Can I store encrypted files/secrets outside the main repository?

[Jackenmen]

I use a public repository for my dotfiles and am wondering whether I can in some way store the encrypted files outside that repository while still benefitting from what chezmoi offers. Some things, I would want to store are my ssh key (~/.ssh/id_rsa) and tokens I'll be using in chezmoi templates (the templates will be part of the public repository). Even if encrypted, I would rather not put them in a repository accessible by anyone so I was hoping for a way to store it at a different not publically accessible place. Preferably another git repository (perhaps as a git submodule?) but if that's not achievable then a local directory/archive would be alright too as​ I can just manually get it onto the system before running chezmoi.

I don't really know whether I can achieve this with chezmoi already and am hoping to either find an already working solution or pointers on what feature I would have to request on the issue tracker to make this possible.

[twpayne]

For secrets like this, I'd strongly recommend using a password manager to store your secrets. That way the amount of information revealed in your public dotfiles repo is almost minimized. Here's an example of a secret in my public dotfile repo that is stored outside the repository - here I use a chezmoi template function to retrieve a secret from my personal password manager (LastPass), while still keeping my dotfiles repo public.

[Jackenmen]

I use Enpass as my password manager which does not have an official CLI + I currently am developing inside a Linux VM that runs on Windows and so far I have not felt the need to install the password manager inside it either which kind of stops me from using even the unofficial/3rd-party Enpass CLI.
And this doesn't really solve my issue with the storage of entire files like ssh keys.

This is why I was hoping to use a setup that does not involve my password manager at all if possible.

[twpayne]

Modern password managers can store entire files. Here's an example from my personal dotfiles where I bring in a section of a config file from a password manager. Of course, this works for entire files too.

Modern encryption tools like age and gpg combined with chezmoi's native support for them mean that you can push encrypted files to your public dotfile repo, like this. Note that chezmoi has builtin support for age.

I'm struggling to understand what exactly you want that isn't already provided by chezmoi. Would you be able to give a description of your ideal solution?

[Jackenmen]

Yeah, that seems like something that would work for me, I'll subscribe to it.

[Jackenmen]

I've been thinking about this and wondered if it would be possible to use Authorization header/HTTP basic authentication (filled from template variables) when getting the external archive from a specified URL? I could then presumably use GitHub's API to get a tarball of a private git repository.

[twpayne]

Yes, there's an example of this here: https://github.com/marcus-crane/dotfiles/blob/main/dot_ssh/config.tmpl#L12-L16

[Jackenmen]

Yes, there's an example of this here: marcus-crane/dotfiles@main/dot_ssh/config.tmpl#L12-L16

Perhaps I'm missing something but I don't think this solves my issue.

What I want is to specify an archive URL in .chezmoiexternal.<format> file and specify Authorization header (or HTTP basic authentication) that would be used when chezmoi makes a HTTP request in order to download the archive.

To give a more concrete example, I want to have a .chezmoiexternal.toml file look somewhat like this (the structure I used for headers array/table doesn't matter, just wanted to quickly express it in some way):

[""]
    type = "archive"
    url = "https://github.com/jack1142/private-dotfiles/archive/main.tar.gz"
    headers = [
        {name = "Authorization", value = "{{ .name_of_the_template_variable_with_secret }}"}
    ]
    refreshPeriod = "168h"

---

I want to note here that I haven't actually tried adding .chezmoiexternal.<format> file at all yet so I am not actually entirely sure that it is even the right tool for the job here. I was hoping that I could leverage it to have the external archive be unpacked in the top-level directory of the source state and that I could use something like .chezmoidata.<format> (or files in .chezmoitemplates directory?) inside the archive to define the secrets to be used by other templates (templates that are part of the main dotfiles repository, not the archive) and also just put some whole files like SSH key(s).

I didn't really try looking into whether this actually works like that as for now I just got stuck on figuring out whether I can specify the Authorization header (or use HTTP basic authentication)

[marcus-crane]

Yes, there's an example of this here: https://github.com/marcus-crane/dotfiles/blob/main/dot_ssh/config.tmpl#L12-L16

For historical purposes, the commit that was being pointed to lives here: https://github.com/marcus-crane/dotfiles/blob/b48dcd4/dot_ssh/config.tmpl#L11-L16

I've since changed how I deal with my work config :)

[twpayne]

By the way #741 was opened to add Enpass support to chezmoi, but there was no indication from Enpass that there would ever be an official CLI, so I closed the issue.

[Jackenmen]

Last time I searched, I found this response from Enpass team: https://discussion.enpass.io/index.php?/topic/4362-command-line-client/&tab=comments#comment-35116
I'm not sure whether they meant they're working on implementing it or if they're just "working" on whether they want to implement it and there's been no update in over a year so I don't have my hopes up. Due to my current setup, I don't really want to have Enpass on the target system at all since it's a VM and I already have the password manager on the host system but might still turn up to be useful in the future if they ever do implement it 😄