lorentz · 3y

I decided to use Docker Compose on a tiny project that essentially consists of an API and a Caddy server that serves static files and proxies to the API, all of this running on an EC2 t1-nano. I made this admittedly odd choice because I wanted to learn Compose and simultaneously forego figuring out why the node-gyp bindings for sqlite3 refuse to build on EC2 even though it builds just fine on my machine.

I am storing secrets in .env which is committed into the private GH repo. Just now I came across a rant that described the same security practice and it sounded pretty bad from an outside perspective so I decided to research alternatives.

Apparently professional methods for storing secrets generally have higher system requirements than a t1-nano. I'm not looking for a complex service orchestration system, I'm not trying to run an enterprise on this poor little cloud-based raspberry pi. I just want to move my secrets out of the Git repo.

Any tips?

Comments
  • 0
    🙂 Could you please rephrase your question more precisely?

    "how can I...?"
  • 2
    @heyheni How can I manage credentials in a tiny project running on a single grossly underpowered host, in Docker Compose?
  • 0
    @homo-lorens 👍
  • 1
    https://git-secret.io/

    You can also use AWS Parameter Store and the AWS CLI if you want to build your own.

    Still highly recommend git secret though.

    You should also use git BFG to sanitize your history afterwards.
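The "Parameter Store plus AWS CLI" option from the comment above, written out as an added example (it is not the commenter's code or a project's). The `aws ssm get-parameters-by-path` call and its flags are the real CLI; the parameter path `/myapp/prod/` and the parameter names in the comments are assumptions for illustration. On an EC2 instance the CLI picks up credentials from the instance role, so the only thing that ever touches disk is the rendered `.env` that Compose reads via `env_file`:

```shell
#!/bin/sh
# Added example, not from the thread: pull secrets out of AWS SSM Parameter
# Store into the .env file Docker Compose loads via env_file. The parameter
# path /myapp/prod/ and the parameter names are illustrative assumptions.
set -eu

# Real AWS CLI call. With this JMESPath query and --output text every
# parameter arrives as one "Name<TAB>Value" line. --with-decryption is
# required for SecureString parameters, and on EC2 the credentials come
# from the instance role, so no long-lived access key lives on the box.
fetch_params() {            # fetch_params /myapp/prod/
  aws ssm get-parameters-by-path \
    --path "$1" --recursive --with-decryption \
    --query 'Parameters[].[Name,Value]' --output text
}

# Turn "Name<TAB>Value" lines on stdin into dotenv lines on stdout:
#   /myapp/prod/db_password<TAB>hunter2  ->  DB_PASSWORD='hunter2'
# Values are single-quoted so Compose takes them literally (#, $, spaces
# and = inside survive). A value we cannot represent that way, i.e. one
# containing a single quote, makes the whole render fail instead of
# silently producing a corrupted .env.
render_env() {              # render_env /myapp/prod/ < params.txt
  prefix=$1
  tab=$(printf '\t')
  while IFS=$tab read -r name value; do
    key=$(printf '%s' "${name#"$prefix"}" | tr 'a-z/-' 'A-Z__')
    case $key in
      ''|*[!A-Z0-9_]*) echo "render_env: cannot map $name to a variable name" >&2; return 1 ;;
    esac
    case $value in
      *\'*) echo "render_env: $name contains a single quote, refusing" >&2; return 1 ;;
    esac
    printf "%s='%s'\n" "$key" "$value"
  done
}

# Fetch first (so an AWS failure is noticed, not turned into an empty file),
# render into a temp file that mktemp creates 0600, then rename it into
# place, so Compose never sees a truncated or half-written .env.
write_env_file() {          # write_env_file /myapp/prod/ /srv/app/.env
  prefix=$1; out=$2
  raw=$(fetch_params "$prefix") || return 1
  tmp=$(mktemp "$out.XXXXXX")
  if printf '%s\n' "$raw" | render_env "$prefix" > "$tmp"; then
    mv "$tmp" "$out"
  else
    rm -f "$tmp"; return 1
  fi
}

# On the instance, with an IAM role that allows ssm:GetParametersByPath on
# the path (and kms:Decrypt on the key behind the SecureStrings):
#   write_env_file /myapp/prod/ /srv/app/.env && docker compose up -d
```

The IAM role is what makes this worth doing on a single box: the instance gets read access to exactly one parameter path, nothing is committed, and rotating a secret is a `put-parameter` plus a re-render and `docker compose up -d`. The renderer deliberately refuses values it cannot quote safely rather than guessing at Compose's escaping rules.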
  • 2
    We use HashiCorp Vault and inject secrets on build. May not work in this scenario, but thought I’d throw it out there.
  • 1
    GitHub has secrets, which I think you would use for GitHub Actions. So basically, to use them fully, you are supposed to learn the CI/CD pipeline build stage step.

    I just went lazier for now... I keep my secret envs... in a private secrets repo.
  • 2
    Store them in an encrypted file that you commit. Decrypt to a .env file that is ignored by git. Developers will need the decryption key to publish the app. That's how I handle it, anyway.
  • 1
    @ezpz Huh. Elegant, most lazy solution.
  • 1
    I just put an env on the instance and link it to the compose file.
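The two approaches above, an encrypted file committed to the repo that is decrypted into a git-ignored `.env`, and an env file on the instance that the Compose file points at, combined into one added example (not any commenter's code). It uses only the `openssl` CLI, which a nano instance already has. The file names (`secrets.env.enc`, `.env`, `~/.config/myapp/env.key`) and the compose services are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: keep secrets.env.enc in git, decrypt it
# on the host into a git-ignored .env, and have Compose read that via env_file.
# File names (secrets.env.enc, .env, ~/.config/myapp/env.key) are assumptions.
set -eu

ENC_FILE=${ENC_FILE:-secrets.env.enc}                    # committed
ENV_FILE=${ENV_FILE:-.env}                               # git-ignored, 0600
KEY_FILE=${KEY_FILE:-${HOME:-.}/.config/myapp/env.key}   # never in the repo

# One-time: a random 256-bit passphrase readable only by this user. Copy it
# to the instance out of band (scp); it is the only secret that moves by hand.
make_key() {
  mkdir -p "$(dirname "$KEY_FILE")"
  ( umask 077; openssl rand -hex 32 > "$KEY_FILE" )
}

# plaintext.env -> $ENC_FILE. -pbkdf2/-iter stretch the passphrase and -salt
# makes every encryption differ even for identical plaintext.
encrypt_env() {            # encrypt_env plaintext.env
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -pass "file:$KEY_FILE" -in "$1" -out "$ENC_FILE"
}

# $ENC_FILE -> $ENV_FILE. Decrypt into a temp file (mktemp creates it 0600)
# and rename into place, so a wrong key or a truncated artifact never
# replaces the last good .env with garbage.
decrypt_env() {
  tmp=$(mktemp "$ENV_FILE.XXXXXX")
  if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
       -pass "file:$KEY_FILE" -in "$ENC_FILE" -out "$tmp" 2>/dev/null; then
    mv "$tmp" "$ENV_FILE"
  else
    rm -f "$tmp"
    echo "decrypt_env: could not decrypt $ENC_FILE with $KEY_FILE" >&2
    return 1
  fi
}

# Guard against the mistake the thread started with: .env must be ignored and
# must not already be tracked (if it is, the history needs BFG or
# git filter-repo; a .gitignore entry alone does not remove it).
check_gitignore() {
  grep -qxF "$(basename "$ENV_FILE")" .gitignore 2>/dev/null \
    || { echo "check_gitignore: add $(basename "$ENV_FILE") to .gitignore" >&2; return 1; }
  if git ls-files --error-unmatch "$ENV_FILE" >/dev/null 2>&1; then
    echo "check_gitignore: $ENV_FILE is tracked; untrack it and scrub history" >&2
    return 1
  fi
}

# Compose only needs the env_file line; the key file is never mounted.
write_compose() {
  cat > docker-compose.yml <<EOF
services:
  api:
    build: ./api
    env_file: $ENV_FILE
  caddy:
    image: caddy:2
    ports: ["80:80", "443:443"]
EOF
}

# Developer: make_key; encrypt_env plaintext.env; git add secrets.env.enc
# Instance:  check_gitignore && decrypt_env && docker compose up -d
```

One caveat worth knowing: `openssl enc` offers no authenticated mode on the command line, so CBC here gives confidentiality but only weak tamper detection (a corrupted or substituted ciphertext usually fails padding, not always). Git's own history is what vouches for the artifact's integrity, and if you can install a single static binary, `age` or `sops` gives you authenticated encryption with the same workflow.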