Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Are glob/regex supported? #48

Open
pinpox opened this issue Nov 18, 2021 · 4 comments
Open

Are glob/regex supported? #48

pinpox opened this issue Nov 18, 2021 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@pinpox
Copy link

pinpox commented Nov 18, 2021
edited
Loading

I'm wondering how to organise my secrets without specifying every single one of them explicitly
Is there some mechanism of how to specify glob patterns or regex's in the secrets.nix file?

It would be nice to be able to specify something like this:

let
  host1 = "ssh-ed25519 AAAAC3...";
  host2 = "ssh-ed25519 AAAAC3...";
  backup-admin = "ssh-ed25519 AAAAC3...";
in
{
  "hosts/host1/*".publicKeys = [ system1 ];
  "hosts/host2/*".publicKeys = [ system2 ];
  "hosts/*/backup-key".publicKeys = [ backup-admin ];
}

In this example every host should be able to access anything in his directory and the backup-admin should additionally be able to access the backup-keys for all hosts (but not the other files of all hosts).

└── hosts
   ├── host1
   │  ├── backup-key   # Readable by 'host1' and 'backup-admin'
   │  └── ssh-key      # Readable by 'host1'
   └── host2
      ├── backup-key   # Readable by 'host2' and 'backup-admin'
      └── ssh-key      # Readable by 'host2'

Is this possible?
@veehaitch veehaitch added enhancement New feature or request good first issue Good for newcomers labels Nov 21, 2021
@veehaitch
Copy link
Member

Thanks for opening this issue. Currently, there is no support for globbing in ragenix.

We are struggling a bit with your request. On one hand, we certainly acknowledge that such a feature could be useful. On the other hand, we appreciate explicitness when dealing with secrets.

Maybe we could strike a balance by introducing an additional flag glob which defaults to false:

{
  "hosts/host1/*" = {
    publicKeys = [ system1 ];
    glob = true;
  };
}

Would that work for you?

@pinpox
Copy link
Author

pinpox commented Nov 21, 2021

Of course, that would be great! If a secret is matched by multiple globs, the rules would be merged I suppose?

@pinpox pinpox mentioned this issue Nov 22, 2021
Open
@blaggacao
Copy link
Contributor

blaggacao commented Dec 16, 2021
edited
Loading

I think #52 (with lib support) can lead to similar results while relying on the nix language for string manipulation, rather than a "magical" rust implementation of globbing.

@Swoorup
Copy link

Swoorup commented Sep 24, 2024

I think #52 (with lib support) can lead to similar results while relying on the nix language for string manipulation, rather than a "magical" rust implementation of globbing.

You can just use lib = import <nixpkgs/lib>; to get lib support

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pinpox @Swoorup @blaggacao @veehaitch