[FEATURE] Private information storage in config files #99

Closed
totikom opened this issue Jun 9, 2022 · 4 comments

Comments

@totikom

totikom commented Jun 9, 2022

Is your feature request related to a problem? Please describe.

Sometimes config files contain sensitive information: port numbers for sshd, some wireguard settings, even passwords for web interfaces are sometimes placed in config files.

That's reasonable. If someone has access to your home folder, he/she will definitely be able to retrieve this information from the state of the programs. However, publishing this data will make you more vulnerable to targeted attacks.

Describe the solution you'd like

Here I propose a dotter module for sensitive information storage with the following architecture:

  • We add .dotter/Unprotected.toml and .dotter/Protected.toml files.
  • Unprotected.toml is a regular dotter config file, where variables can be set in plaintext. This file should be added to `.gitignore`
  • Protected.toml contains data from Unprotected.toml in encrypted form. The contents of the files are kept in sync by dotter.
  • At each start dotter first checks that the files are in sync, and then uses Unprotected.toml as a regular config.

Sidenotes:

For me the reasonable security model looks like this:

  • Attacker has read access to the repo
  • Attacker does not have access to user's home folder

For this model it is OK to either ask for a password when dotter is started, or store the password in a .gitignored file.

IMO, the easiest way to perform encryption reasonably safely is to use gpg or sequoia-pgp.
As PGP software, they provide text file encryption out of the box.

Maybe, we can just decrypt Protected.toml as a text file and then parse it as a regular config.

Describe alternatives you've considered

For now I'm solving this task in a very hacky way: I put all the private info in the system keyring (secret-tool store) and use {{command_output "secret-tool lookup"}} in the templates.
It works smoothly on one machine, but this approach detaches parts of the config from the git history, making some deployments irreproducible. Moreover, migration from one machine to another (or reinstalling the OS on the same machine) will be a huge pain.

Additional context

I'm willing to implement this feature myself, but (1) I'm not familiar enough with the codebase and (2) I'm having finals now, so I'll be ready to start only when I've passed them.

@totikom
Author

totikom commented Jun 9, 2022

Actually, we can create a .gitignored folder .dotter/private, where the user can store arbitrary dotter config files and include them in the manifest as regular files.
For example:

.dotter/
    Global.toml # main manifest
    Local.toml # local manifest
    Foo.toml # file to be included
    private/
        Bar.toml # gitignored, can be included just as Foo.toml
        Bar.asc # encrypted version of Bar.toml, not gitignored

@totikom
Author

totikom commented Jun 9, 2022

Well, actually, the pgp approach can be used with pre-deploy hooks, but it will be a very complicated script because of synchronization and merging logic.

I've come up with these questions, which should be answered before the actual implementation:

  1. How to determine which version is more recent (encrypted or unencrypted)? We can't use mtime for it.
  2. How to track whether the files are in sync? (Maybe store the encrypted file's hash somewhere in .dotter/cache and compare whether it differs from the actual encrypted file.)
  3. What to do if both the unencrypted and encrypted files are changed? (i.e. you changed the file but forgot to pull the most recent version before editing.) Maybe in that case we could emit a patch file and a warning, so the user will be able to manually merge the changes.

@SuperCuber
Owner

I guess what makes this use case complicated is the need to edit an encrypted file.
Consider this solution:

  • pre-deploy runs a command to decrypt the file into .dotter/private/bar.toml
  • .dotter/private/bar.toml is used in the normal configuration using existing include
  • post-deploy runs rm .dotter/private/bar.toml

(The decrypted file's location is gitignored just in case)

Then editing the encrypted file could be done without relation to Dotter - I haven't worked with encrypted files at all, but is there no way to conveniently edit one? This probably depends on your chosen format and whatnot, but I imagine the solution to that can be separate from Dotter?

@totikom
Author

totikom commented Jun 9, 2022

Well, I did it with pre and post deploy hooks.

The scripts contain a single passphrase, which is stored in secret-tool. The pre-hook decrypts all files in the .dotter/private directory and compares them with the corresponding unencrypted ones. If they are not identical, a patch file is created. If the patch file is already present, the hook exits with a non-zero status and the message "Resolve conflicts before deploy!"

Post-hook encrypts all changed .dotter/private/*.toml files.
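The pre/post-deploy hook logic sketched in the two comments above (decrypt .asc twins, compare with the plaintext .toml, leave a patch file on conflict, refuse to deploy while a patch is pending, re-encrypt changed plaintexts afterwards), as an added example that is neither dotter's code nor the author's scripts. It assumes gpg symmetric encryption as the cipher, that the caller has already fetched the passphrase (e.g. via secret-tool lookup) and passes it in, and the `.patch` naming and the injectable decrypt/encrypt callables are this example's own choices.

```python
import difflib
import subprocess
from pathlib import Path

# Passphrase is fed on stdin (--passphrase-fd 0), never on argv where `ps` shows it.
GPG = ["gpg", "--batch", "--yes", "--quiet", "--pinentry-mode", "loopback",
       "--passphrase-fd", "0"]

def gpg_decrypt(asc: Path, passphrase: str) -> str:
    # Symmetric decryption of Bar.asc to plaintext; assumes gpg >= 2.1.
    proc = subprocess.run(GPG + ["--decrypt", str(asc)], input=passphrase,
                          capture_output=True, text=True, check=True)
    return proc.stdout

def gpg_encrypt(toml: Path, asc: Path, passphrase: str) -> None:
    # Symmetric, ASCII-armoured encryption of Bar.toml to Bar.asc.
    subprocess.run(GPG + ["--armor", "--symmetric", "-o", str(asc), str(toml)],
                   input=passphrase, capture_output=True, text=True, check=True)

def pre_deploy(private: Path, passphrase: str, decrypt=gpg_decrypt) -> dict:
    """Pre-hook: per file 'in_sync', 'restored', 'conflict' or 'unresolved'."""
    status = {}
    for asc in sorted(private.glob("*.asc")):
        toml, patch = asc.with_suffix(".toml"), asc.with_suffix(".patch")
        if patch.exists():                  # earlier conflict not merged yet
            status[toml.name] = "unresolved"
            continue
        decrypted = decrypt(asc, passphrase)
        if not toml.exists():               # fresh clone: materialise plaintext
            toml.write_text(decrypted)
            status[toml.name] = "restored"
        elif toml.read_text() == decrypted:
            status[toml.name] = "in_sync"
        else:                               # both sides changed: leave a patch
            diff = difflib.unified_diff(toml.read_text().splitlines(True),
                                        decrypted.splitlines(True),
                                        fromfile=toml.name, tofile=asc.name)
            patch.write_text("".join(diff))
            status[toml.name] = "conflict"
    return status

def deploy_allowed(status: dict) -> bool:
    # Pre-hook exits non-zero ("Resolve conflicts before deploy!") when False.
    return "unresolved" not in status.values()

def post_deploy(private, passphrase, decrypt=gpg_decrypt, encrypt=gpg_encrypt):
    """Post-hook: re-encrypt each plaintext that differs from its .asc twin."""
    changed = []
    for toml in sorted(private.glob("*.toml")):
        asc = toml.with_suffix(".asc")
        if asc.with_suffix(".patch").exists():   # never overwrite a conflict
            continue
        if not asc.exists() or decrypt(asc, passphrase) != toml.read_text():
            encrypt(toml, asc, passphrase)
            changed.append(toml.name)
    return changed
```

Skipping files with a pending .patch in the post-hook matters: otherwise a conflicted local edit would silently overwrite the version that came in from git.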
