@quad
Last active January 11, 2026 22:03
Idempotent macOS development meta-environment configuration
#!/bin/zsh
# macOS development-environment bootstrap: installs Homebrew, a package
# bundle and shell rc lines (see main). Individual functions can also be
# run directly by passing their name as the first argument.

# Abort on a failed command, on use of an unset variable, and when any
# stage of a pipeline fails.
set -euo pipefail

# Script path shown in the "To fix, run:" hint printed by sudo_touchid_check:
# BASH_SOURCE when the running shell defines it, otherwise $0.
SOURCE=${BASH_SOURCE:-$0}
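#######################################
# Authenticate with sudo once, then keep the cached credential fresh in a
# background loop until the script ends.
# Globals:   _sudo_session_pid (written) - PID of the background keepalive
# Outputs:   sudo may prompt for authentication on the terminal
# Returns:   status of the last command; with the file's `set -e`, a failed
#            initial `sudo --validate` aborts the script
#
# Security note: while the keepalive runs, the sudo credential cache never
# lapses, so later steps of the script can invoke sudo without a new prompt.
# Keep the window as short as the work requires.
#######################################
start_sudo_session() {
  sudo --validate

  # Keepalive loop. `kill -0 $$` only probes whether the main script is
  # still alive; the file enables `set -e`, so a failed probe or a failed
  # non-interactive refresh is what ends the loop.
  while :; do
    kill -0 "$$" &>/dev/null
    sudo --non-interactive --validate
    sleep 5
  done &
  _sudo_session_pid=$!

  # In native zsh mode an EXIT trap set inside a function runs when that
  # function returns, which would stop the keepalive immediately. With
  # POSIX_TRAPS the EXIT trap is the global one that runs when the shell
  # exits. The option stays set for the rest of the script.
  if [[ -n ${ZSH_VERSION:-} ]]; then
    setopt posix_traps
  fi

  # The loop may already have ended by the time the trap fires; a failed
  # kill must not print noise or change the exit path.
  trap 'kill "$_sudo_session_pid" 2>/dev/null || true' EXIT INT TERM
}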
#######################################
# Warn when /etc/pam.d/sudo_local has no active pam_tid.so auth line.
# Globals:   SOURCE (read) - script path used in the hint
# Outputs:   a warning on stderr when no matching line is found
# Returns:   0 in both cases; this is advisory only
#
# The pattern requires a line that starts with the word `auth` and ends
# exactly with `pam_tid.so`, so a rule followed by options or trailing
# whitespace is reported as "not enabled". A missing or unreadable file is
# treated the same way (--no-messages hides grep's own error).
#######################################
sudo_touchid_check() {
  local pam_file=/etc/pam.d/sudo_local
  local tid_rule='^auth\>.*\<pam_tid\.so$'

  if grep --quiet --no-messages "$tid_rule" "$pam_file"; then
    return 0
  fi

  echo "Warning: Touch ID not enabled for sudo. To fix, run: $SOURCE sudo_touchid_install" >&2
}
#######################################
# Create /etc/pam.d/sudo_local from the system template with the Touch ID
# auth line uncommented.
# Outputs:   the generated file content on stdout (tee echoes what it writes);
#            abort messages on stderr
# Returns:   exits 1 if sudo_local already exists or the template is not
#            readable; otherwise the status of the sed | sudo tee pipeline
#
# This edits the PAM stack used by sudo, so it never overwrites an existing
# sudo_local: review and change that file by hand instead.
# NOTE(review): the `addr,+1` address form is not POSIX sed; confirm that the
# system sed accepts it.
#######################################
sudo_touchid_install() {
  local target=/etc/pam.d/sudo_local
  local template="${target}.template"

  if [[ -f "$target" ]]; then
    echo "$target already exists; aborting" >&2
    exit 1
  fi
  if [[ ! -r "$template" ]]; then
    echo "$template does not exist; aborting" >&2
    exit 1
  fi

  start_sudo_session
  echo "Writing the following to $target:"
  # From the line matching "uncomment ... Touch ID" through the next line,
  # turn a leading "#auth" into "auth"; tee writes the result as root.
  sed -e '/uncomment.*Touch ID/,+1s/^#auth/auth/' "$template" \
    | sudo tee "$target"
}
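#######################################
# Append each stdin line to a file unless an identical line is already there.
# Arguments: $1 - file to append to (created, with its parent directory,
#                 when missing)
# Inputs:    lines on stdin
# Returns:   non-zero if the directory or file cannot be written
#
# Lines are compared and appended one at a time as fixed strings, so a
# multi-line block is not atomic: a line that already exists anywhere in
# the file (for example `end`) is skipped on its own.
#######################################
append() {
  local out=$1
  local line

  # A fresh account may not have the target directory yet.
  mkdir -p -- "$(dirname -- "$out")"

  # `|| [[ -n ... ]]` keeps a final line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # -e keeps a line that starts with "-" from being parsed as a grep
    # option, which would also make grep read the rest of stdin.
    if ! grep --fixed-strings --line-regexp --quiet --no-messages \
      -e "$line" -- "$out"; then
      printf '%s\n' "$line" >>"$out"
    fi
  done
}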
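#######################################
# Install Homebrew when /opt/homebrew/bin/brew is missing, then load its
# environment into the current shell.
# Outputs:   installer output; error messages on stderr
# Returns:   exits 1 if the installer cannot be downloaded or brew is still
#            missing afterwards
#
# NOTE(review): the installer URL tracks HEAD, so the script that runs is
# whatever the repository serves at that moment, and in main it runs after
# the sudo keepalive has started. Pinning the URL to a reviewed commit and
# checking a digest before execution would make the run reproducible.
#######################################
homebrew_install() {
  local brew=/opt/homebrew/bin/brew
  local installer_url=https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
  local installer

  if [[ ! -x "$brew" ]]; then
    # Download completely before executing. With the download inlined as
    # an argument, a failed or truncated transfer still hands whatever
    # arrived to bash; here a curl error or empty body stops the run.
    if ! installer=$(curl -fsSL "$installer_url") || [[ -z "$installer" ]]; then
      echo "Failed to download the Homebrew installer: $installer_url" >&2
      exit 1
    fi

    NONINTERACTIVE=1 /bin/bash -c "$installer"

    if [[ ! -x "$brew" ]]; then
      echo "Failed to install homebrew: $brew" >&2
      exit 1
    fi
  fi

  # shellenv prints shell code (PATH and related exports) for eval.
  eval "$("$brew" shellenv zsh)"
  # Diagnostics only; warnings from doctor must not abort the setup.
  brew doctor --quiet || true
}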
#######################################
# Install the package set below through `brew bundle`, feeding the Brewfile
# on stdin.
# Outputs:   brew bundle output
# Returns:   status of `brew bundle install`
#
# --cleanup makes the Brewfile authoritative: Homebrew-managed packages that
# are not listed here are uninstalled. The list also adds a third-party tap;
# taps and casks bring in code maintained outside Homebrew's core
# repositories, so review new entries before adding them.
#######################################
bundle_install() {
  # Quoted delimiter: the Brewfile text is passed through literally.
  brew bundle install \
    --cleanup \
    --file="/dev/stdin" \
    --quiet \
    <<-'EOF'
brew 'difftastic'
brew 'fd'
brew 'fish'
brew 'gh'
brew 'git-delta'
brew 'git-lfs'
brew 'git'
brew 'jj'
brew 'jjui'
brew 'mergiraf'
brew 'mise' # mise is a package manager for my projects
brew 'rg'
brew 'starship'
brew 'uv'
brew 'yt-dlp'
brew 'zoxide'
cask 'appcleaner'
cask 'aptible'
cask 'arq'
cask 'dropbox'
cask 'firefox'
cask 'ghostty'
cask 'hiddenbar'
cask 'iina'
cask 'macvim-app'
cask 'orbstack'
cask 'secretive'
cask 'simplenote'
cask 'steam'
cask 'transmission'
cask 'zed'
brew 'mas'
mas 'Bitwarden', id: 1352778147
mas 'XCode', id: 497799835
# Substrate
brew 'temporal'
cask '1password-cli'
cask '1password'
cask 'claude-code'
cask 'dbeaver-community'
cask 'google-chrome'
cask 'slack'
cask 'tailscale-app'
tap 'oneleet/homebrew-tap'
cask 'oneleet-agent'
EOF
}
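#######################################
# Add the Homebrew, mise, starship, zoxide and OrbStack hooks to the zsh and
# fish startup files, skipping lines that are already present.
# Outputs:   an error on stderr when brew cannot be located
# Returns:   exits 1 when brew is not on PATH; otherwise the status of the
#            last append call
#
# The absolute brew path is resolved once, at install time, and written into
# the rc files. append works line by line, so the fish `if ... end` block is
# not added atomically.
#######################################
rc_install() {
  local brew_path

  # Resolve brew up front. An unresolved path would otherwise be expanded
  # to nothing inside the here-documents and leave a broken `eval` line in
  # the login files.
  if ! brew_path=$(command -v brew) || [[ -z "$brew_path" ]]; then
    echo "Cannot locate brew on PATH; shell rc files left unchanged" >&2
    exit 1
  fi

  # Unquoted delimiter: brew_path expands now, the escaped \$( stays literal.
  append ~/.zprofile <<-EOF
eval "\$(${brew_path} shellenv)"
EOF

  # Quoted delimiter: written verbatim and evaluated by zsh at startup.
  append ~/.zshrc <<-'EOF'
eval "$(mise activate zsh)"
eval "$(starship init zsh)"
eval "$(zoxide init zsh)"
EOF

  append ~/.config/fish/conf.d/homebrew.fish <<-EOF
${brew_path} shellenv | source
if status is-interactive
starship init fish | source
zoxide init fish | source
end
EOF

  # The tilde is not expanded inside a here-document; fish sees it as typed.
  append ~/.config/fish/conf.d/orbstack.fish <<-EOF
fish_add_path ~/.orbstack/bin
EOF
}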
#######################################
# Default entry point: report the Touch ID state, open the sudo session,
# trigger a software update, then install Homebrew, the bundle and the
# shell rc lines, in that order.
# Returns:   status of the last step; with the file's `set -e`, the first
#            failing step aborts the run
#######################################
main() {
  sudo_touchid_check
  start_sudo_session

  sudo softwareupdate \
    --agree-to-license \
    --background \
    --force

  # Remaining steps run in order; each relies on the one before it.
  local step
  for step in homebrew_install bundle_install rc_install; do
    "$step"
  done
}
# Dispatch: with arguments, run them as a command (for example
# `<script> sudo_touchid_install`); with none, run main. The first argument
# is executed as given and is not restricted to functions in this file.
"${@:-main}"