Using 1Password to store secret dotfiles with Chezmoi
March 09, 2023
Every so often, you might need to bootstrap a new machine. And with that comes transferring your existing data, and reconfiguring your dotfiles. Personally, I can't bring myself to use zip files and other things, so I'm left with one real option: Use a dotfile manager.
I chose to use chezmoi as the manager for these, primarily because of the integrations it has with password managers, such as the one I use - 1Password. There are plenty of other useful features (templates, script running, etc.) but I'll cover them at a later date.
You'll need the following things for this...
- chezmoi - Instructions for your OS can be found on the chezmoi site
- 1Password's Desktop App - Available here
- 1Password CLI - Available here
You'll also need to configure 1Password to use the CLI - check that out here
After you have installed chezmoi, initialize a blank working space with
On macOS, this will create a directory at ~/.local/share/chezmoi, and managed dotfiles will reside here. The folder is actually configured as a git repository by default, so you can add your remote and keep your dotfiles in git.
The folder, and files, here are referred to as the source files, whereas the files in your home directory are referred to as the target.
Once you've initialized chezmoi, you can then add files you care about - like so:
Then, when ready, you can commit the files to your repo. To do that, you'll need to do the following:
This repo can then be synced to a remote - something I'd highly recommend.
Handling secrets with 1Password
Now we have a pretty basic setup with chezmoi, let's manage some of our files which contain secrets. I have a fair number of files which I'd rather keep protected, but that I need to use on multiple machines where my dotfiles already exist. To keep these files, or individual values, secret, we can make use of file templates and 1Password's CLI. chezmoi supports multiple different password managers (Bitwarden, Dashlane, KeePass, etc), so choose your poison - I'm just using 1Password here as it's what I already use. Check out the Password managers docs for more information.
To add a file as a template, we'll do the following (In this example, I'm using
With this command, I'm telling chezmoi to store config as a template - however this does not overwrite the target. Instead, with template files, chezmoi will create a file in its source with the following path
In order for chezmoi to be aware of where the contents of this file are stored in 1Password, we'll first need to store the actual document contents in 1Password. Firstly, sign in to 1Password CLI:
Then, store the documents using the CLI tool
This will return an object which contains a uuid, amongst other things. Once you have created the document in 1Password, you'll need to add the uuid value to your template, like so...
And that's it - it's as simple as that! There are plenty of cool things you can do with templates - some of which I'll explore in later posts - such as machine-specific files, architecture specific configuration, etc.
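A check worth running before pushing the source repo to a remote, as an added example that is not part of the original post: adding a file as a template copies its current contents into the source directory, so the secret sits there in plaintext until it is replaced with a 1Password lookup. The file names, the placeholder UUID, the op:// reference and the secret patterns below are constructed assumptions; onepasswordDocument, onepasswordRead and the private_ prefix are chezmoi's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-commit check for a chezmoi
# source directory that is pushed to a git remote.

# Assumed, illustrative patterns; not an exhaustive secret scanner.
SECRET_RE='BEGIN [A-Z ]*PRIVATE KEY|(password|token|secret)[[:space:]]*[=:][[:space:]]*[^{[:space:]]'

# check_source DIR: print one finding per line, nothing if the tree is clean.
check_source() {
    find "$1" -path "$1/.git" -prune -o -type f -print | sort |
    while IFS= read -r f; do
        rel=${f#"$1"/}
        # 1. Literal secret material must never sit in the source state.
        if grep -Eiq "$SECRET_RE" "$f"; then
            echo "plaintext-secret: $rel"
        fi
        # 2. A template that pulls from 1Password should render to a target
        #    without group/world access, which chezmoi's private_ prefix does.
        if grep -q '{{.*onepassword' "$f"; then
            case $rel in
                *private_*) ;;
                *) echo "missing-private-prefix: $rel" ;;
            esac
        fi
    done
}

# Build a constructed source tree (placeholder UUID, fake key header).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/private_dot_example" "$d/dot_config/app"
    # Good: the only content is a 1Password lookup.
    printf '%s\n' '{{- onepasswordDocument "EXAMPLE-UUID-PLACEHOLDER" -}}' \
        > "$d/private_dot_example/config.tmpl"
    # Bad: added as a template, but the secret was never replaced.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-not-a-key' \
        > "$d/private_dot_example/id_example.tmpl"
    # Bad: 1Password lookup, but the target would keep default permissions.
    printf '%s\n' 'token = {{ onepasswordRead "op://vault/item/field" }}' \
        > "$d/dot_config/app/settings.toml.tmpl"
    echo "$d"
}

sample=$(make_sample)
check_source "$sample"
rm -rf "$sample"
```

Point check_source at your own source directory (~/.local/share/chezmoi by default) and treat any output as a reason not to commit yet.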