UNPKG

@sebastienrousseau/dotfiles

Version:

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

dotfiles.io

sebastienrousseau/dotfiles

159 lines (107 loc) 3.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
--- render_with_liquid: false --- {% raw %} # Secrets Management Provider-agnostic secrets via `dot secrets`. Supports macOS Keychain, `pass`, and age-encrypted local storage. ## Providers Provider selection is controlled by `.chezmoidata.toml`: ```toml [secrets.policy] provider = "auto" # auto | macos-keychain | pass | plain-enc auto_load = true [secrets.buckets] ai = ["GEMINI_API_KEY", "CLAUDE_API_KEY", "OPENAI_API_KEY"] infra = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"] ``` `auto` resolves in this order: 1. `macos-keychain` on macOS 2. `pass` when available 3. `plain-enc` fallback (age-encrypted local store) ## Commands ```bash # Bootstrap age key for chezmoi encrypted files dot secrets-init # Optional: create encrypted secrets file for chezmoi dot secrets-create dot secrets edit # Managed secret store dot secrets set GEMINI_API_KEY dot secrets get GEMINI_API_KEY --raw dot secrets list dot secrets provider # Emit export lines for a bucket dot secrets load ai # Load into current shell session eval "$(dot env load ai)" ``` ## Shell Auto-Load When `auto_load = true`, shell startup can load configured buckets automatically via `dot env load <bucket>`. Environment toggles: - `DOTFILES_SECRETS_PROVIDER` - `DOTFILES_SECRETS_AUTO_LOAD` - `DOTFILES_SECRETS_BUCKET_NAMES` ## Governance A pre-commit hook runs: ```bash scripts/diagnostics/secret-governance.sh ``` It blocks staged commits when likely secret patterns are found. In strict mode it also blocks exact matches against managed secret values. ## SSH Key Encryption ```bash dot ssh-key ~/.ssh/id_ed25519 ``` This creates a local encrypted file, which you can add to chezmoi with `chezmoi add --encrypt` if needed. ## External Secrets Backends Chezmoi natively supports external secret managers as template functions. Configure the backend in `.chezmoidata.toml`: ```toml secrets_backend = "age" # age, 1password, bitwarden, pass, vault ``` ### 1Password Requires the [1Password CLI](https://developer.1password.com/docs/cli/) (`op`). ```toml # .chezmoidata.toml secrets_backend = "1password" ``` Use in templates: ```text {{ onepassword "my-secret" "vault-name" }} {{ onepasswordRead "op://vault/item/field" }} ``` ### Bitwarden Requires the [Bitwarden CLI](https://bitwarden.com/help/cli/) (`bw`). ```toml # .chezmoidata.toml secrets_backend = "bitwarden" ``` Use in templates: ```text {{ bitwarden "item" "my-login" }} {{ bitwardenFields "item" "my-login" }} ``` ### HashiCorp Vault Requires the [Vault CLI](https://developer.hashicorp.com/vault/docs/commands) (`vault`). ```toml # .chezmoidata.toml secrets_backend = "vault" ``` Use in templates: ```text {{ vault "secret/data/my-secret" }} ``` ### pass (Password Store) Requires [pass](https://www.passwordstore.org/). ```toml # .chezmoidata.toml secrets_backend = "pass" ``` Use in templates: ```text {{ pass "my-secret" }} ``` See the [chezmoi documentation](https://www.chezmoi.io/user-guide/password-managers/) for full details on each backend. ## Security Notes - **Never commit** `~/.config/chezmoi/key.txt` to version control. - **Avoid shell history exposure** — use `dot secrets set` which prompts securely. - **Rotate credentials** on a regular schedule. {% endraw %}