
@sebastienrousseau/dotfiles

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

---
render_with_liquid: false
---

# Security

How dotfiles handles security and system modifications.

## Core Principles

- **Opt-In Only** — No hardening is applied unless the corresponding `DOTFILES_*` variable is set to `1`.
- **Local Logging** — Every action is logged to `~/.local/share/dotfiles.log`. No telemetry is sent anywhere.
- **No Hidden Sudo** — Sudo is requested only for package-manager operations, and the credential is never cached indefinitely.

## Hardening

| Feature | Env Var | Action (macOS) | Action (Linux) |
|---|---|---|---|
| Firewall | `DOTFILES_FIREWALL` | Enables `socketfilterfw` + Stealth Mode | Configures UFW |
| Telemetry | `DOTFILES_TELEMETRY` | Disables Diagnostic plists | Disables `whoopsie`/`apport` |
| DNS-over-HTTPS | `DOTFILES_DOH` | Browser-level settings | Configures `resolvectl` |
| Idle Security | `DOTFILES_LOCK` | Sets screensaver idle time | Sets GNOME/KDE idle-delay |

A caveat on the DNS row: `resolvectl` drives systemd-resolved, which encrypts upstream queries with DNS-over-TLS, not DNS-over-HTTPS. The browser-level DoH setting and the system resolver setting are independent of each other, so verify both if you expect every lookup to be encrypted.

## Secrets

The dotfiles use **age** for encryption.

- **Initialization**: `dot secrets-init` creates an age identity at `~/.config/chezmoi/key.txt`.
- **Storage**: Secrets are kept in the repo as age-encrypted `.age` files.
- **Protection**: The private key is never committed to the repo. Keep `key.txt` readable only by your user (mode `0600`) and back it up out of band: without it the `.age` files cannot be decrypted.

## SSH Certificates

Short-lived SSH certificates limit the blast radius of a key compromise: a stolen private key is only usable until its certificate expires.

- **Issue**: `dot ssh-cert issue [--ttl 16h] [--principal user]`
- **Status**: `dot ssh-cert status` — checks certificate validity and expiry
- **Revoke**: `dot ssh-cert revoke` — revokes active certificates
- **Backends**: `step-ca` (Smallstep) or a local CA key (`ssh-keygen`)
- **Default TTL**: 16 hours (override via the `SSH_CERT_TTL` environment variable)
- **CA URL**: Set `SSH_CERT_CA_URL` for `step-ca` integration

## Reporting a Vulnerability

If you discover a security vulnerability, do not open a public issue. Follow the instructions in the Security Policy.