
Feature: templates based on secrets #95

Open
Radvendii opened this issue Jan 18, 2022 · 2 comments

Radvendii commented Jan 18, 2022

Motivation

It has come up a couple of times that I've wanted a file to mostly not be encrypted, but have a few secrets in it (for instance, a config file that has a password in it). Of course, one can just encrypt the whole file, but it's less elegant, makes it awkward to share a common secret between files that depend on it, and makes it so only those with permissions to decrypt the secret can change other things in the file.

Proposal

The solution that I thought of is having another kind of secret that is specified by a template, and a list of secrets it depends on. Agenix would then splice in the secrets at activation time. I'm working on an implementation and will make a PR when done, but I wanted to see if people liked this idea in the meantime.

Problems

The downside is it adds some complexity to the code. We would need logic to say "if it's a regular secret, do X, if it's a template secret do Y". This is maybe okay in this case, but it worries me that this starts to be complexity creep and things become harder to maintain. I guess the question comes down to: is it worth it in this case? Is this a common enough use-case to include? It is for me, but I don't know whether other people use agenix in this way a lot.

Alternatives

In theory, this doesn't need to be managed by agenix. I could create an activationScript that runs after agenix and pieces the secrets together. However, that requires some amount of repetition of code, and I never need to do this except when managing secrets. Usually I would paste things together at build time.
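An added example of the activation-time splice that both the proposal and the activationScript alternative describe. This is illustration code written for this page, not agenix's code and not Radvendii's implementation: a POSIX shell function that renders a mostly-plaintext config from a template by replacing `{{name}}` placeholders with the contents of the matching decrypted secret file. The `{{name}}` syntax, the `render_template` name and the `SECRETS_DIR` override are assumptions made for the example; `/run/agenix` is only used because it is the directory agenix decrypts into by default. The points a practitioner wants from such a script are that it fails closed when a referenced secret is missing, splices secret bytes literally (no `sed`, `eval` or regex replacement that would mangle `&`, `\` or `/` in a password), never places a secret on a command line where `ps` could see it, and writes the result atomically with a restrictive mode.

```shell
#!/bin/sh
# Added example (not agenix's code): splice agenix-decrypted secrets into an
# otherwise plaintext config at activation time, the way a templated secret or
# a post-agenix activationScript would. Placeholders look like {{name}} and are
# replaced with the contents of "$SECRETS_DIR/name". /run/agenix is agenix's
# default secrets directory; everything else here is assumed for the example.
#
# Usage: render_template TEMPLATE OUTPUT [MODE]

render_template() {
  template=$1
  output=$2
  mode=${3:-0400}
  secrets_dir=${SECRETS_DIR:-/run/agenix}

  # Distinct placeholder names used by the template. Names are restricted to
  # [A-Za-z0-9_] so a template can never smuggle in a path component like "../".
  names=$(grep -o '{{[A-Za-z0-9_][A-Za-z0-9_]*}}' "$template" \
          | sed 's/^{{//; s/}}$//' | sort -u)

  # Fail closed: a config with a literal {{db_password}} left in it is worse
  # than no config, so refuse to render if any referenced secret is missing.
  for n in $names; do
    if [ ! -r "$secrets_dir/$n" ]; then
      echo "render_template: missing secret $secrets_dir/$n" >&2
      return 1
    fi
  done

  # Render into a 0600 temp file beside the destination, then mv into place,
  # so no reader ever observes a partially written or world-readable file.
  # Secrets are read by awk from the files themselves: they never appear on a
  # command line or in an environment variable.
  tmp=$(mktemp "$(dirname "$output")/.render.XXXXXX") || return 1
  NAMES="$names" SECRETS_DIR="$secrets_dir" awk '
    BEGIN {
      # Read each secret once. Lines are re-joined with "\n" but the trailing
      # newline is dropped, so "password = {{db_password}}" stays on one line.
      nn = split(ENVIRON["NAMES"], name, " ")
      for (i = 1; i <= nn; i++) {
        path = ENVIRON["SECRETS_DIR"] "/" name[i]; val = ""; first = 1
        while ((getline line < path) > 0) { val = val (first ? "" : "\n") line; first = 0 }
        close(path)
        secret[name[i]] = val
      }
    }
    {
      # Literal splice via index arithmetic: gsub() would interpret "&" and
      # "\" inside the secret, and a sed s/// would also choke on "/". The
      # already-rendered prefix is never rescanned, so a secret that itself
      # contains "{{x}}" is not expanded a second time.
      out = ""; rest = $0
      while (match(rest, /[{][{][A-Za-z0-9_]+[}][}]/)) {
        key = substr(rest, RSTART + 2, RLENGTH - 4)
        out = out substr(rest, 1, RSTART - 1) secret[key]
        rest = substr(rest, RSTART + RLENGTH)
      }
      print out rest
    }' "$template" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod "$mode" "$tmp" && mv -f "$tmp" "$output"
}
```

Called from a `system.activationScripts` entry ordered after agenix's own, this gives the templated-secret behaviour the proposal asks for; re-rendering on every activation is cheap and idempotent. The constructed test input below uses a password containing `&`, `/`, `\` and `$`, which is exactly the input a quick sed-based paste script gets wrong.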

ryantm (Owner) commented Jan 26, 2022

See #96 (comment) for my comments on this.

ryantm closed this as completed Jan 26, 2022
ryantm reopened this Jan 26, 2022
jhillyerd commented Aug 22, 2022

I think templating would be a valuable addition to agenix, I've run into a number of scenarios where it would be helpful. I eventually rolled my own, but it was a lot of effort to get working well. It doesn't make sense that everyone should re-invent the wheel on this, and I expect many would give up before they got it working.

My implementation differs from #96, it is a nixos module that uses an activation script.

Update: I've published a flake: https://github.com/jhillyerd/agenix-template

3 participants