Github integration best practice

I’m new to GitHub and storing files on a remote repository like that. I’ve always used CVS or something like that on a local repository. I’ve noticed that several of the people in the HA world have GitHub pages with their source out there for others to look at. Is there a tool or something that scrubs the files clean of sensitive information like account passwords, secret keys, long/lat, etc.? Are they using a local git repository and then only publishing finished product up to GitHub, and if so, how do they manage that? Do they open a branch to publish and edit it, taking out sensitive information? What is the best practice around that?

There may be, but I am not aware of one. There are ways to work around this, however, like having sample config files and keeping the actual config in files that are not in the git repository.

Yes - the idea is that you use git locally (just like CVS etc.) and when you reach a point that you want to publish, there are GIT commands to push local repositories to remote repositories on the Internet. GitHub is an example of a remote repository but not the only type out there.

People who publish their configurations use !env_var or !secret to include secrets in their files. Then they have a separate file (NOT published) that contains definitions for all those secrets.

Exactly this. Mine is one of the linked config examples, and I use !secret for the bits of information I want to be private and then a .gitignore to never include my secrets.yaml

You can even see my .gitignore excluding it here: https://github.com/gstevenson/ha-config/blob/master/.gitignore

Wonderful,
I read the yaml docs so long ago, I completely forgot the section about secrets.

It looks like !secret could be used for just about anything. Are there any types of things that !secret can’t be used for?

Thanks

I haven’t run into one - My repo has extensive use of !secret and a .gitignore as mentioned above.

I also use a script (pinched from @CCOSTAN) to do my push:

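#!/bin/bash
# Validate the Home Assistant configuration, then commit and push it.

# Stop if the config directory is missing, so git never runs somewhere else
cd /home/homeassistant/.homeassistant || exit 1
source /srv/homeassistant/homeassistant_venv/bin/activate
hass --script check_config

git add .
git status
echo -n "Enter the Description for the Change [Minor Update]: "
read -r CHANGE_MSG
# Use the default shown in the prompt when nothing is entered
git commit -m "${CHANGE_MSG:-Minor Update}"
git push origin master

exit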
2 Likes
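As an added example (not part of the thread or of any poster's script), here is a guard that could run before the `git add` in a push script like the one above. It checks that every secrets.yaml is ignored and untracked, and flags sensitive-looking keys whose value is a literal rather than a !secret reference; the function names and the key-name list are assumptions for illustration.

```shell
#!/bin/bash
# Added example: pre-push guard for a Home Assistant config repository.
# Assumptions: secrets live in files named secrets.yaml (root or
# subdirectories); the list of sensitive key names is illustrative only.

# Succeeds only if every secrets.yaml under repo $1 is ignored and untracked.
secrets_files_protected() (
  cd "$1" || exit 1
  find . -name secrets.yaml ! -path './.git/*' | {
    rc=0
    while IFS= read -r f; do
      if git ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
        echo "tracked by git: $f" >&2; rc=1
      elif ! git check-ignore -q -- "$f"; then
        echo "not covered by .gitignore: $f" >&2; rc=1
      fi
    done
    exit "$rc"
  }
)

# Prints file:line:text for sensitive-looking keys that hold a literal value
# instead of a tag such as !secret or !env_var. Succeeds when none are found.
find_inline_secrets() (
  pattern='^[[:space:]-]*[a-z_]*(password|api_key|token|latitude|longitude)[[:space:]]*:[[:space:]]*[^[:space:]#!]'
  hits=$(find "$1" -name '*.yaml' ! -name secrets.yaml ! -path '*/.git/*' \
           -exec grep -HnEi "$pattern" {} + || true)
  [ -z "$hits" ] && exit 0
  printf '%s\n' "$hits"
  exit 1
)

# Run both checks against the config directory given as $1.
prepush_check() {
  secrets_files_protected "$1" && find_inline_secrets "$1"
}
```

If a secrets.yaml shows up as tracked, `git rm --cached` only removes it from future commits; it stays in the history already pushed, so the values in it should be changed.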

I wish someone would do a tutorial for this…

Can a !secret be embedded in a line?

sqlplus !secret userid!secret password@dbhome

kind of an idea? I understand I can do it all as one line sqlplus !secret db, but the other would be nice to in some cases.

I think you can only do this for the whole line. Makes more sense anyway.

I use the same userid for most things. It would be nice to just have a !secret userid that could be inserted inline maybe inside {} or something kind of like an environment variable.

I might work on this.

1 Like

Let me know if you need any help with a tutorial. Happy to help and be a guinea pig.

1 Like

That would be awesome. I just want to be able to share my configuration and I really don’t know how to set up a GitHub repo. I think this would help a lot of people because more people would share their configs to help others learn.

I know I learned a lot from looking at the examples when I started out. If you decide to do this, let me know and like @turboc, I’ll help where I can.

3 Likes

Agreed. I would like to learn more about Git myself, but I need to get all the secrets out of my config file. I have yet to do that.

Thanks, y’all - I’ve got it mostly done. It’s in rough draft right now and I want to review it a little more before submitting a PR. I might reach out to you to get you to follow it and let me know if I missed anything. I did it mostly from memory, and I am terrible at GitHub.

Do it!! It’s a super good practice.

It’s easier than you think. I put it off for a while because the docs made it seem complex, but it’s so easy and you can use it for just about anything in the configs you want to keep secret. Just remember that if you use split configs and separate directories, you need a separate secrets.yaml for each directory with just the stuff that’s being ‘secretized’ in that directory’s YAML files.

2 Likes

I need to get it done, but my configuration is still very much in active development with components to add yet.

I think you just answered a question I didn’t know I needed to ask! A problem I’ve had for some time but put aside.

Wow, I guess that’s about as efficient as it gets here!

Yeah, if you have say, a separate devices directory for all your sensors, cameras, etc. then anything that uses a secret entry needs to be in a secrets.yaml file in that directory. So I have one in my root, one in my devices directory and each one is specific to the YAML files in that directory.

Only reason I know this is that I was following the original PR when it was merged. According to another dev, they can also be used as variables, but not sure if this works in line like with a template.