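# Fleet module declaring `sharedSecrets` and `hostSecrets` options and handing
# every fleet host a `secrets` attribute holding only what it needs at runtime:
# the public part and the encrypted payload of each secret it is allowed to read.
{ lib, fleet, config, ... }: with lib;
let
  # Option set common to shared and host secrets. `generator` and `expireIn`
  # belong to the management side; they are never forwarded to a host
  # (see `cleanupSecret` below), so the host module only ever sees the
  # public data and the encrypted blob.
  secretOptions = with types; {
    generator = mkOption {
      type = package;
      description = "Derivation to execute for secret generation";
    };
    expireIn = mkOption {
      type = nullOr int;
      description = "Time in hours, in which this secret should be regenerated";
      default = null;
    };
    public = mkOption {
      type = nullOr str;
      description = "Secret public data";
      default = null;
    };
    secret = mkOption {
      type = str;
      description = "Encrypted secret data";
    };
  };

  # A shared secret is a common secret plus the explicit list of hosts that
  # it is encrypted for; only those hosts receive it (see `ownedShared`).
  sharedSecret = with types; {
    options = secretOptions // {
      owners = mkOption {
        type = listOf str;
        # `''$` keeps the `${name}` placeholder literal in an indented string.
        description = ''
          List of hosts to encrypt secret for

          Secrets would be decrypted and stored to /run/secrets/''${name} on owners
        '';
      };
    };
  };

  # A host secret carries only the common fields; its owner is implied by its
  # position under `hostSecrets.<host>`.
  hostSecret = { options = secretOptions; };
in
{
  options = with types; {
    sharedSecrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Shared secrets";
    };
    hostSecrets = mkOption {
      type = attrsOf (attrsOf (submodule hostSecret));
      default = { };
      description = "Host secrets";
    };
  };
  config = with fleet; {
    hosts = hostsToAttrs (host: {
      modules =
        let
          # Reduce a secret to the two fields a host needs: `public` and the
          # encrypted `secret`. Generator and expiry metadata are dropped so
          # they never end up in a host's module set.
          cleanupSecret = _: v: {
            inherit (v) public secret;
          };
          # Shared secrets whose `owners` list names this host.
          ownedShared =
            filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets;
          # Secrets declared for exactly this host. The dynamic `${host}`
          # lookup with an `or` default covers hosts that declare none.
          ownHostSecrets = config.hostSecrets.${host} or { };
        in
        [
          {
            # `//` keeps the right-hand side on name clashes, so a host-specific
            # secret overrides a shared secret of the same name.
            secrets = mapAttrs cleanupSecret ownedShared
              // mapAttrs cleanupSecret ownHostSecrets;
          }
        ];
    });
  };
}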