-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathbootstrap
More file actions
executable file
·384 lines (331 loc) · 12.9 KB
/
Copy pathbootstrap
File metadata and controls
executable file
·384 lines (331 loc) · 12.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
#!/usr/bin/env bash
set -eu
test -z "${DEBUG:-}" || set -x
##
# parameters
opts="Dhm"
minimal=""
: "${GIT_ROOT:=$HOME/git/sbaxter}"
: "${UMBRELLA_REPO:=sbaxter/sbaxter}"
: "${CLI_REPO:=sbaxter/cli}"
function usage {
cat << _usage_
$(basename "$0"): bootstrap a new Mac from scratch.
usage:
$(basename "$0") [-$opts]
D - turn on debug mode.
h - you are here.
m - minimal mode for lightweight machines (e.g. older Macs, kids' Macs):
skips gh auth, cli.private (clone/install/gitconfig/Brewfile),
and uses Brewfile.lite instead of Brewfile.
env:
GIT_ROOT - umbrella checkout location. default: \$HOME/git/sbaxter
UMBRELLA_REPO - multi-repo orchestrator (full mode). default: sbaxter/sbaxter
CLI_REPO - public cli repo (minimal mode only). default: sbaxter/cli
steps:
1. ensure macOS
2. cache sudo credentials (Homebrew's installer needs sudo)
3. install Homebrew (which installs Xcode command line tools)
4. install gh
5. authenticate with GitHub (browser; generates + uploads SSH key) [skipped with -m]
6. clone \$UMBRELLA_REPO into \$GIT_ROOT, then 'make clone/group/home'
(preflight: brew install python3 if /usr/bin/python3 lacks tomllib)
[minimal: clone \$CLI_REPO into \$GIT_ROOT/cli, no umbrella]
7. run cli/install (+ cli.private/install unless -m)
8. run cli.private/bin/mems (wire ~/.claude memory ↔ sbaxter/memory) [skipped with -m]
9. copy cli.private/gitconfig → ~/.gitconfig [skipped if exists or with -m]
10. brew bundle Brewfile (+ cli.private/Brewfile unless -m; or Brewfile.lite with -m)
11. initialize rust toolchain (rustup stable + cargo-deny, cargo-release, cargo-cyclonedx) [skipped with -m]
12. install Claude Code (native binary via claude.ai/install.sh)
13. apply macOS defaults
14. open iTerm2 (restart if running) so custom prefs take effect
15. run cli.private/bin/nsca (Netskope CA bundle) [skipped with -m or no STAgent]
16. run cli.private/bin/gcs (gcloud components + config + auth) [skipped with -m]
17. import GPG signing key via cli.private/bin/gpg-restore (if absent) [skipped with -m]
idempotent: re-running skips steps already done.
_usage_
}
while getopts $opts opt; do
case $opt in
D) DEBUG=true; set -x ;;
h) usage; exit ;;
m) minimal=1 ;;
?|*) echo; usage; exit 5 ;;
esac
done
shift $((OPTIND-1))
##
##
# step 1: macOS only
test "$(uname -s)" = Darwin || { echo "bootstrap: macOS only!" >&2; exit 1; }
##
##
# step 2: cache sudo credentials — Homebrew's installer needs sudo to
# write to /opt/homebrew (Apple Silicon) or /usr/local (Intel), and to
# install Xcode command line tools. cache upfront so the installer doesn't
# stall on a password prompt mid-stream.
echo "==> caching sudo credentials (you may be prompted for your password)"
sudo -v
# keep sudo alive in the background while bootstrap runs;
# brew bundle install can exceed sudo's default credential cache window
( while true; do sudo -n true; sleep 60; kill -0 "$$" 2>/dev/null || exit; done ) &
sudo_keepalive=$!
trap 'kill "${sudo_keepalive:-}" 2>/dev/null || true' EXIT
##
##
# step 3: Homebrew (its installer handles Xcode command line tools)
if ! command -v brew >/dev/null 2>&1; then
echo "==> installing Homebrew"
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
fi
# put brew on PATH for this session (covers Apple Silicon + Intel)
if test -x /opt/homebrew/bin/brew; then
eval "$(/opt/homebrew/bin/brew shellenv)"
elif test -x /usr/local/bin/brew; then
eval "$(/usr/local/bin/brew shellenv)"
fi
##
##
# step 4: gh
if ! command -v gh >/dev/null 2>&1; then
echo "==> installing gh"
brew install gh
fi
##
##
# step 5: gh auth (interactive — generates SSH key and uploads to GitHub).
# request admin:public_key upfront so step 5b can manage authentication
# keys without a second browser dance via 'gh auth refresh'.
if test -z "$minimal"; then
if ! gh auth status 2>&1 | grep -q 'admin:public_key'; then
echo "==> authenticating with GitHub (browser will open)"
gh auth login --git-protocol ssh --web -s admin:public_key
fi
fi
##
##
# step 5b: SSH plumbing for github.com. gh auth login --git-protocol ssh
# *prompts* to generate+upload a key but is easy to bypass interactively,
# leaving auth recorded with no key on GitHub — subsequent SSH clones then
# fail with "Permission denied (publickey)". make all three guarantees
# explicit and idempotent here:
# a. known_hosts has github.com (no host-key prompt on first clone)
# b. a local ed25519 key exists and is loaded into the macOS keychain
# c. that key's public half is uploaded to GitHub
if test -z "$minimal"; then
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
touch "$HOME/.ssh/known_hosts"
chmod 600 "$HOME/.ssh/known_hosts"
# a. known_hosts
if ! ssh-keygen -F github.com -f "$HOME/.ssh/known_hosts" >/dev/null 2>&1; then
echo "==> seeding github.com host keys into ~/.ssh/known_hosts"
ssh-keyscan -t rsa,ecdsa,ed25519 github.com 2>/dev/null >> "$HOME/.ssh/known_hosts"
fi
# b. local ed25519 key + macOS keychain. ssh-add is idempotent —
# loading an already-loaded key is a no-op — so skip the membership
# check and just always run it.
ssh_key="$HOME/.ssh/id_ed25519"
if ! test -f "$ssh_key"; then
echo "==> generating ed25519 SSH key at $ssh_key"
ssh-keygen -t ed25519 -f "$ssh_key" -N "" -C "$(whoami)@$(hostname -s)"
fi
echo "==> loading $ssh_key into ssh-agent (macOS keychain)"
ssh-add --apple-use-keychain "$ssh_key" 2>/dev/null \
|| ssh-add -K "$ssh_key" 2>/dev/null \
|| ssh-add "$ssh_key" 2>/dev/null \
|| echo "warning: ssh-add failed; key generated but not loaded into agent" >&2
# c. upload to GitHub. scope was granted in step 5. match by key body
# (field 2) so a rename on GitHub doesn't cause dupes.
key_body=$(cut -d' ' -f2 "$ssh_key.pub")
if ! gh ssh-key list 2>/dev/null | grep -qF "$key_body"; then
echo "==> uploading $ssh_key.pub to GitHub"
gh ssh-key add "$ssh_key.pub" --title "$(whoami)@$(hostname -s) (bootstrap)"
fi
fi
##
##
# step 5c: python with tomllib. umbrella's bin/_projects.py (invoked by
# `make clone/group/home` in step 6) needs tomllib (Python 3.11+) or tomli;
# Apple's /usr/bin/python3 is 3.9 on fresh Macs and has neither. cli/Brewfile
# installs python@3.13/3.14 but doesn't run until step 10, so install ahead
# of need. minimal mode skips the umbrella+make path entirely.
#
# Install `python3` (the meta alias for the current default, today
# python@3.14), not a pinned `python@3.X`: only the current-default formula
# links `python3` into /opt/homebrew/bin. A pinned older version installs
# its `python3` only into the formula's libexec, leaving Apple's 3.9 first
# on PATH and step 6 still broken. `hash -r` clears bash's command cache
# from the probe above so the next `python3` lookup finds the new binary.
if test -z "$minimal" && ! python3 -c 'import tomllib' 2>/dev/null; then
echo "==> installing python3 (needed by umbrella's make)"
brew install python3
hash -r
fi
##
##
# step 6: clone repos.
# minimal mode: plain git clone of cli (public; gh auth was skipped).
# full mode: clone the umbrella into $GIT_ROOT, then let its own tooling
# (make clone/group/home → bin/clone-one.sh per entry in etc/projects.toml)
# pull cli, cli.private, memory. umbrella is source of truth for membership.
mkdir -p "$(dirname "$GIT_ROOT")"
if test -n "$minimal"; then
if ! test -d "$GIT_ROOT/cli/.git"; then
echo "==> cloning $CLI_REPO into $GIT_ROOT/cli"
mkdir -p "$GIT_ROOT"
git clone "https://github.com/$CLI_REPO" "$GIT_ROOT/cli"
fi
else
if ! test -d "$GIT_ROOT/.git"; then
echo "==> cloning $UMBRELLA_REPO into $GIT_ROOT"
gh repo clone "$UMBRELLA_REPO" "$GIT_ROOT"
fi
echo "==> make -C $GIT_ROOT clone/group/home"
make -C "$GIT_ROOT" clone/group/home
fi
##
##
# step 7: link dotfiles
echo "==> cli/install"
"$GIT_ROOT/cli/install" -b .bak
if test -z "$minimal"; then
echo "==> cli.private/install"
"$GIT_ROOT/cli.private/install" -b .bak
fi
##
##
# step 8: wire ~/.claude memory dirs to the sbaxter/memory repo via mems.
# idempotent — promotes any local memory dirs into the repo, then ensures
# symlinks back. skipped if mems script or memory repo aren't present.
if test -z "$minimal" \
&& test -x "$GIT_ROOT/cli.private/bin/mems" \
&& test -d "$GIT_ROOT/memory"; then
echo "==> cli.private/bin/mems"
"$GIT_ROOT/cli.private/bin/mems"
fi
##
##
# step 9: gitconfig — seed from cli.private only if ~/.gitconfig doesn't
# already exist. preserves local edits on re-runs; to force a refresh,
# remove ~/.gitconfig and re-run bootstrap.
if test -z "$minimal" && ! test -e "$HOME/.gitconfig"; then
echo "==> copying cli.private/gitconfig → ~/.gitconfig"
cp "$GIT_ROOT/cli.private/gitconfig" "$HOME/.gitconfig"
fi
##
##
# step 10: brew bundles
if test -n "$minimal"; then
echo "==> brew bundle: cli/Brewfile.lite"
brew bundle --file="$GIT_ROOT/cli/Brewfile.lite"
else
echo "==> brew bundle: cli/Brewfile"
brew bundle --file="$GIT_ROOT/cli/Brewfile"
echo "==> brew bundle: cli.private/Brewfile"
brew bundle --file="$GIT_ROOT/cli.private/Brewfile"
fi
##
##
# step 11: rust toolchain. install rustup via the upstream installer
# (rust-lang.org's canonical path) rather than brew — the brew formula is
# keg-only and pins a single toolchain, defeating rust-toolchain.toml pinning
# and component management. bootstrap stable + the cargo subcommands the
# dotfiles depend on (cargo-deny is required by the ci() function in
# cli.private/bash_profile). --no-modify-path because bash_profile already
# sources ~/.cargo/env.
if test -z "$minimal" && ! test -x "$HOME/.cargo/bin/rustc"; then
echo "==> initializing rust toolchain"
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
| sh -s -- -y --default-toolchain stable --profile default --no-modify-path
fi
# shellcheck disable=SC1091
test -f "$HOME/.cargo/env" && source "$HOME/.cargo/env"
if test -z "$minimal" && command -v cargo >/dev/null 2>&1; then
for crate in cargo-deny cargo-release cargo-cyclonedx; do
sub="${crate#cargo-}"
if ! cargo --list 2>/dev/null | grep -qE "^[[:space:]]+${sub}([[:space:]]|$)"; then
echo "==> cargo install $crate"
cargo install --locked "$crate"
fi
done
fi
##
##
# step 12: Claude Code (native binary). install script is idempotent and
# also handles updates; binary lands at ~/.local/bin/claude, which may not
# be on PATH yet during bootstrap, so check the file directly.
if ! test -x "$HOME/.local/bin/claude"; then
echo "==> installing Claude Code"
curl -fsSL https://claude.ai/install.sh | bash
fi
##
##
# step 13: apply macOS defaults
echo "==> cli/bin/macos-defaults"
"$GIT_ROOT/cli/bin/macos-defaults"
##
##
# step 14: open iTerm2 (restart if running) so the custom prefs folder
# wired up by macos-defaults takes effect. bootstrap is invoked from
# Terminal.app, so killing iTerm2 won't kill our shell.
if pgrep -q iTerm2; then
echo "==> restarting iTerm2 to pick up custom prefs"
osascript -e 'tell application "iTerm" to quit' >/dev/null 2>&1 || true
# give iTerm a moment to shut down cleanly before relaunching
sleep 1
else
echo "==> opening iTerm2"
fi
open -a iTerm
##
##
# step 15: Netskope CA bundle. nsca writes ~/.config/netskope/ca-bundle.pem
# (Mozilla/system roots + MDM + Netskope) and netskope-ca.pem (bare CA for
# additive use cases like dvcn). gated on STAgent being present so this is
# a no-op on non-corporate Macs. exports the bundle into bootstrap's env so
# subsequent steps that read REQUESTS_CA_BUNDLE etc. inherit it.
if test -z "$minimal" \
&& test -d "/Library/Application Support/Netskope/STAgent" \
&& test -x "$GIT_ROOT/cli.private/bin/nsca"; then
echo
echo "==> cli.private/bin/nsca"
"$GIT_ROOT/cli.private/bin/nsca"
_ns="$HOME/.config/netskope/ca-bundle.pem"
if test -f "$_ns"; then
export REQUESTS_CA_BUNDLE="$_ns"
export CURL_CA_BUNDLE="$_ns"
export NODE_EXTRA_CA_CERTS="$_ns"
fi
unset _ns
fi
##
##
# step 16: gcloud setup via gcs (components + project config + browser auth +
# docker credHelper + ADC quota project). interactive (browser). non-fatal —
# bootstrap continues if the user cancels.
if test -z "$minimal" && test -x "$GIT_ROOT/cli.private/bin/gcs"; then
echo
echo "==> cli.private/bin/gcs"
"$GIT_ROOT/cli.private/bin/gcs" || true
fi
##
##
# step 17: import GPG signing key if missing. gpg-restore auto-detects a
# transferred file in ~/Downloads or prompts. interactive (passphrase).
if test -z "$minimal"; then
signingkey=$(git config --global user.signingkey 2>/dev/null || true)
if test -n "$signingkey" && ! gpg --list-secret-keys "$signingkey" >/dev/null 2>&1; then
echo
echo "==> GPG signing key $signingkey missing — running gpg-restore"
"$GIT_ROOT/cli.private/bin/gpg-restore" || true
fi
fi
##
##
# done
echo
echo "==> bootstrap done."
echo
echo "next step: open a new shell session (or 'source ~/.bash_profile')"
##