chirag127/backup is the new-laptop bootstrap + disaster recovery repo
Setup repo — chirag127/backup (private)
Rule
The private repo chirag127/backup (submodule at repos/own/backup/) is the canonical place for:
- New-laptop bootstrap —
bootstrap.ps1clones the umbrella + installs all software + wires MCPs + decrypts env + starts Hr - Disaster recovery —
RECOVERY.md+ restic config + recovery keys - Encrypted secrets — sops+age encrypted env vars, API keys, recovery seeds
- Setup scripts — Hr watchdog, install-mcps, decrypt-secrets, restic-init
What goes where
| Content | Repo | Visibility |
|---|---|---|
| Public docs (architecture, decisions, rules) | umbrella knowledge/ |
PUBLIC |
| Public MCP no-key configs | umbrella .mcp.json |
PUBLIC |
| Software install steps | chirag127/backup winget-packages.txt |
PRIVATE |
| Encrypted env vars | chirag127/backup secrets/*.enc |
PRIVATE |
| age key recovery instructions (NOT the key) | chirag127/backup secrets/age-key-instructions.md |
PRIVATE |
| The age key itself | Bitwarden / hardware key | NEVER COMMITTED |
| Bootstrap script | chirag127/backup bootstrap.ps1 |
PRIVATE |
| Watchdog scripts | umbrella scripts/ (no secrets) OR backup repo scripts/ (sensitive) |
depends |
| Hr Docker compose / Dockerfile | umbrella .staging/headroom-extras/ |
PUBLIC |
| restic config + retention policy | chirag127/backup |
PRIVATE |
| RECOVERY.md | chirag127/backup |
PRIVATE |
New-laptop bootstrap flow
# Pre-req: Windows 11, gh auth login
git clone https://github.com/chirag127/workspace.git C:\D\oriz --recurse-submodules
cd C:\D\oriz\repos\own\backup
.\bootstrap.ps1
The script:
- winget installs (Docker, Python, Node, VS Code, gh, age, sops, etc.)
- Docker Desktop config + start
- Hr image pull + container create
- Smithery CLI install + keyed MCP setup prompts
- sops+age decrypt of
secrets/env.enc - Windows env var hydration (
setxfor each decrypted var) - restic init + first backup dry-run
Why NOT rename the slug
Keep slug backup even though scope expanded. Reasons:
- Renaming breaks submodule URLs and GitHub auto-redirect adds confusion
chirag127/setupwould imply ONLY new-laptop work, dropping disaster-recovery framing- The combined name is unusual but the function is clear from the README
Cross-refs
mcp-no-key-in-repo-keyed-in-smithery— no keys in PUBLIC repoheadroom-027-docker-2026-06-27— Hr image is in public umbrella, container config in backuptask-scheduler-at-login-2026-06-26— watchdog tasks documented in backup