integrate secretspec.dev

Author: domenkozar

Cargo.lock

@@ -27,7 +27,8 @@
     pkgs.cargo-outdated # Find outdated crates
     pkgs.cargo-machete # Find unused crates
     pkgs.cargo-edit # Adds the set-version command
-    pkgs.protobuf
+    pkgs.protobuf # snix
+    pkgs.dbus # secretspec
   ];
 
   languages.nix.enable = true;

devenv.nix

@@ -53,6 +53,7 @@ shell-escape.workspace = true
 rmcp.workspace = true
 rmcp-macros.workspace = true
 async-trait.workspace = true
+secretspec = "0.2.0"
 
 # Optional snix dependencies
 snix-eval = { git = "https://github.com/cachix/snix", optional = true }

devenv/Cargo.toml

@@ -158,6 +158,20 @@ pub struct Config {
     pub impure: bool,
     #[serde(default, skip_serializing_if = "is_default")]
     pub backend: NixBackendType,
+    #[setting(nested)]
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub secretspec: Option<SecretspecConfig>,
+}
+
+#[derive(schematic::Config, Clone, Debug, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
+pub struct SecretspecConfig {
+    #[serde(skip_serializing_if = "is_false", default = "false_default")]
+    #[setting(default = false)]
+    pub enable: bool,
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub profile: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub provider: Option<String>,
 }
 
 // TODO: https://github.com/moonrepo/schematic/issues/105

devenv/src/config.rs

@@ -7,6 +7,7 @@ use cli_table::{print_stderr, WithTitle};
 use include_dir::{include_dir, Dir};
 use miette::{bail, miette, Context, IntoDiagnostic, Result};
 use once_cell::sync::Lazy;
+use secretspec;
 use serde::Deserialize;
 use serde_json;
 use sha2::Digest;
@@ -90,6 +91,9 @@ pub struct Devenv {
 
     has_processes: Arc<OnceCell<bool>>,
 
+    // Secretspec resolved data to pass to Nix
+    secretspec_resolved: Arc<OnceCell<secretspec::Resolved<HashMap<String, String>>>>,
+
     // TODO: make private.
     // Pass as an arg or have a setter.
     pub container_name: Option<String>,
@@ -145,11 +149,19 @@ impl Devenv {
             cachix_trusted_keys,
         };
 
+        // Create shared secretspec_resolved Arc to share between Devenv and Nix
+        let secretspec_resolved = Arc::new(OnceCell::new());
+
         let nix: Box<dyn nix_backend::NixBackend> = match backend_type {
             config::NixBackendType::Nix => Box::new(
-                crate::nix::Nix::new(options.config.clone(), global_options.clone(), paths)
-                    .await
-                    .expect("Failed to initialize Nix backend"),
+                crate::nix::Nix::new(
+                    options.config.clone(),
+                    global_options.clone(),
+                    paths,
+                    secretspec_resolved.clone(),
+                )
+                .await
+                .expect("Failed to initialize Nix backend"),
             ),
             #[cfg(feature = "snix")]
             config::NixBackendType::Snix => Box::new(
@@ -176,6 +188,7 @@ impl Devenv {
             assembled: Arc::new(AtomicBool::new(false)),
             assemble_lock: Arc::new(Semaphore::new(1)),
             has_processes: Arc::new(OnceCell::new()),
+            secretspec_resolved,
             container_name: None,
         }
     }
@@ -1201,6 +1214,79 @@ impl Devenv {
                 miette::miette!("Failed to create {}: {}", self.devenv_runtime.display(), e)
             })?;
 
+        // Check for secretspec.toml and load secrets
+        let secretspec_path = self.devenv_root.join("secretspec.toml");
+        let secretspec_config_exists = config.secretspec.is_some();
+        let secretspec_enabled = config
+            .secretspec
+            .as_ref()
+            .map(|c| c.enable)
+            .unwrap_or(false); // Default to false if secretspec config is not present
+
+        if secretspec_path.exists() {
+            // Log warning when secretspec.toml exists but is not configured
+            if !secretspec_enabled && !secretspec_config_exists {
+                info!(
+                    "{}",
+                    indoc::formatdoc! {"
+                    Found secretspec.toml but secretspec integration is not enabled.
+                    
+                    To enable, add to devenv.yaml:
+                      secretspec:
+                        enable: true
+                    
+                    To disable this message:
+                      secretspec:
+                        enable: false
+                    
+                    Learn more: https://devenv.sh/integrations/secretspec/
+                "}
+                );
+            }
+
+            if secretspec_enabled {
+                // Get profile and provider from devenv.yaml config
+                let (profile, provider) = if let Some(ref secretspec_config) = config.secretspec {
+                    (
+                        secretspec_config.profile.clone(),
+                        secretspec_config.provider.clone(),
+                    )
+                } else {
+                    (None, None)
+                };
+
+                // Load and validate secrets using SecretSpec API
+                let mut secrets = secretspec::Secrets::load()
+                    .map_err(|e| miette!("Failed to load secretspec configuration: {}", e))?;
+
+                // Configure provider and profile if specified
+                if let Some(ref provider_str) = provider {
+                    secrets.set_provider(provider_str);
+                }
+                if let Some(ref profile_str) = profile {
+                    secrets.set_profile(profile_str);
+                }
+
+                // Validate secrets
+                match secrets.validate()? {
+                    Ok(validated_secrets) => {
+                        // Store resolved secrets in OnceCell for Nix to use
+                        self.secretspec_resolved
+                            .set(validated_secrets.resolved)
+                            .map_err(|_| miette!("Secretspec resolved already set"))?;
+                    }
+                    Err(validation_errors) => {
+                        bail!(
+                            "Required secrets are missing: {} (provider: {}, profile: {})",
+                            validation_errors.missing_required.join(", "),
+                            validation_errors.provider,
+                            validation_errors.profile
+                        );
+                    }
+                }
+            }
+        }
+
         // Create cli-options.nix if there are CLI options
         if !self.global_options.option.is_empty() {
             let mut cli_options = String::from("{ pkgs, lib, config, ... }: {\n");

devenv/src/devenv.rs

@@ -4,9 +4,11 @@ use async_trait::async_trait;
 use futures::future;
 use miette::{bail, IntoDiagnostic, Result, WrapErr};
 use nix_conf_parser::NixConf;
+use secretspec;
 use serde::Deserialize;
+use serde_json;
 use sqlx::SqlitePool;
-use std::collections::BTreeMap;
+use std::collections::{BTreeMap, HashMap};
 use std::env;
 use std::os::unix::fs::symlink;
 use std::os::unix::process::CommandExt;
@@ -27,13 +29,15 @@ pub struct Nix {
     global_options: cli::GlobalOptions,
     cachix_caches: Arc<OnceCell<CachixCaches>>,
     paths: nix_backend::DevenvPaths,
+    secretspec_resolved: Arc<OnceCell<secretspec::Resolved<HashMap<String, String>>>>,
 }
 
 impl Nix {
     pub async fn new(
         config: config::Config,
         global_options: cli::GlobalOptions,
         paths: nix_backend::DevenvPaths,
+        secretspec_resolved: Arc<OnceCell<secretspec::Resolved<HashMap<String, String>>>>,
     ) -> Result<Self> {
         let cachix_caches = Arc::new(OnceCell::new());
         let options = nix_backend::Options::default();
@@ -51,6 +55,7 @@ impl Nix {
             global_options,
             cachix_caches,
             paths,
+            secretspec_resolved,
         })
     }
 
@@ -609,6 +614,19 @@ impl Nix {
             // set a dummy value to overcome https://github.com/NixOS/nix/issues/10247
             cmd.env("NIX_PATH", ":");
         }
+
+        // Pass secretspec data to Nix if available
+        if let Some(resolved) = self.secretspec_resolved.get() {
+            let secrets_data = serde_json::json!({
+                "secrets": resolved.secrets,
+                "profile": resolved.profile,
+                "provider": resolved.provider
+            });
+            if let Ok(secrets_json) = serde_json::to_string(&secrets_data) {
+                cmd.env("SECRETSPEC_SECRETS", secrets_json);
+            }
+        }
+
         cmd.args(flags);
         cmd.current_dir(&self.paths.root);
 

devenv/src/nix.rs

@@ -52,6 +52,16 @@
       "items": {
         "type": "string"
       }
+    },
+    "secretspec": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/SecretspecConfig"
+        },
+        {
+          "type": "null"
+        }
+      ]
     }
   },
   "definitions": {
@@ -168,6 +178,26 @@
           }
         }
       }
+    },
+    "SecretspecConfig": {
+      "type": "object",
+      "properties": {
+        "enable": {
+          "type": "boolean"
+        },
+        "profile": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "provider": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      }
     }
   }
 }

docs/devenv.schema.json

@@ -1,5 +1,6 @@
 nav:
    - .env: dotenv.md
+   - secretspec: secretspec.md
    - Android: android.md
    - Wordpress: wordpress.md
    - GitHub Actions: github-actions.md

docs/integrations/.nav.yml

@@ -0,0 +1,55 @@
+# SecretSpec
+
+[SecretSpec](https://secretspec.dev) separates secret declaration from secret provisioning. You define what secrets your application needs in a `secretspec.toml` file, and each developer, CI system, and production environment can provide those secrets from their preferred secure provider.
+
+## Quick Start
+
+Follow [SecretSpec Quick Start](https://secretspec.dev/quick-start/).
+
+## Best Practice: Runtime Loading
+
+While you can enable SecretSpec in devenv to load secrets into `secretspec.secrets` option, we recommend:
+
+a) [Use Rust SDK](https://secretspec.dev/sdk/rust/)
+
+b) Your application load secrets at runtime instead:
+
+```bash
+$ devenv shell
+$ secretspec run -- npm start
+```
+
+This approach:
+- Keeps secrets out of your shell environment
+- Reduces exposure of sensitive data
+- Makes secret rotation easier
+- Follows the principle of least privilege
+
+## Configuration (Optional)
+
+If you do need secrets in your devenv environment:
+
+```yaml title="devenv.yaml"
+secretspec:
+  enable: true
+  # these are optional global overrides
+  provider: keyring  # keyring, dotenv, env, 1password, lastpass
+  profile: default   # profile from secretspec.toml
+```
+
+Then access in `devenv.nix`:
+
+```nix title="devenv.nix"
+{ config, ... }:
+
+{
+  env.DATABASE_URL = config.secretspec.secrets.DATABASE_URL or "";
+}
+```
+
+## Learn More
+
+- [secretspec.dev](https://secretspec.dev)
+- [Providers](https://secretspec.dev/docs/providers) - Keyring, 1Password, dotenv, and more
+- [Profiles](https://secretspec.dev/docs/profiles) - Environment-specific configurations
+- [Rust SDK](https://secretspec.dev/docs/rust-sdk) - Type-safe secret access