Feature: declarative file processing

[thomas-mc-work]

Summary

I'd love to be able to substitute key references in a template file using gopass.

Steps To Reproduce

You have a file like this local config file for mysql (.mylogin.cnf):

[client]
host=127.0.0.1
port=3306
user={{ server/local/mysql:username }}
password={{ server/local/mysql:password }}

Gopass of course needs to have these values within it's database:

gopass> ls
gopass
└── server/
    └── local/
        └── mysql

Next I would process the file like this: gopass process mysql.conf. The output is then printed to stdout and would look like this:

[client]
host=127.0.0.1
port=3306
user=root
password=123456

This concept would allow me to share configuration file formats to others without exposing any secrets. Also it would be possible to add such files to a git repository and allow every user to resolve the values programmatically.

[thomas-mc-work]

The template syntax ({{ + }}) is just an example. Here everything else can be used that go provides.

[dominikschulz]

I'm not sure if I understand what exactly you're asking for.

We already have two simliar features:

• gopass env that invokes a subcommand with a pre-populated env, with a small helper script that could do what you want already.
• Then there are gopass templates for new secrets.

Can you provide a little more context how this feature would be used and if you did consider these alternatives/why they don't work?

[thomas-mc-work]

It's not the gopass templates for new secrets. gopass env is similar, but rather decoupled and imperative. I'm looking for the declarative solution. Gopass shall resolve the declarations in the file.

From my example above: Given a simple gopass show -o server/local would return 123456 on the CLI and gopass show server/local login results in root. The goal is to have gopass resolve my declarations from a source file and write the generated output to stdout.

Does that help?

[thomas-mc-work]

Regarding the context: I'm writing configuration files that shall be reused within the IT of organizations. The files can contain secrets. And instead of sharing or checking in the resulting file with the secrets, I'd like to share the template file which can be resolved by everyone with access to the gopass password store.

[thomas-mc-work]

I've create a POC in Python: https://github.com/thomas-mc-work/gopasser

I hope this helps to get an idea.

[dominikschulz]

Thanks, I'm still thinking about this. I think we could support that, but it's kind of a niche feature and every feature comes with some maintenance cost. So I wonder if it's really necessary to integrate this directly of if one would be better served by a different kind of integration.

[thomas-mc-work]

Now I finally found the project that I've seen years ago which is solving the same problem leveraging multiple backends:

https://github.com/abtreece/confd

Sadly, it seems to be focusing on network based services, as opposed to gopass being a local CLI application.

[thomas-mc-work]

Awesome!