Show HN: Places-env, secure version control of environment files
github.com
Now that I have your attention (“Don’t you dare version control environment files!!”, “This can’t be safe.”) and before you tear me and my project to shreds, please allow me to take a moment to celebrate something small but meaningful: I’ve finally released a thing. Thank you.
Motivation tl;dr: The existing tools and libraries for versioning and syncing environment files / secrets across team members and CI machines just didn’t cut it for me. So, I set out to create my own solution — one that finally checks all my boxes.
So what is places-env?
(I encourage you to check the readme https://github.com/marckrenn/places-env/tree/develop?tab=rea... over on GitHub – it will all make a lot more sense with the corresponding schematic.)
- places-env is a self-contained, completely free open-source (FOSS) alternative to HashiCorp Vault, Infisical, dotenv-vault and sops.
- Leverages a single source of truth (SSOT) places.yaml for deriving multiple environment files.
- Similar to sops, places-env encrypts only the values in places.yaml, resulting in places.enc.yaml, which can be securely checked into git:
  - Congrats, your SSOT is now version-controlled
  - Always synchronized with collaborators
  - Fully in-sync with the rest of your code, branches and tags (try doing that with Infisical & co.)
  - Changes remain 'human-trackable' — even when values are encrypted
- Contrary to sops, encryption keys can be assigned either per environment or on a per-value basis
- Provides a straightforward setup with no dependency on external services or libraries.
- places watch start (persistently) tracks changes in places.yaml / places.enc.yaml and automatically handles encryption, decryption, keeps .gitignore up-to-date, and auto-updates environment files. So it's essentially set and forget.
If you’re intrigued, please also check out the readme’s FAQ section https://github.com/marckrenn/places-env/tree/develop?tab=rea....
Feedback, criticism, etc. is, of course, very welcome.

First off, congrats on getting this published! It's a big jump from "this kind of works for just me" to "tested, documented, flexible, and ready for others to use", so good on you for seeing it through!
Seems like it has some nice DX improvements from sops, dotenvx, and other encrypt-your-secrets-within-your-repo type of tools. While that strategy may not work for every project, it is certainly valid and makes sense in some cases.
If you are looking for a tool that solves some of these problems, but also provides a more complete toolkit for dealing with config, check out https://dmno.dev
It has a plugin system and while we have an encrypted file plugin that works like places-env, we also support syncing secrets from places like 1Password, Bitwarden, Infisical, with more plugins in the works (aws, gcp, azure).
Additionally it handles:
- validation and coercion
- full type-safety (currently only for TypeScript, but generated types for other languages are coming soon!)
- built in documentation for your config
- sharing config across projects in a monorepo
- composing config any way you want, not just limited to an env switch and string templates
- manage all config, not just sensitive values
- better control of static/dynamic config (which values can be replaced at build time)
- security features (log redaction, leak prevention) for JS/TS
- drop in integrations for many frameworks and tools
- additional tools for dealing with various platforms (vercel/netlify/cloudflare/etc) that provide pre-built schemas defining env vars they inject, and additional tooling
- flexible type system to reuse existing config type definitions that come with built-in validations, docs, etc
It's built in TypeScript, and you define your config schema in a TS file, but it is designed to be used in projects in any language, providing a unified config system for your whole stack.
Would love to hear what you think. Pop into our discord and say hi :) https://chat.dmno.dev