nuxt-env
Set up SOPS + age encryption for environment variables in a Nuxt project.
When to Use
- Setting up encrypted environment variable management for a project
- Adding SOPS + age encryption workflow
- User mentions env:pull, env:push, env:encrypt, env:decrypt
- Onboarding a project to the encrypted env bundle workflow
Pre-flight: System Dependencies
Check and install system dependencies in order:
1. sops + age
which sops && which age-keygen
If either is missing:
brew install sops age
2. npm dependencies
Check if chalk is in the target project's devDependencies. If missing:
bun add -d chalk
3. Age keypair
Check if the age key file exists:
test -f ~/.config/sops/age/keys.txt
If missing, generate one:
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
Display the public key to the user (they will need it for .sops.yaml):
age-keygen -y ~/.config/sops/age/keys.txt
Tell the user to save this public key -- it goes into .sops.yaml and must be shared with teammates.
Setup Steps
Run these steps in the target project root.
1. Create directories
mkdir -p secrets .tmp
2. Add .gitignore entries
Append to the project root .gitignore if not already present:
.tmp/
Ensure secrets/ has proper git tracking -- encrypted files ARE tracked, plain JSON is NOT. Add secrets/.gitignore with:
# Ignore decrypted plain JSON bundles
*.json
# But track encrypted sops files
!*.sops.json
!.gitignore
!.gitkeep
Create secrets/.gitkeep if the directory is empty.
3. Create .sops.yaml
Skip if .sops.yaml already exists. Otherwise create at project root:
# Replace the placeholder recipients below with real age public keys (age1...)
# for your developer team and CI before encrypting secrets.
creation_rules:
  - path_regex: ^(.+[\\/])?secrets[\\/].*\.sops\.json$
    age: >-
      AGE_PUBLIC_KEY_HERE
Prompt the user to replace AGE_PUBLIC_KEY_HERE with the public key displayed in pre-flight step 3. If the public key was just generated, offer to substitute it automatically.
4. Copy scripts
Copy these files from this skill's scripts/ directory to the target project's scripts/ directory:
| Source (skill) | Target (project) |
|---|---|
| scripts/sops-bundle.ts | scripts/sops-bundle.ts |
| scripts/env-variables.ts | scripts/env-variables.ts |
| scripts/libs/load-env.ts | scripts/libs/load-env.ts |
Create scripts/libs/ if it doesn't exist. Skip any file that already exists in the target -- warn the user instead.
5. Add package.json scripts
Read the target project's package.json. Add the following scripts, skipping any that already exist:
{
"env:export": "bun scripts/env-variables.ts --export-json --out .tmp/env-bundle.json",
"env:apply": "bun scripts/env-variables.ts --import-json --in .tmp/env-bundle.json",
"env:apply:dry": "bun scripts/env-variables.ts --import-json --in .tmp/env-bundle.json --dry-run",
"env:decrypt": "bun scripts/sops-bundle.ts decrypt",
"env:encrypt": "bun scripts/sops-bundle.ts encrypt",
"env:pull": "bun run env:decrypt && bun run env:apply",
"env:push": "bun run env:export && bun run env:encrypt"
}
Post-setup Verification
After all steps, verify:
- which sops && which age-keygen -- both installed
- ls scripts/sops-bundle.ts scripts/env-variables.ts scripts/libs/load-env.ts -- all scripts exist
- package.json has all env:* scripts
- .sops.yaml exists with correct structure
- secrets/.gitignore exists with correct rules
- .tmp/ is in .gitignore
Print a summary of what was created/skipped.
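The file-level checks above can be scripted as follows. This is an added example, not one of the skill's own scripts: the function names are hypothetical, and the final check (that any tracked *.sops.json really is SOPS output) goes beyond the page's list and relies on SOPS-encrypted JSON carrying a top-level "sops" metadata object and ENC[...] values.

```shell
#!/bin/sh
# Added example: file-level checks from "Post-setup Verification".
# verify_project <root> prints one line per check and returns the failure count.
fails=0
check() {                                   # check "<description>" <command> [args...]
  desc=$1; shift
  if "$@" >/dev/null 2>&1; then echo "ok    $desc"
  else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}
has_line()   { grep -qxF -- "$2" "$1"; }    # exact whole-line match
has_text()   { grep -qF -- "$2" "$1"; }     # fixed-string match anywhere
lacks_text() { [ -f "$1" ] && ! grep -qF -- "$2" "$1"; }

# Files named *.sops.json are tracked by git, so they must really be encrypted.
# Heuristic (assumption): SOPS JSON output has a "sops" metadata object and
# ENC[...] values; a plaintext bundle saved under that name has neither.
bundles_encrypted() {
  for f in "$1"/secrets/*.sops.json; do
    [ -e "$f" ] || continue                 # no bundle yet is fine
    { grep -q '"sops"' "$f" && grep -q 'ENC\[' "$f"; } || return 1
  done
}

verify_tools() {
  fails=0
  check "sops installed" command -v sops
  check "age-keygen installed" command -v age-keygen
  return "$fails"
}

verify_project() {
  root=${1:-.}; fails=0
  for s in sops-bundle.ts env-variables.ts libs/load-env.ts; do
    check "scripts/$s exists" test -f "$root/scripts/$s"
  done
  for n in export apply apply:dry decrypt encrypt pull push; do
    check "package.json has env:$n" has_text "$root/package.json" "\"env:$n\""
  done
  check ".sops.yaml has creation_rules" has_text "$root/.sops.yaml" "creation_rules:"
  check ".sops.yaml has an age recipient" has_text "$root/.sops.yaml" "age1"
  check ".sops.yaml placeholder replaced" lacks_text "$root/.sops.yaml" "AGE_PUBLIC_KEY_HERE"
  check "secrets/.gitignore ignores *.json" has_line "$root/secrets/.gitignore" "*.json"
  check "secrets/.gitignore keeps *.sops.json" has_line "$root/secrets/.gitignore" "!*.sops.json"
  check ".tmp/ is in .gitignore" has_line "$root/.gitignore" ".tmp/"
  check "tracked bundles are encrypted" bundles_encrypted "$root"
  return "$fails"
}
```

Call verify_tools and verify_project from the project root; a non-zero return value is the number of failed checks.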
Usage After Setup
| Command | What it does |
|---|---|
| bun run env:push | Export .env files to JSON bundle, then SOPS-encrypt |
| bun run env:pull | SOPS-decrypt the bundle, then write .env files |
| bun run env:encrypt | Encrypt .tmp/env-bundle.json to secrets/env-bundle.sops.json |
| bun run env:decrypt | Decrypt secrets/env-bundle.sops.json to .tmp/env-bundle.json |
| bun run env:export | Export .env files to .tmp/env-bundle.json |
| bun run env:apply | Write .tmp/env-bundle.json back to .env files |