
ydouvry/bluefin-chezmoi-gopass-labs

 
 


Your Workstation as Code

A 4-Hour Workshop for cfgmgmtcamp 2026

Define your entire computing environment as code. No manual configuration. No "I think I installed this package." No hunting for that config file you tweaked six months ago. Everything—from the base operating system to your shell prompt—declared, versioned, and reproducible.

Workshop Overview

Learn to manage your entire workstation as infrastructure as code using:

  • Bluefin + BlueBuild: Your OS definition in a Containerfile
  • Gopass: Encrypted secrets in Git, decrypted on-demand
  • Chezmoi: Dotfiles as templated, version-controlled code

By the end of this workshop, you'll have:

  • A custom operating system defined in Git
  • Encrypted secrets safely backed up
  • Dotfiles that deploy automatically
  • The ability to recreate your environment in under an hour

Who This Is For

This workshop is for you if you:

  • Manually configure workstations and want to automate
  • Fear breaking your system because you can't reproduce it
  • Spend days setting up new machines
  • Want the same confidence in your laptop as your production infrastructure
  • Are comfortable with Git, terminals, and basic shell commands

What You'll Build

Three Git repositories that contain your entire computing environment:

your-github-username/
├── bluefin-custom/          # Your OS definition
│   ├── recipes/recipe.yml   # Packages and configuration
│   └── config/files/        # System files
│
├── gopass-store/            # Encrypted secrets
│   ├── ssh/                 # SSH keys (encrypted)
│   ├── github/              # Tokens (encrypted)
│   └── .gpg-id              # AGE public key
│
└── dotfiles/                # User configuration
    ├── dot_zshrc.tmpl       # Shell configuration
    ├── dot_gitconfig.tmpl   # Git configuration
    └── private_dot_ssh/     # SSH config + keys from Gopass

Prerequisites

Before the workshop, complete Lab 0: Prerequisites and Setup:

  • GitHub account (free)
  • Virtualization software (VirtualBox, VMware, libvirt/qemu)
  • At least 50GB free disk space
  • At least 4GB RAM available
  • Git installed locally

Workshop Structure

Lab 0: Prerequisites and Setup

Set up your GitHub account, VM software, and development tools.

Time: 15-20 minutes

Lab 1 (Introduction)

Understand "Workstation as Code" and how the three technologies work together.

What you'll learn:

  • The problems with manual configuration
  • How Bluefin, Gopass, and Chezmoi complement each other
  • The workflow you'll implement

Lab 2 (BlueBuild)

Create a custom Fedora Atomic Desktop image with your packages and configuration.

What you'll build:

  • A BlueBuild repository from template
  • recipe.yml defining your OS
  • Custom system files (MOTD, bashrc)
  • GitHub Actions automated builds

What you'll learn:

  • How atomic/immutable operating systems work
  • Declarative OS configuration
  • Container-based OS image building
  • Debugging build failures

Lab 3 (Installation)

Install your custom image in a VM and verify customizations.

What you'll do:

  • Create a VM and install your custom OS
  • Verify packages and files are present
  • Understand atomic updates and rollbacks
  • Test the update workflow

What you'll learn:

  • How atomic updates work
  • How to rebase to your custom image
  • Rollback capabilities
  • The update lifecycle

Lab 4 (Gopass)

Set up secure, encrypted secret management with AGE encryption.

What you'll build:

  • AGE key pair for encryption
  • Gopass password store
  • Encrypted SSH keypair
  • Git backup of encrypted secrets

What you'll learn:

  • Modern encryption with AGE
  • Secret management best practices
  • Git-based password stores
  • Disaster recovery for secrets

Lab 5 (Chezmoi)

Manage your user configuration as templated code with Gopass integration.

What you'll build:

  • Chezmoi dotfiles repository
  • .zshrc with template variables
  • .ssh/config configuration
  • SSH keys deployed from Gopass
  • .gitconfig with templates

What you'll learn:

  • Template-based configuration
  • Secret integration with Gopass
  • Machine-specific configurations
  • One-command environment deployment

Lab 6 (Integration)

Demonstrate the complete workflow and disaster recovery.

What you'll do:

  • Make changes at each layer (OS, Secrets, Dotfiles)
  • Practice the update workflow
  • Simulate disaster recovery
  • Understand maintenance patterns

What you'll learn:

  • The complete workflow
  • Best practices for each layer
  • Disaster recovery procedures
  • How to maintain the system

Appendix (Going Further)

Advanced topics and ideas for extending your setup.

Topics covered:

  • Advanced BlueBuild (multiple images, custom modules)
  • Advanced Gopass (team sharing, multiple stores)
  • Advanced Chezmoi (encryption, complex templates)
  • Real-world examples
  • Security hardening
  • Additional tools and integrations

Lab Files

.
├── README.md                          # This file
├── lab-0-prerequisites.md             # Pre-workshop setup
├── lab-1-introduction.md              # Concepts and overview
├── lab-2-bluebuild.md                 # Custom OS image building
├── lab-3-installation.md              # Installing and running custom image
├── lab-4-gopass.md                    # Secret management
├── lab-5-chezmoi.md                   # Dotfiles management
├── lab-6-conclusion.md                # Complete workflow
└── appendix-going-further.md          # Advanced topics

Time Allocation

Total: 4 hours

  • Lab 1 (Introduction): 15 minutes
  • Lab 2 (BlueBuild): 80 minutes
  • Lab 3 (Installation): 35 minutes
  • Lab 4 (Gopass): 50 minutes
  • Lab 5 (Chezmoi): 50 minutes
  • Lab 6 (Integration): 30 minutes
  • Breaks: 20 minutes

Attendees can work at their own pace. Faster attendees can explore advanced topics in the appendix.

What You'll Learn

Technical Skills

  • Container-based OS image building
  • Modern encryption (AGE)
  • Password management
  • Dotfile templating
  • Git-based configuration management
  • GitHub Actions automation

Concepts

  • Declarative system configuration
  • Atomic updates and rollbacks
  • Secret management best practices
  • Template-based configuration
  • Infrastructure as Code principles
  • Disaster recovery planning

Mindset Shift

  • From "pets" to "cattle"
  • From imperative to declarative
  • From fear to confidence
  • From manual to automated
  • From undocumented to version-controlled

After the Workshop

You'll leave with:

  1. Working System: A fully configured VM running your custom OS
  2. Three Repositories: All your configuration in Git
  3. Skills: Knowledge to maintain and extend your setup
  4. Confidence: Ability to recover from disasters in < 1 hour
  5. Resources: Documentation and community links

Common Questions

Q: Do I need to know Docker/containers?
A: Basic understanding helps but isn't required. We'll explain as we go.

Q: Can I use this on my main machine?
A: Yes, but we recommend testing in a VM first (which is what we do in the workshop).

Q: What if I use macOS/Windows?
A: The concepts apply, but Bluefin is Linux-specific. Gopass and Chezmoi work on all platforms.

Q: Is this suitable for team environments?
A: The workshop focuses on personal use, but team patterns are discussed in the appendix.

Q: What if I already use dotfiles/password managers?
A: You'll learn how to integrate these tools and potentially enhance your current setup.

Q: Can I use different tools (GPG, pass, etc.)?
A: Yes! The principles apply. We use AGE/Gopass/Chezmoi for simplicity, but alternatives exist.

Prerequisites Checklist

Before starting Lab 1, ensure you have:

  • GitHub account with verified email
  • GitHub Personal Access Token created
  • Virtualization software installed and working
  • At least 50GB free disk space
  • At least 4GB RAM available
  • Git installed and configured
  • Text editor available
  • Enthusiasm for automation!

Getting Help

During the workshop:

  • Raise your hand for instructor help
  • Ask in the workshop chat/Discord
  • Help your neighbors!

After the workshop:

  • GitHub Issues: Report problems with lab materials
  • Community Discord: Bluefin, Universal Blue communities
  • Documentation: Links provided in each lab

About the Tools

Bluefin

An OCI-based Fedora Desktop image with developer tools, built by the Universal Blue community.

BlueBuild

A tool for building custom Fedora Atomic Desktop images.

Gopass

A password manager for teams and individuals with multiple backend support.

Chezmoi

A dotfile manager with templating, secret integration, and multi-machine support.

AGE

A simple, modern, and secure file encryption tool.

Credits

Workshop developed for cfgmgmtcamp 2026, Ghent, Belgium.

Built on the shoulders of giants:

  • Universal Blue community
  • BlueBuild developers
  • Gopass maintainers
  • Chezmoi creator and community
  • AGE developers
  • Fedora Project

License

This workshop material is provided as-is for educational purposes.

Individual tools have their own licenses:

  • Bluefin: Apache 2.0
  • BlueBuild: Apache 2.0
  • Gopass: MIT
  • Chezmoi: MIT
  • AGE: BSD 3-Clause

Feedback

We'd love to hear from you!

  • What worked well?
  • What was confusing?
  • What would you like to see added?
  • Will you use this in production?

Please open an issue or discussion on GitHub.

Let's Begin!

Ready to turn your workstation into code?

Start with: Lab 0: Prerequisites and Setup

See you at cfgmgmtcamp 2026!


"Your laptop is cattle, not a pet. And that's a good thing."

About

A combined workshop on building a custom Bluefin image, and integrating gopass and chezmoi
