Closed teto closed 3 months ago
Thanks for your feedback ! I'm glad it helped :)
It's not explicitly stated, but this should work:

```yaml
environments:
  dev:
    files:
      - variable: MY_SSH_KEY
        dest: /tmp/somewhere/specific
        content:
          sops:
            file: path/to/encrypted.yml
            extract: '["sshPrivateKey"]'
```
Under the hood the `sops` module takes as parameter `file` and optionally an `extract`, which generates a string suitable for both `variables` and `files` modules. I didn't show every situation in the examples, but I could if it proves useful.
You can check out the full config schema here: https://novops.dev/config/schema.html#environments_additionalProperties_files_items_content_anyOf_i2_anyOf_i8_sops
Let me know if it works for you!
That's cool, that works.
I have a question about the inner workings of novops, aka does it load secrets in the order they exist in the file? Let me explain my issue: I want to get access to a secret via sops. To decipher the sops file, I need an age key which lives in bitwarden. I wonder if I can make the previous scenario in simwork?
Somehow I wonder if

```yaml
environments:
  dev:
    variables:
      - name: SOPS_AGE_KEY_FILE
        value: dev.age
    files:
      - dest: dev.age
        content:
          bitwarden:
            entry: dev - Age Key
            field: notes
      - dest: ssh-dev.key
        content:
          sops:
            file: nixos/secrets.dev.yaml
            extract: '["sshPrivateKey"]'
```

would work, just relying on the order of the execution: would novops follow the order defined in `.novops.yaml`, aka:
In my test, it seems like it fails because novops swaps 3 and 2 (not sure yet). 1 is less of an issue; it seems like I can rerun novops via direnv and SOPS_AGE_KEY_FILE will be set (which might be an issue too: do we want `novops load` to be atomic?).
Maybe there is a better way than just relying on the order. I am curious about your opinion
Glad it worked :)
> does it load secrets in the order they exist in the file?
Unfortunately no, order is not guaranteed and I plan to support loading in parallel
> simwork
:scream:
> I want to get access to a secret via sops. To decipher the sops file, I need an age key which lives in bitwarden.

Your use case is pretty clear: in short you need to be able to depend on entry X to load entry Y? That's not currently possible, but it can be done!
However order in YAML won't change anything: all secrets are loaded in memory before being exported as env vars or files, so even if X is loaded before Y, X won't be available at the time Y is loaded.
You can indeed rely on chained `novops load`/`novops run` in different files or environments, but that's not practical.
Can you file a specific issue for that please? ;) I'll let you close this one.
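The loading semantics described above (resolve every entry in memory, then export) next to a dependency-aware alternative, as an added Python model written for this thread; it is not novops' code, the Bitwarden and sops backends are constructed stand-ins, and `depends_on` is a hypothetical key that novops does not have.

```python
import json
from graphlib import TopologicalSorter

# Constructed stand-ins for the Bitwarden note and the sops-encrypted file.
FAKE_BITWARDEN = {("dev - Age Key", "notes"): "AGE-SECRET-KEY-1EXAMPLE"}
FAKE_SOPS_FILE = {"sshPrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n"}

# Entries mirroring the thread's .novops.yaml; `depends_on` is hypothetical.
ENTRIES = [
    {"name": "SOPS_AGE_KEY_FILE", "value": "dev.age"},
    {"dest": "dev.age", "content": {"bitwarden": {"entry": "dev - Age Key", "field": "notes"}}},
    {"dest": "ssh-dev.key", "depends_on": ["SOPS_AGE_KEY_FILE", "dev.age"],
     "content": {"sops": {"file": "nixos/secrets.dev.yaml", "extract": '["sshPrivateKey"]'}}},
]

def resolve(entry, env, files):
    """Resolve one entry; the sops stand-in needs the age key file to exist first."""
    if "content" not in entry:
        return entry["value"]
    src = entry["content"]
    if "bitwarden" in src:
        return FAKE_BITWARDEN[(src["bitwarden"]["entry"], src["bitwarden"]["field"])]
    if env.get("SOPS_AGE_KEY_FILE") not in files:  # like sops: no key, no decrypt
        raise RuntimeError("sops: age key not available at load time")
    return FAKE_SOPS_FILE[json.loads(src["sops"]["extract"])[0]]

def export(entry, value, env, files):
    """Export a resolved entry as an env var or as a (simulated) file."""
    if "dest" in entry:
        files[entry["dest"]] = value
    else:
        env[entry["name"]] = value

def load_all_then_export(entries):
    """Maintainer's description: resolve all in memory, then export; order is moot."""
    env, files = {}, {}
    resolved = [(e, resolve(e, env, files)) for e in entries]  # sops entry fails
    for e, v in resolved:
        export(e, v, env, files)
    return env, files

def load_with_dependencies(entries):
    """Hypothetical: export each entry before those listing it in `depends_on`."""
    by_id = {e.get("name", e.get("dest")): e for e in entries}
    graph = {k: e.get("depends_on", []) for k, e in by_id.items()}
    env, files = {}, {}
    for key in TopologicalSorter(graph).static_order():  # CycleError on a cycle
        export(by_id[key], resolve(by_id[key], env, files), env, files)
    return env, files
```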
Closing this as the original issue is solved.
Thank you so much for adding a sops module! There is 0 reason not to use novops now ;)
It is also very neat to have per-module documentation !
While looking at the sops doc https://novops.dev/config/sops.html#load-entire-file-as-dotenv, I noticed the sops module didn't support "files", just `sops_dotenv` that dumps everything, but ideally I would like to save only a single secret, else I have to run some postprocessing.
Would it be possible to save, e.g., only my ssh key secret instead of all secrets to a file?