sops-nix
Allow multiple sopsFiles for easier common secrets sharing across multiple configurations
Allow multiple sopsFiles for easier secret sharing across multiple configurations.
For example, you have the files

secrets/common.yaml:

```yaml
hashed_password: ....
vpn_user: ...
vpn_password: ...
vpn_cert: | ...
```

secrets/<system>/default.yaml:

```yaml
vpn_user: ...
vpn_password: ...
```

with `sops.defaultSopsFiles = [ ./secrets/common.yaml ./secrets/<system>/default.yaml ];` in the configuration for `<system>`.
This would allow overriding of shared secrets across hosts without manually checking and changing the required sopsFile per secret.
The current changes are just a rough draft.
The only question is how to order priority between those in case keys overlap. Otherwise it would make sense to throw an error so that users don't accidentally shadow secrets.
My idea was to have the files in increasing priority, this way you can have a default common file and append system/user specific files.
In other words search the list of sops files in reverse order and use the first found secret.
In the example above vpn_user and vpn_password in secrets/common.yaml would be shadowed by vpn_user and vpn_password in secrets/<system>/default.yaml.
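The precedence rule described in this thread (files listed in increasing priority, searched in reverse, first hit wins), with the shadow-or-error alternative raised above, as an added illustration that is not sops-nix code; the file contents are constructed stand-ins for decrypted secrets:

```python
"""Illustrate the proposed multi-file precedence for sops secrets.

Not part of sops-nix: a constructed model of the rule from the PR thread.
Files are given in increasing priority; a lookup searches them in reverse
and takes the first match, so later files shadow earlier ones.
"""
from typing import Dict, List, Tuple

# Constructed stand-ins for secrets/common.yaml and secrets/<system>/default.yaml
# after decryption (real values live sops-encrypted on disk).
COMMON: Dict[str, str] = {
    "hashed_password": "$6$constructed-hash",
    "vpn_user": "shared-user",
    "vpn_password": "shared-pass",
    "vpn_cert": "-----BEGIN CERTIFICATE-----\n(constructed)\n",
}
HOST: Dict[str, str] = {
    "vpn_user": "host-user",
    "vpn_password": "host-pass",
}


def lookup(files: List[Dict[str, str]], key: str) -> Tuple[str, int]:
    """Return (value, index of the file it came from), highest priority first."""
    for idx in range(len(files) - 1, -1, -1):
        if key in files[idx]:
            return files[idx][key], idx
    raise KeyError(f"secret {key!r} is not defined in any sops file")


def resolve(files: List[Dict[str, str]]) -> Tuple[Dict[str, str], Dict[str, List[int]]]:
    """Merge all files last-wins and report which keys were shadowed.

    The shadow report maps key -> indexes of every file defining it; the last
    index is the winner. Useful as an audit of what a host file overrides.
    """
    defined_in: Dict[str, List[int]] = {}
    for idx, contents in enumerate(files):
        for key in contents:
            defined_in.setdefault(key, []).append(idx)
    resolved = {key: lookup(files, key)[0] for key in defined_in}
    shadowed = {key: idxs for key, idxs in defined_in.items() if len(idxs) > 1}
    return resolved, shadowed


def resolve_strict(files: List[Dict[str, str]]) -> Dict[str, str]:
    """The alternative from the thread: any overlapping key is an error."""
    resolved, shadowed = resolve(files)
    if shadowed:
        raise ValueError(f"overlapping secrets across sops files: {sorted(shadowed)}")
    return resolved
```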
It's just hard to enforce an order in lists if those lists get defined in different NixOS modules.
Ah. I think one can use lib.mkBefore for host files.
Is this dead in the water? Is there another way to share secrets among hosts without copying secrets between the individual hosts' secrets.yaml files?