krebs / krops

Mirror of https://cgit.krebsco.de/krops/about/ (PRs / issues accepted, as can be seen by not having them disabled)
Do What The F*ck You Want To Public License

Confusion when using the password store #28

Closed leshik closed 3 years ago

leshik commented 3 years ago

I'm a bit confused on the way how password store works in krops. It looks like it depends on git (but should it? one might have secrets outside of the version control). Also, it seems that the name isn't optional, thus it's not possible to store secrets with no subfolders.

Lassulus commented 3 years ago

Hi, the git dependency is optional. It's just there as a speedup to check if the current version of your secrets is already on the target system, and if yes, it should skip the password-store population step. If the password-store is without git, it unlocks and copies the secrets every time. If it doesn't work without git, then it's a bug, but I'm pretty sure I tested it.

For the name it could be possible to be an empty string or "." to take the root directory. But I have not tested that and the code could be reliant on ${name} being a subfolder. Changing that should not be very hard though.

leshik commented 3 years ago

Hi @Lassulus,

I tried again, and it doesn't work, unfortunately. First, I tried with secrets inside the root directory.

  1. With name = "":

        error: A definition for option `source.example.pass.name' is not of type `POSIX pathname'. Definition values:
        - In `/nix/store/bdqr3pf0fwc7565yhvgp0zplfrhvpk1s-krops/lib': ""
        (use '--show-trace' to show detailed location information)

  2. With name = ".":

        fatal: not a git repository (or any of the parent directories): .git

     I believe this is because of https://github.com/krebs/krops/blob/master/pkgs/populate/default.nix#L129

  3. Initialized the git and added secrets to it:

        Error: .//.gpg-id is not in the password store.

  4. Finally, put secrets in the subfolder, and then it works.

Another thing I discovered is that, in the case of subfolders, .gpg-id must sit inside the root folder, i.e. it's not possible to use different GPG keys for different subfolders.

Lassulus commented 3 years ago

Alright, it indeed accidentally became mandatory to have pwstore inside a git. This should be fixed in https://github.com/krebs/krops/commit/d8fe5a2dc9fa0c9b6e0816b5978e57bddabb5443. Can you test it again? The .gpg-id is not checked by krops but by password-store directly. I think it should be possible to use different keys for subfolders like normally with password-store. If not, this would indeed be another bug.

leshik commented 3 years ago

@Lassulus yes, this fixed the git dependency, thanks.

As for .gpg-id, it works with the password-store, but doesn't with krops:

Error: subfolder//.gpg-id is not in the password store.