env-to-fnox_skill

This skill guides migrating secrets from .env to fnox with 1Password, enabling centralized management and secure automation.
  • Shell

31

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill steveclarke/dotfiles --skill env-to-fnox

  • SKILL.md5.3 KB

Overview

This skill guides migrating plaintext .env files to fnox with 1Password (or another secret provider) to centralize and secure secrets. It covers installing fnox, creating organized 1Password items, authoring fnox.toml, and integrating fnox with mise for consistent environments across machines. The goal is to remove .env files, keep secret values out of git, and make environment provisioning reproducible.

How this skill works

The skill inspects your existing .env keys and classifies them into secrets, credentials, and non-secret defaults. It shows how to install and initialize fnox (recommended via mise), create a single 1Password item with named fields, and map those fields to environment variables in fnox.toml. Finally it replaces mise .env sourcing with fnox export and verifies secret retrieval and runtime environment values.

When to use it

  • You plan a .env migration to a secret backend like 1Password
  • You need a reproducible, git-safe environment setup across multiple machines
  • You want to centralize API keys, DB URLs, and cloud credentials
  • You are onboarding mise and want secrets managed consistently
  • You need provider-agnostic secret references (1Password, AWS SM, age, etc.)

Best practices

  • Group related secrets into a single 1Password item using descriptive field names
  • Use [password] type for sensitive fields and [text] for IDs/defaults
  • Keep fnox.toml in git; it stores references, not secret values
  • Use mise to install and run fnox for consistent tooling across machines
  • Verify retrieval with mise exec -- fnox get and test the full env before deleting .env

Example use cases

  • Migrate a web app’s DATABASE_URL, API_TOKEN, and AWS_* keys from .env into 1Password and fnox.toml
  • Configure separate fnox profiles (development, production) pointing to different 1Password vaults
  • Adopt age encryption for secrets stored in git while using fnox to reference them
  • Standardize environment setup for a team so each developer runs mise and gets the same secrets
  • Replace hardcoded secrets in CI by switching build jobs to run fnox export

FAQ

No. fnox is provider-agnostic and supports 1Password, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, age, and others. This skill focuses on 1Password as an example.

What parts of the repo change and what gets committed?

Commit fnox.toml and mise.toml changes. fnox.toml contains only secret references and provider configuration. Do not commit any exported secrets or the old .env file after migration.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
env-to-fnox skill by steveclarke/dotfiles | VeilStrat