Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

Feature Request: Detect that secret decryption depends on decrypted secret #324

Open lorenzleutgeb opened 1 year ago

lorenzleutgeb commented 1 year ago

While trying out sops-nix I configured:

{
  sops = {
    # The decryption key is itself a sops-managed secret ...
    age.sshKeyPaths = [ config.sops.secrets."ssh/key".path ];
    # ... which sops-nix can only provision after decrypting with that key.
    secrets."ssh/key" = { sopsFile = ./sops/ssh.yaml; };
  };
}

That is, I tried to make the SSH host key both a secret, and the key to decrypt secrets. This even worked with nixos-rebuild switch since I did this step by step and first added secrets."ssh/key". However, I noticed my mistake, and if I understood sops-nix correctly, this configuration will not boot.

sops-nix could be more helpful here, and check that the options referring to keys for secret decryption (age.keyFile, age.sshKeyPaths, gnupg.home, gnupg.sshKeyPaths) are actually not secrets. For example, if any of those paths start with /run/secrets, something is wrong, and probably worth at least a warning, maybe even failure.

I understand that finding out whether a file is a secret can be tricky, but a simple heuristic like looking for /run/secrets might already be helpful to prevent stupid mistakes.

Mic92 commented 1 year ago

The only problem is that right now we populate age.sshKeyPaths by default from sops, and it might trigger false positives for folks who want to manage SSH host keys with sops-nix but use other sops decryption methods instead, i.e. aws-kms/gpg/normal age keys.

Mic92 commented 1 year ago

I guess the warning could also have a message that tells users to explicitly unset sops.age.sshKeyPaths in those cases.
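The heuristic proposed in the issue, combined with the explicit-unset hint from the reply above, as an added sketch of a NixOS module; it is not part of sops-nix, and it assumes the option names named in the issue (age.keyFile, age.sshKeyPaths, gnupg.home, gnupg.sshKeyPaths), that secrets are provisioned under /run/secrets, and that plain string comparison of paths is good enough for a warning.

```nix
# Added example, not sops-nix code: warn when a decryption key path is itself a
# sops-managed secret, which can never be decrypted at boot.
{ config, lib, ... }:
let
  cfg = config.sops;

  # Every path a sops-managed secret will be provisioned to.
  secretPaths = map toString (lib.mapAttrsToList (_: s: s.path) cfg.secrets);

  # All key material sops-nix may use for decryption (options from the issue).
  # null-valued options are skipped; list options are included as-is.
  keyPaths = map toString (
    lib.optional (cfg.age.keyFile != null) cfg.age.keyFile
    ++ cfg.age.sshKeyPaths
    ++ lib.optional (cfg.gnupg.home != null) cfg.gnupg.home
    ++ cfg.gnupg.sshKeyPaths
  );

  # Heuristic: a key path is suspect if it matches a declared secret exactly
  # or lives under the secrets directory (assumed to be /run/secrets).
  isSecretPath = p: lib.elem p secretPaths || lib.hasPrefix "/run/secrets" p;

  offenders = lib.filter isSecretPath keyPaths;
in
{
  # Emit a build-time warning rather than a hard failure, so that hosts which
  # manage SSH host keys with sops-nix but decrypt via another method (aws-kms,
  # gpg, a plain age key) are told how to silence the false positive.
  config = lib.mkIf (offenders != [ ]) {
    warnings = [
      ''
        sops-nix: these decryption key paths are themselves sops-managed secrets
        and cannot be available at boot: ${lib.concatStringsSep ", " offenders}.
        If you decrypt with another method, set sops.age.sshKeyPaths = [ ];
        explicitly so the default (derived from services.openssh.hostKeys) is not used.
      ''
    ];
  };
}
```

Importing this module alongside the configuration from the issue produces the warning during evaluation, before nixos-rebuild switch activates a generation that would fail to provision secrets.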