Managing secrets is hard. Existing solutions such as Hashicorp Vault is too complicated, especially for personal use. If you think about it, we’re all managing secrets already, with something called password managers (hope you’re using one). Why not manage infrastructure secrets with our password managers?
Ideally, I would like to utilize the password manager to store the secret values, which will then be used to bootstrap config files that will be used by various programs/services throughout the system. Bitwarden, which is my password manager of choice offers a feature called Secret Notes. Secret Notes lets you safely store any aribitrary text, which seems like a good fit to store the secret values. Next, a tool would be needed to replace some placeholder text with the secrets obtained from the password manager. Envsubst seems like a good candidate, where it can substitute bash variables with values defined via environment variables.
Tying it altogether
I wrote a shell script that would bootstrap secrets for a given host:
This script assumes a couple of things:
You run this script on each host to bootstrap the host’s secrets
A secret note named secrets.[hostname] exists with a valid .env format
Config templates (input) are located in ~/.dotfiles/secrets/[hostname]
Bootstrapped configs (output) will be generated in ~/.secrets
You’ve already logged in to Bitwarden via the CLI. If not, run the following command:
$ export BW_SESSION=$(bw login --raw)
This is how the overall system will work:
Commit your config templates in a git repository
Clone the repository to ~/.dotfiles/secrets of the host that you want to boostrap
Login to Bitwarden CLI
Your git repository should have a directory structure like so: