Change `key` option to type `listOf str`

[mainrs]

I use NixOS for a couple dozen microservices, each has their own secrets that they require. Some services require the same credentials, for which I'd like to re-use existing entries in secrets.yaml. However, I also use separate files per service to not grant services access to secrets that they do not require at runtime.

The current options have a key attribute that I can use to select a subfield of the config. Using one key per microservice would require me to duplicate secrets within the same file. Using one key per logical secret group would not be powerful enough, as microservices might require multip0le secrets from multiple groyps.

I think changing the type of the key option to a list that gets merged into the final secrets file during evaluation would be a solution to this problem. But maybe this is already somehow possible and I am not aware of it.

Thank you for writing and maintaining this module!

[SuperSandro2000]

Are you aware of templates?

[mainrs]

Yes! But maybe I am understanding something else differently. Lets say I have a secrets.yaml file with secrets for two services:

serviceA:
  secretOne: hello
serviceB:
  secretTwo: world

As far as I understood, sops-nix works by putting each secret into its own file under /run/secrets. I thought that, since I would pass sops-nix the whole file or a subkey to it, it would put all the secrets inside into the run directory.

I see how I can write templates instead of using the .path attribute of secrets and use permissions to restrict access to secrets. I was hoping it would be possible to not pull in the secrets at all if not used.

But I can see how that is kind of redundant at the point of one using templates and permissions.