tags: [1password, cli, docker, devops, macos, linux] created: 2026-04-01#

1Password CLI & Docker Deployment Guide#

1. Installation#

1.1. Install 1Password CLI (Linux)#

# 1. Add the key
curl -sS [https://downloads.1password.com/linux/keys/1password.asc](https://downloads.1password.com/linux/keys/1password.asc) | sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg

# 2. Add the repository
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] [https://downloads.1password.com/linux/debian/amd64](https://downloads.1password.com/linux/debian/amd64) stable main' | sudo tee /etc/apt/sources.list.d/1password.list

# 3. Update and Install
sudo apt update && sudo apt install 1password-cli

1.2. Install 1Password CLI (macOS)#

# Install via Homebrew
brew install 1password-cli

2. Authentication & Account Setup#

2.1. Initial Account Setup (One-time)#

op account add --address [https://my.1password.com/](https://my.1password.com/) --email [REDACTED_EMAIL]
eval $(op signin)

2.2. Enable Persistence (Linux)#

# Enable the system keyring
op config edit --device-details on

# Set the account to stay signed in
op account edit --sign-in-address my.1password.com --biometry on

2.3. Enable Biometric Integration (macOS)#

  1. Open the 1Password Desktop App.
  2. Navigate to Settings > Developer.
  3. Check the box for Connect with 1Password CLI.
  4. Run op signin in the terminal to perform the initial handshake.
  5. Verify with op whoami (triggers Touch ID).
# Test
op item get "Gemini-CLI" --vault "Homelab" --format json

3. Secret Management & Deployment#

3.1. Setup 1Password Secret#

  • Create a Secure Note or API Credential in the Homelab vault.
  • Title the note (e.g., Cloudflare).
  • Add a field: Label = TUNNEL_TOKEN, Value = [Your Secret].

3.2. Configure .env File#

Create .env and add the reference:

TUNNEL_TOKEN=op://Homelab/Cloudflared/TUNNEL_TOKEN

3.3. Deployment & Verification#

# In Linux environments without biometric persistence:
eval $(op signin)

# Run deployment
op run --env-file=".env" -- docker compose up
docker logs cloudflared

4. Aliases for Docker and 1Password#

Add these to your .bashrc or .zshrc:

# 1Password & Docker Compose Alias - detach mode
alias 1p='op whoami >/dev/null 2>&1 || eval $(op signin); op run --env-file=".env" -- docker compose up -d && docker compose logs -f'

# Docker Cleanup Alias
alias clean='docker system prune --all --volumes'

# Compose Down/Up Aliases
alias up='docker compose up -d && docker compose logs -f'
alias down='docker compose down --remove-orphans'

5. Reference#

Private Tunnel Token Reference: TUNNEL_TOKEN=op://Homelab/PRIVATE/TUNNEL_TOKEN

6. Proxmox MCP Reference#

To use Proxmox secrets in Gemini-CLI without plain-text exposure: PROXMOX_TOKEN_ID=op://Homelab/Proxmox MCP/token_id PROXMOX_TOKEN_SECRET=op://Homelab/Proxmox MCP/token_secret

If IPV6 Issues with 1Password-CLI#

# Run this in the affected VM
grep -q "^#precedence ::ffff:0:0/96  100" /etc/gai.conf && sudo sed -i 's/^#precedence ::ffff:0:0\/96  100/precedence ::ffff:0:0\/96  100/' /etc/gai.conf || grep -q "^precedence ::ffff:0:0/96  100" /etc/gai.conf || echo "precedence ::ffff:0:0/96  100" | sudo tee -a /etc/gai.conf > /dev/null
# Run this to revert if needed
sudo sed -i 's/^precedence ::ffff:0:0\/96  100/#precedence ::ffff:0:0\/96  100/' /etc/gai.conf
roboot
Backward Gemini CLI AI Forward