From 2a826d98671262b4c7e7222085b62d84ae604ac4 Mon Sep 17 00:00:00 2001
From: Ryota Ikezawa
Date: Tue, 3 Mar 2026 22:36:05 +0900
Subject: [PATCH] feat(chezmoi): add 1Password CLI integration for private environments

Read name, email, and npm token from 1Password (Dotfiles vault) when op CLI is available in non-business environments. Falls back to promptStringOnce when op is absent or in business mode. Unify GH Token vault URI to op://Dotfiles/GH Token/token.

Co-Authored-By: Claude Opus 4.6
---
 .chezmoi.yaml.tmpl | 23 ++++++++++++++++++-----
 .chezmoiscripts/run_once_setup-gh-auth.sh | 2 +-
 dot_claude/settings.json.tmpl | 6 ++++--
 dot_npmrc.tmpl | 7 +++++--
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/.chezmoi.yaml.tmpl b/.chezmoi.yaml.tmpl
index 2908998..f89f2fb 100644
--- a/.chezmoi.yaml.tmpl
+++ b/.chezmoi.yaml.tmpl
@@ -4,22 +4,35 @@
 {{- end -}}
 {{- $businessUse := env "BUSINESS_USE" | not | not -}}
+{{- $hasOp := lookPath "op" | not | not -}}
-{{- $name := promptStringOnce . "name" "Your name" -}}
-{{- $email := promptStringOnce . "email" "Your email (personal)" -}}
+{{- $name := "" -}}
+{{- $email := "" -}}
 {{- $workEmail := "" -}}
-{{- if $businessUse -}}
-{{- $workEmail = promptStringOnce . "work_email" "Your work email" -}}
+{{- $npmToken := "" -}}
+
+{{- if and (not $businessUse) $hasOp -}}
+{{- $name = onepasswordRead "op://Dotfiles/Git/name" -}}
+{{- $email = onepasswordRead "op://Dotfiles/Git/email" -}}
+{{- $npmToken = onepasswordRead "op://Dotfiles/NPM/credential" -}}
+{{- else -}}
+{{- $name = promptStringOnce . "name" "Your name" -}}
+{{- $email = promptStringOnce . "email" "Your email (personal)" -}}
+{{- if $businessUse -}}
+{{- $workEmail = promptStringOnce . "work_email" "Your work email" -}}
+{{- end -}}
 {{- end -}}
 data:
  osid: {{ $osID | quote }}
  business_use: {{ $businessUse }}
+ has_op: {{ $hasOp }}
- # User info (prompted on first run)
+ # User info (prompted on first run, or read from 1Password)
  name: {{ $name | quote }}
  email: {{ $email | quote }}
  work_email: {{ $workEmail | quote }}
+ npm_token: {{ $npmToken | quote }}
  # Auto tmux on terminal startup
  auto_tmux: true
diff --git a/.chezmoiscripts/run_once_setup-gh-auth.sh b/.chezmoiscripts/run_once_setup-gh-auth.sh
index 94059e0..25a679d 100644
--- a/.chezmoiscripts/run_once_setup-gh-auth.sh
+++ b/.chezmoiscripts/run_once_setup-gh-auth.sh
@@ -22,6 +22,6 @@ if gh auth status &>/dev/null; then
 fi
 echo "Setting up gh authentication via 1Password..."
-op read "op://GH Token/token" | gh auth login --with-token
+op read "op://Dotfiles/GH Token/token" | gh auth login --with-token
 echo "gh authentication complete"
diff --git a/dot_claude/settings.json.tmpl b/dot_claude/settings.json.tmpl
index 29ea5d5..8357d0b 100644
--- a/dot_claude/settings.json.tmpl
+++ b/dot_claude/settings.json.tmpl
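Review bot: The npm credential read by `onepasswordRead "op://Dotfiles/NPM/credential"` is written into the generated chezmoi config through the new `npm_token: {{ $npmToken | quote }}` data line, so a copy of the secret sits in that config file for as long as it exists, separate from the `.npmrc` it is meant for. Since `onepasswordRead` is also available in per-file templates, the token can be resolved at apply time instead: drop `$npmToken` and `npm_token` here and have `dot_npmrc.tmpl` use `{{ onepasswordRead "op://Dotfiles/NPM/credential" }}` guarded by `.has_op` and `not .business_use`. Separately, `$hasOp` only proves the `op` binary exists; if it is installed but not signed in, the three `onepasswordRead` calls presumably fail and config generation aborts rather than falling back to `promptStringOnce`, which is worth a comment such as `{{/* requires an active op session; run "op signin" first or unset op to be prompted */}}` above the `if`.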
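Review bot: If `op read "op://Dotfiles/GH Token/token"` fails (no session, missing item), `gh auth login --with-token` still runs on an empty stdin and the pipeline's status is gh's, so the failure is only surfaced if the script's header, which is outside this hunk, sets `pipefail`. Reading the token first makes the failure explicit regardless of shell options: `token="$(op read "op://Dotfiles/GH Token/token")" || { echo "op read failed" >&2; exit 1; }` followed by `printf '%s\n' "$token" | gh auth login --with-token`. The surrounding `if`/`fi` and the script's option lines are outside the hunk, so this may already be covered there.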
@@ -25,7 +25,9 @@
  "Bash(psql:*)",
  "Bash(mysql:*)",
  "Bash(mongod:*)",
- "Read(.env.*)",
+ "Read(**/.env)",
+ "Read(**/.env.*)",
+ "Read(**/.dev.vars)",
  "Read(id_rsa)",
  "Read(id_ed25519)",
  "Read(**/*token*)",
@@ -38,7 +40,7 @@
  "Read(**/*secret*)",
  "Read(**/.netrc)",
  "Read(**/.npmrc)",
- "Write(.env*)",
+ "Write(**/.env*)",
  "Write(**/secrets/**)",
  "Write(**/.ssh/*)",
  "Write(**/authorized_keys)",
diff --git a/dot_npmrc.tmpl b/dot_npmrc.tmpl
index 6406ac3..98dd5e3 100644
--- a/dot_npmrc.tmpl
+++ b/dot_npmrc.tmpl
@@ -38,6 +38,9 @@ color=always
 engine-strict=true
 save-exact=true
-# Auth (token from environment variable)
-//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+{{- if ne .npm_token "" }}
+
+# Auth (from 1Password)
+//registry.npmjs.org/:_authToken={{ .npm_token }}
+{{- end }}
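Review bot: `"Read(id_rsa)"` and `"Read(id_ed25519)"` keep the bare form that this commit replaces for `.env`, so if the `**/` prefix was needed for `.env.*` to match outside the working directory, the private-key entries have the same gap and should become `"Read(**/id_rsa)"` and `"Read(**/id_ed25519)"` (assuming these lines are in a deny list, which the hunk does not show; the enclosing array starts and ends outside it). It is also worth a short comment or commit-message note on why the Read side lists `**/.env` and `**/.env.*` separately while the Write side uses `**/.env*`, since the two presumably differ on names like `.envrc`.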
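Review bot: When `.npm_token` is empty, which per the chezmoi config change is every business-mode host and every host without `op`, the removed `//registry.npmjs.org/:_authToken=${NPM_TOKEN}` line has no replacement, so those environments lose registry authentication they had before. Restoring the env-var form in an else branch keeps the old behaviour: `{{- else }}`, `# Auth (token from environment variable)`, `//registry.npmjs.org/:_authToken=${NPM_TOKEN}` before the existing `{{- end }}`. Note also that the rendered `.npmrc` now carries the literal token rather than a variable reference, so its file mode and any sync or backup of the home directory matter more than before.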