An opinionated Ansible playbook to provision a fresh macOS Tahoe installation on Apple Silicon from scratch, without the cruft of a migration or update.

Philosophy: complexity is the enemy of security. Clean slate, automated, reproducible.

| Phase | What happens |
|---|---|
| Bootstrap | Xcode CLT → Rosetta 2 → Homebrew → core tools → 1Password CLI |
| Packages | Homebrew formulae, casks (GUI apps), Mac App Store apps via mas |
| Fonts | Homebrew cask fonts + private bundled fonts |
| macOS defaults | Finder, Dock, UX, security, Safari, Mail, BBEdit, Office, and more |
| dotFiles | chezmoi init + apply from bhdicaire/dotFiles with macOS extensions |
| Services | Login items, Automator workflows, GPG agent, file-type associations |

## Workflow at a glance

On Hal9000 (before wiping):

```bash
make capture           # snapshot everything
make age-setup         # generate age key → 1Password
chezmoi add --encrypt  # encrypt private dotfiles
git push               # push encrypted dotFiles
make nas-setup         # fonts + prefs → NAS
```

On Dogbert (fresh Tahoe install):

```bash
scripts/bootstrap.sh   # Xcode CLT, Homebrew, op
eval $(op signin)      # authenticate 1Password CLI
make build             # full playbook
make setapp            # guided SetApp install
```

`make build` runs the roles in this order:

```
make build                 # full playbook
├── bootstrap              # tools
├── packages               # brew, cask, mas
├── fonts                  # bundled fonts
├── nas                    # pull from NAS
├── macos                  # defaults, Dock
├── dotfiles               # chezmoi public
├── private-dotfiles       # age key from 1P → decrypt Tier 3
└── services               # login items, Karabiner, SetApp
```

Then work through doc/manual-tasks.md for the remaining manual steps.

## Before you wipe your current Mac
Run the capture script on your **Sonoma machine**:

```bash
./scripts/capture.sh
```

This snapshots your Brew list, MAS apps, key preferences, SSH config (public keys only), GPG public keys, Karabiner config, and shell history into a timestamped archive on your Desktop.

Review doc/manual-tasks.md for the checklist of things to handle manually (licence deallocation, private keys into 1Password, etc.).
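The "public keys only" rule is the part of a capture worth getting right, because the archive leaves the machine. The script below is an added example, not the repository's capture.sh: it copies only `*.pub` files, refuses any file that carries a private-key header even if it is named `.pub`, and packs the snapshot into an owner-only, timestamped archive. The function names and the sample key files are this example's own constructions.

```shell
#!/bin/sh
# Added example, not the capture.sh from bhdicaire/macSetup: snapshot SSH
# public keys only, then pack the snapshot into a timestamped archive.
# Function names and the sample paths below are this example's own.

# collect_public_keys SRC_DIR DEST_DIR
# Copies *.pub files from SRC_DIR to DEST_DIR, refusing any file that carries
# a private-key header (a .pub name is not proof of content).
# Prints the number of files copied.
collect_public_keys() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    chmod 700 "$dest"
    copied=0
    for f in "$src"/*.pub; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "refusing $f: private-key header found" >&2
            continue
        fi
        cp "$f" "$dest/"
        copied=$((copied + 1))
    done
    echo "$copied"
}

# archive_snapshot SNAP_DIR OUT_DIR
# Packs SNAP_DIR into OUT_DIR/capture-<timestamp>.tar.gz, readable by the
# owner only, and prints the archive path.
archive_snapshot() {
    snap="$1"
    out="$2"
    mkdir -p "$out"
    archive="$out/capture-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$snap")" "$(basename "$snap")"
    chmod 600 "$archive"
    echo "$archive"
}

# Constructed sample input for a stand-alone run (nothing here is real key material).
demo=$(mktemp -d)
mkdir -p "$demo/ssh"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-constructed user@hal9000\n' > "$demo/ssh/id_ed25519.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' '-----END OPENSSH PRIVATE KEY-----' > "$demo/ssh/id_ed25519"
# A mislabelled file: private material under a .pub name.
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$demo/ssh/mislabelled.pub"

collect_public_keys "$demo/ssh" "$demo/snapshot/ssh"   # prints 1; the mislabelled file is refused
archive_snapshot "$demo/snapshot" "$demo/out"
rm -rf "$demo"
```

Pointing `collect_public_keys` at `~/.ssh` and `archive_snapshot` at `~/Desktop` gives the same shape of result the README describes; the refusal message on stderr is the thing to look for before the archive leaves the machine.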

## Fresh install

In Setup Assistant, choose:

- Language: English
- Country: Canada
- Accessibility: not now
- Migration Assistant: skip (this is the point)
- Sign in with your Apple ID
- Create your account

Open Terminal and run:

```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/bhdicaire/macSetup/main/scripts/bootstrap.sh)"
```

This installs Xcode CLT, Homebrew, Ansible, chezmoi, mas, and other prerequisites. It will prompt you to authenticate the 1Password CLI. The script is scripts/bootstrap.sh in this repository, so you can read it before running it.

Edit machine-specific settings:

```bash
cd ~/Developer/macSetup
$EDITOR host_vars/localhost/main.yml   # computer name, Dock layout, directories
$EDITOR group_vars/all/packages.yml    # add/remove software
```

Then run the playbook:

```bash
make build
```

Grab a coffee. When it finishes, log out and back in for all defaults to take effect.

Follow doc/manual-tasks.md for the remaining manual steps (SetApp, licences, FileVault, etc.).

## Partial runs

```bash
make build TAGS=brew       # only Homebrew formulae + casks
make build TAGS=mas        # only App Store apps
make build TAGS=defaults   # only macOS system defaults
make build TAGS=dock       # only Dock layout
make build TAGS=dotfiles   # only chezmoi / dotfiles
make build TAGS=security   # only security settings
make build TAGS=fonts      # only font installation
```

## Secrets

No secrets are stored in this repository. All sensitive values are pulled from 1Password at runtime via the op CLI.

```bash
# Inject secrets before running (handled automatically by `make build`)
op inject -i group_vars/secrets.yml.tmpl -o group_vars/secrets.yml
```

See group_vars/secrets.yml.example for the shape of the secrets file.
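Two things can go wrong with a rendered secrets file: `op inject` did not run (so the file still holds `op://` references and Ansible gets the literal strings), or the file was created world-readable. The script below is an added example, not part of macSetup or of the 1Password CLI: it wraps the inject step in a restrictive umask and checks the output before anything reads it. The function names are this example's own; `op://Vault/Item/field` is a constructed placeholder reference, and the demo never calls `op`.

```shell
#!/bin/sh
# Added example, not part of macSetup: render the secrets file with a
# restrictive umask and refuse to continue if the result still carries
# unresolved 1Password references or is readable by other users.
# Function names are this example's own; op:// is 1Password's URI scheme.

# render_secrets TEMPLATE OUTPUT
# Runs `op inject` inside a subshell with umask 077 so the output file is
# owner-only from the moment it is created, then validates it.
# Needs an authenticated op session; not exercised in the demo below.
render_secrets() {
    rm -f "$2"                      # never reuse an old file's permissions
    ( umask 077 && op inject -i "$1" -o "$2" ) || return 1
    secrets_file_ok "$2"
}

# secrets_file_ok FILE
# Returns 0 when FILE exists, is mode 600, and contains no op:// reference;
# otherwise prints the reason to stderr and returns 1.
secrets_file_ok() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # BSD (macOS) and GNU stat spell the permission query differently.
    case "$(uname -s)" in
        Darwin) mode=$(stat -f '%Lp' "$f") ;;
        *)      mode=$(stat -c '%a' "$f") ;;
    esac
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
    if grep -q 'op://' "$f"; then
        echo "$f: unresolved op:// reference, inject did not run or failed" >&2
        return 1
    fi
    return 0
}

# Demo on constructed files (no real secrets, no op call).
demo=$(mktemp -d)
printf 'github_token: "op://Vault/Item/field"\n' > "$demo/unrendered.yml"
chmod 600 "$demo/unrendered.yml"
printf 'github_token: "constructed-placeholder"\n' > "$demo/rendered.yml"
chmod 644 "$demo/rendered.yml"
for f in "$demo/unrendered.yml" "$demo/rendered.yml"; do
    if secrets_file_ok "$f"; then echo "$f: ok"; else echo "$f: rejected"; fi
done
chmod 600 "$demo/rendered.yml"
if secrets_file_ok "$demo/rendered.yml"; then echo "rendered.yml: ok after chmod 600"; fi
rm -rf "$demo"
```

Calling `render_secrets group_vars/secrets.yml.tmpl group_vars/secrets.yml` from the Makefile target that precedes `ansible-playbook` makes a missing or partial render stop the build instead of feeding placeholder strings into the roles.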

## Repository layout

```
macSetup/
├── macSetup.yml              # Main playbook
├── ansible.cfg
├── inventory
├── Makefile
├── requirements.yml          # Ansible Galaxy collections
│
├── group_vars/
│   └── all/
│       ├── defaults.yml      # Machine-agnostic defaults
│       ├── packages.yml      # All software: brew, cask, mas
│       └── macos.yml         # All osx_defaults by domain
│
├── host_vars/
│   └── localhost/
│       └── main.yml          # THIS machine: name, Dock, dirs
│
├── roles/
│   ├── bootstrap/            # Xcode CLT, Rosetta, Homebrew
│   ├── packages/             # brew, cask, mas installs
│   ├── macos/                # defaults, Dock, Finder, security
│   ├── dotfiles/             # chezmoi init + apply
│   ├── fonts/                # private/bundled fonts
│   └── services/             # login items, Automator, GPG
│
├── scripts/
│   ├── capture.sh            # Run on OLD machine before wiping
│   └── bootstrap.sh          # Run on NEW machine before Ansible
│
└── doc/
    ├── manual-tasks.md       # What can't be automated
    └── chezmoi-macos.md      # Extending dotFiles for macOS
```

## dotFiles

The chezmoi dotFiles role initialises bhdicaire/dotFiles and adds macOS-specific configuration via `{{ if eq .chezmoi.os "darwin" }}` template guards. See doc/chezmoi-macos.md for details on what to add to the dotFiles repo.

## Related

- bhdicaire/dotFiles: chezmoi-managed dotfiles (Linux + macOS)
- Homebrew
- chezmoi
- mas-cli

## Licence

MIT, see LICENSE.