CLI Configuration

A CLI config file can be used with so-called creation rules. These rules allow metadata settings to be provided “automatically”, opposed repetitively including them as CLI flags.

Each creation rule has a path regex that file names are matched against. They’re read in the order they appear, and the first match of any lookup cancels the next. (So there’s no concept of creation rule merging.)

Stdin content can be matched with a creation rule that captures the pseudo file name of an empty string. The .* path regex can therefore be used as a general fallback for both input sources.

rops uses the following config file look up strategy:

  1. --config/-c <FILE> flag.
  2. File path set by the environment variable $ROPS_CONFIG.
  3. File of the name .rops.toml found in the current working directory or any ancestor thereof.
# [[creation_rules]]
# path_regex = "<REGEX>"
# # Optional: Defaults to false if not set.
# mac_only_encrypted = false
# # Optional: Defaults to nothing unless set.
# # Variant may be one of:
# # - encrypted_suffix
# # - encrypted_regex
# # - unencrypted_suffix
# # - unencrypted_regex
# partial_encryption.<variant> = ""
# # Opional: The arrays of key IDs for each integration
# # are also optional and default to being empty.
# [creation_rules.integration_keys]
# age = ["<Age Key ID>"]
# aws_kms = ["<AWS KMS KeyID>"]

# Example:
[[creation_rules]]
path_regex = "testing/**"
mac_only_encrypted = true
partial_encryption.unencrypted_regex = "config"
integration_keys.age = [
  "age1se5ghfycr4n8kcwc3qwf234ymvmr2lex2a99wh8gpfx97glwt9hqch4569",
]

[[creation_rules]]
path_regex = "production/**"
mac_only_encrypted = false
partial_encryption.unencrypted_regex = "config"
integration_keys.age = [
  "age1qazf43xll4ramx3wcn7h2yl9scycxdhrwge8862vv6zj97pafdvq0d5mn6",
]

[[creation_rules]]
path_regex = ".*"
partial_encryption.encrypted_regex = "pass|token"