Skip to content

mmercurio/dotfiles

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

169 Commits
home
home
 
 
images
images
 
 
.chezmoiroot
.chezmoiroot
 
 
.chezmoiversion
.chezmoiversion
 
 
README.md
README.md
 
 
chezmoi_scriptState_set.sh
chezmoi_scriptState_set.sh
 
 
install.ps1
install.ps1
 
 
install.sh
install.sh
 
 

Repository files navigation

dotfiles

My collection of dotfiles, managed with chezmoi.

Inspired by Tom Payne, renemarc, Mathias Bynens, and others.

Install dotfiles with:

chezmoi init --apply mmercurio

Or to start from scratch and also install chezmoi:

sh -c "$(curl -fsLS git.io/chezmoi)" -- init --apply mmercurio

1Password, SSH, and tmux

This repo includes customization to support 1Password + SSH + tmux use cases I have.

Although I don't yet use Chezmoi's support for 1Password, I make heavy use of 1Password, including 1Password SSH Agent and accessing secrets from scripts using the 1Password CLI. I also tend to login remotely via SSH to both Linux and macOS systems, including sessions managed by tmux.

I've found that out of the box, 1Password SSH Agent and CLI don't provide the best user experience over SSH, especially when long-lived tmux sessions are involved.

Use Case

Assume I have 1Password installed on all of my macOS and Linux desktop systems, and I SSH from a Linux desktop into a macOS system. SSH agent forwarding will mostly take care of using 1Password SSH Agent over SSH with a carefully configured tmux.

However, trying to use scripts that rely on 1Password CLI while logged in remotely over SSH will not work very well because the 1Password CLI communicates with the 1Password app running on the same host. In this example, the authorization prompt for CLI access goes to a the macOS desktop (i.e., the system I'm logged in remotely to) instead of the Linux desktop where I'm logged in locally and have access to the 1Password desktop app.

Solution

I'd like to proxy the 1Password CLI (op) command back over the SSH session to the local desktop where I'm running 1Password, similarly to how SSH agent forwarding behaves.

Out of the box, 1Password doesn't support this, but nothing stops me from running op over SSH (e.g., to read a secret ACCESS_TOKEN stored in a 1Password vault):

ssh desktop-host op read op://dev/ACCESS_TOKEN

This works well enough, but I want to proxy the 1Passwrord CLI op command over SSH automatically so that scripts that use op work without modification.

In order to accomplish this I set up a wrapper for the op command when I'm logged in remotely over SSH and I keep track of the desktop host where I'm logged in locally with an environment variable (LC_DESKTOP_HOST) which is forwarded to remote SSH sessions.

Note

It's important to use a variable name beginning with LC_ because the SSH server must be configured to accept environment variables from the client. Most OpenSSH server configurations (/etc/ssh/sshd_config) accept environment variable names beginning with LC_ to support localization across SSH sessions. Likewise, by default, OpenSSH clients are typically configured (/etc/ssh/ssh_config) to send all environment variables beginning with LC_.

Most of this is accomplished via ~/.ssh/env_1password which is sourced by the login shell.

Additionally:

  • on macOS, ~/.1password/agent.sock is symlinked to the 1Password SSH Agent socket so that this is consistent between macOS and Linux.
  • ~/bin/op is symlinked to 1Password CLI executable so this is consistent across all SSH sessions on all macOS and Linux hosts.
  • ~/.tmux.conf is configured to add LC_DESKTOP_HOST to the list of environment variables copied into the session via update-environment, so this works properly over tmux when reattaching to a session from a different desktop.

Now scripts using op to read secrets will continue to work as expected and the authorization will be sent to the 1Password app running on the desktop where I'm logged in locally. This has the added benefit of allowing op to work via SSH on remote systems where 1Password is not installed.

Windows

For best results on Windows, first ensure the latest version of PowerShell (7.x) is installed:

(iwr https://git.io/chezmoi.ps1).Content | pwsh -c -

Windows Todos

My use of Microsoft Windows has declined, so Windows support is not as complete as macOS and Linux. Some missing features and TODOs:

  • Install additional Nerd Fonts (downloaded, but not yet installed)
  • Configure PowerShell profile and prompt, including upgrading to pwsh Core
  • Install and configure git
  • Use winget on Windows 11
  • Configure Windows Terminal
  • Install extra apps (winget with fallback to Chocolately)
  • One-line install from GitHub repo
  • Configure Windows defaults (themes, fonts, default apps, etc.)

About

My dotfiles, managed with chezmoi

Topics

dotfiles tmux ssh 1password chezmoi

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages