3 files changed, 18 insertions, 2 deletions

diff --git a/lib/subcommands/init.bash b/lib/subcommands/init.bash
index c5625f2..46497f5 100644
--- a/lib/subcommands/init.bash
+++ b/lib/subcommands/init.bash
@@ -32,6 +32,7 @@ init_local()
 
 	local files=(
 		"$BASHTARD_ETCDIR/defaults"
+		"$BASHTARD_ETCDIR/secrets"
 		"$BASHTARD_ETCDIR/hosts.d/${BASHTARD_PLATFORM[fqdn]}"
 		"$BASHTARD_ETCDIR/os.d/${BASHTARD_PLATFORM[key]}"
 		"$BASHTARD_ETCDIR/playbooks.d/remotes"
@@ -48,6 +49,12 @@ init_local()
 		notice "bashtard/init" "Creating $file"
 		touch -- "$file"
 	done
+
+	chmod 600 -- "$BASHTARD_ETCDIR/secrets"
+
+	cat > "$BASHTARD_ETCDIR/.gitignore" <<-EOF
+	secrets
+	EOF
 }
 
 init_remote()
diff --git a/lib/subcommands/var.bash b/lib/subcommands/var.bash
index 3e8fc0b..4eaf14d 100644
--- a/lib/subcommands/var.bash
+++ b/lib/subcommands/var.bash
@@ -8,12 +8,14 @@ subcommand()
 {
 	local key
 	local value
+	local secret
 
 	# Handle opts
-	while getopts ":p:" opt
+	while getopts ":p:s" opt
 	do
 		case "$opt" in
 			p) export BASHTARD_PLAYBOOK="$OPTARG" ;;
+			s) secret=1 ;;
 			*) emerg "Unused opt '$opt'?" ;;
 		esac
 	done
@@ -40,7 +42,13 @@ subcommand()
 	local kvfile
 	local buffer
 
-	kvfile="$BASHTARD_ETCDIR/hosts.d/${BASHTARD_PLATFORM[fqdn]}"
+	if [[ $secret ]]
+	then
+		kvfile="$BASHTARD_ETCDIR/secrets"
+	else
+		kvfile="$BASHTARD_ETCDIR/hosts.d/${BASHTARD_PLATFORM[fqdn]}"
+	fi
+
 	buffer="$(tmpfile)"
 
 	grep -v "^$key=" < "$kvfile" > "$buffer"
diff --git a/lib/util/config.bash b/lib/util/config.bash
index 06da99a..7918a1e 100644
--- a/lib/util/config.bash
+++ b/lib/util/config.bash
@@ -16,6 +16,7 @@ config_for() {
 	local files
 
 	files=(
+		"$BASHTARD_ETCDIR/secrets"
 		"$BASHTARD_ETCDIR/hosts.d/$host"
 		"$BASHTARD_ETCDIR/os.d/${BASHTARD_PLATFORM[key]}"
 		"$BASHTARD_ETCDIR/defaults"