A template repository for employee workstation configuration management. Native macOS menu bar apps that keep configurations up to date via 1Password integration.
This repository provides a complete system for automatically distributing and maintaining configurations (AWS CLI, SSH, etc.) across employee MacBooks. Key features:
- Native macOS Apps: Menu bar apps built in Swift, compiled locally
- Automatic Sync: Configuration syncs daily at 8:00 AM Central
- Self-Updating: Apps check for updates and can update themselves from source
- 1Password Integration: Credentials fetched securely on-demand
- Network-Aware: Skips sync when offline, resumes when connected
- Notifications: Alerts for sync failures and available updates
- Launch at Login: Optional automatic startup
| Tool | Status |
|---|---|
| AWS | Ready |
| SSH | Coming soon |
This is a template repository. To use it for your organization:
Fork or use this repository as a template to create your own copy.
Edit docs/config.json with your organization's values:
```json
{
  "branding": {
    "orgName": "YourCompany",
    "appName": "YourCompany Config Sync",
    "appNameShort": "Config Sync",
    "bundleId": "com.yourcompany.config-sync",
    "domain": "config.yourcompany.com",
    "localDir": ".yourcompany",
    "tagline": "AWS Config Sync • Powered by 1Password",
    "asciiLogo": [
      "Line 1 of your ASCII art...",
      "Line 2...",
      "..."
    ]
  },
  "github": {
    "owner": "your-github-org",
    "repo": "your-repo-name"
  },
  "onepassword": {
    "account": "yourcompany.1password.com"
  }
}
```

Edit docs/CNAME with your custom domain:

```
config.yourcompany.com
```
Edit docs/aws/aws-config with your AWS profiles and 1Password item references.
In your repository Settings → Pages:
- Source: GitHub Actions (not "Deploy from branch")
- Custom domain: `config.yourcompany.com`

Point your domain to GitHub Pages:

```
config.yourcompany.com CNAME your-github-org.github.io
```
All setup scripts require:
- 1Password desktop app installed
- 1Password CLI integration enabled:
  - Open 1Password → Settings → Developer
  - Enable "Integrate with 1Password CLI"
- Automation permission for 1Password (one-time approval):
  - When you see "op would like to access data from other apps", click Allow
Each tool follows the same pattern:
- Setup — One-time install via curl command
  - Downloads Swift source files
  - Compiles natively on your machine
  - Creates menu bar app bundle
  - Launches and runs initial sync
- Sync — Menu bar app syncs daily (or manually via menu)
  - Downloads latest config template
  - Substitutes values from 1Password
  - Deploys to appropriate location
- Updates — App checks for updates every 6 hours
  - Notifies when update available
  - Downloads new source, compiles, restarts automatically
  - Maintains "compile from source" trust model
- Credentials — Fetched from 1Password on demand
  - Never stored on disk
  - MFA codes retrieved automatically
```
docs/                          # Served via GitHub Pages
├── index.html                 # Landing page
├── CNAME                      # Custom domain config
├── config.json                # Centralized branding configuration (single source of truth)
└── [tool]/                    # Each tool has its own directory
    ├── README.md              # Tool-specific documentation
    ├── index.html.template    # Setup script template (processed by GitHub Actions)
    ├── *.swift                # Swift source files (compiled during setup)
    └── *.icns, *.png          # App and menu bar icons
.github/workflows/
└── deploy.yml                 # Processes templates, generates demo, deploys to GitHub Pages
```
GitHub Actions (deploy.yml) automatically processes templates before deployment:
- Reads `config.json` for all branding values
- Replaces `{{PLACEHOLDER}}` tokens in `*.template` files
- Generates final HTML files
- Deploys to GitHub Pages
This means you only need to edit config.json — the setup scripts are automatically branded for your organization.
| Placeholder | Source | Description |
|---|---|---|
| `{{ORG_NAME}}` | `config.json` | Your organization name |
| `{{DOMAIN}}` | `config.json` | Your domain |
| `{{GITHUB_OWNER}}` | `config.json` | Your GitHub org |
| `{{GITHUB_REPO}}` | `config.json` | Your repo name |
| `{{ASCII_LOGO_LINE_XX}}` | `config.json` | Your ASCII art logo (lines 01-12) |
| `{{TAGLINE}}` | `config.json` | Your tagline |
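
The substitution step described above, written as an added example (it is not the repository's deploy.yml): it maps config.json fields to the placeholder names in the table and, because the rendered output is a setup script that users run, rejects values that are not plain identifiers and fails on any unresolved token. The allow-list, the assumption that values land inside a shell script, and the sample config and template line are constructed for illustration.

```python
import json
import re

# Assumption: rendered values land inside a shell setup script that users fetch
# with curl, so identifiers get a strict allow-list and display text may not
# contain shell-active or control characters.
IDENT = re.compile(r"[A-Za-z0-9._-]+")
UNSAFE_TEXT = re.compile(r'[`$"\\\x00-\x1f\x7f]')
TOKEN = re.compile(r"\{\{([A-Z0-9_]+)\}\}")
LOGO_LINES = 12  # README: logo is 12 lines, padded with empty strings


def build_values(config):
    """Map config.json fields to the placeholder names from the README table."""
    b, g = config["branding"], config["github"]
    idents = {"DOMAIN": b["domain"], "GITHUB_OWNER": g["owner"], "GITHUB_REPO": g["repo"]}
    for name, value in idents.items():
        if not IDENT.fullmatch(value):
            raise ValueError(f"{name}: not a plain identifier: {value!r}")
    logo = list(b["asciiLogo"])
    if len(logo) > LOGO_LINES:
        raise ValueError(f"asciiLogo has {len(logo)} lines, limit is {LOGO_LINES}")
    logo += [""] * (LOGO_LINES - len(logo))
    text = {"ORG_NAME": b["orgName"], "TAGLINE": b["tagline"]}
    text.update({f"ASCII_LOGO_LINE_{i:02d}": s for i, s in enumerate(logo, 1)})
    for name, value in text.items():
        if UNSAFE_TEXT.search(value):
            raise ValueError(f"{name}: shell-active or control character in {value!r}")
    return {**idents, **text}


def render(template, values):
    """Single-pass substitution; an unknown token aborts instead of shipping."""
    def sub(match):
        if match.group(1) not in values:
            raise KeyError(f"unresolved placeholder {match.group(0)}")
        return values[match.group(1)]
    return TOKEN.sub(sub, template)


# Constructed sample input, shaped like docs/config.json.
SAMPLE_CONFIG = json.loads("""{
  "branding": {"orgName": "YourCompany", "domain": "config.yourcompany.com",
               "tagline": "AWS Config Sync • Powered by 1Password",
               "asciiLogo": ["line one", "line two"]},
  "github": {"owner": "your-github-org", "repo": "your-repo-name"}
}""")
# Constructed template line, not taken from the project's index.html.template.
SAMPLE_TEMPLATE = 'REPO="{{GITHUB_OWNER}}/{{GITHUB_REPO}}"  # {{ASCII_LOGO_LINE_03}}'
```

Because `re.sub` makes a single pass, a config value that itself contains `{{...}}` is emitted literally and never expanded a second time.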
| File | What to change |
|---|---|
| `docs/config.json` | All branding values including ASCII logo (required) |
| `docs/CNAME` | Your custom domain (required) |
| `docs/aws/aws-config` | Your AWS profiles and 1Password items |
| `docs/aws/AppIcon.icns` | Your app icon |
| `docs/aws/MenuBarIcon.png` | Your menu bar icon |
- Go to patorjk.com/software/taag
- Enter your organization name
- Select the "ANSI Shadow" font
- Copy each line into the `asciiLogo` array in `config.json`
- The logo should be 12 lines (pad with empty strings if needed)
- Make changes to Swift source files
- Commit with descriptive message
- Push to main
- GitHub Actions deploys updated files to GitHub Pages
- Users receive update notification within 6 hours (apps check for source changes via `gh api`)
See SECURITY.md for:
- Branch protection setup
- Trust model and incident response
- Self-update security considerations
- AWS Configuration
- SSH Configuration (coming soon)
- 1Password Credential Standard
