jw-pkg.py secrets [sub-command] [packages] is a set of utility commands designed to manage configuration files containing secrets.
To keep secrets from leaking via version control or packages, a _template_ should be packaged for every sensitive configuration file. Then, during post-install, configuration files can be generated from packaged templates via
jw-pkg.py secrets compile-templates <package> <package> ...
During post-uninstall
jw-pkg.py secrets rm-compilation-output <package> <package> ...
removes them.
Not specifying any packages will compile or remove all templates on the system.
To identify which files to consider and generate or remove, the compilation scans <package> for files ending in .jw-tmpl. For each match, e.g.
/path/to/some.conf.jw-tmpl
it will read key-value pairs from
/path/to/some.conf.jw-secret
and generate
/path/to/some.conf
from it, replacing all keys by their respective values. The file attributes of the generated file can be determined by the first line: of some.conf.jw-tmpl or some.conf.jw-secret:
# conf: owner=mysql; group=mysql; mode=0640
There are other commands for managing all secrets on the system at once, see jw-pkg.py secrets --help:
compile-templates Compile package template files
list-compilation-output
List package compilation output files
list-secrets List package secret files
list-templates List package template files
rm-compilation-output
Remove package compilation output files
Signed-off-by: Jan Lindemann <jan@janware.com>
Jan Lindemann
18de6f2cf2