View Source ExSopsy
Sopsy is a pragmatic wrapper around Mozilla SOPS allowing decryption of secrets at runtime.
The goal of the library is to offer a simple solution for bringing encrypted secrets into your Elixir application, especially suited for self-hosting (VPS) and easy-to-manage environments (e.g. doesn't require a Vault or a managed service)
Requirements
- Mozilla SOPS CLI must be installed on the system and available in the PATH.
- The Elixir application must have read access to the SOPS encrypted file.
- Use environment variables or
.sops.yaml
configuration file to configure the sops binary as needed.
Usage
You can call ExSopsy.load_secrets
passing a path to a SOPS encrypted file and the format of the file.
If decryption is successful, the function returns a tuple {:ok, Map.t}
with the decrypted secret keys.
# config/runtime.exs
if config_env() == :prod do
case ExSopsy.load_secrets("priv/secrets.enc.json", :json) do
{:ok, secrets} ->
config :my_app, MyApp.Repo,
username: secrets["db_user"],
password: secrets["db_password"]
config :my_app, MyAppWeb.Endpoint,
secret_key_base: secrets["secret_key_base"]
{:error, reason} ->
raise "Failed to load secrets: #{inspect(reason)}"
end
end
The library is usable from any module in the application.
Installation
If available in Hex, the package can be installed
by adding ex_sopsy
to your list of dependencies in mix.exs
:
def deps do
[
{:ex_sopsy, "~> 1.0.1"}
]
end
Documentation can be generated with ExDoc and published on HexDocs. Once published, the docs can be found at https://hexdocs.pm/ex_sopsy.