opsops is a command-line application to generate clear SOPS secrets from a given specification and generate sops-nix snippets for it.
The specification is a YAML/JSON file representing a tree-like structure where terminal nodes represent how the clear secrets will be generated, and internal nodes represent the "path" to the clear secret.
Currently, system processes, scripts and 1password field reference URIs are supported:
secrets: zamazingo: secret: type: "process" value: command: "zamazingo" arguments: ["--hip", "hop"] github: token: type: "script" value: content: "printf \"%s\" \"$(gh auth token)\"" example.com: password: type: "script" value: interpreter: "python3" content: | import netrc import sys _login, _account, password = netrc.netrc().authenticators("example.com") sys.stdout.write("password") dockerhub: password: type: "op" value: account: "PAIT5BAHSH7DAPEING3EEDIE2E" vault: "Cloud Accounts" item: "yies1Ahl4ahqu1afao4nahshoo" field: "password" influxdb: token: type: "op-read" value: account: "IPAEPH0JI3REE8FICHOOVU4CHA" uri: "op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only"Warning
If 1Password is used, 1Password CLI application (op) must be on PATH when running opsops.
nix profile install --file https://github.com/vst/opsops/archive/main.tar.gzA specification is a YAML (or JSON) file. Here is an example:
See Example
## File: opsops.yaml secrets: zamazingo: secret: type: "process" value: command: "zamazingo" arguments: ["--hip", "hop"] strip: "both" trailingNewline: "crlf" github: token: type: "script" value: content: "printf \"%s\" \"$(gh auth token)\"" example.com: password: type: "script" value: interpreter: "python3" content: | import netrc import sys _login, _account, password = netrc.netrc().authenticators("example.com") sys.stdout.write("password") dockerhub: password: type: "op" value: account: "PAIT5BAHSH7DAPEING3EEDIE2E" vault: "Cloud Accounts" item: "yies1Ahl4ahqu1afao4nahshoo" field: "password" influxdb: token: type: "op-read" value: account: "IPAEPH0JI3REE8FICHOOVU4CHA" uri: "op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only"To see canonical/normalized specification:
opsops normalize --input opsops.yamlSee Output
secrets: dockerhub: password: type: op value: account: PAIT5BAHSH7DAPEING3EEDIE2E field: password item: yies1Ahl4ahqu1afao4nahshoo newline: false section: null strip: null trailingNewline: null vault: Cloud Accounts example.com: password: type: script value: arguments: [] content: | import netrc import sys _login, _account, password = netrc.netrc().authenticators("example.com") sys.stdout.write("password") interpreter: python3 strip: null trailingNewline: null github: token: type: script value: arguments: [] content: printf "%s" "$(gh auth token)" interpreter: bash strip: null trailingNewline: null influxdb: token: type: op-read value: account: IPAEPH0JI3REE8FICHOOVU4CHA newline: false strip: null trailingNewline: null uri: op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only zamazingo: secret: type: process value: arguments: - --hip - hop command: zamazingo environment: {} strip: both trailingNewline: crlfWarning
If 1Password is used, 1Password CLI application (op) should be authenticated first:
eval $(op signin -f [--account <ACCOUNT>])To render clear secrets:
opsops render --input opsops.yamlSee Output
example.com: password: password github: token: gho_meecubier5dinohSh3tohphaekuo5Phahpei zamazingo: secret: hebelehubele dockerhub: password: ohbauy5eing8pheSh6iigooweeZee6ch influxdb: token: mu9aephabeadi7zi8goo9peYo8yae7geTo create snippet for sops-nix that can be copied/pasted inside the sops-nix module configuration:
opsops snippet sops-nix --input opsops.yamlSee Output
"dockerhub/password" = {}; "example.com/password" = {}; "github/token" = {}; "influxdb/token" = {}; "zamazingo/secret" = {};opsops snippet sops-nix --input opsops.yaml --prefix my_namespaceSee Output
"my_namespace/dockerhub/password" = { key = "dockerhub/password"; }; "my_namespace/example.com/password" = { key = "example.com/password"; }; "my_namespace/github/token" = { key = "github/token"; }; "my_namespace/influxdb/token" = { key = "influxdb/token"; }; "my_namespace/zamazingo/secret" = { key = "zamazingo/secret"; };Provision direnv:
direnv allowBig, long build command for the impatient:
hpack && direnv reload && fourmolu -i app/ src/ test/ && prettier --write . && find . -iname "*.nix" -not -path "*/nix/sources.nix" -print0 | xargs --null nixpkgs-fmt && hlint app/ src/ test/ && cabal build -O0 && cabal run -O0 opsops -- --version && cabal v1-test && cabal haddock -O0To check and build:
cabal dev-test-build [-c]See LICENSE.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}