How dotfiles handles security and system modifications.
System modifications are applied only when the corresponding DOTFILES_* variables are set to 1. Actions are logged to ~/.local/share/dotfiles.log. No telemetry.

| Feature | Env Var | Action (macOS) | Action (Linux) |
|---|---|---|---|
| Firewall | DOTFILES_FIREWALL | Enables socketfilterfw + Stealth Mode | Configures UFW |
| Telemetry | DOTFILES_TELEMETRY | Disables Diagnostic plists | Disables whoopsie/apport |
| DNS-over-HTTPS | DOTFILES_DOH | Browser-level settings | Configures resolvectl |
| Idle Security | DOTFILES_LOCK | Sets screensaver idle time | Sets GNOME/KDE idle-delay |
The dotfiles use age for encryption. `dot secrets-init` creates a key at ~/.config/chezmoi/key.txt. Secrets are stored as .age encrypted files.

Short-lived SSH certificates reduce the blast radius of key compromise.
- `dot ssh-cert issue [--ttl 16h] [--principal user]` — issues a certificate
- `dot ssh-cert status` — checks certificate validity and expiry
- `dot ssh-cert revoke` — revokes active certificates

Backends: step-ca (Smallstep) and a local CA key (ssh-keygen).

Configuration: the SSH_CERT_TTL environment variable (certificate TTL) and SSH_CERT_CA_URL for step-ca integration.

If you discover a security vulnerability, don’t open a public issue. Follow the instructions in the Security Policy.
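The kind of check `dot ssh-cert status` performs, written out as an added example (not the dotfiles' own code): it parses the output of `ssh-keygen -L -f <cert>`, reports whether the certificate is valid, expired or has no expiry at all, and flags a lifetime longer than the configured TTL or a missing principal. The sample output, the `16h`-style TTL syntax and the finding texts are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `ssh-keygen -L -f <cert>` output; not a real certificate.
SAMPLE_CERT_INFO = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Valid: from 2025-01-01T09:00:00 to 2025-01-02T01:00:00
        Principals:
                user
        Critical Options: (none)
"""
TS = "%Y-%m-%dT%H:%M:%S"  # timestamp format ssh-keygen -L prints (local time, no zone)

def parse_cert_info(text):
    """Extract the validity window and principals; 'Valid: forever' leaves both None."""
    info = {"valid_from": None, "valid_to": None, "principals": []}
    m = re.search(r"Valid: from (\S+) to (\S+)", text)
    if m:
        info["valid_from"] = datetime.strptime(m.group(1), TS)
        info["valid_to"] = datetime.strptime(m.group(2), TS)
    m = re.search(r"Principals:\n((?:[ \t]+\S+\n)*)", text)  # one principal per line
    if m:
        info["principals"] = m.group(1).split()
    return info

def parse_ttl(ttl):
    """Parse a TTL such as 16h / 30m / 7d (the --ttl syntax assumed here) into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", ttl)
    if not m:
        raise ValueError(f"unsupported TTL: {ttl}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def cert_status(info, now, max_ttl="16h", required_principal=None):
    """Classify the certificate at `now` and list the policy problems a status check reports."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS)
    findings = []
    if info["valid_to"] is None:
        state, remaining = "unbounded", None
        findings.append("no expiry: defeats the short-lived model")
    elif now >= info["valid_to"]:
        state, remaining = "expired", 0
    else:
        state = "valid" if now >= info["valid_from"] else "not-yet-valid"
        remaining = int((info["valid_to"] - now).total_seconds())
        if (info["valid_to"] - info["valid_from"]).total_seconds() > parse_ttl(max_ttl):
            findings.append(f"lifetime exceeds {max_ttl}")
    if required_principal and required_principal not in info["principals"]:
        findings.append(f"principal {required_principal!r} not in certificate")
    return {"state": state, "seconds_remaining": remaining, "findings": findings}
```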