Use dotenvx with Turborepo
Use dotenvx with Turborepo
Find code examples for this guide on GitHub.
Initial setup
Create a new monorepo.
npx create-turbo@latest
This will create a handful of files and a couple workspaces (apps).
$ ls -1
README.md
apps/
node_modules/
package-lock.json
package.json
packages/
turbo.json
Edit apps/web/app/page.tsx to include process.env.HELLO – to say 'Hello World'.
apps/web/app/page.tsx
export default function Page() {
return (
<>
Hello {process.env.HELLO}
</>
);
}
Declare the apps/web environment variable in turbo.json by adding a web#build configuration under the pipeline configuration key.
turbo.json
...
"pipeline": {
...
"web#build": {
"dependsOn": [
"^build"
],
"env": [
"HELLO"
]
},
...
Run dotenvx
Install dotenvx under apps/web
cd apps/web
npm install @dotenvx/dotenvx --save
cd ../..
Create a .env file under apps/web.
apps/web/.env
# apps/web/.env
HELLO="World"
Adjust your apps/web/package.json scripts to inject your env using dotenvx.
apps/web/package.json
...
"scripts": {
"dotenvx": "dotenvx",
"build": "dotenvx run -- turbo build",
"dev": "dotenvx run -- turbo dev",
"lint": "dotenvx run -- turbo lint",
"format": "prettier --write \"**/*.{ts,tsx,md}\""
},
See more about using environment variables with turborepo.
Try running it locally.
$ npm run dev
web:dev: [[email protected]] injecting env (1) from .env
docs:dev: - ready started server on 0.0.0.0:3001, url: http://localhost:3001
web:dev: - ready started server on 0.0.0.0:3000, url: http://localhost:3000
Visit localhost:3000.
Your app will say Hello World. The values from your .env file were successfully injected into your env.
Add production environment
Create a .env.production file under apps/web.
apps/web/.env.production
# apps/web/.env.production
HELLO="production"
Encrypt production
dotenvx encrypt -f apps/web/.env.production
Your .env.production file is now encrypted, and you have a .env.keys file.
apps/web/.env.production
#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/ public-key encryption for .env files /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY_PRODUCTION="025a54defaeff32caa2bbe60537b88b5b89716eade6df08418d7a68f5c4f742be6"
# .env.production
HELLO="encrypted:BD+uttK9iBuXnfx6HukDK06IGk0pQARwivtxM+ZiePvhRxHyQL3UD0sf0ayLw/P5Y/BED//zRiTlUf6nENuu7QhNJ24g3uADfrDfhvYi/MOHjmfKyRiu+yOxSw6e+c0yRNukS+n8SxONnec="
apps/web/.env.keys
#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
# .env.production
DOTENV_PRIVATE_KEY_PRODUCTION="424d0ea072eb17c6bee9b4b42ff6333513cf128ea3d5d60ccf79246ca7c3f786"
You SHOULD commit .env.production to code. It is now encrypted, safe, and recommended to do so. But DO NOT commit .env.keys to code. Keep them somewhere safe like 1Password.
We're ready to inject the encrypted .env.production secrets into the app on boot.
Set decryption key
Set DOTENV_PRIVATE_KEY_PRODUCTION using the production key in your apps/web/.env.keys file.
DOTENV_PRIVATE_KEY_PRODUCTION="424d0ea072eb17c6bee9b4b42ff6333513cf128ea3d5d60ccf79246ca7c3f786" npm run dev
Your script starts and env is successfully injected using the encrypted contents of .env.production.
web:dev: [[email protected]] injecting env (1) from .env
docs:dev: - ready started server on 0.0.0.0:3001, url: http://localhost:3001
web:dev: - ready started server on 0.0.0.0:3000, url: http://localhost:3000
Visit your url and it says Hello production.
You succesfully add encryption to your .env files. This is safer than scattering your secrets across third-party platforms and tools. When you need to update a secret, run dotenvx set KEY value and redeploy.
Great job! That's pretty much it. See the bonus section(s) below to go a little deeper.
Bonus
Try changing the value of .env.production to your name.
npm run dotenvx -- set HELLO Mot -f .env.production
Commit .env.production safely to code and redeploy.
