From 17c68d654ba7c4f01b730ceb804bdfa16c041174 Mon Sep 17 00:00:00 2001
From: William Carroll <wpcarro@gmail.com>
Date: Thu, 20 Aug 2020 18:31:37 +0100
Subject: [PATCH] Prefer reading secrets.json to using pass show

I'm attempting to maintain a top-level secrets.json that defines all of the
sensitive data that I'd like to version-control without exposing everything in
cleartext to the world. To that end, I'm using `git secret`, which will use
`gpg` to encrypt secrets.json everytime I call `git secret hide` and decrypt
everytime I call `git secret reveal`.

I'm going to try this until I don't like it anymore... if that day comes...

I should write a blog post about my setup to solicit useful feedback and share
my ideas with others.
---
 .gitsecret/paths/mapping.cfg                   |   2 +-
 secrets.json.secret                            | Bin 631 -> 1142 bytes
 tools/monzo_ynab/.envrc                        |  10 +++++-----
 website/sandbox/contentful/.envrc              |   4 ++--
 .../sandbox/learnpianochords/src/server/.envrc |   6 ++++++
 5 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 website/sandbox/learnpianochords/src/server/.envrc

diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
index 2f89bb552..fda2c84fb 100644
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@@ -1 +1 @@
-secrets.json:9e05ae88de0df720ecc712b8e6bded3301bfd890cd13d0fb34d83bd37d14b594
+secrets.json:7d596a3ed16403040d89dd7e033a2af58e7aaabb6f246f44751b80a1863a2949
diff --git a/secrets.json.secret b/secrets.json.secret
index 9c3883238d8597a5a590f484e2e732eca48d556c..d4c02bf693658a4e08f9335817d51a606bbcd9e6 100644
GIT binary patch
literal 1142
zcmZo=;$fDGOnoU@I?a!f|9{c*<+8_)@FrNsFS@|R@^AHDk7>8nt~1E}`F^7LRp^?J
z6E57+d63Oul(1-ZyuQt)^l5sk{gO-#a!Xby&vcgDar{=0-+>+H7>crVsy649?}(0C
z&K&nBrvJnBw+k=L_;+?PlWK9C%ct3&zi}26{ajVMLa^x3?fwk0pr>`E+)FtZYDRK<
z<xjfgefJ&DmE-Ss=bB^*cLpd|S?o))I<Rxvy#1cD^OoJ2y6#DG`Q_(xnDWh1!t70X
z!d8BZp87BFqig30c~icdYmd$mzMucP-zrA#!m8`bKH1%E_!p6#@g|jPPjTHbzNDj-
zf2Gs68?F4A?sN96uhSdJ{mnlWA6BzkwG}<yEPghQA#!Qvqi?psnG#N?S1p&)*s=JA
zw4AJXLe2alZ>^IXcoNoa|6T7PsujHSh?uyLn5cF^zI=Vk;cvC}!D@l)IK{Whf2{8^
zW8yUYcrJVKmT%qdQ9>8%IhmRMAJp@l%C*Dt#TU^lFKqZvd@ncbO!f76Yu?h3RLgiU
zUQ4$7VYAqg!c9j`@g#6^cj?W#J~`k@Qg_VmTd!me-nskpa@*+un-dZ;6J@Wg;W+o!
zLd&b7r{@ZDP$skDT+Kg|X7@_AdM0;C8f9}h-nklaF=TO4-N`o@Jy&1UuXwRl+H74?
zp~my=Ykz43zDa2*pBP$m)%<N>%ExQjhZgBPF{;`7zdkCi?9xldl)@WTl^--zMO6>~
zJ(v?ybV{b<J=>}8>;DM+G_ldn({26W`z7qYDRcKbgJ+lit2WKk`Cs(NU}5S8xgDik
zem;haqCd#bHZNJVRPoj2J9iGfO`5N(+0T6LgK@&G#Pcyvsw@rXX`9afo1}2~^YSZ?
zHvg}z%)asS<OXBrNprvR-cjK)O6!#MV7hH(qWnv+$0<R9FDIro+`m42!`wqpuG}o2
z+`UtxXIK6w<F8s5a^L*(o+v-%ckhBX8VwcNFG{wo@|I>?;iJya|7t^U@RO>2r>0vy
zTOgRq>6oiuv{gYidH2zsauVzB%wGJsv48HHfLCV9k2QH^7gn$NKdb9Q{ZsWURSDjo
zS~W{vR{6MBw#u*D85=Zzm7e%A8~GlM4wpk0g&0IX^&L!Io$}^$!jnP;#x>q=o%a7e
zEVb=u%|4CG31^K}b|=U;tZZjX7B$&v@b*^XF_EO#GW?I`ZA%b|)vVR-({gh-yv2LI
z!1UJ<T}tJBnqmnoh1DK!w)A$L;rtNASQ8&m8kHciVei@w8Raj2ciN=Z+L@@{zjY};
zcDHbUO$1AR=b_M--~9D5Yc*fI5IEKNTr<QlQNr-tqfptmTzlj=E~p)yyx`2Gw?SLH
z=bfsZ-{$pSfBnj$iDwt~{JQwy&tc`u{wvS(MLHj~mcH>ZA;fRl2ivcIqo>!|s^qP#
zo8SJhd}7L*pw<$T7ksttXKys!`to&)R{gAvnaxHa_K)utbI&|{RaV6Ads2_omK(=+
zS$FN--5t~TH{(y6q+gx<@=o4q^Dq82el(Bm>qey&{14Xc+V8K#5PMcu;3T6Wht*ZT
NtG)B2T6aG^2>=RpHHZKJ

literal 631
zcmZo=;$fDGOnoU@I?a!f|F7INeIEn25<BmnxD~I@HM0Cmxcj2&j)Ka{@a}a7cj`Rq
zdvYL8Wsl_EWAiQBO0Aq+Q%=VfyB*$pF8Htu$AnVFO+MXR!p-;mGbU}(;B`-*6nQs!
zdRxPL<=6+ZJGB$PY<S4*HP_T(S%clh{Qth}UpJV}ckJEj{&`i^(VmhhS&8U<i_;I@
zRm%2zQO&(pZ<a-2s@&{O*4;}@C2HSYTf2KoTbbot4cGJsGk#~SE^4;@yXQz7<2h%p
z0`}5s1;^?~v$x&eFW|_LoxrbLzRq>m6-TS}m2H{UM)~{+cRzIL1hSmr`T1hvs%C>u
zzmih|RvqhqN1tR_`a)pOf^YJQ)s4?HYkqRN)Vx1cEv<d)U`g}$oL;|I3psd0qFA@=
zy_Y{z(LLZ{??KVbEt`e4SG+qLSo56w{^T?dgXN_j4|&zHi(mEb4ZFQMPT<bn4H8Zj
zFM2Pgw7m;`J0<S6s`P2LML(6KX4LdXx;Zhf)VdQ?&bB=>IZQOdr$0)WugBk9>yYr&
z(8*K!`Sxb)EjYh?GUEcJ20IJghU?Z5F)CHJIw!_O{$9JEapUz_Zu{EzMK~UR*)*fH
zJ^d1Ua@vtx+YKM>;sd0Q9#&nW#W9WdIltFj-Ko!R*tu~sHbnW#uh+ZzRc*U=(WdNU
z{mY8>Z)#UN@@*~e+MQtxT<g9EC-G*ih<I~4v%lvJgLKZNG{zaP^KK|g%g49rDnz-T
z@n0J1?_tGZ|1;#d<Z*ZLXUTH$q9U!#%cuSGYWd0D8GKaqmdyGkH~3CHz1nqg#vH4o
su}1?+TP<cJlzozMP*eNiyX55?iPP0#H?*~Pyq?+{yG68IZXc^90R4R_LjV8(

diff --git a/tools/monzo_ynab/.envrc b/tools/monzo_ynab/.envrc
index 9b2344773..f368d0b7e 100644
--- a/tools/monzo_ynab/.envrc
+++ b/tools/monzo_ynab/.envrc
@@ -1,8 +1,8 @@
 source_up
 use_nix
-export monzo_client_id="$(pass show finance/monzo/client-id)"
-export monzo_client_secret="$(pass show finance/monzo/client-secret)"
-export ynab_personal_access_token="$(pass show finance/youneedabudget.com/personal-access-token)"
-export ynab_account_id="$(pass show finance/youneedabudget.com/personal-access-token)"
-export ynab_budget_id="$(pass show finance/youneedabudget.com/budget-id)"
+export monzo_client_id="$(jq -j '.monzo | .clientId' < ~/briefcase/secrets.json)"
+export monzo_client_secret="$(jq -j '.monzo | .clientSecret' < ~/briefcase/secrets.json)"
+export ynab_personal_access_token="$(jq -j '.ynab | .personalAccessToken' < ~/briefcase/secrets.json)"
+export ynab_account_id="$(jq -j '.ynab | .accountId' < ~/briefcase/secrets.json)"
+export ynab_budget_id="$(jq -j '.ynab | .budgetId' < ~/briefcase/secrets.json)"
 export store_path="$(pwd)"
diff --git a/website/sandbox/contentful/.envrc b/website/sandbox/contentful/.envrc
index 98e1d2c82..848d74e8b 100644
--- a/website/sandbox/contentful/.envrc
+++ b/website/sandbox/contentful/.envrc
@@ -1,4 +1,4 @@
 source_up
 use_nix
-export CONTENTFUL_SPACE_ID="$(pass show programming/contentful/space-id)"
-export CONTENTFUL_ACCESS_TOKEN="$(pass show programming/contentful/access-token)"
+export CONTENTFUL_SPACE_ID="$(jq -j '.contentful | .spaceId' < ~/briefcase/secrets.json)"
+export CONTENTFUL_ACCESS_TOKEN="$(jq -j '.contentful | .accessToken' < ~/briefcase/secrets.json)"
diff --git a/website/sandbox/learnpianochords/src/server/.envrc b/website/sandbox/learnpianochords/src/server/.envrc
new file mode 100644
index 000000000..db08eac38
--- /dev/null
+++ b/website/sandbox/learnpianochords/src/server/.envrc
@@ -0,0 +1,6 @@
+source_up
+use_nix
+export SERVER_PORT=3000
+export CLIENT_PORT=8000
+export GOOGLE_CLIENT_ID="$(jq -j '.google | .clientId' < ~/briefcase/secrets.json)"
+export STRIPE_API_KEY="$(jq -j '.stripe | .apiKey' < ~/briefcase/secrets.json)"