fix secret encoding handling
in: trunk
2 files changed
cmds/fleet/src/host.rsdiffbeforeafterboth
--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -130,7 +130,7 @@
.await
.context("failed to call remote host for decrypt")?;
let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
- ensure!(!data.encrypted, "didn't decrypted secret");
+ ensure!(!data.encrypted, "secret came out encrypted");
Ok(data.data)
}
pub async fn reencrypt(&self, data: SecretData, targets: Vec<String>) -> Result<SecretData> {
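Review bot: The parse on `let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;` forwards the parser's error text verbatim, and at this point `encoded` is the remote host's decrypt output, so if SecretData's FromStr error echoes the input it could not parse, the plaintext secret ends up in the returned error and in whatever logs it. If that is the case, a fixed message is safer, e.g. `.map_err(|_| anyhow!("failed to parse decrypted SecretData"))`, leaving the `ensure!(!data.encrypted, ...)` below as the only statement about the payload. The function this hunk belongs to starts before the hunk, so I cannot see whether `encoded` is scrubbed or redacted earlier.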
@@ -147,7 +147,7 @@
.await
.context("failed to call remote host for decrypt")?;
let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
- ensure!(!data.encrypted, "didn't decrypted secret");
+ ensure!(data.encrypted, "secret came out not encrypted");
Ok(data)
}
/// Returns path for futureproofing, as path might change i.e on conversion to CA
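Review bot: The `.context("failed to call remote host for decrypt")` on the remote call inside `reencrypt` still says decrypt, so a failure of this call is reported as a decrypt failure; it should read `.context("failed to call remote host for reencrypt")`. The new `ensure!(data.encrypted, "secret came out not encrypted")` is the right direction for the check, but it only trusts a self-reported flag in the parsed output; if SecretData also carries the recipient set, it is worth asserting it covers `targets` so a host that re-encrypted to the wrong keys cannot pass. `reencrypt` starts before this hunk, so the earlier part of its body is not visible to me.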
nixos/secrets.nixdiffbeforeafterboth1{2 lib,3 config,4 pkgs,5 ...6}:7with lib; let8 inherit (lib.strings) hasPrefix removePrefix;9 plaintextPrefix = "<PLAINTEXT>";10 plaintextNewlinePrefix = "<PLAINTEXT-NL>";1112 sysConfig = config;13 secretPartType = secretName:14 types.submodule ({config, ...}: {15 options = with types; {16 raw = mkOption {17 description = "Secret in fleet-specific undocumented format, do not use. Import from fleet.nix";18 internal = true;19 };20 hash = mkOption {21 type = str;22 description = "Hash of secret in encoded format";23 };24 path = mkOption {25 type = str;26 description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";27 };28 stablePath = mkOption {29 type = str;30 description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";31 };32 data = mkOption {33 type = str;34 description = "Secret public data (only available for plaintext)";35 };36 };37 config = let38 partName = config._module.args.name;39 in {40 hash = mkOptionDefault (builtins.hashString "sha1" config.raw);41 data = mkOptionDefault (42 if hasPrefix plaintextPrefix config.raw43 then removePrefix plaintextPrefix config.raw44 else if hasPrefix plaintextNewlinePrefix config.raw45 then removePrefix plaintextNewlinePrefix config.raw46 else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"47 );48 path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";49 stablePath = mkOptionDefault "/run/secrets/${secretName}/${partName}";50 };51 });52 secretType = types.submodule ({config, ...}: let53 secretName = config._module.args.name;54 in {55 freeformType = types.lazyAttrsOf (secretPartType secretName);56 options = with types; {57 shared = mkOption {58 description = "Is this secret owned by this machine, or propagated from shared secrets";59 default = false;60 };61 expectedOwners = mkOption {62 type = nullOr unspecified;63 default = 
null;64 internal = true;65 };6667 generator = mkOption {68 type = nullOr unspecified;69 description = "Derivation to evaluate for secret generation";70 default = null;71 };72 mode = mkOption {73 type = str;74 description = "Secret mode";75 default = "0440";76 };77 owner = mkOption {78 type = str;79 description = "Owner of the secret";80 default = "root";81 };82 group = mkOption {83 type = str;84 description = "Group of the secret";85 default = sysConfig.users.users.${config.owner}.group;86 };87 };88 });89 processPart = part: {90 inherit (part) raw path stablePath;91 };92 processSecret = secret:93 {94 inherit (secret) group mode owner;95 }96 // (mapAttrs (_: processPart) (removeAttrs secret [97 "shared"98 "generator"99 "mode"100 "group"101 "owner"102103 # FIXME: Some of those removed attributes shouldn't be here, but there is some error in passing shared secrets from fleet to nixos.104 "expectedOwners"105 ]));106 secretsFile = pkgs.writeTextFile {107 name = "secrets.json";108 text =109 builtins.toJSON (mapAttrs (_: processSecret)110 config.secrets);111 };112in {113 options = {114 secrets = mkOption {115 type = types.attrsOf secretType;116 default = {};117 description = "Host-local secrets";118 };119 };120 config = {121 environment.systemPackages = [pkgs.fleet-install-secrets];122 system.activationScripts.decryptSecrets =123 stringAfter (124 [125 # secrets are owned by user/group, thus we need to refer to those126 "users"127 "groups"128 "specialfs"129 ]130 # nixos-impermanence compatibility: secrets are encrypted by host-key,131 # but with impermanence we expect that the host-key is installed by132 # persist-file activation script.133 ++ (lib.optional (config.system.activationScripts ? "persist-file") "persist-file")134 ) ''135 1>&2 echo "setting up secrets"136 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}137 '';138 };139}
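Review bot: The `stablePath` option's description is a copy of `path`'s — "Path to secret part, incorporating data hash (thus it will be updated on secret change)" — but its default `/run/secrets/${secretName}/${partName}` contains no hash, so the text is wrong for it; I would change it to `description = "Stable path to secret part, without the data hash (does not change when the secret changes)";`. Since this section is rendered as the whole file I cannot tell which of these lines the commit touched. The `data` fallback `throw` also interpolates `config.raw` into the evaluation error; for non-plaintext parts that is presumably only the encoded blob, but it is worth confirming nothing ever lands in `raw` unencrypted.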