Open pinpox opened 2 years ago
Thanks for opening this issue. Currently, there is no support for globbing in ragenix.
We are struggling a bit with your request. On one hand, we certainly acknowledge that such a feature could be useful. On the other hand, we appreciate explicitness when dealing with secrets.
Maybe we could strike a balance by introducing an additional flag glob which defaults to false:
{
  "hosts/host1/*" = {
    publicKeys = [ system1 ];
    glob = true;
  };
}
Would that work for you?
Of course, that would be great! If a secret is matched by multiple globs, the rules would be merged I suppose?
I think #52 (with lib support) can lead to similar results while relying on the nix language for string manipulation, rather than a "magical" rust implementation of globbing.
You can just use lib = import <nixpkgs/lib>; to get lib support
I'm wondering how to organise my secrets without specifying every single one of them explicitly. Is there some mechanism of how to specify glob patterns or regexes in the secrets.nix file? It would be nice to be able to specify something like this:
In this example every host should be able to access anything in his directory and the backup-admin should additionally be able to access the backup-keys for all hosts (but not the other files of all hosts).
Is this possible?
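
One way to get the access pattern described in the request (each host reads its own directory, the backup admin additionally reads every host's backup key) using the Nix-side approach suggested in the comments, without a glob feature. This is an added example, not code from the thread or from the ragenix project; the hosts/<host>/ layout, the backup-key.age file name, and all key strings are assumptions and placeholders.

```nix
# secrets.nix: added example, not from the ragenix project or the thread.
# Assumed layout (hypothetical): hosts/<host>/*.age next to this file, with
# each host's backup key stored as hosts/<host>/backup-key.age.
let
  lib = import <nixpkgs/lib>;

  # Placeholder recipients; substitute the real public keys.
  hostKeys = {
    host1 = "ssh-ed25519 AAAA...placeholder-host1";
    host2 = "ssh-ed25519 AAAA...placeholder-host2";
  };
  backupAdmin = "ssh-ed25519 AAAA...placeholder-backup-admin";

  # Names of the regular *.age files currently present in a directory.
  # A missing directory yields no rules instead of an evaluation error.
  ageFilesIn = dir:
    if builtins.pathExists dir then
      lib.attrNames (lib.filterAttrs
        (name: type: type == "regular" && lib.hasSuffix ".age" name)
        (builtins.readDir dir))
    else
      [ ];

  # One explicit rule per existing file under hosts/<host>/.
  # Only the backup key file gets the backup admin as an extra recipient.
  rulesFor = host: key:
    map
      (file: lib.nameValuePair "hosts/${host}/${file}" {
        publicKeys = [ key ]
          ++ lib.optional (file == "backup-key.age") backupAdmin;
      })
      (ageFilesIn (./hosts + "/${host}"));
in
# The result is an ordinary attribute set of per-file rules, so every
# recipient list stays visible once the expression is evaluated.
builtins.listToAttrs (lib.concatLists (lib.mapAttrsToList rulesFor hostKeys))
```

Because the rules are built from readDir, only files that already exist in the directory get a rule. Running nix-instantiate --eval --strict --json secrets.nix prints the expanded attribute set, which makes it possible to review exactly which keys can decrypt which file.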