Secrets. Docker. Silence.
Composer manages SOPS secrets and orchestrates Docker Compose. No local Python setup. No local sops. Just Docker.
Put start.sh or start.ps1 in your project root.
If you need a key:
```sh
./start.sh keygen
```

To encrypt .env:

```sh
./start.sh encrypt <public_key>
```

To decrypt secrets.enc:

```sh
./start.sh decrypt <private_key>
```

Just start it.

```sh
./start.sh
```

Composer resolves secrets automatically. It first looks for a plaintext env
file — .env, secrets/.env, then .secrets/.env — and uses the first one
that supplies every variable the compose file requires. If none qualify, it
falls back to an encrypted file (secrets.enc, secrets/secrets.enc,
.secrets/secrets.enc) and prompts for the AGE private key (unless given with
-k).

```sh
./start.sh -k <private_key> # skip the prompt for the encrypted path
```

`composer run [-m] [-s] [-F] [-f FILE] [-d] <service> <command...>` runs a command inside a service instead of typing `docker exec`/`docker run` by hand. Defaults to `docker compose exec <service> …`; `-m`/`--manage` prepends `python manage.py` (e.g. `./start.sh run -m web migrate --noinput`), `-s`/`--shell` runs the command via `sh -c` so pipes/`&&` work, and `-F`/`--fresh` uses a one-off `docker compose run --rm`. TTY is auto-detected. See `composer run --help`.

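The secret resolution order described above (plaintext candidates first, encrypted fallback), as an added sketch that is not Composer's own code. It assumes a variable counts as "required" when the compose file references it as `${NAME}` or `${NAME:?msg}` with no default; `resolve` and `demo` are hypothetical names and the demo files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Search order from the text above; the first qualifying file wins.
PLAINTEXT = (".env", "secrets/.env", ".secrets/.env")
ENCRYPTED = ("secrets.enc", "secrets/secrets.enc", ".secrets/secrets.enc")

# Assumption: "required" = referenced as ${NAME} or ${NAME:?msg} (no default).
REQUIRED_RE = re.compile(r"(?<!\$)\$\{([A-Za-z_][A-Za-z0-9_]*)(?::?\?[^}]*)?\}")
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=", re.M)


def resolve(root, compose_text):
    """Return (kind, relative_path, skipped); skipped maps each rejected
    plaintext file to the required variables it does not define."""
    root = Path(root)
    need = set(REQUIRED_RE.findall(compose_text))
    skipped = {}
    for rel in PLAINTEXT:
        path = root / rel
        if not path.is_file():
            continue
        missing = need - set(ASSIGN_RE.findall(path.read_text()))
        if not missing:
            return "plaintext", rel, skipped
        skipped[rel] = sorted(missing)
    for rel in ENCRYPTED:
        if (root / rel).is_file():
            return "encrypted", rel, skipped  # this path needs the AGE key
    return "none", None, skipped


def demo():
    """Constructed project: .env is incomplete, secrets/.env is complete."""
    compose = "environment:\n  A: ${DB_PASSWORD}\n  B: ${SECRET_KEY:?set it}\n  C: ${PORT:-8000}\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "secrets").mkdir()
        (root / ".env").write_text("DB_PASSWORD=x\n")
        (root / "secrets/.env").write_text("DB_PASSWORD=x\nSECRET_KEY=y\n")
        (root / "secrets.enc").write_text("constructed placeholder, not real SOPS output\n")
        first = resolve(root, compose)
        (root / "secrets/.env").unlink()
        second = resolve(root, compose)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run against a real project root, `resolve` shows which file would win, which makes it easy to spot a leftover plaintext env file taking precedence over `secrets.enc`.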
| flag | result |
|---|---|
| `-k`, `--key` | AGE private key for the encrypted-secrets path. |
| `-d`, `--dev` | Development mode. Loads `compose.dev.yml` on top of the base compose file (two files) and forces `DEBUG=True` / `DEBUG_STATUS=True` into every service. |
| `-u`, `--update [service]` | Pull the latest image(s) then recreate immediately. Pass a service name to update and recreate only that service (Compose still starts its dependencies; dependents aren't auto-restarted unless their own image changed). |
| `-uo`, `--update-only [service]` | Pull the latest image(s) before the normal full startup, without scoping the recreate. Optionally a single service. |
| `-r`, `--restart [service]` | Restart running containers via `docker compose restart` instead of a `--down` + start. Containers are preserved, so baked-in env vars survive. Pass a service name to restart only that service. |
| `-b`, `--build` | Rebuild images during startup. |
| `--down` | Stop everything. |
| `-v`, `--volumes` | Remove volumes too. |
| `-p`, `--purge` | With `--down`: also remove built untagged images, volumes, networks, orphans, and dangling build cache. |
| `--encrypt` | Encrypt a dotenv file with an AGE public key. |
| `--decrypt` | Decrypt an encrypted dotenv file. |

- Secrets: Plaintext env first (must satisfy the compose's required vars), encrypted `secrets.enc` as fallback.
- Version: Every service gets `COMPOSER_VERSION`.
- UI: Progress stays on one status line.
- Image: Wrapper scripts target `debeski/composer:latest`.

Installing sops, age, and Python everywhere is friction. Composer keeps the toolchain inside the container and leaves the project root alone.