Is it possible to have configuration elsewhere

Yes, you can use an external configuration system like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc., instead of putting all secrets and connection details into .env. Laravel's default use of the .env file is for convenience and local development, but it’s not mandatory in production, especially for secrets management.

✅ Overview of What You're Asking

Your .env is bloating with multiple service credentials (MQTT, AMQP, DBs, Redis, Elasticsearch, etc.).
You want to offload these to a centralized secrets manager.
You're okay with customizing Config::get() calls.
You're unsure which internal Laravel variables must come from .env.

🔧 Options & Implementation

1. Use Vault (or other secret stores) on Boot

You can integrate Vault (or any other system) during the application boot and override configuration values programmatically.

Step-by-step:

a. Pull Secrets on Boot

Edit your AppServiceProvider.php or make a custom SecretProviderServiceProvider and do something like:

public function register()
{
    if (app()->environment('production')) {
        $secrets = $this->getSecretsFromVault(); // pull from Vault/API
        config([
            'database.connections.mysql.username' => $secrets['db_user'],
            'database.connections.mysql.password' => $secrets['db_pass'],
            'cache.stores.redis.password' => $secrets['redis_pass'],
            'queue.connections.rabbitmq.host' => $secrets['amqp_host'],
            // etc.
        ]);
    }
}

b. Use Vault SDK or HTTP API

You can use Guzzle or a Laravel Vault package like:

ryanwinchester/vault-php
Or direct HTTP call to Vault using Guzzle to fetch secrets.

c. Set only core ENV vars in `.env`

Your .env can then contain only:

APP_KEY=...
APP_ENV=production
VAULT_TOKEN=...
VAULT_ADDR=https://vault.yourdomain.com

2. Laravel Internal Configs That Must Be ENV

Some Laravel internals require values from .env before any config logic can run:

⚠️ Required in `.env` (or system-level ENV):

APP_KEY – Needed before Laravel encryption works.
APP_ENV, APP_DEBUG – Used in bootstrap/app.php.
LOG_CHANNEL, LOG_LEVEL – Logging setup runs early.
CACHE_DRIVER, QUEUE_CONNECTION – Drivers need early resolution.
.env is parsed before your app bootstraps.

You cannot use Config::get() to replace those unless Laravel has already bootstrapped.

💡 A workaround: define custom placeholder values in .env like:

DB_USERNAME=__vault__
DB_PASSWORD=__vault__

Then during boot, if you detect __vault__, replace it with real ones.

🛡️ Security Best Practices

Use system-level environment variables (e.g., on the server, Docker secrets).
Use Vault Agent Injector (for Kubernetes) or template rendering to write secrets to files on the container, which Laravel can read.
Don’t hardcode secrets in git-managed .env for production.

✅ Final Advice

Yes, external secret management is possible and advisable.
You must keep certain bootstrap-critical .env values.
For the rest, use AppServiceProvider or a custom bootstrapping class to inject secrets from Vault (or AWS Secrets Manager).
You can even build a custom Laravel Config loader if needed.