Open Radvendii opened 2 years ago
See https://github.com/ryantm/agenix/pull/96#issuecomment-1021814412 for my comments on this.
I think templating would be a valuable addition to agenix, I've run into a number of scenarios where it would be helpful. I eventually rolled my own, but it was a lot of effort to get working well. It doesn't make sense that everyone should re-invent the wheel on this, and I expect many would give up before they got it working.
My implementation differs from #96: it is a NixOS module that uses an activation script.
Update: I've published a flake https://github.com/jhillyerd/agenix-template
Motivation
It has come up a couple of times that I've wanted a file to mostly not be encrypted, but have a few secrets in it (for instance, a config file that has a password in it). Of course, one can just encrypt the whole file, but it's less elegant, makes it awkward to share a common secret between files that depend on it, and makes it so only those with permissions to decrypt the secret can change other things in the file.
Proposal
The solution that I thought of is having another kind of secret that is specified by a template, and a list of secrets it depends on. Agenix would then splice in the secrets at activation time. I'm working on an implementation and will make a PR when done, but I wanted to see if people liked this idea in the meantime.
Problems
The downside is it adds some complexity to the code. We would need logic to say "if it's a regular secret, do X, if it's a template secret do Y". This is maybe okay in this case, but it worries me that this starts to be complexity creep and things become harder to maintain. I guess the question comes down to: is it worth it in this case? Is this a common enough use-case to include? It is for me, but I don't know whether other people use agenix in this way a lot.
Alternatives
In theory, this doesn't need to be managed by agenix. I could create an activationScript that runs after agenix and pieces the secrets together. However, that requires some amount of repetition of code, and I never need to do this except when managing secrets. Usually I would paste things together at build time.
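What such a post-agenix activation script can look like, as an added example that is not part of this issue and not agenix's own code. It assumes placeholders of the form @name@ in an otherwise plain template, and reads each secret from a file of that name in a directory such as agenix's default /run/agenix; the function names and the sample config are mine. Two details matter for a secrets tool: the values are read by awk directly from the files (so they never pass through a command line, the environment or a sed expression) and the output is written to a 0600 temp file, chmod'ed, then renamed, so a half-written or too-permissive copy is never visible.

```shell
#!/bin/sh
# Added example (not agenix code): render a mostly-plain config file from a
# template, splicing in secrets that agenix has already decrypted to disk.
# Placeholders look like @name@ and are replaced with the contents of
# $secrets_dir/name (agenix's default secrets directory is /run/agenix).
# awk reads the secrets straight from the files, so they never appear on a
# command line or in the environment, and inserts them literally, so
# characters such as & / \ that would break a sed replacement are safe.

render_template() {
  # usage: render_template TEMPLATE SECRETS_DIR OUTPUT [MODE]
  tmpl=$1; sdir=$2; out=$3; mode=${4:-0400}
  # mktemp creates the file 0600 regardless of umask; write there, set the
  # final mode, then rename so readers never see a partial or open file.
  tmp=$(mktemp "$(dirname "$out")/.render.XXXXXX") || return 1
  awk -v sdir="$sdir" '
    # Load a secret once, joining lines with \n and dropping the final newline
    # (editors add one) so the value fits cleanly into a config line.
    function secret(name,   path, line, val, n, rc) {
      if (name in cache) return cache[name]
      path = sdir "/" name
      val = ""; n = 0
      while ((rc = (getline line < path)) > 0) val = (n++ ? val "\n" : "") line
      close(path)
      if (rc < 0) { printf "render: cannot read secret %s\n", path > "/dev/stderr"; exit 1 }
      cache[name] = val
      return val
    }
    {
      line = $0; acc = ""
      while ((s = index(line, "@")) > 0) {
        rest = substr(line, s + 1)
        e = index(rest, "@")
        if (e == 0) break                          # lone @ (e.g. an e-mail address)
        name = substr(rest, 1, e - 1)
        if (name ~ /^[A-Za-z0-9_-]+$/) {           # @db-password@ -> secret value
          acc = acc substr(line, 1, s - 1) secret(name)
          line = substr(rest, e + 1)
        } else {                                   # keep this @ literally, scan on
          acc = acc substr(line, 1, s)
          line = rest
        }
      }
      print acc line
    }' "$tmpl" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod "$mode" "$tmp" && mv -f "$tmp" "$out"
}

# Constructed demo input (not from the issue): a config that is plain apart
# from one password, which deliberately contains sed-hostile characters.
demo_render() {
  d=$(mktemp -d) || return 1
  mkdir "$d/secrets"
  printf '%s\n' 'p&ss/w\rd' > "$d/secrets/db-password"
  printf '%s\n' '[db]' 'user = app' 'password = @db-password@' 'mail = ops@example.com' > "$d/app.conf.in"
  render_template "$d/app.conf.in" "$d/secrets" "$d/app.conf" 0440 || { rm -rf "$d"; return 1; }
  cat "$d/app.conf"
  rm -rf "$d"
}
```

In a NixOS configuration this body would be the text of a system.activationScripts entry ordered after agenix's own activation script (its name differs between agenix versions, so check the module you run), with a chown to the consuming service's user next to the chmod. A missing secret makes the script fail and leaves the previous output untouched rather than writing a file with an empty password.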