Getting caching for templates using pass

[Nicholas42]

I am using the pass password manager with chezmoi to add secrets to a few files that need them. There is a nice standard way for this with the pass template function. However, then pass gets called whenever I run chezmoi status or something similar. Of course, chezmoi needs to know if the password changed, but with pass, you don't actually need to decrypt the password for this, since every password is a separate, encrypted file.

So, what we want here is a file that gets cache-invalidated if the encrypted file changes, but when it gets recreated runs the decryption. There is hacky way to do this with chezmoi:

• Have a template that adds a hash for each password file it depends on
• Give it a shebang that re-templates it, with the actual pass command being run in the second stage
• Mark it as run_onchange to be executed when the first stage template changes

The first stage template does not need to decrypt the password, since it just uses a file hash. The second stage template needs to decrypt the password, but is only run when the file hashes change.

It gets a bit tricky to get all of this right, such that it works well, but I think I have a pretty solid way, now. It is based on a few template helpers and a script chezmoi-templatize-changed that is inserted as a shebang by the first template. Those basically do what it says on the tin and I include them at the end.

Now let's look at an example. I have a wireguard config with a private and pre-shared key in pass under wireguard/vpn.key and wireguard/vpn.psk respectively. In chezmoi, we store

dot_config/wireguard/run_onchange_vpn.conf.tmpl

{{ includeTemplate "shebang-templatize-changed.tmpl" (merge . (dict "private" true)) -}}
{{ includeTemplate "pass-hashes.tmpl" (merge . (dict "passwords" (dict "key" "wireguard/vpn.key" "psk" "wireguard/vpn.psk" ))) -}}
[Interface]
PrivateKey = [[ pass $passwords.key ]]
Address = 10.0.0.2/24

[Peer]
PublicKey = asdf
PresharedKey = [[ pass $passwords.psk ]]
Endpoint = endpoint.mc.endpoint.face
AllowedIPs = 0.0.0.0/0, ::/0 # Route all traffic through vpn

When this template is executed, it will result in the following output:

#!/bin/env -S chezmoi-templatize-changed "/home/me/.config/wireguard/vpn.conf" --private 
[[- /* this will ensure that nothing of the following is included in the final state

pass hash: a0463f2ea8ab4c20e3232edc65c09cb264d76a05c85699f23d14a1fd1fe02150

pass hash: a4b8044a477f51099ccd7301524480c50d47dd6ebd754ed8c0ef5c3401c749c2

5e7d36c4f9c2bfddcf55ba484af68ef4c540aad2a0ae9f1f1038642e1e401b5d
*/ -]][[ $passwords := ("{\"key\":\"wireguard/vpn.key\",\"psk\":\"wireguard/vpn.psk\"}" | mustFromJson) ]][Interface]
PrivateKey = [[ pass $passwords.key ]]
Address = 10.0.0.2/24

[Peer]
PublicKey = asdf
PresharedKey = [[ pass $passwords.psk ]]
Endpoint = endpoint.mc.endpoint.face
AllowedIPs = 0.0.0.0/0, ::/0 # Route all traffic through vpn

Note the [[ and ]] here instead of {{ and }}. This is set in chezmoi-templatize-changed such that we don't need to escape them everywhere. Be careful to only call pass in square brackets! This file is normally only created internally and you don't see it.

As you can see, there are hashes for the password files (sorted by their filenames to make it deterministic) and a hash for the target file. Hence, the template changes if any of those files change and the script is run again. If those files do not change, the template is evaluated (which does not need to run pass) but the script is not run.

Adding the target file hash is necessary, otherwise chezmoi will not care if that file was deleted or changed. However,this will also have the effect when changing the password, the second run of chezmoi apply also executes the template, since the dependency on the output changed. For me, this is not that much of a problem, but it can be annoying.

If you now execute the file above, you run it through chezmoi-templatize-changed and create /home/me/.config/wireguard/vpn.conf

[Interface]
PrivateKey = key1234
Address = 10.0.0.2/24

[Peer]
PublicKey = asdf
PresharedKey = psk1234
Endpoint = endpoint.mc.endpoint.face
AllowedIPs = 0.0.0.0/0, ::/0 # Route all traffic through vpn

Here the necessary files:

~/.local/share/chezmoi/.chezmoitemplates/hash-file.tmpl

{{- /* Hash file at given path, fail with reasonable error message if it doesn't exist */ -}}
{{ if (stat .) }}{{ include . | sha256sum }}{{ else }}{{ fail (printf "Error trying to hash %s: file does not exist" .)}}{{ end -}}

~/.local/share/chezmoi/.chezmoitemplates/pass-file-path.tmpl

{{- /* return path in filesystem for a given pass path it is important that there are no extraneous whitespaces in this template */ -}}
{{ coalesce (env "PASSWORD_STORE_DIR") (expandenv "$HOME/.password-store") }}/{{print . ".gpg" -}}

~/.local/share/chezmoi/.chezmoitemplates/pass-hashes.tmpl

{{- /* insert hashes of password files and pass them to second stage template. Expects a dictionary of passwords and */ -}}
[[- /* this will ensure that nothing of the following is included in the final state
{{ range (values .passwords | sortAlpha)}}
pass hash: {{ includeTemplate "hash-file.tmpl" (includeTemplate "pass-file-path.tmpl" .) }}
{{ end }}
{{ includeTemplate "safe-hash-file.tmpl" .chezmoi.targetFile }}
*/ -]]
{{- includeTemplate "transfer-variables.tmpl" (dict "passwords" .passwords) -}}

~/.local/share/chezmoi/.chezmoitemplates/safe-hash-file.tmpl

{{- /* hash file at given path, return random ash if it does not exist (non-existing file should always be a cache-miss) */ -}}
{{ if (stat .) }}{{ include . | sha256sum }}{{ else }}{{ randAscii 24 | sha256sum }}{{ end -}}

~/.local/share/chezmoi/.chezmoitemplates/shebang-templatize-changed.tmpl

{{- /* Add a shebang that calls chezmoi-templatize-changed as expected */ -}}
#!/bin/env -S chezmoi-templatize-changed {{ .chezmoi.targetFile | quote }} {{ if (get . "private") }}--private{{ end }} {{ if (get . "readonly") }}--readonly{{ end }}

~/.local/share/chezmoi/.chezmoitemplates/transfer-value.tmpl

{{- /* escape value in a form that can be reused in a template */ -}}
({{ . | mustToJson | quote }} | mustFromJson){{- /* remove following newline */ -}}

~/.local/share/chezmoi/.chezmoitemplates/transfer-variables.tmpl

{{- /* Output a dict of variables in a way that can then be used by chezmoi-templatize-changed */ -}}
{{ range $name, $value := . -}}
[[ ${{ $name }} := {{ includeTemplate "transfer-value.tmpl" $value }} ]]
{{- end -}}

~/.bin/chezmoi-templatize-changed

Note: ~/.bin/ is in my $PATH

#!/bin/bash

set -e
TARGET_PATH="$1"
shift

PRIVATE=0
READONLY=0
EXECUTABLE=0

while [ -n "$1" ]; do
  case "$1" in
  "--private")
    PRIVATE=1
    ;;
  "--executable")
    EXECUTABLE=1
    ;;
  "--readonly")
    READONLY=1
    ;;
  *)
    if [[ -n "$INPUT_FILE" ]]; then
      echo "Error: Multiple input file options"
      exit 1
    fi
    INPUT_FILE="$1"
    ;;
  esac
  shift
done

if [[ -z "$TARGET_PATH" ]]; then
  echo "Error: target path (first argument) needs to be non-empty"
  exit 1
fi

if [[ ! -f "$INPUT_FILE" ]]; then
  echo "Error: \"$INPUT_FILE\" (second non-option argument) is not a regular file"
  exit 1
fi

if [ "$PRIVATE" -eq 1 ]; then
  umask 077
fi

if [ "$READONLY" -eq 1 ]; then
  umask a-w
fi

[ -f "$TARGET_PATH" ] && rm -f "$TARGET_PATH"

# Skip 1 [sic!] line at the start
chezmoi execute-template --left-delimiter='[[' --right-delimiter=']]' -f <(tail -n +2 "$INPUT_FILE") >"$TARGET_PATH"

if [ "$EXECUTABLE" -eq 1 ]; then
  if [ "$PRIVATE" -eq 1 ]; then
    chmod u+x "$TARGET_PATH"
  else
    chmod a+x "$TARGET_PATH"
  fi
fi