authorWilliam Carroll <wpcarro@gmail.com>2020-08-20T17·31+0100
committerWilliam Carroll <wpcarro@gmail.com>2020-08-20T17·31+0100
commit17c68d654ba7c4f01b730ceb804bdfa16c041174 (patch)
tree99984df70daf27730b2bf7cbbaf99c58e1e3e98f
parent392832a1ca492041bf9af4223b7049580e104bf3 (diff)
Prefer reading secrets.json to using pass show
I'm attempting to maintain a top-level secrets.json that defines all of the
sensitive data that I'd like to version-control without exposing everything in
cleartext to the world. To that end, I'm using `git secret`, which will use
`gpg` to encrypt secrets.json every time I call `git secret hide` and decrypt
it every time I call `git secret reveal`.

I'm going to try this until I don't like it anymore... if that day comes...

I should write a blog post about my setup to solicit useful feedback and share
my ideas with others.
-rw-r--r--.gitsecret/paths/mapping.cfg2
-rw-r--r--secrets.json.secretbin631 -> 1142 bytes
-rw-r--r--tools/monzo_ynab/.envrc10
-rw-r--r--website/sandbox/contentful/.envrc4
-rw-r--r--website/sandbox/learnpianochords/src/server/.envrc6
5 files changed, 14 insertions, 8 deletions
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
index 2f89bb552ee8..fda2c84fb3d8 100644
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@@ -1 +1 @@
-secrets.json:9e05ae88de0df720ecc712b8e6bded3301bfd890cd13d0fb34d83bd37d14b594
+secrets.json:7d596a3ed16403040d89dd7e033a2af58e7aaabb6f246f44751b80a1863a2949
diff --git a/secrets.json.secret b/secrets.json.secret
index 9c3883238d85..d4c02bf69365 100644
--- a/secrets.json.secret
+++ b/secrets.json.secret
Binary files differ
diff --git a/tools/monzo_ynab/.envrc b/tools/monzo_ynab/.envrc
index 9b234477352d..f368d0b7e813 100644
--- a/tools/monzo_ynab/.envrc
+++ b/tools/monzo_ynab/.envrc
@@ -1,8 +1,8 @@
 source_up
 use_nix
-export monzo_client_id="$(pass show finance/monzo/client-id)"
-export monzo_client_secret="$(pass show finance/monzo/client-secret)"
-export ynab_personal_access_token="$(pass show finance/youneedabudget.com/personal-access-token)"
-export ynab_account_id="$(pass show finance/youneedabudget.com/personal-access-token)"
-export ynab_budget_id="$(pass show finance/youneedabudget.com/budget-id)"
+export monzo_client_id="$(jq -j '.monzo | .clientId' < ~/briefcase/secrets.json)"
+export monzo_client_secret="$(jq -j '.monzo | .clientSecret' < ~/briefcase/secrets.json)"
+export ynab_personal_access_token="$(jq -j '.ynab | .personalAccessToken' < ~/briefcase/secrets.json)"
+export ynab_account_id="$(jq -j '.ynab | .accountId' < ~/briefcase/secrets.json)"
+export ynab_budget_id="$(jq -j '.ynab | .budgetId' < ~/briefcase/secrets.json)"
 export store_path="$(pwd)"
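Review bot: The new `jq -j` lookups fail silently. If `~/briefcase/secrets.json` is absent (for example before `git secret reveal` has been run) each variable is exported empty, and if a key is missing or misspelled jq prints the literal string `null`, which is then exported as the credential. `export name="$(…)"` also discards the exit status of the substitution. Consider `jq -er` with the assignment split from the export, e.g. `monzo_client_id="$(jq -er '.monzo.clientId' < ~/briefcase/secrets.json)" || exit 1` followed by `export monzo_client_id`, so that direnv reports the failure instead of loading a broken environment. The same applies to the lookups in website/sandbox/contentful/.envrc and website/sandbox/learnpianochords/src/server/.envrc.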
diff --git a/website/sandbox/contentful/.envrc b/website/sandbox/contentful/.envrc
index 98e1d2c821f9..848d74e8b5e6 100644
--- a/website/sandbox/contentful/.envrc
+++ b/website/sandbox/contentful/.envrc
@@ -1,4 +1,4 @@
 source_up
 use_nix
-export CONTENTFUL_SPACE_ID="$(pass show programming/contentful/space-id)"
-export CONTENTFUL_ACCESS_TOKEN="$(pass show programming/contentful/access-token)"
+export CONTENTFUL_SPACE_ID="$(jq -j '.contentful | .spaceId' < ~/briefcase/secrets.json)"
+export CONTENTFUL_ACCESS_TOKEN="$(jq -j '.contentful | .accessToken' < ~/briefcase/secrets.json)"
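Review bot: The secrets path is hard-coded as `~/briefcase/secrets.json` on every added line here and in the other two .envrc files, so a checkout at any other location reads whatever copy happens to sit in the home directory rather than the one belonging to this working tree. Resolving it once from the repository keeps the lookup tied to the checkout, e.g. `secrets_json="$(git rev-parse --show-toplevel)/secrets.json"` and then `jq … < "$secrets_json"`. That also removes the repeated literal, which makes a later rename of the file a one-line change.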
diff --git a/website/sandbox/learnpianochords/src/server/.envrc b/website/sandbox/learnpianochords/src/server/.envrc
new file mode 100644
index 000000000000..db08eac38e8e
--- /dev/null
+++ b/website/sandbox/learnpianochords/src/server/.envrc
@@ -0,0 +1,6 @@
+source_up
+use_nix
+export SERVER_PORT=3000
+export CLIENT_PORT=8000
+export GOOGLE_CLIENT_ID="$(jq -j '.google | .clientId' < ~/briefcase/secrets.json)"
+export STRIPE_API_KEY="$(jq -j '.stripe | .apiKey' < ~/briefcase/secrets.json)"
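Review bot: `STRIPE_API_KEY` is read from a cleartext `secrets.json` that stays on disk after `git secret reveal`, whereas the `pass show` calls this commit replaces in the other .envrc files decrypted each value on demand. Nothing in this commit shows how the revealed file is protected, so it is worth confirming that `secrets.json` is listed in `.gitignore` and is readable only by its owner (`chmod 600 ~/briefcase/secrets.json`). If keeping the cleartext off disk matters, `git secret cat secrets.json | jq -er '.stripe.apiKey'` decrypts to stdout instead; it presumably has to be run from inside the repository.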