# How do you manage env secrets on a VPS?

steady mist
On larger cloud platforms there's typically an obvious approach (using the secrets manager they provide). But on something smaller like Hetzner (or whatever) there isn't such a solution.

I'm wondering how others go about managing their secrets and what the reasoning for their approach is. There's Bitwarden Secrets Manager, and Infisical (which seems a bit nicer as they provide a container).

But I'm not sure there's a fat lot of gain over using Ansible Vault and creating a .env file on the server. If everyone else has converged on something different / better though I'd like to hear 🙂

limber berry
Generally, we use CI variables in GitLab CI that get put into a .env file on the VM as part of the deployment pipeline

steady mist
limber berry
Yep. We also use Ansible to do it

steady mist
limber berry
Yeah. Some are pulled from our internal LDAP, though. And we had plans to also integrate the company Keeper account