Passwordstore

The password store module is designed to get passwords from pass https://www.passwordstore.org

This allows you to 'get' secrets that are required, avoiding the checking into a source repository problem. This is handy when using ninja more as a 'Continous Delivery' tool, as it can get the password from pass and then provide that as inputs to further stages.

This module actually exists to facilitate building kubernetes and talosos configurations

File changes

A benefit of managing passwords this way, is we only 'rebuild' the password when the gpg file changes. Passwordstore encrypts the passwords in the users home directory, so there is a direct file dependency between that and the output. Perfect for ninja to manage.

You can rotate your passwords, re-run ninja, and have your deploy scripts use the new password. Re-running the deploy script won't have to try to grab the password again.