twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Use of "secret" function in templates #2689

Closed detzen closed 1 year ago

detzen commented 1 year ago

What exactly are you trying to do?

I am trying to use the "secret" function in a template file as presented in your "Conf42 Open Source Showcase 2020". Unfortunately, I can't find information on how exactly to configure this.

What have you tried so far?

Here's a simple example:

#cat pwtest.conf.tmpl
my_pass = {{ secret "to be encrypted" }}

# chezmoi diff
chezmoi: template: pwtest.conf.tmpl:1:13: executing "pwtest.conf.tmpl" at <secret "to be encrypted">: error calling secret: '' 'to be encrypted': exec: no command

In the documentation, you stated: "secret returns the output of the generic secret command defined by the secret.command configuration variable with secret.args and args with leading and trailing whitespace removed."

Thus, error "no command" is clear, because "secret" isn't set per default in the configuration:

#chezmoi dump-config -f yaml
    secret:
        command: ""
        args: []

Can you please give a hint as to which command could be used and configured for encryption? Is "secret" only used for decryption, and do I have to adjust 'args' for this? I think encrypting the password must be done manually before inserting it into the *.tmpl file. Is this correct?

Where else have you checked for solutions?

Output of any commands you've tried with --verbose flag

$ chezmoi diff  --verbose
chezmoi: template: pwtest.conf.tmpl:1:13: executing "pwtest.conf.tmpl" at <secret "to be encrypted">: error calling secret: '' 'to be encrypted': exec: no command

Output of chezmoi doctor

# chezmoi doctor
RESULT    CHECK                MESSAGE
ok        version              v2.29.1, commit 5e7063ec11bb85efcf8e0c152dcd7dd674ed2d90, built at 2023-01-02T15:50:04Z, built by goreleaser
ok        latest-version       v2.29.1
ok        os-arch              linux/arm64 (Ubuntu 22.04.1 LTS (Jammy Jellyfish))
ok        uname                Linux stargate 4.9.312-6 #1 SMP PREEMPT Wed Jun 29 17:01:17 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
ok        go-version           go1.19.4 (gc)
ok        executable           ~/.local/bin/chezmoi
ok        upgrade-method       replace-executable
ok        config-file          ~/.config/chezmoi/chezmoi.yaml, last modified 2023-01-12T12:08:53+01:00
warning   source-dir           ~/.dotfiles is a git working tree (dirty)
ok        suspicious-entries   no suspicious entries
warning   working-tree         ~/.dotfiles is a git working tree (dirty)
ok        dest-dir             ~ is a directory
ok        umask                002
ok        cd-command           found /bin/bash
ok        cd-args              /bin/bash
info      diff-command         not set
ok        edit-command         found /usr/bin/vim
ok        edit-args            /usr/bin/vim
ok        git-command          found /usr/bin/git, version 2.34.1
ok        merge-command        found /usr/bin/vimdiff
ok        shell-command        found /bin/bash
ok        shell-args           /bin/bash
ok        age-command          found /usr/bin/age, version 1.0.0
ok        gpg-command          found /usr/bin/gpg, version 2.2.27
info      pinentry-command     not set
info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      keeper-command       keeper not found in $PATH
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      passhole-command     ph not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set

source-dir and working-tree are dirty because I did not commit, for testing purposes.

Additional context

none

bradenhilton commented 1 year ago

If I'm not mistaken, the secret template functions are intended to be used to decrypt secrets in your secret manager.

{{ secret "to be encrypted" }} roughly translates to

❯ <secret.command> <secret.args> "to be encrypted"

secret.command and secret.args should be set up to allow generic access to the secret manager, with specific arguments for each item passed inside the template, e.g.

# chezmoi config (secret.args is a list, as in the dump-config output above)
secret:
    command: "secret-manager"
    args: ["get"]

# template
{{ secret "password" "github" }}

# rough command equivalent
❯ secret-manager get "password" "github"

# template
{{ secret "username" "email" }}

# rough command equivalent
❯ secret-manager get "username" "email"

If you use any of the secret managers listed here

info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      keeper-command       keeper not found in $PATH
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      passhole-command     ph not found in $PATH
info      vault-command        vault not found in $PATH

you should use the corresponding template functions instead of the generic secret.
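The mapping described in the comment above (secret.command, then secret.args, then the template's own arguments, with the output whitespace-trimmed) reproduced as a stand-alone Go program using text/template. This is an added illustration, not chezmoi's own code: the `SecretConfig` type, the `Render` function and the inline `sh` script standing in for a real secret-manager CLI are all constructed for the example, and the empty-command branch reproduces the "no command" failure from the issue.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
	"text/template"
)

// SecretConfig mirrors the shape of the `secret:` section shown in the issue
// (a command plus leading args). Hypothetical type for this example only.
type SecretConfig struct {
	Command string
	Args    []string
}

// secretFunc builds a template function that behaves like the documented
// `secret`: run secret.command with secret.args followed by the template's
// arguments, and return stdout with leading/trailing whitespace removed.
func secretFunc(cfg SecretConfig) func(args ...string) (string, error) {
	return func(args ...string) (string, error) {
		if cfg.Command == "" {
			// Same situation as the issue: secret.command left at its default "".
			return "", fmt.Errorf("error calling secret: exec: no command")
		}
		cmdArgs := append(append([]string{}, cfg.Args...), args...)
		cmd := exec.Command(cfg.Command, cmdArgs...)
		var stdout, stderr bytes.Buffer
		cmd.Stdout = &stdout
		cmd.Stderr = &stderr
		if err := cmd.Run(); err != nil {
			return "", fmt.Errorf("%s %q: %w: %s", cfg.Command, cmdArgs, err, stderr.String())
		}
		return strings.TrimSpace(stdout.String()), nil
	}
}

// Render executes a template with `secret` wired to cfg and returns the result.
func Render(cfg SecretConfig, tmplText string) (string, error) {
	tmpl, err := template.New("tmpl").
		Funcs(template.FuncMap{"secret": secretFunc(cfg)}).
		Parse(tmplText)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// fakeStore is a constructed stand-in for "secret-manager get <item> <field>":
// an inline sh script so the example runs offline. $1 is the subcommand from
// secret.args, $2 and $3 come from the template call. Values are made up.
const fakeStore = `
case "$1 $2 $3" in
  "get password github") echo "  example-github-password  " ;;
  "get username email")  echo "alex@example.com" ;;
  *) echo "fake-secret-manager: unknown item: $*" >&2; exit 1 ;;
esac
`

// ExampleConfig plays the role of `secret: {command: secret-manager, args: [get]}`.
// With `sh -c SCRIPT NAME`, NAME becomes $0 and every further argument $1, $2, ...
var ExampleConfig = SecretConfig{
	Command: "sh",
	Args:    []string{"-c", fakeStore, "fake-secret-manager", "get"},
}

func main() {
	out, err := Render(ExampleConfig, `my_pass = {{ secret "password" "github" }}`)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)
	// Unconfigured command, as in the issue's first attempt:
	_, err = Render(SecretConfig{}, `my_pass = {{ secret "to be encrypted" }}`)
	fmt.Println("\nunconfigured:", err)
}
```

Swap `ExampleConfig` for your real CLI (for example `command: "secret-manager"`, `args: ["get"]`) and the template call `{{ secret "password" "github" }}` becomes `secret-manager get password github`; anything that program prints to stdout, minus surrounding whitespace, lands in the rendered file.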

twpayne commented 1 year ago

Exactly as @bradenhilton said, the custom secret command is for when you're not using one of chezmoi's supported password managers.

There are example secret.command and secret.args values in chezmoi's user manual.

detzen commented 1 year ago

Ah, okay. Many thanks for your detailed explanation. Regards, Alex