Secret environment variables with Hermit and 1Password
This post is a quick TIL (“Today I Learned”) for posterity.
I’m building a (sidenote: It’s called FeedSync, and it solves a very niche problem: subscribing to RSS feeds, and piping new entries into Discord. I’d love it if you tried it out ❤️), and I’m contributing from two machines: my MacBook Pro, and my Linux desktop.
The problem
- I need secrets on both machines.
- I don’t want to over-engineer by committing encrypted secrets to the git repository.
- I don’t want to store secrets unencrypted somewhere like ~/.zshrc.
The solution
Hermit initialises the environment, and 1Password injects the secrets.
In 1Password Desktop, I created a new vault called Development, a new document called FooService, a section called dev, and a field called FOO_SECRET (I used a password because it’s a secret value, but you can use other types as well). The 1Password documentation goes into more detail.
In the terminal, I installed 1Password CLI, ran hermit init, and updated bin/hermit.hcl to:
env = {
  "FOO_SECRET": "op://Development/FooService/dev/FOO_SECRET"
}
My app already makes use of environment variables like FOO_SECRET, so there’s no change there.
To run my application with injected secrets on either of my machines, I can use this command:
op run -- iex -S mix phx.server
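With this setup, starting the app without op run leaves FOO_SECRET set to the literal op:// reference, and the app will use that string as its secret. The guard below is an added example, not part of the original post; the file name guard.sh and the function names are hypothetical.

```shell
#!/bin/sh
# guard.sh (hypothetical name): refuse to start a command while any
# environment variable still holds an unresolved 1Password reference.
# Intended use: op run -- ./guard.sh iex -S mix phx.server

# Print the NAMES (never the values) of environment variables whose value
# still starts with "op://". awk's ENVIRON is used instead of parsing `env`
# output so that multi-line values cannot be misread as separate variables.
unresolved_op_refs() {
    awk 'BEGIN {
        for (k in ENVIRON)
            if (index(ENVIRON[k], "op://") == 1) print k
    }' | sort
}

# Run the given command only if every reference was resolved.
# Returns 1 without running anything if a reference is still present.
run_guarded() {
    leaked=$(unresolved_op_refs)
    if [ -n "$leaked" ]; then
        printf 'refusing to start, unresolved 1Password references in: %s\n' \
            "$(printf '%s' "$leaked" | tr '\n' ' ')" >&2
        printf 'start the command through "op run --" instead\n' >&2
        return 1
    fi
    exec "$@"
}

# When invoked with a command, guard it; with no arguments, only define
# the functions (so the file can also be sourced).
if [ "$#" -gt 0 ]; then
    run_guarded "$@"
fi
```

Only variable names are printed, so the check is safe to leave in logs.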