sops
simonwillisonblog-backup
| | sops | simonwillisonblog-backup |
|---|---|---|
| Mentions | 150 | 7 |
| Stars | 15,114 | 15 |
| Growth | 2.7% | - |
| Activity | 9.0 | 9.9 |
| Latest commit | 4 days ago | 6 days ago |
| Language | Go | - |
| License | Mozilla Public License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sops
-
Pico.sh – Hacker Labs
My script just sets up a default .sops.yaml for https://github.com/getsops/sops
You can further edit .sops.yaml (e.g. have multiple of them) and decide how you split secrets in your directory tree to further customize who can decrypt the secrets.
It works pretty well for prod/dev splits, etc.
-
Encrypting your secrets with Mozilla SOPS using two AWS KMS Keys
Mozilla SOPS (Secrets OPerationS) is an open-source command-line tool for managing and storing secrets. It uses secure encryption methods to encrypt secrets at rest and decrypt them at runtime. SOPS supports a variety of key management systems, including AWS KMS, GCP KMS, Azure Key Vault, and PGP. It's particularly useful in a DevOps context where sensitive data like API keys, passwords, or certificates need to be securely managed and seamlessly integrated into application workflows.
-
An opinionated template for deploying a single k3s cluster with Ansible backed by Flux, SOPS, GitHub Actions, Renovate, Cilium, Cloudflare and more!
Encrypted secrets thanks to SOPS and Age
-
Tracking SQLite Database Changes in Git
We do the exact same thing: to keep track of some credentials we use sops [1] and AWS KMS to separate credentials by sensitivity, then use the git differ to view the diffs between the encrypted secrets.
Definitely not best practice security-wise, but it works well.
[1] https://github.com/getsops/sops
-
The Twelve-Factor App
For anyone new to SOPS like I was - https://github.com/getsops/sops
- Storing and managing private keys
-
Show HN: Shello – Wrangle Environment Variables
I've found this is largely solved by strictly separating plain config and secrets, and then having secrets pull from GCP secret manager / vault / whatever.
You can then commit all the config (including the secret identifiers) and it all just works so long as you're authenticated with your secret storage system.
We do this for the live configuration as well in line with Gitops and find it to work well.
If you don't want to use a cloud secret manager you can also use something like https://github.com/getsops/sops to commit the encrypted secrets safely
-
Check your secrets into Git [video]
Basically, the simpler the better: just encrypt your secrets and check them in to version control.
We use SOPS[0] for this, and have found it to be pretty nice.
[0]: https://github.com/getsops/sops
-
How to secure secrets of docker-compose stacks with git?
The answer is that secrets shouldn't be stored in the git repo at all, but somewhere safe like a password manager or Mozilla's SOPS which people seem to love.
-
Is it safe to commit a Terraform file to GitHub?
Unfortunately, the SOPS project is in some sort of limbo state, and there has been quite a long period with limited maintenance and an unclear position from Mozilla. Despite the project being accepted into the CNCF, it's still unclear what will happen with it going forward.
simonwillisonblog-backup
-
Tracking SQLite Database Changes in Git
> I’ve been running that for a couple of years in this repo: https://github.com/simonw/simonwillisonblog-backup - which provides a backup of my blog’s PostgreSQL Django database (first converted to SQLite and then dumped out using sqlite-
I'm curious, what is the reason you chose not to use pgdump, but instead opted to convert to SQLite and then dump the DB using sqlite-diffable?
On a project I'm working on, I'd like to dump our Postgres schema into individual files for each object (i.e., one file for each table, function, stored proc, etc.), but I haven't spent enough time to see if pgdump could actually do that. We're just outputting files by object type for now (one tables file, one functions file, and one stored procs file).
- Versioning data in Postgres? Testing a Git like approach
-
WordPress Core to start using SQLite Database
My personal blog runs on Django + PostgreSQL, and I got fed up with not having a version history of changes I made to my content there.
I solved that by setting up a GitHub repo that mirrors the content from my database to flat files a few times a day and commits any changes.
It's worked out really well so far. It wasn't much trouble to set up, and it's now been running for nearly three years, capturing 1400+ changes.
I'd absolutely consider using the same technique for a commercial project in the future:
Latest commits are here: https://github.com/simonw/simonwillisonblog-backup/commits/m...
Workflow is https://github.com/simonw/simonwillisonblog-backup/blob/main...
-
How Postgres Triggers Can Simplify Your Back End Development
If you really, really need to be able to see a SQL schema representing the current state, a cheap trick is to run an automation on every deploy that snapshots the schema and writes it to a GitHub repository.
I do a version of that for my own (Django-powered) blog here: https://github.com/simonw/simonwillisonblog-backup/blob/main...
-
Blog with Markdown and Git, and degrade gracefully through time
My blog is Django and PostgreSQL on Heroku, but last year I decided I wanted a reliable long-term public backup... so I set up a scheduled GitHub Actions workflow to back it up to a git repository.
Bonus feature: since it runs nightly, it gives me diffs of changes I make to my content, including edits to old posts.
The backups are in this repo: https://github.com/simonw/simonwillisonblog-backup
What are some alternatives?
sealed-secrets - A Kubernetes controller and tool for one-way encrypted Secrets
WriteFreely - A clean, Markdown-based publishing platform made for writers. Write together and build a community.
Vault - A tool for secrets management, encryption as a service, and privileged access management
blissue - A blog based on github issues
age - A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
docs - This is a repo of the RetroArch official document page.
git-crypt - Transparent file encryption in git
wayback-machine-downloader - Download an entire website from the Wayback Machine.
terraform-provider-sops - A Terraform provider for reading Mozilla sops files
beleyBlog - The non-content portion for my blog at www.chrisbeley.com
vault-secrets-operator - Create Kubernetes secrets from Vault for a secure GitOps based workflow.
go-readability - A Go implementation of the readability algorithm by arc90 labs