SOPS Support about chezmoi HOT 7 CLOSED

I would like to have a template option where I can call SOPS, and it's correspondent key to get the value, something like {{ sops "apis.openai" }} and return the value from the YAML, or JSON.

Are you sure that this is possible with SOPS? I haven't used SOPS, but from looking at its README.md, it looks like SOPS can only handle whole files and cannot decrypt individual secrets.

Specifically, if you have {{ sops "apis.openai" }} in your template, what command should chezmoi run to get the secret?

from chezmoi.

You're right. SOPS decrypt all the file. Maybe we could have a secretYAML, similar to secretJSON, that could parse the value?
If this isn't possible, we can still have a .sops file that runs sops -d <filename>.

from chezmoi.

There's already a fromYaml template function so you can set the secret.command chezmoi configuration variable to sops and then do something like:

{{ (secret "-d" "my-sops-file.yaml" | fromYaml).apis.openai }}

from chezmoi.

Understood. Nice to know. Maybe then we could just implement the support for .sops files?

from chezmoi.

Understood. Nice to know. Maybe then we could just implement the support for .sops files?

That would require re-implementing sops, so no.

Given that you can use the above example in your templates, or call the sops binary from a run_ script, I'll close this issue as not planned.

from chezmoi.

Hi, i just got here looking to do the same, Im looking to use encrypted variable stored in my dotfiles.

For what I've been reading, there is no direct support for this however looking at this issue I've comeup with a small change to what you proposed:
{{- $secret_vars:= (joinPath .chezmoi.sourceDir ".chezmoi_vars.yaml.age" | include | decrypt |fromYaml) -}}

my idea is to be able to use (for example) "{{ .secret_vars.mypassword }}" in a template.

is this ok?
I've also noticed I need to place this snippet on top of every template, can this be done globally and define these vars upon chezmoi execution ?

thanks!

from chezmoi.

is this ok?

Yes-ish. It works, but you're effectively writing your own password manager at this point, one that stores all your secrets in an encrypted YAML file.

I've also noticed I need to place this snippet on top of every template, can this be done globally and define these vars upon chezmoi execution ?

No, this cannot be done globally (unless you want to store your secrets unencrypted in your chezmoi config file).

from chezmoi.