Understanding secret managers, template data and template ordering

[sysadmiral]

Hi,

This query/thought comes from a very specific use case but I imagine others might be interested to know the current status and any thoughts on if it could become a feature.

So if I hook chezmoi up to my password manager (op in my case) I can very nicely fetch my ssh private keys from 1password and this all works great.

However, what if I want to fetch secret data from my password manager for use by chezmoi?

I did a quick test and read the docs but it seems .data files cannot be .data.tmpl files but is that something that would be possible?

Basically I want to be able to fetch data from 1password before chezmoi does any template rendering/application. Since data needs to be available before any templating happens I would imagine this shouldn't alter the flow of things too much.

This would allow me to keep my dotfiles very generic and also public without the worry that I will expose sensitive information such as which orgs I am currently working with.

This all came about because I was setting up my chezmoi dotfiles so that I can specify a yaml of cvs providers and chezmoi would template out my gitconfig and ssh_config so that URL spoofing would work. It currently works if I have the data in a local file etc but it would be handy to be able to fetch secret data from a configured password manager.

Some more code snippet context below...

.chezmoidata/cvs - this is a yaml of orgs that I provide consultancy for but in some cases they don't want this information to be public:

cvs:
  github:
    orgs:
      - foo
      - bar
  gitlab:
    orgs:
      - baz

.chezmoitemplates/gitconfig-cvs-url-insteadof-github - a snippet that does the URL rewrite config for git (repeat for other providers):

### github - {{ . }}
[url "github-work:{{ . }}/"]
    insteadOf = [email protected]:{{ . }}/
[url "github-work:{{ . }}/"]
    insteadOf = https://github.com/{{ . }}/

and in my dot_gitconfig.tmpl:

...
{{- range .cvs.github.orgs }}
  {{- template "gitconfig-cvs-url-insteadof-github" . }}
{{ end }}
...

and finally my private_dot_ssh/config.tmpl so it uses the right key for my work commits:

# Work GitHub
Host github-work
  HostName github.com
  User git
  IdentityFile ~/.ssh/work_id_ed25519
  UpdateHostKeys yes

[sysadmiral]

s/cvs/vcs ... 🤦🏽‍♂️

[twpayne]

I did a quick test and read the docs but it seems .data files cannot be .data.tmpl files but is that something that would be possible?

No. .chezmoidata files are read before templates are executed. Making .chezmoidata files templates would create a circular dependency. See #3526.