Go back to the list

March 09, 2023

4 min read

Using 1Password to store secret dotfiles with Chezmoi

Every so often, you might need to bootstrap a new machine. And with that comes tranferring your existing data, and reconfiguring your dotfiles. Personally, I can't bring myself to use zip files and other things, so I'm left with one real option: Use a dotfile manager.

I chose to use chezmoi as the manager for these, primarily because of the integrations it has with password managers, such as the one I use - 1Password. There are plenty of other useful features (templates, script running, etc.) but I'll cover them at a later date.


You'll need the following things for this...

  1. chezmoi - Instructions for your OS can be found on the chezmoi site
  2. 1Password's Desktop App - Available here
  3. 1Password CLI - Available here

You'll also need to configure 1Password to use the CLI - check that out here


Initializing chezmoi

After you have install chezmoi, initialize a blank working space with

chezmoi init

On MacOS, this will create a directory at ~/.local/share/chezmoi, and managed dotfiles will reside here. The folder is actually configured as a git repository by default, so you can add your remote and keep your dotfiles in git. The folder, and files, here are referred to as the source files, whereas the files in your home directory are referred to as the target.

The Basics

Once you've initialized chezmoi, you can then add files you care about - like so:

chezmoi add .zshrc
chezmoi add aliases.zsh

Then, when ready, you can commit the files to your repo. To do that, you'll need to do the following:

chezmoi cd
git add .
git commit -m "Add base dotfiles"

This repo can then be synced to a remote - something I'd highly recommend.

Handing secrets with 1Password

Now we have a pretty basic setup with chezmoi, let's manage some of our files which contain secrets. I have a fair number of files which I'd rather keep protected, but that I need to use on multiple machines where my dotfiles already exist. To keep these files, or individual values, secret, we can make use of file templates and 1Password's CLI. chezmoi supports multiple different password managers (Bitwarden, Dashlane, KeePass, etc), so choose your poison - I'm just using 1Password here as it's what I already use. Check out the Password managers docs for more information.

To add a file as a template, we'll do the following (In this example, I'm using ~/.ssh/config)

chezmoi add --template .ssh/config

With this command, I'm telling chezmoi to store config as a template - however this does not overwrite the target. Instead, with template files, chezmoi will create a file in it's source with the following path dot_ssh/config.tmpl

In order for chezmoi to be aware of where the contents of this file is stored in 1Password, we'll first need to store the actual document contents in 1Password. Firstly, sign in to 1Password CLI:

eval $(op signin --account my)

Then, store the documents using the CLI tool

op document create .ssh/config --tags chezmoi --title .ssh/config

This will return an object which containes a uuid, amongst other things. Once you have created the document in 1Password, you'll need to add the uuid value to your template, like so...

echo -n '{{- onepasswordDocument "<UUID>" -}}' > dot_ssh/config.tmpl

And that's it - it's as simple as that! There are plenty of cool things you can do with templates - some of which I'll explore in later posts - such as machine-specific files, architecture specific configuration, etc.