Chezmoi Bootstrap Operator
Use this skill to execute or modify repo bootstrap flows while keeping role behavior and security defaults intact.
Workflow
- Determine target path:
  - Omarchy machine: use `scripts/bootstrap-omarchy.sh`.
  - Debian/Ubuntu VPS: use `bootstrap-vps.sh`.
  - Post-bootstrap server lock-down: use `scripts/server-lockdown-tailscale.sh`.
- Load command and flag details from `references/bootstrap-matrix.md`.
- Apply the smallest safe change:
  - Keep default-safe behavior (no implicit trust of remote installers).
  - Keep role behavior consistent (`workstation` vs `server`).
  - Preserve private-env pattern (`~/.config/dotfiles/bootstrap-private.env`).
- Keep docs aligned when behavior changes:
  - `README.md` sections for setup profile matrix, bootstrap flags, and role/profile switches.
  - `CLAUDE.md` sections for bootstrap and server behavior.
Validation
Run these checks after edits:
```bash
bash -n scripts/bootstrap-omarchy.sh
bash -n scripts/server-lockdown-tailscale.sh
bash -n bootstrap-vps.sh
```
For behavior checks, run only the relevant command path from references/bootstrap-matrix.md.
Guardrails
- Keep scripts idempotent and non-interactive by default.
- Gate remote installers behind `TRUST_ON_FIRST_USE_INSTALLERS=1`.
- Avoid committing private bootstrap values; keep them in local env files.
- For server changes, preserve phased hardening: verify access first, then tighten SSH/firewall rules.
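
The installer gate together with the idempotent, non-interactive defaults from the guardrails above, as an added example (not code from this repo's scripts). The helper names `remote_installers_trusted`, `fetch_to` and `install_remote` and the return code 3 are assumptions; only `TRUST_ON_FIRST_USE_INSTALLERS=1` comes from the page.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helpers, not taken from the repo's bootstrap scripts.

# Only the exact value "1" opts in. Unset, empty, "true" or "yes" all keep
# the default-safe behavior (no implicit trust of remote installers).
remote_installers_trusted() {
  [ "${TRUST_ON_FIRST_USE_INSTALLERS:-0}" = "1" ]
}

# fetch_to URL DEST: download over HTTPS only, fail on HTTP errors, never prompt.
fetch_to() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# install_remote NAME URL
# Returns 0 if NAME is installed or already present, 3 if the gate refused
# (return code chosen for this example), 1 on download or installer failure.
install_remote() {
  ir_name=$1
  ir_url=$2

  # Idempotent: a tool already on PATH needs no installer and no trust decision.
  if command -v "$ir_name" >/dev/null 2>&1; then
    echo "skip: $ir_name already installed"
    return 0
  fi

  if ! remote_installers_trusted; then
    echo "refuse: $ir_name needs a remote installer;" \
         "set TRUST_ON_FIRST_USE_INSTALLERS=1 to allow" >&2
    return 3
  fi

  ir_tmp=$(mktemp) || return 1
  # Download to a file first so a truncated transfer is never executed, then
  # run with stdin closed so the installer cannot block on a prompt.
  if fetch_to "$ir_url" "$ir_tmp" && sh "$ir_tmp" </dev/null; then
    rm -f "$ir_tmp"
    return 0
  fi
  rm -f "$ir_tmp"
  return 1
}

# Usage (placeholder URL): install_remote sometool https://example.invalid/install.sh
```

Because the presence check runs before the gate, a re-run on an already bootstrapped machine succeeds without the trust flag set.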