| `dot_aws/` | `config.tmpl` + `credentials.tmpl` + `secrets/` fragments |
| `dot_ssh/` | `config.tmpl` + Include'd `config.d/` + encrypted keys |
| `run_once_before_00-*` | decrypt age key on a new machine |
| `run_once_after_10-*` | install brew / omz / rust |
| `run_onchange_after_20-*` | `brew bundle` when the Brewfile changes |