Closed leshik closed 3 years ago
Hi, the git dependency is optional. It's just there as a speedup to check if the current version of your secrets is already on the target system. And if yes, it should skip the password-store population step. If the password-store is without git, it unlocks and copies the secrets every time. If it doesn't work without git, then it's a bug, but I'm pretty sure I tested it.
For the name it could be possible to be an empty string or "." to take the root directory. But I have not tested that and the code could be reliant on ${name} being a subfolder. Changing that should be not very hard though.
Hi @Lassulus,
I tried again, and it doesn't work, unfortunately. First, tried with secrets inside the root directory.
With name = "":
error: A definition for option `source.example.pass.name' is not of type `POSIX pathname'. Definition values:
- In `/nix/store/bdqr3pf0fwc7565yhvgp0zplfrhvpk1s-krops/lib': ""
(use '--show-trace' to show detailed location information)
With name = ".":
fatal: not a git repository (or any of the parent directories): .git
I believe this is because of https://github.com/krebs/krops/blob/master/pkgs/populate/default.nix#L129
Initialized the git and added secrets to it:
Error: .//.gpg-id is not in the password store.
Finally, put secrets in the subfolder, and then it works.
Another thing I discovered is that, in the case of subfolders, .gpg-id must sit inside the root folder, i.e. it's not possible to use different GPG keys for different subfolders.
Alright, it indeed got accidentally mandatory to have pwstore inside a git. This should be fixed in https://github.com/krebs/krops/commit/d8fe5a2dc9fa0c9b6e0816b5978e57bddabb5443 . Can you test it again? The .gpg-id is not checked by krops but by password-store directly. I think it should be possible to use different keys for subfolders like normally with password-store. If not, this would indeed be another bug.
@Lassulus yes, this fixed the git dependency, thanks.
As for .gpg-id, it works with the password-store, but doesn't with krops:
Error: subfolder//.gpg-id is not in the password store.
I'm a bit confused on the way how password store works in krops. It looks like it depends on git (but should it? one might have secrets outside of the version control). Also, it seems that the name isn't optional, thus it's not possible to store secrets with no subfolders.