A hacky proof of concept for getting 1Password and its browser extension working on KDE Linux (an immutable Arch-based distro) with Flatpak browsers.
Immutable distros make /opt, /usr/bin, and /usr/share read-only, which breaks 1Password's default installation assumptions. These scripts work around those constraints by installing to user-writable paths while preserving the root-ownership requirements that 1Password's browser extension verification demands.
A modified version of 1Password's official post-install script adapted for immutable distros. Key changes from the upstream script:
- Installs to
~/.local/share/1password/instead of/opt/1Password/ - Places the polkit policy in
/etc/polkit-1/actions/(writable via overlayfs) instead of/usr/share/polkit-1/actions/ - Symlinks the binary to
~/.local/bin/instead of/usr/local/bin/ - Installs desktop file and icons to
~/.local/share/instead of/usr/share/
Based on the official 1Password Linux install instructions: https://support.1password.com/install-linux/
Usage:
# First, extract the 1Password tarball:
mkdir -p ~/.local/share/1password
tar xzf 1password-*.tar.gz -C ~/.local/share/1password --strip-components=1
# Then run the post-install script:
sudo ./after-install-immutable.shSets up the native messaging host so the 1Password browser extension can communicate with the desktop app through Flatpak's sandbox. It creates a wrapper script that uses flatpak-spawn --host to bridge the sandbox boundary and configures the browser to use it.
Modified from FlyinPancake/1password-flatpak-browser-integration.
Usage:
# Run AFTER after-install-immutable.sh, as your normal user (not root):
./1password-flatpak-browser-integration.shThere are better ways to run 1Password on KDE Linux:
| Method | System Auth | Browser Extension | SSH Agent |
|---|---|---|---|
| Distrobox | Yes | Yes (if browser is in the same container) | Yes |
| Nix | No | No | Yes |
| Flatpak | No | No | No |
Distrobox is likely the best option, as it supports system authentication, browser integration (when the browser runs in the same container), and SSH agents. Nix supports SSH agents but may require additional work for other features. The 1Password Flatpak doesn't support any of these out of the box.
- ublue-os/homebrew-tap - How other immutable OSes (Universal Blue) approach this problem