
Feature request: "input addressed secret paths" #648

Open
jfly opened this issue Nov 5, 2024 · 2 comments

Comments

@jfly
Contributor

jfly commented Nov 5, 2024

It's a bit finicky to correctly configure sops-nix to systemd services when secrets (or templates) change.

There are some scenarios where this is necessary (some software is hardcoded to read files from /etc/). However, for software where we can explicitly specify the config path, then things would "just work" if the resulting secret path changes whenever the corresponding secret changes. Concretely, this would mean generating secret paths that look like /run/secrets/foo-{sha256 encryptedSecret} rather than /run/secrets/foo.

Unfortunately, this is challenging to implement right now, because sops-nix's defaultSopsFile can contain multiple secrets, and we can't just hash that entire file (because it would generate new paths for every single secret when a single secret changes). Ideally we would extract the relevant encrypted secret from the large yaml file, but we can't currently parse yaml in nix.
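The per-secret hashing idea from the request above, as an added illustration that is not sops-nix code and not from the issue author; it assumes a sops file in JSON (which Nix can parse with `builtins.fromJSON`) and uses constructed placeholder ciphertexts:

```nix
# Added example, not sops-nix code: derive "input addressed" secret paths
# (/run/secrets/<name>-<sha256 of that secret's ciphertext>) from a sops
# JSON file, which Nix can parse with builtins.fromJSON (unlike YAML).
let
  # Constructed sample sops JSON: each value is its own ENC[...] ciphertext;
  # the top-level "sops" key is metadata (mac, lastmodified) that changes on
  # every edit, which is why hashing the whole file would churn every path.
  sampleV1 = builtins.toJSON {
    foo = "ENC[AES256_GCM,data:placeholder-foo-v1,type:str]";
    bar = "ENC[AES256_GCM,data:placeholder-bar,type:str]";
    sops = { mac = "ENC[placeholder-mac-v1]"; lastmodified = "2024-11-05T00:00:00Z"; };
  };
  # The same file after only "foo" was re-encrypted (constructed).
  sampleV2 = builtins.toJSON {
    foo = "ENC[AES256_GCM,data:placeholder-foo-v2,type:str]";
    bar = "ENC[AES256_GCM,data:placeholder-bar,type:str]";
    sops = { mac = "ENC[placeholder-mac-v2]"; lastmodified = "2024-11-06T00:00:00Z"; };
  };

  # Drop the sops metadata so only real secrets remain.
  parse = json: builtins.removeAttrs (builtins.fromJSON json) [ "sops" ];

  # Hash only the named secret's ciphertext, never the whole file, so the
  # path moves exactly when that one secret's encrypted value changes.
  inputAddressedPath = secrets: name:
    "/run/secrets/${name}-${builtins.hashString "sha256" secrets.${name}}";

  v1 = parse sampleV1;
  v2 = parse sampleV2;
in
# Re-encrypting foo must move foo's path and leave bar's path untouched.
assert inputAddressedPath v1 "foo" != inputAddressedPath v2 "foo";
assert inputAddressedPath v1 "bar" == inputAddressedPath v2 "bar";
{
  fooPath = inputAddressedPath v2 "foo";
  barPath = inputAddressedPath v2 "bar";
}
```

Evaluate it with `nix-instantiate --eval --strict example.nix` (file name assumed); the two `assert`s fail evaluation if a change to `foo` leaked into `bar`'s path.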

@Mic92
Owner

Mic92 commented Nov 5, 2024

Maybe this could be an optional feature at first if some preconditions are met (i.e. secrets files can be parsed). And then we could decide if we want to deprecate using files that we can't parse. But given how widespread sops-nix is, I don't want to force everyone to migrate without having a good migration path.

@Mic92
Owner

Mic92 commented Nov 5, 2024

Actually in clan we can have this feature because there we only use json: https://github.com/Mic92/dotfiles/blob/main/sops/secrets/alertmanager/secret
