run_first_once script not running before template evaluation

[peterjuras]

Describe the bug

First of all thanks for creating chezmoi, it's really amazing and my favorite dotfile manager! 🙌

I'm trying to set up my machine with chezmoi, which includes templated files that read secrets from 1Password.
Given the following setup, it does not run the script first but immediately tries to evaluate the template, which fails:

To reproduce

Repository:

- dot_aws
----> executable_credentials.tmpl
- run_first_once_+00_install_1password_cli.sh # Install 1Password CLI

Running chezmoi apply fails with:

chezmoi: template: dot_aws/executable_credentials.tmpl:2:21: executing "dot_aws/executable_credentials.tmpl" at <onepasswordRead "op://XXX/XXXX/XXXX">: error calling onepasswordRead: op signin --raw: exec: "op": executable file not found in $PATH

Expected behavior

The script should run first, even before any template is read or evaluated.

Output of command with the --verbose flag

$ chezmoi --verbose apply
chezmoi: template: dot_aws/executable_credentials.tmpl:2:21: executing "dot_aws/executable_credentials.tmpl" at <onepasswordRead "op://XXX/XXXX/XXXX">: error calling onepasswordRead: op signin --raw: exec: "op": executable file not found in $PATH

Output of chezmoi doctor

$ chezmoi doctor
RESULT    CHECK                MESSAGE
ok        version              v2.21.1, commit 9f207f4f92429377387177d07e2eb55dcbc5ded5, built at 2022-08-29T21:16:43Z, built by goreleaser
ok        latest-version       v2.21.1
ok        os-arch              linux/amd64 (Ubuntu 22.04.1 LTS (Jammy Jellyfish))
ok        uname                Linux Peters-SurfacePro8 5.15.57.1-microsoft-standard-WSL2 #1 SMP Wed Jul 27 02:20:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
ok        go-version           go1.19 (gc)
ok        executable           /usr/bin/chezmoi
ok        upgrade-method       sudo-upgrade-package
ok        config-file          ~/.config/chezmoi/chezmoi.toml, last modified 2022-08-30T06:34:02+02:00
warning   source-dir           ~/.local/share/chezmoi is a git working tree (dirty)
ok        suspicious-entries   no suspicious entries
warning   working-tree         ~/.local/share/chezmoi is a git working tree (dirty)
ok        dest-dir             ~ is a directory
ok        shell-command        found /bin/zsh
ok        shell-args           /bin/zsh
ok        cd-command           found /bin/zsh
ok        cd-args              /bin/zsh
ok        edit-command         found /usr/bin/vi
ok        edit-args            /usr/bin/vi
info      diff-command         not set
ok        umask                022
ok        git-command          found /usr/bin/git, version 2.34.1
ok        merge-command        found /usr/bin/vimdiff
info      age-command          age not found in $PATH
ok        gpg-command          found /usr/bin/gpg, version 2.2.27
info      pinentry-command     not set
info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keeper-command       keeper not found in $PATH
info      keepassxc-db         not set
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set

[twpayne]

Thanks for the kind words :)

The script is failing because the 1Password CLI (op) is not found. What's the output of the following command?

$ which op

[twpayne]

Note that chezmoi can't find op. In the output of chezmoi doctor there is the line:

info      1password-command    op not found in $PATH

[peterjuras]

Thanks for the quick support!

Yes that's the issue, the script is actually not run yet, but the template is already evaluated. The command op would be installed by the run_first_once_... script, it's a chicken and egg problem.

This is related to #664, my understanding would be that we can have initialization scripts that install dependencies (like a password manager) before anything else happens.

[bradenhilton]

run_first_once_ isn't a valid attribute prefix. This evaluates to a run_ script named first_once_00_install_1password_cli.sh.

You can make the script run first by prepending characters (00 in your case) to its name so it comes first when entries (minus their attributes) are sorted alphabetically: run_once_00_install_1password_cli.sh. This evaluates to a run_once_ script named 00_install_1password_cli.sh.

If you are installing a dependency, you can also add the before attribute: run_once_before_00_install_1password_cli.sh.

Sources: One, Two

[twpayne]

Thank you so much @bradenhilton ! I'd totally missed the first_ / before_ attribute mix up.

#2316 adds a test for the issue reported here, verifying that it works.

[peterjuras]

Thanks! run_once_before worked. It might be worth updating the script docs, the before syntax is not mentioned there.

[twpayne]

Good idea, done in 097a88c.