ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

doc: diff `*.age` files #177

Open smaximov opened 1 year ago

smaximov commented 1 year ago

I'd like to share the steps I used to enable cleartext Git diffs for `*.age` files using `.gitattributes` (disclaimer: I borrowed the idea and even whole sentences from the SOPS README).

smaximov commented 1 year ago

As an alternative to manually adding a helper script `rage-textconv`, maybe it's worth introducing a new option (disabled by default?) which would do it automatically? For example:

```nix
let
  # Helper for Git's textconv: decrypts the file passed as "$1" to stdout,
  # trying every identity listed in cfg.identityPaths.
  ageDiffer = with pkgs;
    writeShellApplication {
      name = "rage-textconv";
      text = ''
        ${cfg.ageBin} --decrypt "$1" ${
          lib.strings.concatMapStringsSep " "
          (path: "-i ${lib.strings.escapeShellArg path}")
          cfg.identityPaths
        }
      '';
    };
in {
  # ...
  options.age = {
    # ...
    enablePlaintextDiffer = mkOption {
      type = types.bool;
      default = false;
      # ...
    };
  };

  # ...
  config = {
    # ...
    # Install the helper only when the option is enabled.
    environment.systemPackages = lib.lists.optional cfg.enablePlaintextDiffer ageDiffer;
  };
}
```

But that would still require manual actions from the user.
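The manual per-clone wiring that remains once a `rage-textconv` helper is installed, as an added example that is not part of this thread or the agenix repository. It assumes a diff driver named `age` (a name chosen here) and the helper name from the comment above; the ROT13 script is a constructed stand-in for the decrypting helper so the wiring can be run without an age identity.

```shell
#!/bin/sh
# Added example (not from the agenix repository). Assumed names: diff driver
# "age"; helper command "rage-textconv" as named in the comment above.

# Wire up cleartext diffs for *.age files in one clone.
# $1 = repository path, $2 = textconv helper (command on PATH or absolute path)
setup_age_diff() {
    repo=$1
    helper=${2:-rage-textconv}
    attr='*.age diff=age'

    # .gitattributes is committed, so the pattern-to-driver mapping is shared.
    grep -qxF -- "$attr" "$repo/.gitattributes" 2>/dev/null ||
        printf '%s\n' "$attr" >> "$repo/.gitattributes"

    # The driver itself lives in .git/config, which is never cloned: Git will
    # not run a command just because a fetched repository asks for it.
    git -C "$repo" config diff.age.textconv "$helper"

    # Keep decrypted output out of refs/notes/textconv (off is the default;
    # set locally so a global setting cannot turn caching on for this clone).
    git -C "$repo" config diff.age.cachetextconv false
}

# Print the diff driver Git resolves for a path, e.g. "age" for secrets/db.age.
age_diff_driver() {
    git -C "$1" check-attr diff -- "$2" | sed 's/.*: diff: //'
}

# Constructed demo: a ROT13 stand-in plays the decrypting helper.
# Prints the `git diff` output for a staged-then-modified db.age.
demo_age_diff() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\ntr "A-Za-z" "N-ZA-Mn-za-m" < "$1"\n' > "$tmp/fake-textconv"
    chmod +x "$tmp/fake-textconv"
    git init -q "$tmp/repo"
    setup_age_diff "$tmp/repo" "$tmp/fake-textconv"
    echo 'cnffjbeq=byq' > "$tmp/repo/db.age"      # ROT13 of password=old
    git -C "$tmp/repo" add db.age
    echo 'cnffjbeq=arj' > "$tmp/repo/db.age"      # ROT13 of password=new
    git -C "$tmp/repo" --no-pager diff -- db.age
    rm -rf "$tmp"
}
```

With the driver active, decrypted content also shows up in `git log -p` and `git show` output and in pager scrollback, so enable it only on machines where the identities already live.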

raboof commented 1 month ago

something like this would be really nice!

my ssh key has a passphrase, though, and while git diff does prompt for it and continues after I hit 'enter', it does not pass on all characters.