Raised: $0
0% of monthly goal Help us cross the finish line!
Goal: $12,000
Raised: $0 Goal: $12,000
0% of monthly goal Help us cross the finish line!
Sponsor DDEV

If you find this add-on useful, please star it on GitHub — stars show appreciation and help maintainers know their work matters.

add-on registry release license

DDEV Varlock

Overview

Varlock provides AI-safe .env files: schemas for agents, secrets for humans. It validates and type-checks environment variables, prevents secret leaks, and can resolve secrets from providers like 1Password, Infisical, and Doppler at runtime.

This add-on installs the Varlock CLI into the DDEV web container and wires it up to automatically load and validate your project’s environment variables on every ddev start.

Installation

ddev add-on get MetaSyntactical/ddev-varlock
ddev restart

After installation, make sure to commit the .ddev directory to version control.

Prerequisites

Usage

Obtaining provider credentials

Scope credentials as narrowly as possible (read-only, single vault/policy, short TTL) rather than reusing a personal or admin token — they’ll sit in your host shell environment for the life of the session.

Configuration

Pinning the Varlock version

By default, the add-on installs the latest Varlock release every time the web image is built. To pin a specific version instead:

ddev dotenv set .ddev/.env.varlock --varlock-version=<version>
ddev restart

For example:

ddev dotenv set .ddev/.env.varlock --varlock-version=1.9.0
ddev restart

Use a plain semantic version without a v prefix (e.g. 1.9.0), matching the tags in the Varlock releases. Leave .ddev/.env.varlock absent, or its value empty, to keep installing the latest release on every build.

Make sure to commit .ddev/.env.varlock to version control once you’ve pinned a version.

Using a different secrets provider

Varlock supports many more providers than the ones listed above — for example Azure Key Vault, Google Secret Manager, Akeyless, Bitwarden, Keeper, Passbolt, Proton Pass, and Dashlane (see the full plugin list). Each has its own auth variable(s), e.g. Azure Key Vault needs AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET.

This add-on only pre-declares web_environment passthroughs for the most common providers. web_environment entries listed as a bare name (no =value) tell DDEV to forward that variable from your host shell into the web container at start time — the value itself is never written to .ddev/config.yaml, so it’s safe to add even for secrets.

To add support for another provider’s variable(s) in your project, run:

ddev config --web-environment-add="AZURE_TENANT_ID"
ddev config --web-environment-add="AZURE_CLIENT_ID"
ddev config --web-environment-add="AZURE_CLIENT_SECRET"
ddev restart

This appends the passthrough entries to your project’s own .ddev/config.yaml (under web_environment), on top of the ones this add-on already registers globally — no need to fork or modify the add-on itself. Reference the resulting variables in your .env.schema the same way as the built-in providers (e.g. @initAzureKeyVault(tenantId=$AZURE_TENANT_ID, ...)), export the values in your host shell, then ddev restart.

Credits

Maintained by MetaSyntactical

If you find this add-on useful, please star it on GitHub — stars show appreciation and help maintainers know their work matters.