Secret environment variables with Hermit and 1Password
This post is a quick (sidenote: “Today I Learned”) for posterity.
I’m building a (sidenote: It’s called FeedSync, and it solves a very niche problem: subscribing to RSS feeds, and piping new entries into Discord. I’d love it if you tried it out ❤️), and I’m contributing from two machines: my MacBook Pro, and my Linux desktop.
The problem
- I need secrets on both machines.
- I don’t want to over-engineer by committing encrypted secrets to the git repository.
- I don’t want to store secrets somewhere like ~/.zshrc unencrypted.
The solution
Hermit initialises the environment, and 1Password injects the secrets.
In 1Password Desktop, I created a new vault called Development, a new document called FooService, a section called dev, and a (sidenote: I used a password because it’s a secret value, but you can use other types as well.) called FOO_SECRET. The 1Password documentation goes into more detail.
In the terminal, I installed 1Password CLI, ran hermit init, and updated bin/hermit.hcl to:
env = {
"FOO_SECRET": "op://Development/FooService/dev/FOO_SECRET"
}
My app already makes use of environment variables like FOO_SECRET, so there’s no change there.
To run my application with injected secrets on either of my machines, I can use this command:
op run -- iex -S mix phx.server
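Because bin/hermit.hcl is committed to the repository, it is worth checking that secret-looking variables in its env block only ever hold op:// references and never a pasted value. The following is an added example, not code from this post or from Hermit or 1Password; it assumes the reference shape op://vault/item[/section]/field, and the function names, the name heuristic and the sample file are constructed for illustration.

```python
import re

# Matches "NAME": "value" (or NAME = "value") pairs inside the env block.
PAIR_RE = re.compile(r'"?([A-Za-z_][A-Za-z0-9_]*)"?\s*[:=]\s*"([^"]*)"')
# Body of env = { ... }; quoted strings may contain "}" (e.g. "${HERMIT_ENV}/bin").
ENV_BLOCK_RE = re.compile(r'env\s*=\s*\{((?:"[^"]*"|[^}"])*)\}')
# Heuristic (an assumption): variable names that usually hold credentials.
SENSITIVE_RE = re.compile(r"SECRET|TOKEN|PASSWORD|API_?KEY", re.I)


def parse_env(hcl_text):
    """Return {name: value} from the first env block, or {} if there is none."""
    block = ENV_BLOCK_RE.search(hcl_text)
    return dict(PAIR_RE.findall(block.group(1))) if block else {}


def is_secret_reference(value):
    """True for op://vault/item/field or op://vault/item/section/field."""
    if not value.startswith("op://"):
        return False
    parts = value[len("op://"):].split("?", 1)[0].split("/")
    return len(parts) in (3, 4) and all(parts)


def audit(hcl_text):
    """List (name, problem) for env entries that should not be committed as-is."""
    findings = []
    for name, value in parse_env(hcl_text).items():
        if value.startswith("op://"):
            if not is_secret_reference(value):
                findings.append((name, "malformed secret reference"))
        elif SENSITIVE_RE.search(name) and value:
            findings.append((name, "literal value in secret-looking variable"))
    return findings


# Constructed sample: one good reference, one pasted value, one short reference.
SAMPLE = '''
env = {
  "FOO_SECRET": "op://Development/FooService/dev/FOO_SECRET",
  "BAR_TOKEN": "constructed-plaintext-value",
  "BAZ_API_KEY": "op://Development/BazService",
  "PATH": "${HERMIT_ENV}/bin:${PATH}",
}
'''

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

Run as a pre-commit hook or CI step against bin/hermit.hcl, a non-empty result from audit() is the signal to block the commit.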