diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 05dcf6fbacf..8e3a0f401f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,8 @@
 name: Build and Push Image
 on:
 push:
- schedule:
- - cron: '15 09 * * *' # 9:15am everyday
+# schedule:
+# - cron: '15 09 * * *' # 9:15am everyday
 merge_group:
 pull_request:
 workflow_dispatch:
diff --git a/scripts/1password.sh b/scripts/1password.sh
index 92d2f83cce7..39e37c60126 100755
--- a/scripts/1password.sh
+++ b/scripts/1password.sh
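Review bot: Commenting out `schedule:` instead of deleting it leaves dead configuration under `on:` with nothing recording why the 9:15 nightly build was turned off or when it should return; either remove the two lines or put a one-line reason above them, e.g. `# Nightly build disabled: <reason / issue link>; re-enable once resolved`. With this trigger gone the image is rebuilt only on push, merge_group, pull_request and manual dispatch, so anything fetched at build time from a "-latest" URL (the sibling scripts/1password.sh change in this commit installs `1password-latest.rpm`) will no longer be refreshed automatically. That presumably matters if the published image is expected to keep pace with upstream fixes, so the commit description should say whether this is a temporary pause or a permanent change.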
@@ -3,53 +3,83 @@ set -e
 echo "Installing 1Password"
-#cd /usr/lib
-#wget -qO- https://downloads.1password.com/linux/tar/stable/x86_64/1password-latest.tar.gz | tar -zxv
-#ln -s 1Password 1password-*
-mkdir /var/opt # temporary storage, will not end up in ostree
-rpm-ostree install https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm
+# On libostree systems, /opt is a symlink to /var/opt,
+# which actually only exists on the live system. /var is
+# a separate mutable, stateful FS that's overlaid onto
+# the ostree rootfs. Therefore we need to install it into
+# /usr/lib/1Password instead, and dynamically create a
+# symbolic link /opt/1Password => /usr/lib/1Password upon
+# boot.
-mv /var/opt/1Password /usr/lib/1Password
+ONEPASSWORD_RPM='https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm'
-#create symlink /usr/bin/1password pointing to /opt/1Password/1password
+# Prepare staging directory
+mkdir -p /var/opt # -p just in case it exists
+# for some reason...
+
+# Now let's install the package.
+rpm-ostree install "${ONEPASSWORD_RPM}"
+
+# And then we do the hacky dance!
+mv /var/opt/1Password /usr/lib/1Password # move this over here
+
+# Create a symlink /usr/bin/1password => /opt/1Password/1password
 rm /usr/bin/1password
 ln -s /opt/1Password/1password /usr/bin/1password
-# hacked from 1password-latest.tar.gz//after-install.sh
+#####
+# The following is a bastardization of "after-install.sh"
+# which is normally packaged with 1password. You can compare with
+# /usr/lib/1Password/after-install.sh if you want to see.
 cd /usr/lib/1Password
+
 # chrome-sandbox requires the setuid bit to be specifically set.
 # See https://github.com/electron/electron/issues/17972
 chmod 4755 /usr/lib/1Password/chrome-sandbox
-GROUP_NAME="onepassword"
-GID_OP="1500"
-GID_OPCLI="1600"
-
-# Setup the Core App Integration helper binary with the correct permissions and group
-# if [ ! 
"$(getent group "${GROUP_NAME}")" ]; then
-# # GID must be > 1000, and I'd prefer GID > highest user GID
-# groupadd -K GID_MIN=1500 "${GROUP_NAME}"
-# fi
+# Normally, after-install.sh would create a group,
+# "onepassword", right about now. But if we do that during
+# the ostree build it'll disappear from the running system!
+# I'm going to work around that by hardcoding GIDs and
+# crossing my fingers that nothing else steps on them.
+# These numbers _should_ be okay under normal use, but
+# if there's a more specific range that I should use here
+# please submit a PR!
+
+# Specifically, GID must be > 1000, and absolutely must not
+# conflict with any real groups on the deployed system.
+# Normal user group GIDs on Fedora are sequential starting
+# at 1000, so let's skip ahead and set to something higher.
+GID_ONEPASSWORD="1500"
+GID_ONEPASSWORDCLI="1600"
 HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper"
 BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport"
-chgrp -R "${GID_OP}" /usr/lib/1Password
+# Setup the Core App Integration helper binaries with the correct permissions and group
+chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}"
 # The binary requires setuid so it may interact with the Kernel keyring facilities
-chmod u+s $HELPER_PATH
-chmod g+s $HELPER_PATH
+chmod u+s "${HELPER_PATH}"
+chmod g+s "${HELPER_PATH}"
-# This gives no extra permissions to the binary. It only hardens it against environmental tampering.
-chgrp "${GID_OP}" $BROWSER_SUPPORT_PATH
-chmod g+s $BROWSER_SUPPORT_PATH
+# BrowserSupport binary needs setgid. This gives no extra permissions to the binary.
+# It only hardens it against environmental tampering.
+chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}"
+chmod g+s "${BROWSER_SUPPORT_PATH}"
-# Restore previous directory
-cd "$CWD"
+# Dynamically create the required group via sysusers.d
+# and set the GID based on the files we just chgrp'd
+cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/tmpfiles.d/onepassword.conf </usr/lib/sysusers.d/onepassword.conf <