Skip to content

lookitsatravis/macos-personal

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

macOS personal setup

Opinionated shell scripts to back up dotfiles and secrets to this repo and to bootstrap a new Mac from it.

Keep this repository private. It contains SOPS-encrypted material that is still sensitive, plus plaintext config that can reveal hosts, tooling, and habits after restore.

What gets backed up

Configuration lives in init.sh (sourced by backup.sh and restore.sh).

  • DOTFILES — copied into backup/ (files and directories under $HOME).
  • ~/.config — rsync’d into backup/.config/, with excludes listed in backup.sh (CONFIG_RSYNC_EXCLUDES).
  • SOPS — each path under $HOME is encrypted with SOPS + age into sops/ (single files as path.enc; directories are one .enc per file, mirroring the tree). The sops/ tree is not deleted on each backup: existing ciphertext is reused when the plaintext file’s SHA-256 matches sops/.plaintext-sha256, so Git does not pick up spurious ciphertext churn from re-encrypting unchanged files.
  • backup/nonbrew-applications.txt — paths of .app bundles in /Applications and ~/Applications that do not resolve under Homebrew Caskroom/Cellar and are not com.apple.*. Built by record_nonbrew_applications in modules/nonbrew-apps.sh; restore.sh calls show_nonbrew_applications after SOPS. Heuristic only.

Secrets and paths currently in SOPS include things like .ssh, .netrc, kube/docker config, .claude.json, .cursor/mcp.json, ACME dirs under .acme.sh, .secrets, .zsh_history, etc. Adjust the arrays in init.sh to match what you want.

Secrets: age + 1Password

  • Encrypt (backup): backup.sh uses --age with either SOPS_AGE_RECIPIENT in init.sh (your age1… public key) or, if that is empty, op read "$SOPS_AGE_KEY_RECIPIENT_PATH".
  • Decrypt (restore): modules/sops.sh reads the age secret key with op read "$SOPS_AGE_KEY_PASSWORD_PATH" and sets SOPS_AGE_KEY for sops -d.

The 1Password item fields are documented next to SOPS_AGE_KEY_*_PATH in init.sh.

You need the 1Password CLI (op) signed in for backup encrypt and restore decrypt.

Running scripts (repo root)

backup.sh and restore.sh require PWD to be the repository root (they source init.sh, which checks this).

cd /path/to/macos-personal
./backup.sh    # refresh backup/ and sops/
./backup.sh --force-sops   # re-encrypt every SOPS file (ignore hash registry)
./backup.sh --init-sops-registry   # hash plaintext only; write sops/.plaintext-sha256 and exit (no backup, no encrypt)
./restore.sh   # install tooling and restore home + decrypt sops

SOPS hash registry: sops/.plaintext-sha256 is a sorted TSV (path-under-home<TAB>sha256). It is safe to commit in a private repo; it does not contain secrets, but fixed paths plus hashes can still hint what exists—treat like the rest of the repo.

Bootstrap: After cloning or changing this logic, run ./backup.sh --init-sops-registry once (from repo root) so the registry matches your current plaintext files; then normal ./backup.sh can skip re-encryption where ciphertext already exists and plaintext is unchanged.

Or use make from anywhere:

make -C /path/to/macos-personal backup
make -C /path/to/macos-personal restore
make -C /path/to/macos-personal brew-cleanup   # optional; see below

Running make with no target runs help and prints available targets (it does not run backup).

Prune Homebrew to match the Brewfile

make brew-cleanup runs brew bundle cleanup --force against backup/Brewfile, uninstalling formulae and casks that are not listed there. Anything you still use must appear in that file or it will be removed. Run brew bundle check --file=backup/Brewfile first if you want to see drift without uninstalling.

New machine checklist

  1. Install Xcode Command Line Tools — open Terminal and run:
    xcode-select --install
    Follow the prompt to download and install. This provides git, make, compilers, and other prerequisites that Homebrew and the restore scripts depend on.
  2. Clone this repo (private) and cd into it.
  3. Sign in to 1Password and run op signin (or use app integration) so op read works for restore.
  4. Run ./restore.sh or make restore from the repo root.
  5. Complete any GUI installer steps (e.g. Docker Desktop, 1Password).
  6. Restart the terminal (restore prints this as well).

Order of operations in restore.sh: oh-my-zsh (and Powerlevel10k) → dotfiles / .configHomebrew + BrewfilemacOS defaultsdevboxSOPS decrypt.

What restore changes on macOS

  • Dock: autohide, Recents off
  • Finder: extensions visible, hidden files, path bar, list view, folders on top, search scoped to current folder
  • Spaces / Mission Control: group windows by app

Update the backup on your current Mac

From the repo root, with op authenticated and Homebrew available (for brew bundle dump):

./backup.sh
# or: make backup

To change what is included, edit init.sh (DOTFILES, SOPS) and backup.sh (CONFIG_RSYNC_EXCLUDES). You can also edit backup/Brewfile by hand or trim it after brew bundle dump. If you add a new SOPS path and the corresponding .enc is missing, backup encrypts it once; the registry is rewritten each run with current hashes.

Credit

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors