Secret environment variables with Hermit and 1Password
This post is a quick TIL (sidenote: “Today I Learned”) for posterity.
I’m building a
(sidenote: It’s called FeedSync, and it solves a very niche problem: subscribing to RSS feeds, and piping new entries into Discord.
I’d love it if you tried it out ❤️), and I’m contributing from two machines: my MacBook Pro, and my Linux desktop.
The problem
- I need secrets on both machines.
- I don’t want to over-engineer by committing encrypted secrets to the git repository.
- I don’t want to store secrets somewhere like ~/.zshrc unencrypted.
The solution
Hermit initialises the environment, and 1Password injects the secrets.
In 1Password Desktop, I created a new vault called Development, a new document called FooService, a section called dev, and a
(sidenote: I used a password because it’s a secret value, but you can use other types as well.) called FOO_SECRET. The 1Password documentation goes into more detail.
In the terminal, I installed 1Password CLI, ran hermit init, and updated bin/hermit.hcl to:
env = {
  "FOO_SECRET": "op://Development/FooService/dev/FOO_SECRET"
}
My app already makes use of environment variables like FOO_SECRET, so there’s no change there.
To run my application with injected secrets on either of my machines, I can use this command:
op run -- iex -S mix phx.server
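Two failure modes are worth guarding against in this setup: a literal secret ending up in bin/hermit.hcl, which normally lives in the repository, and the app being started without op run, in which case FOO_SECRET holds the literal op:// string. The shell functions below are an added example, not part of the original post or of Hermit or 1Password; the names lint_hermit_env, unresolved_op_refs, run_resolved and sample_config are hypothetical, and the parser assumes the one-entry-per-line env block shown above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print one line per problem in a Hermit config read from stdin.
# bin/hermit.hcl lives in the repository, so only op:// references belong in it.
lint_hermit_env() {
  awk '
    /^[ \t]*env[ \t]*=[ \t]*[{]/ { in_env = 1; next }
    in_env && /^[ \t]*[}]/       { in_env = 0; next }
    in_env && split($0, q, "\"") >= 5 {
      key = q[2]; val = q[4]
      if (val ~ /^op:\/\//) {
        # Reference shape: op://vault/item/[section/]field
        n = split(substr(val, 6), seg, "/"); bad = (n < 3 || n > 4)
        for (i = 1; i <= n; i++) if (seg[i] == "") bad = 1
        if (bad) print key ": malformed secret reference"
      } else if (toupper(key) ~ /SECRET|TOKEN|PASSWORD|API_KEY/) {
        print key ": literal value for a secret-looking name"
      }
    }
  '
}

# Print names of environment variables that still hold an op:// reference,
# which is what the app sees when it is started without "op run".
unresolved_op_refs() {
  env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=op:\/\/.*/\1/p'
}

# Run a command only if every reference was resolved (fail closed).
run_resolved() {
  left=$(unresolved_op_refs)
  if [ -n "$left" ]; then
    echo "unresolved 1Password references:" $left >&2
    return 1
  fi
  "$@"
}

# Constructed sample input: one valid reference, one literal, one malformed.
sample_config() {
  cat <<'EOF'
env = {
  "FOO_SECRET": "op://Development/FooService/dev/FOO_SECRET"
  "API_TOKEN": "constructed-literal-value"
  "BAR_SECRET": "op://Development/FooService"
}
EOF
}
```

With the functions saved in a hypothetical guard.sh, lint_hermit_env < bin/hermit.hcl can run before each commit, and op run -- sh -c '. ./guard.sh && run_resolved iex -S mix phx.server' refuses to start the app if a reference was left unresolved.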