UNPKG

@sebastienrousseau/dotfiles

Version:

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

dotfiles.io

sebastienrousseau/dotfiles

85 lines (62 loc) 2.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
--- render_with_liquid: false --- # Appendix B: Security Checklist Run this checklist after a fresh install and quarterly afterwards. ## Pre-Install - [ ] Download `install.sh` over HTTPS only - [ ] Inspect `install.sh` before running (optional, recommended for untrusted environments) - [ ] Ensure SSH signing key exists and is backed up (`~/.ssh/id_ed25519`) - [ ] Ensure Age key is backed up if reinstalling (`~/.config/age/keys.txt`) ## Post-Install - [ ] Run `dot doctor` — expect score ≥90 - [ ] Run `dot verify --security` — all checks pass - [ ] Verify commit signing: `cd ~/.dotfiles && git verify-commit HEAD` - [ ] Confirm `~/.ssh/allowed_signers` contains your public key - [ ] Check that `~/.config/age/keys.txt` permissions are `0600` - [ ] Run `dot mcp --strict` — policy matches registry ## Ongoing (monthly) - [ ] `dot upgrade` — pick up security patches - [ ] `dot verify --security` — confirm no new leaks - [ ] Review `~/.local/state/dotfiles/mcp-violations.log` — any unexpected entries? - [ ] Review recent attestations — `ls ~/.local/state/dotfiles/attestation/ | tail -10` - [ ] Rotate Age key if compromised or as part of scheduled rotation ## Ongoing (quarterly) - [ ] Rotate SSH signing key - [ ] Audit `~/.ssh/allowed_signers` — remove former team members - [ ] Review SOPS recipient list in `.sops.yaml` - [ ] Run `dot chaos` in a test container — verify heal works - [ ] Update pinned tool versions in `mise.toml` - [ ] Run fleet attestation — confirm all hosts aligned ## Incident Response If a secret leak is detected: 1. **Contain** — remove from history, force-push ```sh git filter-repo --path <file> --invert-paths git push --force ``` 2. **Rotate** — change the leaked secret upstream (Stripe key, SSH key, etc.) 3. **Audit** — check who/what had access 4. **Notify** — inform affected parties if required If a host is compromised: 1. **Revoke** — remove the host's public key from `~/.ssh/allowed_signers` on all other fleet hosts 2. **Re-encrypt**`sops updatekeys` with the host excluded from recipients 3. **Attest** — run `dot fleet attest` to verify revocation propagated 4. **Wipe** — if the host is recoverable, `rm -rf ~/.config/age ~/.dotfiles` and reinstall ## Gates Enforced by CI Every PR to master must pass: - [x] SSH-signed commits - [x] Shellcheck zero warnings (severity=error) - [x] Gitleaks scan - [x] Detect-secrets baseline diff - [x] TruffleHog verified scan - [x] Copyright headers present - [x] 100% unit test coverage - [x] Reliability tests (macOS + Ubuntu) - [x] Checkov infra scan - [x] Version sync (bumped across all files) ## See Also - [Trust Model](../01-concepts/02-trust-model.md) - [Encrypt a Secret tutorial](../02-tutorials/04-encrypt-secret.md) - [Security Policy](../../security/SECURITY.md) - [Incident Response Playbook](../../security/INCIDENT_RESPONSE.md)