UNPKG

@sebastienrousseau/dotfiles

Version:

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

dotfiles.io

sebastienrousseau/dotfiles

167 lines (123 loc) 7.41 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
--- render_with_liquid: false --- # Roadmap This roadmap steers the project from a "feature-rich dotfiles repo" to an **Enterprise-Grade Shell Distribution**. The structure is organized by strategic pillars (**Trust**, **Predictability**, **Observability**) rather than linear phases, though the original 100-Phase vision is preserved within these categories. --- ## Reproducibility **Goal:** "Reproducible Shell Environments". > *This distribution aims for deterministic rebuilds: the same tag yields the same environment across machines.* - [ ] **Pinned Formulae**: Strict version locking for Homebrew bundle and Apt packages. - [ ] **Binary Locking**: Future versions may replace bootstrap download helpers with checksum-verified artifacts once a portable verification strategy is finalized. - [ ] **State Capture**: `chezmoi` templates that capture host-specific state for idempotence. - [ ] **Manifests**: Optional `Brewfile.lock` or equivalent for Linux. - [ ] **Cloud-Init (Phase 28)**: Generate `user-data` scripts for AWS/GCP bootstrapping. - [ ] **Container Native (Phase 28)**: Base Docker image for devcontainers. - [ ] **Terraform Provider (Phase 28)**: Custom provider to provision dotfiles state. ## Observability **Goal:** "Observable Shell Lifecycle". > *The shell is instrumented: failures, timing, and lifecycle events are visible by design.* - [x] **Audit Structuring**: JSON-structured logging for bootstrap and provisioning events. - [x] **Debug Modes**: First-class support for `DOTFILES_DEBUG=1` and `DOTFILES_TRACE=1`. - [x] **Telemetry (Local)**: Granular startup timing breakdown via `dot perf`. - [ ] **Health Dashboard (Phase 39)**: CLI view of system "health" metrics. - [ ] **System Status (Phase 39)**: Real-time resource usage, battery, and network stats. - [ ] **Update Manager (Phase 39)**: Visual interface for tool updates and migration. ## Secrets **Goal:** "Explicit Secrets Model". > *Secrets are never committed; sensitive state is encrypted or host-local by default.* - [x] **Secret Driver**: Native integration with 1Password/Bitwarden CLI via `chezmoi`. - [x] **Encryption**: Promoted use of `age` encryption for all private config files. - [ ] **Leak Prevention (Phase 29)**: Pre-commit hooks (TruffleHog/Gitleaks) for high-entropy detection. - [ ] **Vault Integration (Phase 29)**: Native HashiCorp Vault support. - [ ] **Hardware Enclaves (Phase 29)**: Support for Secure Enclave/TPM key storage. - [ ] **OIDC Auth (Phase 29)**: Keyless authentication via GitHub OIDC. ## Toolchain **Goal:** "Composable Shell Layers". > *The distribution is layered: core safety is mandatory, advanced features are opt-in.* - [ ] **Core Layer**: XDG, PATH, Safety (`set -euo pipefail`). (Zero external deps). - [ ] **UX Layer**: Prompt (Starship), Aliases, Completions. - [ ] **Toolchain Layer**: Rust replacements (`eza`, `bat`, `ripgrep`). - [ ] **Cross-Compiler Toolchain (Phase 34)**: - [ ] **Multi-Arch**: `qemu-user-static` for ARM64/AMD64. - [ ] **Wasm Target**: WebAssembly toolchain setup. - [ ] **Embedded Dev**: Presets for Arduino/ESP32. ## Opt-in features **Goal:** "Explicit Feature Flags". > *Advanced features are gated behind explicit opt-in flags.* - [ ] **Feature Toggles**: Environment variables (e.g., `ENABLE_AI=0`, `ENABLE_HISTORY_SYNC=0`). - [ ] **Lazy Loading**: Strict lazy-loading for all non-core plugins. - [ ] **Plugin Ecosystem (Phase 35)**: - [ ] **Module Registry**: Public index of dotfiles modules. - [ ] **Dependency Solving**: Semantic versioning for modules. - [ ] **Verified Publishers**: Cryptographic signing for "Official" modules. ## Safety **Goal:** "Documented Threat Model". > *Security decisions are driven by an explicit, documented threat model.* - [x] **Threat Model Doc**: A lightweight document defining the trust boundary (Local Machine). See `docs/security/THREAT_MODEL.md`. - [ ] **Supply Chain**: Verification steps for upstream dependencies. - [ ] **Identity & Access (Phase 40)**: - [ ] **SSH Certs**: Short-lived SSH Certificates. - [ ] **YubiKey Bio**: Biometric enforcement for `sudo`. - [ ] **PAM Modules**: Custom auth modules. - [ ] **Auditd Rules**: Pre-configured audit rules. ## Validation **Goal:** "Self-Validating Environment". > *The environment can validate itself after installation or update.* - [x] **Smoke Tests**: Automated verification of key aliases (`ls`, `git`, `docker`). - [x] **CI Validation**: GitHub Actions workflow to boot and verify the shell syntax. - [x] **Chaos Engineering (Phase 41)**: - [ ] **Config Chaos**: Randomly corrupt config files to test recovery. - [ ] **Network Simulation**: Simulate high latency/packet loss. - [ ] **Permission Fuzzing**: Verify strict umask behavior. ## Distribution **Goal:** "Supported Platforms Matrix". > *Only listed platforms are guaranteed to work; others are best-effort.* - [x] **Support Matrix**: Explicit table of OS/Version support. See `docs/reference/SUPPORT_MATRIX.md`. - [ ] **Windows Deep Integration (Phase 53)**: - [ ] **PowerShell Profile**: Mirror Zsh functionality. - [ ] **WinGet**: Declarative package management. - [ ] **WSL Bridge**: Seamless interop. - [ ] **Linux Deep Integration (Phase 55)**: - [x] **Systemd User Units**: User service management. - [ ] **Desktop Envs**: GNOME/KDE/Sway configs. --- ## Future ### Domain-Specific Environments - [ ] **Data Science (Phase 38)**: Conda/Mamba, GPU Config, Jupyter. - [ ] **Network Topologies (Phase 56)**: Mesh Networks, Tor, Private VPNs. - [ ] **Build Systems (Phase 57)**: Bazel, Maven/Gradle, CMake. - [ ] **Financial Operations (Phase 63)**: Cost CLI, Ledger, Stock Tickers. - [ ] **Game Development (Phase 64)**: Unity/Unreal CLI, Godot, Blender. - [ ] **Scientific Computing (Phase 68)**: Latex, R/Julia, Pandoc. - [ ] **Quantum Computing (Phase 69)**: Qiskit, Simulators. - [ ] **Bio-Informatics (Phase 70)**: Genomics, PDB, FASTA. ### Enterprise & Operations - [ ] **Collaborations (Phase 45)**: Pair Programming, Team Sync, ChatOps. - [ ] **Database DevOps (Phase 46)**: DB Clients, Local Docker DBs, Migrations. - [ ] **Serverless (Phase 47)**: Lambda, Edge Workers, Wasm. - [ ] **Enterprise Fleet (Phase 30)**: MDM Profiles, Policy as Code. - [ ] **Legal & Procurement (Phase 93)**: RFP Templates, Vendor Management. - [ ] **Recruiting & HR (Phase 94)**: Resume Generators, coding interview sets. ### Accessibility & Legacy - [ ] **Accessibility (Phase 36)**: Screen Reader optimization, High Contrast. - [ ] **Legacy Modernization (Phase 42)**: Mainframe/Unix support, PowerShell Core. --- ## Completed ### Core Foundations - [x] **Universal Config (Chezmoi) (Phase 1)** - [x] **Shell Environment (Phase 2)** - [x] **Tool Modernization (Phase 3)** - [x] **Performance Optimization (Phase 4)** ### Hardened Security - [x] **Security & Validation (Phase 5)** - [x] **Package Management (Phase 6)** - [x] **Hardened Security (Phase 21)** - [x] **Enterprise Core (Phase 23)**: SLSA, SBOM, Signed Releases. - [x] **Legal & Licensing (Phase 92)**: FOSSology, Headers, CLA. ### Experience - [x] **Documentation (Phase 25)**: DocSite, Interactive Tour. - [x] **Self-Healing (Phase 27)**: Doctor, Auto-Repair. - [x] **OS Bundling (Phase 26)**: XDG Compliance, Vendor Hooks. - [x] **Predictive Shell (Phase 32)**: Autosuggest, Local LLM. - [x] **Visual Layer (Phase 34)**: Yazi, Zellij, Ghostty.