yaxitech/ragenix

Are glob/regex supported?

pinpox opened this issue · 3 comments

I'm wondering how to organise my secrets without specifying every single one of them explicitly.
Is there some mechanism to specify glob patterns or regexes in the secrets.nix file?

It would be nice to be able to specify something like this:

let
  host1 = "ssh-ed25519 AAAAC3...";
  host2 = "ssh-ed25519 AAAAC3...";
  backup-admin = "ssh-ed25519 AAAAC3...";
in
{
  # every host reads everything below its own directory
  "hosts/host1/*".publicKeys = [ host1 ];
  "hosts/host2/*".publicKeys = [ host2 ];
  # backup-admin additionally reads the backup-key of every host
  "hosts/*/backup-key".publicKeys = [ backup-admin ];
}

In this example every host should be able to access anything in its directory, and the backup-admin should additionally be able to access the backup-keys for all hosts (but not the other files of all hosts).

└── hosts
   ├── host1
   │  ├── backup-key   # Readable by 'host1' and 'backup-admin'
   │  └── ssh-key      # Readable by 'host1'
   └── host2
      ├── backup-key   # Readable by 'host2' and 'backup-admin'
      └── ssh-key      # Readable by 'host2'

Is this possible?

Thanks for opening this issue. Currently, there is no support for globbing in ragenix.

We are struggling a bit with your request. On one hand, we certainly acknowledge that such a feature could be useful. On the other hand, we appreciate explicitness when dealing with secrets.

Maybe we could strike a balance by introducing an additional flag glob which defaults to false:

{
  "hosts/host1/*" = {
    publicKeys = [ host1 ];
    glob = true;   # opt in to pattern matching; defaults to false
  };
}

Would that work for you?

Of course, that would be great! If a secret is matched by multiple globs, the rules would be merged I suppose?
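As an added illustration, not code from ragenix or from anyone in this thread, here is a Python model of the proposed `glob = true` rule semantics applied to the directory tree above, where a secret matched by several rules receives the union of their keys. The rule set, the placeholder key strings and the choice that `*` does not cross a `/` are my assumptions.

```python
import re

# Constructed placeholder keys standing in for real ssh-ed25519 public keys.
HOST1 = "ssh-ed25519 AAAA...host1"
HOST2 = "ssh-ed25519 AAAA...host2"
BACKUP_ADMIN = "ssh-ed25519 AAAA...backup-admin"

# Hypothetical rule set in the shape of the proposed secrets.nix: each name is
# a literal path unless the rule opts in with glob = true (default false).
RULES = {
    "hosts/host1/*": {"publicKeys": [HOST1], "glob": True},
    "hosts/host2/*": {"publicKeys": [HOST2], "glob": True},
    "hosts/*/backup-key": {"publicKeys": [BACKUP_ADMIN], "glob": True},
    # No glob flag: this name is matched literally, so "shared/api-token"
    # would NOT be covered by it.
    "shared/*": {"publicKeys": [BACKUP_ADMIN]},
}


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob pattern to a regex; `*` never crosses a `/` (assumption)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")


def rule_matches(name: str, rule: dict, secret: str) -> bool:
    """A rule matches as a pattern only when it opted in with glob = true."""
    if rule.get("glob", False):
        return _pattern_to_regex(name).match(secret) is not None
    return name == secret


def resolve_keys(rules: dict, secret: str) -> list[str]:
    """Union of publicKeys from every matching rule, in rule order, deduplicated."""
    keys: list[str] = []
    for name, rule in rules.items():
        if rule_matches(name, rule, secret):
            for key in rule["publicKeys"]:
                if key not in keys:
                    keys.append(key)
    if not keys:
        # Surfacing unmatched secrets keeps the explicitness the maintainers want.
        raise KeyError(f"no rule matches secret {secret!r}")
    return keys


def resolve_all(rules: dict, secrets: list[str]) -> dict[str, list[str]]:
    """Resolve every secret path to its merged recipient list."""
    return {secret: resolve_keys(rules, secret) for secret in secrets}
```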

I think #52 (with lib support) can lead to similar results while relying on the Nix language for string manipulation, rather than a "magical" Rust implementation of globbing.