type: rule
status: active
timestamp: 2026-06-27
tags: [setup, bootstrap, backup, disaster-recovery, sops, age, secrets, private]

chirag127/backup is the new-laptop bootstrap + disaster recovery repo

Private repo. Bootstrap: one-command new-laptop setup + restic recovery + encrypted secrets (sops+age)

Setup repo — chirag127/backup (private)

Rule

The private repo chirag127/backup (submodule at repos/own/backup/) is the canonical place for:

  1. New-laptop bootstrap: bootstrap.ps1 clones the umbrella + installs all software + wires MCPs + decrypts env + starts Hr
  2. Disaster recovery: RECOVERY.md + restic config + recovery keys
  3. Encrypted secrets: sops+age encrypted env vars, API keys, recovery seeds
  4. Setup scripts: Hr watchdog, install-mcps, decrypt-secrets, restic-init

What goes where

| Content | Repo | Visibility |
|---|---|---|
| Public docs (architecture, decisions, rules) | umbrella knowledge/ | PUBLIC |
| Public MCP no-key configs | umbrella .mcp.json | PUBLIC |
| Software install steps | chirag127/backup winget-packages.txt | PRIVATE |
| Encrypted env vars | chirag127/backup secrets/*.enc | PRIVATE |
| age key recovery instructions (NOT the key) | chirag127/backup secrets/age-key-instructions.md | PRIVATE |
| The age key itself | Bitwarden / hardware key | NEVER COMMITTED |
| Bootstrap script | chirag127/backup bootstrap.ps1 | PRIVATE |
| Watchdog scripts | umbrella scripts/ (no secrets) OR backup repo scripts/ (sensitive) | depends |
| Hr Docker compose / Dockerfile | umbrella .staging/headroom-extras/ | PUBLIC |
| restic config + retention policy | chirag127/backup | PRIVATE |
| RECOVERY.md | chirag127/backup | PRIVATE |
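
A pre-commit guard for the placement rules above, as an added example that is not code from the backup repo: it rejects a commit that stages age private key material anywhere, or a secrets/*.enc file that still holds plaintext. It assumes secrets/*.enc uses the sops dotenv layout (KEY=ENC[...] lines plus sops_ metadata keys); the function names and sample values are constructed for illustration.

```python
import re
import subprocess
import sys
from pathlib import PurePosixPath

# An age identity line is "AGE-SECRET-KEY-1" followed by Bech32 data; requiring a
# long tail keeps a bare mention of the prefix in the instructions file from matching.
AGE_SECRET = re.compile(r"AGE-SECRET-KEY-1[0-9A-Z]{20,}")
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def check_file(path, text):
    """Return findings for one file; an empty list means it is safe to commit."""
    findings = []
    if AGE_SECRET.search(text):
        findings.append(f"{path}: age private key material")
    p = PurePosixPath(path)
    # Assumption: secrets/*.enc files are sops dotenv output.
    if p.parent.name == "secrets" and p.suffix == ".enc":
        has_meta = False
        for n, line in enumerate(text.splitlines(), 1):
            m = ASSIGN.match(line.strip())
            if not m:
                continue  # blank lines and (encrypted) comments
            key, value = m.groups()
            if key.startswith("sops_"):
                has_meta = True  # sops metadata: version, MAC, age recipients
            elif not value.startswith("ENC[AES256_GCM,"):
                findings.append(f"{path}:{n}: {key} is stored in plaintext")
        if not has_meta:
            findings.append(f"{path}: no sops metadata, file was never encrypted")
    return findings

def staged_files():
    """Yield (path, text) for every added or modified file in the git index."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    for name in filter(None, out.split("\0")):
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True)
        yield name, blob.stdout.decode("utf-8", errors="replace")

# Constructed samples (not real secrets): one encrypted value, one left in plaintext.
SAMPLE_ENV = ("API_KEY=ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]\n"
              "DB_PASSWORD=hunter2\n"
              "sops_version=3.8.1\n")
SAMPLE_KEY = "AGE-SECRET-KEY-1" + "Q" * 58 + "\n"

if __name__ == "__main__":
    problems = [f for path, text in staged_files() for f in check_file(path, text)]
    print("\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run from the repo root as a pre-commit hook; a non-zero exit blocks the commit and prints one line per finding.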

New-laptop bootstrap flow

# Pre-req: Windows 11, gh auth login
git clone https://github.com/chirag127/workspace.git C:\D\oriz --recurse-submodules
cd C:\D\oriz\repos\own\backup
.\bootstrap.ps1

The script:

  1. winget installs (Docker, Python, Node, VS Code, gh, age, sops, etc.)
  2. Docker Desktop config + start
  3. Hr image pull + container create
  4. Smithery CLI install + keyed MCP setup prompts
  5. sops+age decrypt of secrets/env.enc
  6. Windows env var hydration (setx for each decrypted var)
  7. restic init + first backup dry-run

Why NOT rename the slug

Keep slug backup even though scope expanded. Reasons:

Cross-refs

