
Show HN: Emergenv: Compose+compute env files from SSH-encrypted fragments in Git

1 points
by anoyomoose
2 hours ago
0 comments
Annoyed with the mess of .env files I have for various git-based deployments, and the copy/paste extravaganza my docker-compose environment sections have turned into, I decided to create something to solve that for my specific use-case.

EMERGENV creates plaintext env files from encrypted fragments using whole-fragment includes and per-key imports, and supports multiple layers of extensions and overrides, bringing DRY and easy composability to env files. Fear not though: all this functionality is there when you need it, but you can also 'just' encrypt your .env files :)

All secrets live in the fragments, which are encrypted with 'age' using SSH keys - just add everybody who needs to decrypt to the authorized_keys file. The encrypted fragments can be committed to git without issue. Simply 'build' the target file on deploy to produce the plaintext.

Extensive shell-like variable substitutions and integer arithmetic are also supported, without invoking a shell, and without execution capability.

There are undoubtedly other solutions that do similar things, but:

- I originally wanted to extend 'sops', but you can't trust sops to give you back the exact same plaintext (for env files specifically) without jumping through hoops you'll eventually forget about and lose data. EMERGENV verifies every encryption decrypts back to the original plaintext before writing.

- Other solutions I looked at all assume big infra, cloud, key vaults; I wanted something for the git-based deployments I'm actually using, without adding a lot on top.

- I just wanted exactly these features, no more and no less :)

Perfect for people who need exactly this!
