PierreBeucher / novops

Cross-platform secret & config manager for development and CI environments
https://novops.dev
GNU Lesser General Public License v3.0

sops module: add possibility to save single entry to file #98

Closed teto closed 3 months ago

teto commented 4 months ago

Thank you so much for adding a sops module! There is 0 reason not to use novops now ;)

It is also very neat to have per-module documentation!

While looking at the sops doc https://novops.dev/config/sops.html#load-entire-file-as-dotenv, I noticed the sops module didn't support "files", just sops_dotenv that dumps everything, but ideally I would like to save only a single secret, else I have to run some postprocessing.

Would it be possible to save e.g., only my ssh key secret instead of all secrets to a file?

  files: # here only 'variables' is supported right now
    # SOPS nested key
    - name: ssh.key
      value:
        sops:
          file: nixos/secrets.dev.yaml
          extract: '["sshPrivateKey"]'

PierreBeucher commented 4 months ago

Thanks for your feedback! I'm glad it helped :)

It's not explicitly stated, but this should work:

environments:
  dev:
    files:
      - variable: MY_SSH_KEY
        dest: /tmp/somewhere/specific
        content:
          sops:
            file: path/to/encrypted.yml
            extract: '["sshPrivateKey"]'

Under the hood the sops module takes as parameter file and optionally an extract which generates a string suitable for both variables and files modules. I didn't show every situation in the examples, but I could if it proves useful.

You can check out the full config schema here: https://novops.dev/config/schema.html#environments_additionalProperties_files_items_content_anyOf_i2_anyOf_i8_sops

Let me know if it works for you!

teto commented 4 months ago

That's cool, that works.

I have a question about the inner workings of novops, aka does it load secrets in the order they exist in the file? Let me explain my issue: I want to get access to a secret via sops. To decipher the sops file, I need an age key which lives in bitwarden. I wonder if I can make the previous scenario in simwork?

Somehow I wonder if

environments:
  dev:
    variables:
    - name: SOPS_AGE_KEY_FILE
      value: dev.age

    files:
    - dest: dev.age
      content:
        bitwarden:
          entry: dev - Age Key
          field: notes
    - dest: ssh-dev.key
      content:
        sops:
          file: nixos/secrets.dev.yaml
          extract: '["sshPrivateKey"]'

would work, just relying on the order of the execution: would novops follow the order defined in .novops.yaml aka:

  1. sets export SOPS_AGE_KEY_FILE=dev.age
  2. saves the sops key from bitwarden
  3. saves ssh-dev.key from sops

In my test, it seems like it fails because novops swaps 3 and 2 (not sure yet). 1 is less of an issue, seems like I can rerun novops via direnv and SOPS_AGE_KEY_FILE will be set (which might be an issue too: do we want novops load to be atomic?)

Maybe there is a better way than just relying on the order. I am curious about your opinion.

PierreBeucher commented 3 months ago

Glad it worked :)

> does it load secrets in the order they exist in the file?

Unfortunately no, order is not guaranteed and I plan to support loading in parallel.

> simwork

:scream:

> I want to get access to a secret via sops. To decipher the sops file, I need an age key which lives in bitwarden.

Your use case is pretty clear, in short you need to be able to depend on entry X to load entry Y? That's not currently possible, but it can be done!

However order in YAML won't change anything: all secrets are loaded in memory before being exported as env vars or files, so even if X is loaded before Y, X won't be available at the time Y is loaded.

You can indeed rely on chained novops load/run in different files or environments but that's not practical.

Can you file a specific issue for that please? ;) I'll let you close this one.
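To make the "entry X must load before entry Y" point concrete, here is an added example (not novops code, and not a feature novops has) that builds a dependency-aware load plan from the configuration proposed earlier in this thread, transcribed as a Python dict. The dependency rule is a hypothetical one chosen for illustration: a sops entry depends on the SOPS_AGE_KEY_FILE variable and on the file entry whose dest matches that variable's value. The plan is a topological order, and a config where the age key file would itself come out of sops is flagged as a cycle rather than silently mis-ordered.

```python
from collections import deque

# Constructed transcription of the 'dev' environment from the .novops.yaml
# proposed above, as a dict so the example runs offline without a YAML parser.
CONFIG = {
    "variables": [
        {"name": "SOPS_AGE_KEY_FILE", "value": "dev.age"},
    ],
    "files": [
        {"dest": "dev.age",
         "content": {"bitwarden": {"entry": "dev - Age Key", "field": "notes"}}},
        {"dest": "ssh-dev.key",
         "content": {"sops": {"file": "nixos/secrets.dev.yaml",
                              "extract": '["sshPrivateKey"]'}}},
    ],
}

# Constructed config where the age key file is itself a sops entry: the only
# way to decrypt it is with itself, which the planner must report as a cycle.
CYCLIC_CONFIG = {
    "variables": [{"name": "SOPS_AGE_KEY_FILE", "value": "dev.age"}],
    "files": [{"dest": "dev.age", "content": {"sops": {"file": "keys.yaml"}}}],
}

AGE_VAR = "var:SOPS_AGE_KEY_FILE"


def flatten(config):
    """Give every entry a stable id: 'var:<name>' or 'file:<dest>'."""
    items = {}
    for v in config.get("variables", []):
        items["var:" + v["name"]] = v
    for f in config.get("files", []):
        items["file:" + f["dest"]] = f
    return items


def dependencies(config):
    """Hypothetical rule (not novops behaviour): a sops entry depends on the
    SOPS_AGE_KEY_FILE variable and on the file entry that writes that path."""
    items = flatten(config)
    deps = {eid: set() for eid in items}
    age_path = items[AGE_VAR]["value"] if AGE_VAR in items else None
    for eid, spec in items.items():
        source = spec.get("content", spec.get("value"))
        if isinstance(source, dict) and "sops" in source:
            if AGE_VAR in items:
                deps[eid].add(AGE_VAR)
            if age_path is not None and "file:" + age_path in items:
                deps[eid].add("file:" + age_path)
    return deps


def load_order(config):
    """Kahn's topological sort over the dependency graph. Returns entry ids so
    that each entry follows everything it depends on; raises on a cycle."""
    deps = dependencies(config)
    indegree = {eid: len(d) for eid, d in deps.items()}
    dependents = {eid: set() for eid in deps}
    for eid, d in deps.items():
        for dep in d:
            dependents[dep].add(eid)
    ready = deque(sorted(eid for eid, n in indegree.items() if n == 0))
    order = []
    while ready:
        eid = ready.popleft()
        order.append(eid)
        for child in sorted(dependents[eid]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        stuck = sorted(eid for eid in deps if eid not in order)
        raise ValueError("dependency cycle among entries: " + ", ".join(stuck))
    return order


def has_cycle(config):
    """True when no valid load order exists for the config."""
    try:
        load_order(config)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for step, eid in enumerate(load_order(CONFIG), start=1):
        print(step, eid)
    print("cyclic config rejected:", has_cycle(CYCLIC_CONFIG))
```

Note what this does and does not solve: ordering alone is not enough, because, as stated above, all entries are resolved in memory before anything is exported. A loader that honoured this plan would also have to feed the resolved age key into the sops call directly (for example by setting the variable in the environment of the decryption process) instead of relying on an export that has not happened yet.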

PierreBeucher commented 3 months ago

Closing this as the original issue is solved.