Fnox, a secret manager that pairs well with mise

Posted by bpierre 2 days ago

Fnox, a secret manager that pairs well with mise(github.com)

182 points | 38 comments

mackross 2 days ago|

Love the thought put into mise and now fnox. They’re a joy to use.

maccard 2 days ago|

Agree on mise. It's a great tool, really well implemented and easy to use. I've been trying to set up hk[0] this week and it's unfortunately not been as smooth a ride though.

[0] https://hk.jdx.dev/

jdxcode 2 days ago|||

that's fair. The DX of hk is a much harder problem since it will always require a decent amount of customization to fit into a project. I will be improving this though.

I'd probably say hk is the most challenging pre-commit manager to setup compared to its peers. That said, it's also the only one that can run hooks in parallel safely and deal with partially staged files where the others don't bother with these problems.

At least right now hk is good for folks that want the fastest and don't mind a bit of effort. Hopefully I can improve that and make it the best all-around.

maccard 22 hours ago||

Im very open to a bit of a learning curve! I wasn’t able to get a pre commit of ‘tofu fmt -check’ with the list of tf files changed working, which was frustrating! I found working with pkl tough as there’s little/no editor support (compared to writing tasks in toml with mise). I tried adding a post install hook to mise to run hk install which had surprising side effects!

I’m looking forward to trying fnox!

jdxcode 5 hours ago||

I added this for the next hk release: https://github.com/jdx/hk/commit/0fe8610fbe5d9f1c6977e0be596...

antimius 1 day ago||||

Yeah, I found the import of existing pre-commit config wasn't very useful. I just switched to using prek as a much faster drop-in replacement for pre-commit https://github.com/j178/prek. Really like mise though, and just started using fnox yesterday.

drcongo 1 day ago|||

Mind if I ask what trouble you've had setting up hk? I've been using it a while now and I love it almost as much as I love mise. Took me a little while to get my head around pkl (and if I'm honest, I'm very much still winging it) but otherwise it's been a joy to use.

maccard 22 hours ago||

No support for opentofu, so I had to write a custom hook for tofu instead of terraform. Then the hook itself didn’t work because tofu fmt didn’t like the full list of files being passed on instead of just the tf files. Then I had an issue with tflint. It wasn’t clear that hk would install in the current directory and not the git repo. Writing pkl was awkward - vscode has no support.

That’s just off the top of my head.

drcongo 11 hours ago||

Thanks, that's a list of things I've never needed from it which explains our different experiences!

maccard 7 hours ago||

Our use case is a dotnet project with infra defined in terraform. Dotnet fmt is too slow to run as a pre commit hook so I wanted to try tflint and tofu fmt as I know they are very quick and they are relatively easy to work with.

They both accept a list of files to work on, but the filter on hk gives you a full list of files that changed, so if a cs file and a tf file changes, both steps will fire with both the cs and the tf file

I think a small improvement might be adding a matched_files template sub that would only show the files that matched the glob rule. I also think an LSP integration for VSCode would go a long way. I could manage the first but the second might be pushing my limits

cultureulterior 2 days ago||

There's no explanation or link to mise from that page that I can see. I now know what mise is, but that's from googling

danw1979 2 days ago||

github.com is a popular website that lets you publish your git (a version control system) -based projects for others to read and contribute to.

In this case, the user “jdx” has published an issue (a bug or feature development tracker) about a complimentary project, but you can still access the source code and documentation about “mise” by clicking on the hyperlink labelled “mise” at the top of the page.

fishgoesblub 2 days ago|||

The link in the post is literally on the Mise Github page. One click and you're on the main page reading the detailed README.

cultureulterior 2 days ago|||

It's a dev tool manager

NamlchakKhandro 1 day ago|||

lmao wut?

hackernewscunts 2 days ago||

[dead]

augunrik 2 days ago||

From the initial feature set it sounds like Mozilla SOPS.

cippaciong 1 day ago||

I was gonna say the same. Not that there is anything bad in having alternatives, but if you like fnox, you might want to have a look at SOPS as well.

KingMob 1 day ago||

Mise already supported sops and age (https://mise.jdx.dev/environments/secrets/), so I'm assuming there's something more to it. (Existing or planned.)

pprotas 1 day ago||

Any alternatives to mise with less bloat? I don’t want the direnv and tasks functionality

rsanheim 1 day ago||

Just...don't use them?

I've use mise happily for many months without using direnv or tasks, and everything I use it for works and is solid. Installs python, ruby, node, does the switching, does the shims, stays out of the way.

direnv and tasks and everything else mise can do is all opt-in.

arcanemachiner 1 day ago|||

asdf is a predecessor to mise, and focuses language version management only.

https://asdf-vm.com

NamlchakKhandro 1 day ago||

what bloat?

Ferret7446 1 day ago||

If you need to manage your dev secrets, it seems like you've fucked up? It's 2025, any secrets should be generated on or provisioned on a single machine. If you're copying them or storing them, then https://xkcd.com/463/

elric 1 day ago|

Yes, because in 2025 every business is FAANG scale and has a dedicated SRE team and a SecOps team to manage all the secrets foo. (/s, obviously)

Different people have different experiences and work on things in a very diverse scale. The existence of one thing does not obviate all other things.

azazel75 2 days ago||

[flagged]

cjp 2 days ago||

https://github.com/jdx/mise

It's a generic version manager (replacing nvm/pyenv/etc). It also does direnv and tasks.

NamlchakKhandro 1 day ago|||

click the link.

yoavm 2 days ago||

mise.jdx.dev/

domenkozar 2 days ago|

[flagged]

kstrauser 2 days ago||

How do you figure? I'm not involved with either project, but to my outsider eyes it seems like two completely different implementations of the same basic idea, with configuration that only looks necessarily similar to (i.e. there are only so many ways to write "here's how to look for secrets in 1Password" using TOML, which is a common configuration language and also one heavily used in the Rust ecosystem).

Also, devenv and mise also feel like different animals to me. I can't imagine many scenarios where I'd use them interchangeably.

domenkozar 2 days ago||

Look at the problem statement, it's exactly the same. When I designed secretspec, I researched the space and no other tool approached secrets in such a way.

Syntax of toml is almost identical, the CLI as well.

It even has the same vocabulary.

I didn't dig deeper though, but I'd be surprised not to find more :)

kstrauser 2 days ago|||

I almost feel like we're looking at different things. From secretspec[0]:

  [project]
  name = "web-api"
  revision = "2.1.0"
  extends = ["../shared/base", "../shared/auth"]
  
  [profiles.default]
  # Inherits DATABASE_URL, LOG_LEVEL from base
  # Inherits JWT_SECRET, SESSION_SECRET from auth
  # Service-specific additions:
  STRIPE_API_KEY = { description = "Stripe payment API", required = true }
  REDIS_URL = { description = "Redis cache connection", required = true }
  PORT = { description = "Server port", required = false, default = "3000" }

From fnox[1]:

  [secrets.DATABASE_URL]
  provider = "onepass"
  value = "Database"  # ← Item name in 1Password (fetches 'password' field)
  
  [secrets.DB_USERNAME]
  provider = "onepass"
  value = "Database/username"  # ← Specific field
  
  [secrets.API_KEY]
  provider = "onepass"
  value = "op://Development/API Keys/credential"  # ←

Is the similarity that they both refer to providers (as did Terraform and countless other config tools before it)? Or profiles (like aws-cli and countless other config tools before it)? Because other than that, I'm not really seeing it. And if I hadn't seen either of these, and my boss ordered me to implement something like them, I almost guarantee I'd use similar names for things because those are the common terms for them in industry.

Honestly, I'm not invested in either of these. They both look nifty, but I couldn't personally care less if either (or both or neither) of these catch on and become standards. I'm only commenting here because your statement here and on the linked discussion[2] ("it's almost a verbatim copy") seems incredibly aggressive, and to me, quite offputting. They don't look alike at all to me, other than that they both aim to do similar things and thus will have some natural overlap in terminology.

[0]https://secretspec.dev/concepts/declarative/

[1]https://github.com/jdx/fnox

[2]https://github.com/jdx/mise/discussions/6779#discussioncomme...

domenkozar 2 days ago||

[flagged]

kstrauser 2 days ago|||

> I'm asking for an attribution given that the tool was copied, how is that aggressive?

Because it implies that the tool is copied. To me, they look similar, in a way that all tools like this are going to look somewhat similar.

> - fnix imports, - secretspec extends

So, they both have ways to slurp in other files so that you can kind of emulate inheritance. They call them different things, but the idea's similar: they both look similar to mise's configuration hierarchy, which predates both tools.[0]

> - secretspec profiles, - fnix profiles

They both support named profiles like "dev", "production", etc... like so many other devops tools that I'm having a hard time narrowing it down to one pre-existing example among thousands.

No, I'm still not seeing it. Fnox seems to be a copy of secretspec in the same way that Nginx is a copy of Apache, because they both do similar things and have config files that talk about domain names and ports and paths and certificates.

[0]https://mise.jdx.dev/configuration.html#configuration-hierar...

lenova 2 days ago||

I have to agree... the linked Github files look like pretty generic config structures you'd find in projects, regardless of the tool or specification.

jonahx 1 day ago||||

> I'm asking for an attribution given that the tool was copied, how is that aggressive?

Your original comment is snarky and unprofessional. That's a bad look for projects that actually seem solid and impressive.

It's fine if you think your projects are better, and want to mention that. Just do it in a professional, objective way.

domenkozar 1 day ago||

[flagged]

nsonha 1 day ago||

Calling out people for being unprofessional is being unprofessional itself? Logic.

swaits 1 day ago||||

Bring it up with the author then. To the rest of us, what you're saying is senseless.

jauntywundrkind 1 day ago|||

I was with you that there are similarities & was happy to see another take.

Its a very strong & weight claim to say that fnox is a copy of secretspec though. There can be a lot of overlap. But there have been lots of others similar efforts too, such as sops, and many before.

It's much too complicated in my book to be making big claims like copying. That really pisses me against the software

KingMob 1 day ago|||

I don't see it, and like the other commenters, it seems like the design space is just constrained enough that the projects would have to have some similarities.

Regardless, if you think you're being copied, just copy right back. I suggest imitating the DX.

As someone who tried devenv (and nix-darwin for a while), before eventually returning to homebrew and mise, I really wanted to like it, but the nix complexity kept leaking out.

Mise does maybe 80% of what I did with devenv, but at only 1% of the hassle.

thucydides 1 day ago||

the configs, commands, and docs for this project are all different from those of your project?

maybe you feel upset that someone has created a project similar to yours, but your accusation seems meritless.

what am i missing, if anything?