feat: add 1password module under bpmct namespace (#824)

Adds a 1Password module under the `bpmct` namespace.

## What it does

Installs the [1Password CLI](https://developer.1password.com/docs/cli/)
(`op`) into Coder workspaces at startup. Two auth paths:

- **Service account token** — set `service_account_token` and
`OP_SERVICE_ACCOUNT_TOKEN` is injected automatically. Fully headless.
- **Personal account** — set `account_address`, `account_email`,
`account_secret_key` to pre-register the account. User runs `op signin`
in their terminal.

Optionally installs the [1Password VS Code
extension](https://marketplace.visualstudio.com/items?itemName=1Password.op-vscode)
(`1Password.op-vscode`) for code-server and VS Code with
`install_vscode_extension = true`.

Supports `pre_install_script` and `post_install_script` for custom
orchestration.

## What's included

- `registry/bpmct/` — new namespace (Ben Potter, community)
- `registry/bpmct/modules/1password/` — the module (`main.tf`, `run.sh`,
`README.md`)
- `.icons/1password.svg` — 1Password logo from Simple Icons

## Tested

Spun up a dev Coder instance, pushed the template with a real 1Password
service account token, created a workspace, and confirmed:

- `op` CLI installs and authenticates
- `op vault list` returns vaults
- `1Password.op-vscode` extension installs in code-server

---------

Co-authored-by: DevCats <christofer@coder.com>

Author: bpmct

.icons/1password.svg

@@ -0,0 +1,11 @@
+---
+display_name: Ben Potter
+bio: Tinkerer and Product Manager at Coder
+github: bpmct
+avatar: ./.images/avatar.png
+status: community
+---
+
+# Ben Potter
+
+Tinkerer and Product Manager at Coder. Building modules to make dev environments better.

registry/bpmct/.images/avatar.png

@@ -0,0 +1,95 @@
+---
+display_name: "1Password"
+description: "Install the 1Password CLI and VS Code extension in your Coder workspace"
+icon: ../../../../.icons/1password.svg
+verified: false
+tags: [integration, 1password, secrets]
+---
+
+# 1Password
+
+Install the [1Password CLI](https://developer.1password.com/docs/cli/)
+(`op`) in your Coder workspace and optionally authenticate with a service
+account token. Can also install the
+[1Password VS Code extension](https://marketplace.visualstudio.com/items?itemName=1Password.op-vscode)
+for code-server and VS Code.
+
+```tf
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.0"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+}
+```
+
+## Authentication
+
+### Service Account (recommended)
+
+Create a [1Password service account](https://developer.1password.com/docs/service-accounts/get-started/)
+and pass the token as a Terraform variable. The module sets
+`OP_SERVICE_ACCOUNT_TOKEN` in the workspace so `op` commands work
+immediately.
+
+```tf
+variable "op_service_account_token" {
+  type      = string
+  sensitive = true
+}
+
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.0"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+}
+```
+
+### Personal Account
+
+Pass your account details and the module will pre-register the account.
+You'll be prompted for your password when you run `op signin` in the
+terminal.
+
+```tf
+module "onepassword" {
+  source             = "registry.coder.com/bpmct/onepassword/coder"
+  version            = "1.0.0"
+  agent_id           = coder_agent.main.id
+  account_address    = "myteam.1password.com"
+  account_email      = "you@example.com"
+  account_secret_key = var.op_secret_key
+}
+```
+
+## VS Code Extension
+
+Set `install_vscode_extension = true` to install the 1Password extension
+for code-server and VS Code.
+
+```tf
+module "onepassword" {
+  source                   = "registry.coder.com/bpmct/onepassword/coder"
+  version                  = "1.0.0"
+  agent_id                 = coder_agent.main.id
+  service_account_token    = var.op_service_account_token
+  install_vscode_extension = true
+}
+```
+
+## Custom Scripts
+
+Run custom logic before or after the CLI is installed.
+
+```tf
+module "onepassword" {
+  source                = "registry.coder.com/bpmct/onepassword/coder"
+  version               = "1.0.0"
+  agent_id              = coder_agent.main.id
+  service_account_token = var.op_service_account_token
+  post_install_script   = <<-EOT
+    op read "op://Vault/item/field" > ~/.secret
+  EOT
+}
+```

registry/bpmct/README.md

@@ -0,0 +1,112 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.17"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+variable "service_account_token" {
+  type        = string
+  description = "A 1Password service account token. If set, account-based sign-in is skipped."
+  default     = ""
+  sensitive   = true
+}
+
+variable "account_address" {
+  type        = string
+  description = "The 1Password account sign-in address (e.g. myteam.1password.com)."
+  default     = ""
+}
+
+variable "account_email" {
+  type        = string
+  description = "The email address for the 1Password account."
+  default     = ""
+}
+
+variable "account_secret_key" {
+  type        = string
+  description = "The Secret Key for the 1Password account."
+  default     = ""
+  sensitive   = true
+}
+
+variable "install_dir" {
+  type        = string
+  description = "The directory to install the 1Password CLI to."
+  default     = "/usr/local/bin"
+}
+
+variable "op_cli_version" {
+  type        = string
+  description = "The version of the 1Password CLI to install."
+  default     = "latest"
+  validation {
+    condition     = var.op_cli_version == "latest" || can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.op_cli_version))
+    error_message = "op_cli_version must be either 'latest' or a semantic version (e.g., '2.30.0')."
+  }
+}
+
+variable "install_vscode_extension" {
+  type        = bool
+  description = "Install the 1Password VS Code extension for both VS Code and code-server."
+  default     = false
+}
+
+variable "pre_install_script" {
+  type        = string
+  description = "Custom script to run before installing the 1Password CLI."
+  default     = null
+}
+
+variable "post_install_script" {
+  type        = string
+  description = "Custom script to run after installing the 1Password CLI."
+  default     = null
+}
+
+data "coder_parameter" "account_password" {
+  count        = var.account_address != "" && var.service_account_token == "" ? 1 : 0
+  type         = "string"
+  name         = "op_account_password"
+  display_name = "1Password Account Password"
+  description  = "Your 1Password account password. Used to sign in to the CLI."
+  mutable      = true
+  default      = ""
+}
+
+resource "coder_script" "1password" {
+  agent_id     = var.agent_id
+  display_name = "1Password CLI"
+  icon         = "/icon/1password.svg"
+  script = templatefile("${path.module}/run.sh", {
+    SERVICE_ACCOUNT_TOKEN    = var.service_account_token
+    ACCOUNT_ADDRESS          = var.account_address
+    ACCOUNT_EMAIL            = var.account_email
+    ACCOUNT_SECRET_KEY       = var.account_secret_key
+    ACCOUNT_PASSWORD         = var.account_address != "" && var.service_account_token == "" ? data.coder_parameter.account_password[0].value : ""
+    INSTALL_DIR              = var.install_dir
+    OP_CLI_VERSION           = var.op_cli_version
+    INSTALL_VSCODE_EXTENSION = var.install_vscode_extension
+    PRE_INSTALL_SCRIPT       = var.pre_install_script != null ? base64encode(var.pre_install_script) : ""
+    POST_INSTALL_SCRIPT      = var.post_install_script != null ? base64encode(var.post_install_script) : ""
+  })
+  run_on_start       = true
+  start_blocks_login = true
+}
+
+resource "coder_env" "op_service_account_token" {
+  count    = var.service_account_token != "" ? 1 : 0
+  agent_id = var.agent_id
+  name     = "OP_SERVICE_ACCOUNT_TOKEN"
+  value    = var.service_account_token
+}