managing files independent of their location on the filesystem

[ayushnix]

I'm not sure if this workflow is supported by chezmoi.

I want to manage files in a specific directory using chezmoi, add them in a specific source path, and apply them to a specific path without the directory prefixes.

For example, if the destination directory is ~/data/config/repo-name/ and I run chezmoi -S ../../repo/repo-name/ add README.md, I want README.md to be present in the source directory, not ~/data/config/repo-name/README.md. Similarly, if I add sample-dir/app.ini, I want the same hierarchy to get checked in the source directory. Then, when I want to apply the source directory, I want to do it somewhere else besides the original destination directory.

Is this something I should/can do with chezmoi?

My primary intent here is to leverage go templates to hide secrets from files I want to check in git repositories.

[twpayne]

My primary intent here is to leverage go templates to hide secrets from files I want to check in git repositories.

chezmoi already has multiple mechanisms for keeping data secret: you can use a password manager or encryption.

[halostatue]

Three correct answers:

The short answer is that chezmoi does not support this workflow as described and it can't, since its state is centred around final resolution of a file.

The medium answer is you can do something like this using chezmoi but you can't do it in chezmoi. You can execute any template with chezmoi execute-template and output it as you'd like, so you could do such substitutions as you need on those files. You can wrap up a model directory and then use chezmoi archive and pipe that into tar with the --strip-components parameter to take the files from the "full" path in the archive and strip off leading component parts.

The long answer is to better understand what you're trying to solve. If you're committing these files into git repos, you should probably look at using better solutions like sopts or 1Password CLI execution, etc. Chezmoi is the wrong tool for what you're doing as it's for managing dotfiles, not managing secrets. The 1Password CLI includes native template support and there are similar tools for most secret management mechanisms.

[ayushnix]

chezmoi execute-template looks useful, thanks!

However, it doesn't like I should use chezmoi to do what I want because it's centered around maintaining the location of files as part of their state.

The long answer is to better understand what you're trying to solve.

I want to take a file app.ini with some secret values, replace those values with templates like {{ .secret.value }}, maybe create app.ini.tmpl and check this file inside a git repo. When I apply these files to a directory I point at, app.ini.tmpl gets processed to app.ini and the template variables are replaced with the actual value stored somewhere (chezmoi.toml maybe?).

I don't necessarily need to or want to encrypt those secrets, just hide them in public git repos.

I was imagining something like git add --template app.ini, hide stuff, out comes app.ini.tmpl and gets staged and committed and then something like git exec-template -d <target-dir> <files>.

Thanks again for the response. I'll try to come up with something else.

[halostatue]

Yeah — there are tools that are built around this workflow and they should be used over chezmoi here, because it's the wrong tool for this particular use case.

This is sort of what various .env (dotenv, dotenvy, dotenvx, etc.) tools are for, and they often work with things like sops or the 1Password CLI.

[ayushnix]

got it, thanks!

[ayushnix]

For posterity, I found gomplate to be just what I was looking for, although tools like jinja-cli would've also worked for this use case. I can create a script to process the templates I create when I clone a repo and (obviously) never upload the data source file for these templates.

[Lockszmith-GH]

@ayushnix what you are describing sounds similar to my Layered Solution - read: #2574