op-deploy
An SSH deployer for Docker Compose, designed to securely sync files, inject secrets from 1Password, and run deployments without the overhead of traditional DevOps tooling.
Features
- 🔐 1Password integration
  - Fetch secrets from one or more vaults
  - Automatically convert item fields into environment variables
- 🚀 SSH-based deployment
  - Supports password, SSH key, or SSH keys stored in 1Password
- 📂 File synchronization
  - Uploads your local project directory to a remote destination
  - Only updates files when modified
- 🐳 Docker Compose support
  - Runs docker compose up -d remotely
- 🌱 Environment variable injection
  - Pass env vars via CLI flags
  - Merge CLI envs with 1Password secrets
- 🔁 Optional Git checkout
  - Deploy a specific branch, tag, or commit before running Compose
Requirements
On the local machine:
- Docker or Go (depending on install method)
- 1Password Service Account token (optional but recommended)
On the remote server:
- Docker
- Docker Compose (v2: docker compose)
- SSH access
- Enough user permissions to run Docker
Installation
docker pull ghcr.io/archsocket/op-deploy:latest
go install github.com/archsocket/op-deploy@latest
https://github.com/archsocket/op-deploy/releases/download/{VERSION}/op-env_{OS}_{ARCH}
Usage
op-deploy run [flags]
Required flags
| Flag | Env Var | Description |
| --- | --- | --- |
| --local-dir | SOURCE | Local project directory |
| --remote-dir | DESTINATION | Remote destination directory |
| --address | SSH_ADDRESS | SSH host |
| --user | SSH_USER | SSH username |
Flags
SSH Configuration
| Flag | Env Var | Description |
| --- | --- | --- |
| --address, -a | SSH_ADDRESS | SSH address |
| --port, -p | SSH_PORT | SSH port (default: 22) |
| --user, -u | SSH_USER | SSH username |
| --pass, -i | SSH_PASSWORD | SSH password |
| --key-file, -k | SSH_KEY_FILE | SSH private key path |
| --key-passphrase | SSH_KEY_PASSPHRASE | SSH key passphrase |
| --ignore-host-key | — | Insecurely ignore SSH host key verification (default: false) |
| --threads | — | Thread count limit for remote file operations (default: 1) |
If no SSH credentials are provided, op-deploy will attempt to load an SSH key from 1Password.
1Password
| Flag | Env Var | Description |
| --- | --- | --- |
| --token, -t | OP_SERVICE_ACCOUNT_TOKEN | 1Password service account token |
| --vault, -v | — | Limit secrets to specific vaults (repeatable) |
Secret Mapping
Secrets are converted into environment variables using this format:
<ITEM_TITLE>_<FIELD_TITLE>
Example:
| Item | Field | Env Var |
| --- | --- | --- |
| db | password | DB_PASSWORD |
All keys are uppercased and sanitized.
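An added example (not op-deploy's own code) of the mapping above, with two checks worth making before secrets become env-file lines: two item fields that sanitize to the same key, and a value that contains a line break. The sanitization rule (anything outside `[A-Z0-9_]` becomes `_`), the `Secret` type and the function names are assumptions, since the page does not state the exact rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Secret is one 1Password item field (type constructed for this example).
type Secret struct{ Item, Field, Value string }

// Assumed sanitization rule: anything outside [A-Z0-9_] becomes '_'.
var unsafeChars = regexp.MustCompile(`[^A-Z0-9_]`)

// envKey builds <ITEM_TITLE>_<FIELD_TITLE>, uppercased and sanitized.
func envKey(item, field string) string {
	return unsafeChars.ReplaceAllString(strings.ToUpper(item+"_"+field), "_")
}

// envFile renders KEY=value lines in input order. It fails closed when two
// fields sanitize to the same key (one secret would silently replace another)
// or when a value contains a line break (it would add a line to the env file).
func envFile(secrets []Secret) (string, error) {
	seen := map[string]string{} // key -> "item/field" that produced it
	var b strings.Builder
	for _, s := range secrets {
		k, src := envKey(s.Item, s.Field), s.Item+"/"+s.Field
		if prev, dup := seen[k]; dup {
			return "", fmt.Errorf("%s: produced by both %q and %q", k, prev, src)
		}
		if strings.ContainsAny(s.Value, "\r\n") {
			return "", fmt.Errorf("%s: value contains a line break", k)
		}
		seen[k] = src
		fmt.Fprintf(&b, "%s=%s\n", k, s.Value)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample input; the second call shows the collision case.
	fmt.Println(envFile([]Secret{{"db", "password", "constructed-value"}}))
	fmt.Println(envFile([]Secret{{"db-prod", "password", "a"}, {"db prod", "password", "b"}}))
}
```

Item titles that differ only in punctuation or spacing are the practical source of collisions, so distinct titles within the selected vaults avoid the ambiguity.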
Deployment Options
| Flag | Env Var | Description |
| --- | --- | --- |
| --ref, -r | GIT_REF | Git branch, tag, or commit |
| --env, -e | — | Extra env vars (KEY=value) |
You can specify --env multiple times.
Example
op-deploy run \
--local-dir ./app \
--remote-dir /srv/app \
--address example.com \
--user deploy \
--vault production \
--env APP_ENV=production \
--ref main
How It Works
- Connects to the remote host via SSH
- Loads secrets from:
  - CLI --env flags
  - Selected 1Password vaults
- Syncs the local project directory to the remote destination
- (Optional) Checks out the specified Git reference
- Runs:
  docker compose up -d
Secrets are streamed securely via stdin using --env-file /dev/stdin.
Security Notes
- Secrets are never written to disk on the remote server
- SSH keys can be sourced directly from 1Password
- Uses your system’s known_hosts file for SSH verification