{ lib, fleetLib, config, ... }:
with lib;
with fleetLib;
let
  # Option declarations shared by both secret kinds. Nothing in this module
  # reads `generator` or `expireIn`; they are only declared here, presumably
  # for the tooling that (re)generates secrets — confirm against fleetLib.
  commonSecretOptions = with types; {
    generator = mkOption {
      type = package;
      description = "Derivation to execute for secret generation";
    };
    expireIn = mkOption {
      type = nullOr int;
      description = "Time in hours, in which this secret should be regenerated";
      default = null;
    };
    public = mkOption {
      type = nullOr str;
      description = "Secret public data";
      default = null;
    };
  };

  # Submodule for a secret shared between several hosts. `owners` records the
  # host set the stored ciphertext is currently encrypted for, `expectedOwners`
  # the set the operator wants; the assertion below compares the two.
  sharedSecret = with types; {
    options = commonSecretOptions // {
      owners = mkOption {
        type = listOf str;
        description = ''
          For which owners this secret is currently encrypted,
          if not matches expectedOwners - then this secret is considered outdated, and
          should be regenerated/reencrypted
        '';
      };
      expectedOwners = mkOption {
        type = listOf str;
        description = ''
          List of hosts to encrypt secret for

          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
        '';
        default = [ ];
      };
      # Optional here (unlike hostSecret.secret): a shared secret may be declared
      # before it has been generated and encrypted.
      secret = mkOption {
        type = nullOr str;
        description = "Encrypted secret data";
        default = null;
      };
    };
  };

  # Submodule for a secret that belongs to exactly one host. The ciphertext is
  # mandatory, so an undeclared host secret fails at evaluation time.
  hostSecret = with types; {
    options = commonSecretOptions // {
      secret = mkOption {
        type = str;
        description = "Encrypted secret data";
      };
    };
  };

  # Owner lists are compared as sorted lists, so order of declaration is
  # irrelevant (duplicate entries are not collapsed).
  sortHosts = builtins.sort (a: b: a < b);

  # Only the fields a host needs are forwarded: public data and ciphertext.
  # The generator derivation and expiry metadata stay on the fleet side.
  stripForHost = _name: s: { inherit (s) public secret; };

  # Shared secrets a host actually receives: those whose ciphertext is
  # currently encrypted for it (`owners`), NOT those it is merely expected to
  # own. A host newly added to expectedOwners gets nothing until the secret is
  # re-encrypted, and the assertion below reports that state.
  sharedSecretsFor = host:
    filterAttrs (_: s: builtins.elem host s.owners) config.sharedSecrets;

  # Per-host secrets are keyed by host name, so no owner check is needed.
  hostSecretsFor = host: config.hostSecrets.${host} or { };
in
{
  options = with types; {
    sharedSecrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Shared secrets";
    };
    hostSecrets = mkOption {
      type = attrsOf (attrsOf (submodule hostSecret));
      default = { };
      description = "Host secrets";
    };
  };

  config = {
    # One assertion per shared secret: fails when the ciphertext is encrypted
    # for a different host set than the one currently requested.
    assertions = mapAttrsToList
      (name: s: {
        assertion = sortHosts s.owners == sortHosts s.expectedOwners;
        message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON s.expectedOwners}, but it is encrypted for ${builtins.toJSON s.owners}";
      })
      config.sharedSecrets;

    # Each host's module list gets a `secrets` attrset. On a name clash the
    # host-specific secret wins over the shared one (right side of `//`).
    hosts = hostsToAttrs (host: {
      modules = [
        {
          secrets =
            mapAttrs stripForHost (sharedSecretsFor host)
            // mapAttrs stripForHost (hostSecretsFor host);
        }
      ];
    });
  };
}