Description
Is there an existing issue that is already proposing this?
- I have searched the existing issues
Is your feature request related to a problem? Please describe it
Since this library already uses dotenv and dotenv-expand, it would be great to jump on the Dotenvx wagon.
It includes all the goodness of the two libraries mentioned above (in fact, Dotenvx imports them) and adds encryption/decryption of .env files.
Describe the solution you'd like
No change to the experience or interface of the ConfigModule: simply replace the dotenv library with dotenvx to enable detection of key files (.env.keys) or key variables (DOTENV_PRIVATE_KEY or DOTENV_PRIVATE_KEY_<STAGE>).
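To make the key-detection step concrete, here is an added illustration (not code from dotenvx or NestJS) of what a ConfigModule loader would have to do before handing variables to the application: parse the .env file, detect which values are dotenvx ciphertexts, and look up the matching private key in the process environment (`DOTENV_PRIVATE_KEY_<STAGE>`, or `DOTENV_PRIVATE_KEY` for the plain `.env` file) and then in `.env.keys`. The `encrypted:` value prefix, the banner comments, and the environment-before-keys-file precedence are assumptions based on dotenvx's documented layout; the sample file contents are constructed placeholders, and decryption itself is left to dotenvx rather than reimplemented.

```javascript
// Added illustration, not dotenvx's or NestJS's own code.
// Assumed: dotenvx marks ciphertext values with an "encrypted:" prefix and
// names private keys DOTENV_PRIVATE_KEY (for .env) or DOTENV_PRIVATE_KEY_<STAGE>
// (for .env.<stage>), looking in the process environment before .env.keys.

// Minimal KEY=value parser for .env-style text: skips blanks and comments and
// strips one layer of matching quotes. (The real dotenv parser handles more.)
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if (value.length >= 2 && (q === '"' || q === "'") && value[value.length - 1] === q) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// Stage suffix derived from the file name: ".env" -> "", ".env.ci" -> "_CI".
function stageSuffix(envPath) {
  const base = envPath.split('/').pop();
  const m = /^\.env(?:\.(.+))?$/.exec(base);
  if (!m) throw new Error(`not a .env file: ${envPath}`);
  return m[1] ? '_' + m[1].toUpperCase().replace(/[^A-Z0-9]/g, '_') : '';
}

// Names of variables whose value is a ciphertext (assumed "encrypted:" prefix).
function encryptedKeys(vars) {
  return Object.keys(vars).filter(
    (k) => k !== 'DOTENV_PUBLIC_KEY' && vars[k].startsWith('encrypted:'),
  );
}

// Key lookup: process environment first, then the .env.keys file. Returns null
// when no key for this stage exists anywhere.
function resolvePrivateKey(envPath, processEnv, keysFileText) {
  const name = 'DOTENV_PRIVATE_KEY' + stageSuffix(envPath);
  if (processEnv[name]) return { source: 'env', name, key: processEnv[name] };
  if (keysFileText) {
    const keys = parseEnv(keysFileText);
    if (keys[name]) return { source: '.env.keys', name, key: keys[name] };
  }
  return null;
}

// Pre-flight check a loader could run: fail fast when encrypted values exist but
// no private key is available, instead of passing raw "encrypted:..." strings to
// the application as if they were configuration.
function preflight(envPath, envFileText, processEnv, keysFileText) {
  const vars = parseEnv(envFileText);
  const encrypted = encryptedKeys(vars);
  const plaintext = Object.keys(vars).filter((k) => !encrypted.includes(k));
  if (encrypted.length === 0) return { encrypted, key: null, plaintext };
  const key = resolvePrivateKey(envPath, processEnv, keysFileText);
  if (!key) {
    const wanted = 'DOTENV_PRIVATE_KEY' + stageSuffix(envPath);
    throw new Error(
      `${envPath} has encrypted values (${encrypted.join(', ')}) but ${wanted} ` +
        'was found neither in the environment nor in .env.keys',
    );
  }
  return { encrypted, key, plaintext };
}

// Constructed sample files; the key and ciphertext values are placeholders.
const SAMPLE_ENV_CI = `#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
DOTENV_PUBLIC_KEY="03PLACEHOLDERPUBLICKEY"

# .env.ci
DATABASE_URL="encrypted:PLACEHOLDERCIPHERTEXT"
LOG_LEVEL="debug"
`;
const SAMPLE_ENV_KEYS = `#/------------------!DOTENV_PRIVATE_KEYS!------------------/
# .env
DOTENV_PRIVATE_KEY="PLACEHOLDERDEFAULTKEY"

# .env.ci
DOTENV_PRIVATE_KEY_CI="PLACEHOLDERCIKEY"
`;

console.log(JSON.stringify(preflight('.env.ci', SAMPLE_ENV_CI, {}, SAMPLE_ENV_KEYS), null, 2));
```

The useful property here is the failure mode: a loader that silently treats `encrypted:...` strings as valid configuration produces confusing runtime errors far from the cause, whereas the pre-flight check names the missing key variable for the exact stage file.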
Teachability, documentation, adoption, migration strategy
For those interested in using it, the first step would be to encrypt variables.
This tool is already provided by dotenvx and I don't see a reason to create a wrapper around it (maybe via the NestJS CLI to keep users in the NestJS bubble?).
Encrypting a whole file is as simple as:

```shell
dotenvx encrypt
# or
dotenvx encrypt -f .env.ci
```

More advanced examples can be found in the Dotenvx docs.
What is the motivation / use case for changing the behavior?
Using encrypted .env files enables them to be shared safely, which is helpful for development or CI configuration.
Sorry for the self-promotion. I even published an article that shows (amongst other things) how to manage env vars for local and CI environments.
Maintaining secrets in CI providers is fun once but quickly gets boring. I find it more effective to manage all those variables from the codebase.
The remaining complexity is how to share the private keys to decrypt files, and this remains an exercise for the users :)
Of course, we can offer suggestions on how to share these keys safely.
- GitHub Actions secrets, GitLab CI/CD variables, etc. for CI environment variables
- A vault such as 1Password for local development variables
- PGP encryption + email for the nerds