-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Templates #96
base: main
Are you sure you want to change the base?
WIP: Templates #96
Conversation
represents an action to perform or systemd service to restart when the secret changes
Co-authored-by: Winter <78392041+winterqt@users.noreply.github.com>
Co-authored-by: Winter <78392041+winterqt@users.noreply.github.com>
These secrets have a template file which refers to other secrets, which we splice in at activation time. This way we can have part of the file be secret, and part of it public.
I just realized there's an issue with this: what if we try to derive a template secret before its dependency is in place? Should we just decode all template secrets after all normal secrets? What about root secrets vs non-root secrets? I also think a good change to make would be to make a separate attribute: Will work on those later. |
Okay, I implemented all that. The code is more complex than I'd hoped... |
@Radvendii Thank you for your interest in improving agenix. I am not convinced that this template feature needs to be tightly integrated with agenix and suggest that you implement a separate (and general) templating module project that you can use activationScript deps to make run after agenix runs. |
There are three reasons I thought it best to include in agenix itself:
I won't push the matter any further though. If you think the added complexity is not worth the benefits for this project, I'll implement it separately. If you think it's somewhere in the range of reasonable, I'm happy to keep working at making the addition simpler. |
@Radvendii You're arguments are pretty compelling. I've also noticed a need for templating with secrets, but I've usually get around it by either moving the entire configuration file into the secret or using some configuration include option. I reopened the issue you made for this so we can think about it more. |
Yeah, that's the way I've done it also. Unfortunately, not all service's configurations have a way to redirect passwords to another file (two that I've encountered are msmtp and spotify passwords in mopidy). I would definitely say this is a deficiency of those projects, but it does seem to be somewhat common. And then putting the whole file in a secret does work. That's how I've been doing things. But it ends up with a lot of extra configuration being encrypted. The problem that someone else had recently that prompted me to actually try to code up a solution was that they had the same password used in two different configuration files. Right now they have to have two different secret files. Not the end of the world, but it would be nice to see an elegant solution to all these small issues. I'll think more about a more elegant design for this. |
So another way to structure this, which covers some of the use-cases but not all, is to have a Pros:
Cons:
|
We could
Pros:
Cons:
|
implements #95
updates, and thus depends on #87