Fnox, a secret manager that pairs well with mise

https://github.com/jdx/mise/discussions/6779

185•bpierre•3mo ago

Comments

mackross•3mo ago

Love the thought put into mise and now fnox. They’re a joy to use.

maccard•3mo ago

Agree on mise. It's a great tool, really well implemented and easy to use. I've been trying to set up hk[0] this week and it's unfortunately not been as smooth a ride though.

[0] https://hk.jdx.dev/

jdxcode•3mo ago

that's fair. The DX of hk is a much harder problem since it will always require a decent amount of customization to fit into a project. I will be improving this though.

I'd probably say hk is the most challenging pre-commit manager to setup compared to its peers. That said, it's also the only one that can run hooks in parallel safely and deal with partially staged files where the others don't bother with these problems.

At least right now hk is good for folks that want the fastest and don't mind a bit of effort. Hopefully I can improve that and make it the best all-around.

maccard•3mo ago

Im very open to a bit of a learning curve! I wasn’t able to get a pre commit of ‘tofu fmt -check’ with the list of tf files changed working, which was frustrating! I found working with pkl tough as there’s little/no editor support (compared to writing tasks in toml with mise). I tried adding a post install hook to mise to run hk install which had surprising side effects!

I’m looking forward to trying fnox!

jdxcode•3mo ago

I added this for the next hk release: https://github.com/jdx/hk/commit/0fe8610fbe5d9f1c6977e0be596...

maccard•3mo ago

In the spirit of things I sent a PR in for the other footgun that I noticed. https://github.com/jdx/hk/pull/382

jdxcode•3mo ago

I suspect it may have been that it was using `*.tf` instead of `**/*.tf`

drcongo•3mo ago

Mind if I ask what trouble you've had setting up hk? I've been using it a while now and I love it almost as much as I love mise. Took me a little while to get my head around pkl (and if I'm honest, I'm very much still winging it) but otherwise it's been a joy to use.

maccard•3mo ago

No support for opentofu, so I had to write a custom hook for tofu instead of terraform. Then the hook itself didn’t work because tofu fmt didn’t like the full list of files being passed on instead of just the tf files. Then I had an issue with tflint. It wasn’t clear that hk would install in the current directory and not the git repo. Writing pkl was awkward - vscode has no support.

That’s just off the top of my head.

drcongo•3mo ago

Thanks, that's a list of things I've never needed from it which explains our different experiences!

maccard•3mo ago

Our use case is a dotnet project with infra defined in terraform. Dotnet fmt is too slow to run as a pre commit hook so I wanted to try tflint and tofu fmt as I know they are very quick and they are relatively easy to work with.

They both accept a list of files to work on, but the filter on hk gives you a full list of files that changed, so if a cs file and a tf file changes, both steps will fire with both the cs and the tf file

I think a small improvement might be adding a matched_files template sub that would only show the files that matched the glob rule. I also think an LSP integration for VSCode would go a long way. I could manage the first but the second might be pushing my limits

jdxcode•3mo ago

there is one: https://github.com/apple/pkl-lsp it works great for me

maccard•3mo ago

Thanks! I didn’t think of searching outside the store. Works great so far.

antimius•3mo ago

Yeah, I found the import of existing pre-commit config wasn't very useful. I just switched to using prek as a much faster drop-in replacement for pre-commit https://github.com/j178/prek. Really like mise though, and just started using fnox yesterday.

cultureulterior•3mo ago

There's no explanation or link to mise from that page that I can see. I now know what mise is, but that's from googling

cultureulterior•3mo ago

It's a dev tool manager

fishgoesblub•3mo ago

The link in the post is literally on the Mise Github page. One click and you're on the main page reading the detailed README.

danw1979•3mo ago

github.com is a popular website that lets you publish your git (a version control system) -based projects for others to read and contribute to.

In this case, the user “jdx” has published an issue (a bug or feature development tracker) about a complimentary project, but you can still access the source code and documentation about “mise” by clicking on the hyperlink labelled “mise” at the top of the page.

NamlchakKhandro•3mo ago

lmao wut?

augunrik•3mo ago

From the initial feature set it sounds like Mozilla SOPS.

cippaciong•3mo ago

I was gonna say the same. Not that there is anything bad in having alternatives, but if you like fnox, you might want to have a look at SOPS as well.

KingMob•3mo ago

Mise already supported sops and age (https://mise.jdx.dev/environments/secrets/), so I'm assuming there's something more to it. (Existing or planned.)

pprotas•3mo ago

Any alternatives to mise with less bloat? I don’t want the direnv and tasks functionality

rsanheim•3mo ago

Just...don't use them?

I've use mise happily for many months without using direnv or tasks, and everything I use it for works and is solid. Installs python, ruby, node, does the switching, does the shims, stays out of the way.

direnv and tasks and everything else mise can do is all opt-in.

arcanemachiner•3mo ago

asdf is a predecessor to mise, and focuses language version management only.

https://asdf-vm.com

NamlchakKhandro•3mo ago

what bloat?

Ferret7446•3mo ago

If you need to manage your dev secrets, it seems like you've fucked up? It's 2025, any secrets should be generated on or provisioned on a single machine. If you're copying them or storing them, then https://xkcd.com/463/

elric•3mo ago

Yes, because in 2025 every business is FAANG scale and has a dedicated SRE team and a SecOps team to manage all the secrets foo. (/s, obviously)

Different people have different experiences and work on things in a very diverse scale. The existence of one thing does not obviate all other things.

63stack•3mo ago

I was about to implement it into a pilot project, but then ran into this while reading the docs:

# New person joins the team:

# 7. Team lead updates fnox.toml with new recipient

# Then re-encrypts all secrets:

fnox set DATABASE_URL "$(fnox get DATABASE_URL)" --provider age # ... repeat for all secrets

It's a bit surprising you have to manually do this, I'd imagine fnox already has knowledge of all the secrets and could do this automatically.

DoNotNotify is now Open Source

Show HN: LocalGPT – A local-first AI assistant in Rust with persistent memory

Matchlock: Linux-based sandboxing for AI agents

Reverse Engineering Raiders of the Lost Ark for the Atari 2600

Haskell for all: Beyond agentic coding

SectorC: A C Compiler in 512 bytes (2023)

LLMs as the new high level language

The Architecture of Open Source Applications (Volume 1) Berkeley DB

Software factories and the agentic moment

Modern and Antique Technologies Reveal a Dynamic Cosmos

Speed up responses with fast mode

LineageOS 23.2

Stories from 25 Years of Software Development

Hoot: Scheme on WebAssembly

uLauncher

Brookhaven Lab's RHIC concludes 25-year run with final collisions

Vocal Guide – belt sing without killing yourself

In the Australian outback, we're listening for nuclear tests

Wood Gas Vehicles: Firewood in the Fuel Tank (2010)

Rabbit Ear "Origami": programmable origami in the browser (JS)

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

First Proof

Substack confirms data breach affects users’ email addresses and phone numbers

Start all of your commands with a comma (2009)

Al Lowe on model trains, funny deaths and working with Disney

The AI boom is causing shortages everywhere else

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

Where did all the starships go?

Show HN: A luma dependent chroma compression algorithm (image compression)

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

DoNotNotify is now Open Source

Show HN: LocalGPT – A local-first AI assistant in Rust with persistent memory

Matchlock: Linux-based sandboxing for AI agents

Reverse Engineering Raiders of the Lost Ark for the Atari 2600

Haskell for all: Beyond agentic coding

SectorC: A C Compiler in 512 bytes (2023)

LLMs as the new high level language

The Architecture of Open Source Applications (Volume 1) Berkeley DB

Software factories and the agentic moment

Modern and Antique Technologies Reveal a Dynamic Cosmos

Speed up responses with fast mode

LineageOS 23.2

Stories from 25 Years of Software Development

Hoot: Scheme on WebAssembly

uLauncher

Brookhaven Lab's RHIC concludes 25-year run with final collisions

Vocal Guide – belt sing without killing yourself

In the Australian outback, we're listening for nuclear tests

Wood Gas Vehicles: Firewood in the Fuel Tank (2010)

Rabbit Ear "Origami": programmable origami in the browser (JS)

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

First Proof

Substack confirms data breach affects users’ email addresses and phone numbers

Start all of your commands with a comma (2009)

Al Lowe on model trains, funny deaths and working with Disney

The AI boom is causing shortages everywhere else

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

Where did all the starships go?

Show HN: A luma dependent chroma compression algorithm (image compression)

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Fnox, a secret manager that pairs well with mise

Comments