Prefer reading secrets.json to using pass show

I'm attempting to maintain a top-level secrets.json that defines all of the
sensitive data that I'd like to version-control without exposing everything in
cleartext to the world. To that end, I'm using `git secret`, which will use
`gpg` to encrypt secrets.json everytime I call `git secret hide` and decrypt
everytime I call `git secret reveal`.

I'm going to try this until I don't like it anymore... if that day comes...

I should write a blog post about my setup to solicit useful feedback and share
my ideas with others.
This commit is contained in:
William Carroll 2020-08-20 18:31:37 +01:00
parent 392832a1ca
commit 17c68d654b
5 changed files with 14 additions and 8 deletions

View file

@ -1 +1 @@
secrets.json:9e05ae88de0df720ecc712b8e6bded3301bfd890cd13d0fb34d83bd37d14b594
secrets.json:7d596a3ed16403040d89dd7e033a2af58e7aaabb6f246f44751b80a1863a2949

Binary file not shown.

View file

@ -1,8 +1,8 @@
source_up
use_nix
export monzo_client_id="$(pass show finance/monzo/client-id)"
export monzo_client_secret="$(pass show finance/monzo/client-secret)"
export ynab_personal_access_token="$(pass show finance/youneedabudget.com/personal-access-token)"
export ynab_account_id="$(pass show finance/youneedabudget.com/personal-access-token)"
export ynab_budget_id="$(pass show finance/youneedabudget.com/budget-id)"
export monzo_client_id="$(jq -j '.monzo | .clientId' < ~/briefcase/secrets.json)"
export monzo_client_secret="$(jq -j '.monzo | .clientSecret' < ~/briefcase/secrets.json)"
export ynab_personal_access_token="$(jq -j '.ynab | .personalAccessToken' < ~/briefcase/secrets.json)"
export ynab_account_id="$(jq -j '.ynab | .accountId' < ~/briefcase/secrets.json)"
export ynab_budget_id="$(jq -j '.ynab | .budgetId' < ~/briefcase/secrets.json)"
export store_path="$(pwd)"

View file

@ -1,4 +1,4 @@
source_up
use_nix
export CONTENTFUL_SPACE_ID="$(pass show programming/contentful/space-id)"
export CONTENTFUL_ACCESS_TOKEN="$(pass show programming/contentful/access-token)"
export CONTENTFUL_SPACE_ID="$(jq -j '.contentful | .spaceId' < ~/briefcase/secrets.json)"
export CONTENTFUL_ACCESS_TOKEN="$(jq -j '.contentful | .accessToken' < ~/briefcase/secrets.json)"

View file

@ -0,0 +1,6 @@
source_up
use_nix
export SERVER_PORT=3000
export CLIENT_PORT=8000
export GOOGLE_CLIENT_ID="$(jq -j '.google | .clientId' < ~/briefcase/secrets.json)"
export STRIPE_API_KEY="$(jq -j '.stripe | .apiKey' < ~/briefcase/secrets.json)"