- Home
- Skills
- Steveclarke
- Dotfiles
- Env To Fnox
env-to-fnox_skill
- Shell
31
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill steveclarke/dotfiles --skill env-to-fnox- SKILL.md5.3 KB
Overview
This skill guides migrating plaintext .env files to fnox with 1Password (or another secret provider) to centralize and secure secrets. It covers installing fnox, creating organized 1Password items, authoring fnox.toml, and integrating fnox with mise for consistent environments across machines. The goal is to remove .env files, keep secret values out of git, and make environment provisioning reproducible.
How this skill works
The skill inspects your existing .env keys and classifies them into secrets, credentials, and non-secret defaults. It shows how to install and initialize fnox (recommended via mise), create a single 1Password item with named fields, and map those fields to environment variables in fnox.toml. Finally it replaces mise .env sourcing with fnox export and verifies secret retrieval and runtime environment values.
When to use it
- You plan a .env migration to a secret backend like 1Password
- You need a reproducible, git-safe environment setup across multiple machines
- You want to centralize API keys, DB URLs, and cloud credentials
- You are onboarding mise and want secrets managed consistently
- You need provider-agnostic secret references (1Password, AWS SM, age, etc.)
Best practices
- Group related secrets into a single 1Password item using descriptive field names
- Use [password] type for sensitive fields and [text] for IDs/defaults
- Keep fnox.toml in git; it stores references, not secret values
- Use mise to install and run fnox for consistent tooling across machines
- Verify retrieval with mise exec -- fnox get and test the full env before deleting .env
Example use cases
- Migrate a web app’s DATABASE_URL, API_TOKEN, and AWS_* keys from .env into 1Password and fnox.toml
- Configure separate fnox profiles (development, production) pointing to different 1Password vaults
- Adopt age encryption for secrets stored in git while using fnox to reference them
- Standardize environment setup for a team so each developer runs mise and gets the same secrets
- Replace hardcoded secrets in CI by switching build jobs to run fnox export
FAQ
No. fnox is provider-agnostic and supports 1Password, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, age, and others. This skill focuses on 1Password as an example.
What parts of the repo change and what gets committed?
Commit fnox.toml and mise.toml changes. fnox.toml contains only secret references and provider configuration. Do not commit any exported secrets or the old .env file after migration.