Split SSH config fragments and move OpenTofu to Homebrew (#96)

Author: nickromney

.gitignore

@@ -24,6 +24,8 @@ _audit/
 # Local reference repos
 _reference/
 
+skills/.SKILLS_MANAGED_BY_JSM
+
 # Local compiled tools
 bin/browser-tools
 scripts/node_modules/

README.md

@@ -181,7 +181,7 @@ The `setup-ssh-from-1password.sh` script manages SSH configuration with security
 #### Default (Safe) Mode
 
 ```bash
-# Download SSH config + public keys only (private keys stay in 1Password)
+# Download base SSH config + per-profile fragment + public keys only
 ./setup-ssh-from-1password.sh
 
 # Check what's available without downloading
@@ -190,7 +190,8 @@ The `setup-ssh-from-1password.sh` script manages SSH configuration with security
 
 In safe mode:
 
-- Downloads SSH config from 1Password (stored as Secure Note)
+- Downloads base SSH config from 1Password (stored as Secure Note)
+- Downloads a per-profile SSH config fragment from 1Password
 - Downloads **public keys only** for reference
 - Private keys remain in 1Password
 - Uses 1Password SSH Agent for authentication
@@ -252,19 +253,40 @@ This approach:
 
 1. Open 1Password and create new item → SSH Key
 2. Name it exactly as expected by the script:
-   - `github_personal_authentication`
-   - `github_personal_signing`
-   - `aws_work_2024_client_1`
-   - `github_work_2025_client_1`
+   - `personal_github_authentication`
+   - `personal_github_signing`
+   - `work_2024_client_1_aws`
+   - `work_2025_client_1_github`
+   - `work_2025_client_2_github`
+   - `work_2025_client_2_ado`
 3. Paste your private key
-4. Save to "Private" vault (or adjust `VAULT` in script)
+4. Save to the vault expected by the script for that key
 
 #### SSH Config
 
 1. Create new item → Secure Note
-2. Name it: `SSH Config`
-3. Paste your complete SSH configuration
-4. Save to "Private" vault
+2. Name it: `~/.ssh/config`
+3. Add your base SSH configuration, for example:
+
+   ```sshconfig
+   Host *
+     IdentityAgent "~/.1password/agent.sock"
+
+   Include ~/.ssh/config.d/*.conf
+   ```
+
+4. Save it in the vault selected by `SSH_CONFIG_VAULT` or `VAULT`
+
+#### SSH Config Fragments
+
+1. Create new item → Secure Note
+2. Name it as one of:
+   - `~/.ssh/config.d/personal.conf`
+   - `~/.ssh/config.d/work-2024-client-1.conf`
+   - `~/.ssh/config.d/work-2025-client-1.conf`
+   - `~/.ssh/config.d/work-2025-client-2.conf`
+3. Add only the host stanzas for that profile
+4. Save it in the same vault as that profile's SSH keys
 
 #### Git Config
 
@@ -275,6 +297,11 @@ This approach:
    ```ini
    [url "github-work:OrgName/"]
      insteadOf = [email protected]:OrgName/
+     insteadOf = https://github.com/OrgName/
+
+   [url "git@ado-work-2025-client-2:v3/ORG/PROJECT/"]
+     insteadOf = [email protected]:v3/ORG/PROJECT/
+
    [user]
      email = [email protected]
    ```

_configs/focus/infrastructure.yaml

@@ -17,9 +17,9 @@ tools:
     documentation_url: "https://terraform.io"
     category: infrastructure
 
-  tofu:
-    manager: arkade
-    type: get
+  opentofu:
+    manager: brew
+    type: package
     check_command: command -v tofu
     description: "Open-source Terraform fork"
     documentation_url: "https://opentofu.org/"

_test/1password.bats

@@ -73,22 +73,36 @@ if [[ "$1" == "item" ]] && [[ "$2" == "get" ]]; then
         cat <<'CONFIG'
 Host *
   IdentityAgent "~/.1password/agent.sock"
-
-Host github-work
-    HostName github.com
-    User git
-    IdentityFile ~/.ssh/work_key.pub
+Include ~/.ssh/config.d/*.conf
 CONFIG
       else
         echo "~/.ssh/config found"
       fi
       exit 0
       ;;
+    "~/.ssh/config.d/personal.conf")
+      if [[ "$@" == *"--fields"* ]] && [[ "$@" == *"notes"* ]]; then
+        cat <<'CONFIG'
+Host github.com
+  HostName github.com
+  User git
+  IdentityFile ~/.ssh/personal_github_authentication.pub
+  IdentitiesOnly yes
+CONFIG
+      else
+        echo "~/.ssh/config.d/personal.conf found"
+      fi
+      exit 0
+      ;;
     "work .gitconfig_include")
       if [[ "$@" == *"--fields"* ]] && [[ "$@" == *"notes"* ]]; then
         cat <<'GITCONFIG'
 [url "github-work:OrgName/"]
   insteadOf = [email protected]:OrgName/
+  insteadOf = https://github.com/OrgName/
+
+[url "git@ado-work-2025-client-2:v3/ORG/PROJECT/"]
+  insteadOf = [email protected]:v3/ORG/PROJECT/
 
 [user]
   email = [email protected]
@@ -98,7 +112,7 @@ GITCONFIG
       fi
       exit 0
       ;;
-    "personal_github_authentication"|"personal_github_signing"|"work_aws_2024_client_1"|"work_github_2025_client_1")
+    "personal_github_authentication"|"personal_github_signing"|"work_2024_client_1_aws"|"work_2025_client_1_github")
       echo "$item_name found"
       exit 0
       ;;
@@ -132,7 +146,8 @@ EOF
   [ "$status" -eq 0 ]
   [[ "$output" == *"SSH Config Dry Run"* ]]
   [[ "$output" == *"Found in 1Password:"* ]]
-  [[ "$output" == *"~/.ssh/config (Secure Note)"* ]]
+  [[ "$output" == *"~/.ssh/config (Secure Note, vault: Private)"* ]]
+  [[ "$output" == *"~/.ssh/config.d/personal.conf"* ]]
   [[ "$output" == *"personal_github_authentication"* ]]
   [[ "$output" == *"No files were modified"* ]]
 }
@@ -152,9 +167,19 @@ if [[ "$1" == "account" ]] && [[ "$2" == "list" ]]; then
 fi
 
 if [[ "$1" == "item" ]] && [[ "$2" == "get" ]]; then
-  if [[ "$@" == *"--fields notes"* ]]; then
+  if [[ "$3" == "~/.ssh/config" ]] && [[ "$@" == *"--fields notes"* ]]; then
     echo "Host *"
     echo "  IdentityAgent ~/.1password/agent.sock"
+    echo "Include ~/.ssh/config.d/*.conf"
+    exit 0
+  fi
+
+  if [[ "$3" == "~/.ssh/config.d/personal.conf" ]] && [[ "$@" == *"--fields notes"* ]]; then
+    echo "Host github.com"
+    echo "  HostName github.com"
+    echo "  User git"
+    echo "  IdentityFile ~/.ssh/personal_github_authentication.pub"
+    echo "  IdentitiesOnly yes"
     exit 0
   fi
 
@@ -179,6 +204,9 @@ EOF
   grep -q "public key" "$TEST_DIR/op-calls.log"
   run grep -q "private key" "$TEST_DIR/op-calls.log"
   [ "$status" -ne 0 ]
+  [ -f "$HOME/.ssh/config.d/personal.conf" ]
+  run grep -q "Host github.com" "$HOME/.ssh/config.d/personal.conf"
+  [ "$status" -eq 0 ]
 }
 
 @test "SSH setup: unsafe mode requires confirmation" {

_test/shell-configs.bats

@@ -181,6 +181,20 @@ EOF
   [ "$status" -eq 0 ]
 }
 
+@test "zshrc: prepends docker completions directory to fpath when present" {
+  mkdir -p "$HOME/.docker/completions"
+  touch "$HOME/.docker/completions/_docker"
+
+  result=$(/bin/zsh -c "
+    export HOME='$HOME'
+    export DOTFILES_DIR='$DOTFILES_DIR'
+    source $DOTFILES_DIR/zsh/.zshrc 2>/dev/null
+    print -r -- \$fpath[1]
+  ")
+
+  [ "$result" = "$HOME/.docker/completions" ]
+}
+
 @test "zshrc: direnv only initialized when direnv exists" {
   # Test without direnv - should not error
   run zsh -c "
@@ -276,11 +290,18 @@ EOF
     skip "No suitable 'time' command with -p flag available"
   fi
 
+  local zdotdir="$HOME/zdotdir"
+  mkdir -p "$zdotdir"
+  ln -sf "$DOTFILES_DIR/zsh/.zshrc" "$zdotdir/.zshrc"
+  if [ -f "$DOTFILES_DIR/zsh/.zshenv" ]; then
+    ln -sf "$DOTFILES_DIR/zsh/.zshenv" "$zdotdir/.zshenv"
+  fi
+
   local -a zsh_cmd=(
     env
     HOME="$HOME"
     DOTFILES_DIR="$DOTFILES_DIR"
-    ZDOTDIR="$DOTFILES_DIR/zsh"
+    ZDOTDIR="$zdotdir"
     TERM="xterm-256color"
     zsh -i -c exit
   )

claude/.claude/settings.json

@@ -1,4 +1,5 @@
 {
+  "model": "opus[1m]",
   "statusLine": {
     "type": "command",
     "command": "bash -c 'input=$(cat); cwd=$(echo \"$input\" | jq -r \".workspace.current_dir // .cwd\"); display_dir=\"${cwd/#$HOME/\\~}\"; printf \"\\033[38;5;85m\\033[1m%s\\033[0m\" \"$display_dir\"; if git -C \"$cwd\" rev-parse --git-dir >/dev/null 2>&1; then branch=$(git -C \"$cwd\" --no-optional-locks branch --show-current 2>/dev/null || echo \"detached\"); printf \" \\033[1mgit\\033[0m \\033[0;32m\\033[1m%s\\033[0m\" \"$branch\"; status=$(git -C \"$cwd\" --no-optional-locks status --porcelain 2>/dev/null); if [ -n \"$status\" ]; then modified=$(echo \"$status\" | grep -c \"^ M\" || true); untracked=$(echo \"$status\" | grep -c \"^??\" || true); staged=$(echo \"$status\" | grep -c \"^M\" || true); status_info=\"\"; [ \"$staged\" -gt 0 ] && status_info+=\"$(printf \"\\033[0;32m✓%s\\033[0m \" \"$staged\")\"; [ \"$modified\" -gt 0 ] && status_info+=\"$(printf \"\\033[0;34m!%s\\033[0m \" \"$modified\")\"; [ \"$untracked\" -gt 0 ] && status_info+=\"$(printf \"\\033[0;36m?%s\\033[0m \" \"$untracked\")\"; [ -n \"$status_info\" ] && printf \" %s\" \"$status_info\"; fi; fi; if [ -f \"$cwd/package.json\" ] && command -v node >/dev/null 2>&1; then node_version=$(node --version 2>/dev/null | sed \"s/v//\"); printf \" \\033[0;32m\\033[1m󰎙 %s\\033[0m\" \"$node_version\"; fi; if ls \"$cwd\"/*.tf >/dev/null 2>&1; then printf \" \\033[1mterraform\\033[0m\"; fi; current_time=$(date \"+%H:%M\"); printf \" [%s]\" \"$current_time\"; echo'"
@@ -8,6 +9,5 @@
     "frontend-design@claude-code-plugins": true,
     "pr-review-toolkit@claude-code-plugins": true
   },
-  "alwaysThinkingEnabled": true,
-  "model": "opus"
+  "alwaysThinkingEnabled": true
 }

setup-gitconfig-from-1password.sh

@@ -283,6 +283,8 @@ if [ ${#failed_configs[@]} -gt 0 ]; then
   echo '  [url "github-work-alias:OrgName/"]'
   echo '    insteadOf = [email protected]:OrgName/'
   echo '    insteadOf = https://github.com/OrgName/'
+  echo '  [url "git@ado-work-2025-client-2:v3/ORG/PROJECT/"]'
+  echo '    insteadOf = [email protected]:v3/ORG/PROJECT/'
   echo '  [user]'
   echo '    email = [email protected]'
 fi