diff --git a/config/ansible/tasks/global/global.yml b/config/ansible/tasks/global/global.yml index 51fccb6..aa1f313 100644 --- a/config/ansible/tasks/global/global.yml +++ b/config/ansible/tasks/global/global.yml @@ -26,6 +26,10 @@ ansible.builtin.import_tasks: tasks/global/openssh-server.yml become: true +- name: Include 1Password tasks + ansible.builtin.import_tasks: tasks/global/onepassword.yml + become: true + - name: Ensure common packages are installed ansible.builtin.package: name: diff --git a/config/ansible/tasks/global/onepassword.yml b/config/ansible/tasks/global/onepassword.yml new file mode 100644 index 0000000..d7cf69e --- /dev/null +++ b/config/ansible/tasks/global/onepassword.yml 
@@ -0,0 +1,56 @@
+---
+- name: Install 1Password CLI
+ block:
+ - name: Add 1Password GPG key
+ ansible.builtin.get_url:
+ url: https://downloads.1password.com/linux/keys/1password.asc
+ dest: /tmp/1password.asc
+ mode: '0644'
+
+ - name: Import 1Password GPG key
+ ansible.builtin.shell: cat /tmp/1password.asc | gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg
+ args:
+ creates: /usr/share/keyrings/1password-archive-keyring.gpg
+ become: true
+
+ - name: Add 1Password repository
+ ansible.builtin.apt_repository:
+ repo: deb [arch={{ ansible_architecture }} signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/{{ ansible_architecture }} stable main
+ filename: 1password
+ state: present
+ become: true
+
+ - name: Create debsig policies directory
+ ansible.builtin.file:
+ path: /etc/debsig/policies/AC2D62742012EA22/
+ state: directory
+ mode: '0755'
+ become: true
+
+ - name: Download and install 1Password policy file
+ ansible.builtin.get_url:
+ url: https://downloads.1password.com/linux/debian/debsig/1password.pol
+ dest: /etc/debsig/policies/AC2D62742012EA22/1password.pol
+ mode: '0644'
+ become: true
+
+ - name: Create debsig keyrings directory
+ ansible.builtin.file:
+ path: /usr/share/debsig/keyrings/AC2D62742012EA22
+ state: directory
+ mode: '0755'
+ become: true
+
+ - name: Download and install debsig GPG key
+ ansible.builtin.shell: curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg
+ args:
+ creates: /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg
+ become: true
+
+ - name: Install 1Password CLI
+ ansible.builtin.apt:
+ name: 1password-cli
+ state: present
+ update_cache: true
+ become: true
+ when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
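Review bot: The key that becomes the apt trust anchor is staged at `/tmp/1password.asc`, a predictable path in a world-writable directory, and the `get_url` task sets no `checksum`; by default `get_url` keeps an existing destination file, so whatever is already at that path is what "Import 1Password GPG key" dearmors. The "Download and install debsig GPG key" task fetches the key a second time with `curl -sS … | gpg --dearmor` and no `pipefail`, so a failed download may leave an empty `debsig.gpg` that `creates:` then treats as done. I would download once to a root-owned path with a pinned checksum, dearmor from that file with `ansible.builtin.command`, and copy the resulting keyring for debsig, as sketched below. Separately, `ansible_architecture` typically reports `x86_64`/`aarch64` while Debian repositories are keyed by `amd64`/`arm64`, so the `repo:` line is worth checking on a real host.

```yaml
    - name: Add 1Password GPG key
      ansible.builtin.get_url:
        url: https://downloads.1password.com/linux/keys/1password.asc
        dest: /usr/share/keyrings/1password.asc
        # placeholder: pin the digest of the key you have reviewed
        checksum: "sha256:<PINNED_SHA256_OF_1PASSWORD_ASC>"
        owner: root
        group: root
        mode: '0644'

    - name: Import 1Password GPG key
      ansible.builtin.command:
        argv:
          - gpg
          - --dearmor
          - --output
          - /usr/share/keyrings/1password-archive-keyring.gpg
          - /usr/share/keyrings/1password.asc
        creates: /usr/share/keyrings/1password-archive-keyring.gpg

    # … unchanged: repository, debsig policy and directory tasks …

    - name: Download and install debsig GPG key
      ansible.builtin.copy:
        src: /usr/share/keyrings/1password-archive-keyring.gpg
        dest: /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg
        remote_src: true
        owner: root
        group: root
        mode: '0644'
```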