diff --git a/.aws/credentials.j2 b/.aws/credentials.j2
new file mode 100644
index 0000000000000000000000000000000000000000..76c3be89450a1a2ca5773f1d72e22571ffeea153
--- /dev/null
+++ b/.aws/credentials.j2
@@ -0,0 +1,8 @@
+# vim: ft=cfg
+[shore]
+aws_access_key_id = {{ run(["ph", "show", "--field", "UserName", "shore.co.il/AWS CLI"])["stdout"] }}
+aws_secret_access_key = {{ run(["ph", "show", "--field", "Password", "shore.co.il/AWS CLI"])["stdout"] }}
+
+[smile]
+aws_access_key_id = {{ run(["ph", "show", "--field", "UserName", "Smile/AWS CLI"])["stdout"] }}
+aws_secret_access_key = {{ run(["ph", "show", "--field", "Password", "Smile/AWS CLI"])["stdout"] }}
diff --git a/.bashrc.private.j2 b/.bashrc.private.j2
new file mode 100644
index 0000000000000000000000000000000000000000..dab2e8bcd6aa2f26e7a3d0d0d1e20138f0106bb5
--- /dev/null
+++ b/.bashrc.private.j2
@@ -0,0 +1,7 @@
+# vim: ft=bash
+export GITLAB_TOKEN='{{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab token"])["stdout"] }}'
+export GITLAB_PRIVATE_TOKEN="$GITLAB_TOKEN"
+export GITLAB_REGISTRATION_TOKEN='{{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab runner registration token"])["stdout"] }}'
+export GITHUB_TOKEN='{{ run(["ph", "show", "--field", "CLI token", "Web Sites/GitHub"])["stdout"] }}'
+{% set nc_password = run(["ph", "show", "--field", "Password", "shore.co.il/LDAP"])["stdout"] %}
+export RCLONE_CONFIG_NEXTCLOUD_PASS='{{ run(["rclone", "obscure", nc_password]) }}'
diff --git a/.bundle/config.j2 b/.bundle/config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0dbaff7f6320aafafab43592c5fa40f1550f6a65
--- /dev/null
+++ b/.bundle/config.j2
@@ -0,0 +1,3 @@
+# vim:ft=yaml
+---
+BUNDLE_HTTPS://RUBYGEMS__PKG__GITHUB__COM/SMILE-IO/: '{{ run(["ph", "show", "--field", "UserName", "Web Sites/GitHub"])["stdout"] }}:{{ run(["ph", "show", "--field", "Smile gem token", "Web Sites/GitHub"])["stdout"] }}'
diff --git a/.config/gem/gemrc.j2 b/.config/gem/gemrc.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d75d87bc0dc3b7d0d2f049780d6ce8e8fa7f0c5d
--- /dev/null
+++ b/.config/gem/gemrc.j2
@@ -0,0 +1,10 @@
+# vim: ft=yaml
+---
+:backtrace: false
+:bulk_threshold: 1000
+:sources:
+- https://rubygems.org/
+- https://{{ run(["ph", "show", "--field", "UserName", "Web Sites/GitHub"])["stdout"] }}:{{ run(["ph", "show", "--field", "Smile gem token", "Web Sites/GitHub"])["stdout"] }}@rubygems.pkg.github.com/smile-io/
+:update_sources: true
+:verbose: true
+:concurrent_downloads: 8
diff --git a/.config/python-gitlab.cfg.j2 b/.config/python-gitlab.cfg.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5a51c00df11c3f8a57eb0d2faf3bd3e0be7a303c
--- /dev/null
+++ b/.config/python-gitlab.cfg.j2
@@ -0,0 +1,9 @@
+# vim: ft=cfg
+[global]
+default = shore.co.il
+ssl_verify = true
+
+[shore.co.il]
+url = https://git.shore.co.il/
+private_token = {{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab token"])["stdout"] }}
+api_version = 4
diff --git a/Makefile b/Makefile
index cf903fb556c1d2eb60a57e033593331284454cd7..dd643af03cc5985f344e2f7746f7f74b7eaa71d7 100644
--- a/Makefile
+++ b/Makefile
@@ -29,14 +29,6 @@ all: .config/pythonrc.py
 	$(mkd)
 	$(download) https://raw.githubusercontent.com/lonetwin/pythonrc/0.8.4/pythonrc.py
 
-all: .bashrc.private
-.bashrc.private: Documents/Database.kdbx
-	echo "export GITLAB_TOKEN='$$(ph show --field Password 'shore.co.il/GitLab token')'" > '$@'
-	echo 'export GITLAB_PRIVATE_TOKEN="$$GITLAB_TOKEN"' >> '$@'
-	echo "export GITLAB_REGISTRATION_TOKEN='$$(ph show --field Password 'shore.co.il/GitLab runner registration token')'" >> '$@'
-	echo "export GITHUB_TOKEN='$$(ph show --field 'CLI token' 'Web Sites/GitHub')'" >> '$@'
-	printf "export RCLONE_CONFIG_NEXTCLOUD_PASS='%s'\n" "$$(rclone obscure "$$(ph show --field 'Password' 'shore.co.il/LDAP')")" >> '$@'
-
 all: .ssh/config
 .ssh/config: $(ssh_configs)
 	$(mkd)
@@ -58,52 +50,33 @@ all: .ssh/authorized_keys
 	$(mkd)
 	-$(ansible-local) -m authorized_key -a "user=$$(whoami) key='$$(cat .ssh/localhost.pub)' key_options='from=\"127.0.0.1/8\"'"
 
+all: .gnupg/trustdb.gpg
+.gnupg/trustdb.gpg: Documents/Database.kdbx
+	ph show --field 'Notes' 'GPG/D3B913DE36AB5565DCAC91C6A322378C61339ECD' | gpg --import
+	echo 'D3B913DE36AB5565DCAC91C6A322378C61339ECD:6:' | gpg --import-ownertrust
+	chmod 600 '$@'
+
+all: .bashrc.private
+.bashrc.private: .bashrc.private.j2 Documents/Database.kdbx
+	$(mkd)
+	template '$<' > '$@'
+
 all: .config/python-gitlab.cfg
-.config/python-gitlab.cfg: Documents/Database.kdbx
+.config/python-gitlab.cfg: .config/python-gitlab.cfg.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '[global]' > '$@'
-	echo 'default = shore.co.il' >> '$@'
-	echo 'ssl_verify = true' >> '$@'
-	echo '' >> '$@'
-	echo '[shore.co.il]' >> '$@'
-	echo 'url = https://git.shore.co.il/' >> '$@'
-	echo "private_token = $$(ph show --field Password 'shore.co.il/GitLab token')" >> '$@'
-	echo 'api_version = 4' >> '$@'
+	template '$<' > '$@'
 
 all: .config/gem/gemrc
-.config/gem/gemrc: Documents/Database.kdbx
+.config/gem/gemrc: .config/gem/gemrc.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '# vim: ft=yaml' > '$@'
-	echo '---' >> '$@'
-	echo ':backtrace: false' >> '$@'
-	echo ':bulk_threshold: 1000' >> '$@'
-	echo ':sources:' >> '$@'
-	echo '- https://rubygems.org/' >> '$@'
-	echo "- https://$$(ph show --field 'UserName' 'Web Sites/GitHub'):$$(ph show --field 'Smile gem token' 'Web Sites/GitHub')@rubygems.pkg.github.com/smile-io/" >> '$@'
-	echo ':update_sources: true' >> '$@'
-	echo ':verbose: true' >> '$@'
-	echo ':concurrent_downloads: 8' >> '$@'
+	template '$<' > '$@'
 
 all: .bundle/config
-.bundle/config: Documents/Database.kdbx
+.bundle/config: .bundle/config.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '# vim:ft=yaml' > '$@'
-	echo '---' >> '$@'
-	echo "BUNDLE_HTTPS://RUBYGEMS__PKG__GITHUB__COM/SMILE-IO/: '$$(ph show --field 'UserName' 'Web Sites/GitHub'):$$(ph show --field 'Smile gem token' 'Web Sites/GitHub')'" >> '$@'
+	template '$<' > '$@'
 
 all: .aws/credentials
-.aws/credentials: Documents/Database.kdbx
+.aws/credentials: .aws/credentials.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '[shore]' > '$@'
-	echo "aws_access_key_id = $$(ph show --field 'UserName' 'shore.co.il/AWS CLI')" >> '$@'
-	echo "aws_secret_access_key = $$(ph show --field 'Password' 'shore.co.il/AWS CLI')" >> '$@'
-	echo '' >> '$@'
-	echo '[smile]' > '$@'
-	echo "aws_access_key_id = $$(ph show --field 'UserName' 'Smile/AWS CLI')" >> '$@'
-	echo "aws_secret_access_key = $$(ph show --field 'Password' 'Smile/AWS CLI')" >> '$@'
-
-all: .gnupg/trustdb.gpg
-.gnupg/trustdb.gpg: Documents/Database.kdbx
-	ph show --field 'Notes' 'GPG/D3B913DE36AB5565DCAC91C6A322378C61339ECD' | gpg --import
-	echo 'D3B913DE36AB5565DCAC91C6A322378C61339ECD:6:' | gpg --import-ownertrust
-	chmod 600 '$@'
+	template '$<' > '$@'