git.delta.rocks / jrsonnet / refs/commits / 80667c474dc7

difftreelog

feat generation data

Yaroslav Bolyukin2024-11-30parent: #6d807f6.patch.diff
in: trunk

4 files changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	UpdateShared {98		name: String,99100		#[clap(short = 'm', long)]101		machine: Option<Vec<String>>,102103		#[clap(long)]104		add_machine: Vec<String>,105		#[clap(long)]106		remove_machine: Vec<String>,107108		/// Which host should we use to decrypt109		#[clap(long)]110		prefer_identities: Vec<String>,111	},112	Regenerate {113		/// Which host should we use to decrypt, in case if reencryption is required, without114		/// regeneration115		#[clap(long)]116		prefer_identities: Vec<String>,117	},118	List {},119	Edit {120		name: String,121		#[clap(short = 'm', long)]122		machine: String,123124		#[clap(long)]125		add: bool,126127		/// Which private secret part to read128		#[clap(short = 'p', long, default_value = "secret")]129		part: String,130	},131}132133#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]134async fn update_owner_set(135	secret_name: &str,136	config: &Config,137	mut secret: FleetSharedSecret,138	field: Value,139	updated_set: &[String],140	prefer_identities: &[String],141	batch: Option<NixBuildBatch>,142) -> Result<FleetSharedSecret> {143	let original_set = secret.owners.clone();144145	let set = original_set.iter().collect::<BTreeSet<_>>();146	let expected_set = updated_set.iter().collect::<BTreeSet<_>>();147148	if set == expected_set {149		info!("no need to update owner list, it is already correct");150		return Ok(secret);151	}152153	let should_regenerate = if set.difference(&expected_set).next().is_some() {154		// TODO: Remove this warning for revokable secrets.155		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");156		nix_go_json!(field.regenerateOnOwnerRemoved)157	} else if expected_set.difference(&set).next().is_some() {158		nix_go_json!(field.regenerateOnOwnerAdded)159	} else {160		false161	};162163	if should_regenerate {164		info!("secret is owner-dependent, will regenerate");165		let generated =166			generate_shared(config, secret_name, field, updated_set.to_vec(), batch).await?;167		Ok(generated)168	} else {169		drop(batch);170		let identity_holder = if !prefer_identities.is_empty() {171			prefer_identities172				.iter()173				.find(|i| original_set.iter().any(|s| s == *i))174		} else {175			secret.owners.first()176		};177		let Some(identity_holder) = identity_holder else {178			bail!("no available holder found");179		};180181		for (part_name, part) in secret.secret.parts.iter_mut() {182			let _span = info_span!("part reencryption", part_name);183			if !part.raw.encrypted {184				continue;185			}186			let host = config.host(identity_holder).await?;187			let encrypted = host188				.reencrypt(part.raw.clone(), updated_set.to_vec())189				.await?;190			part.raw = encrypted;191		}192193		secret.owners = updated_set.to_vec();194		Ok(secret)195	}196}197198#[derive(Deserialize)]199#[serde(rename_all = "camelCase")]200enum GeneratorKind {201	Impure,202	Pure,203}204205async fn generate_pure(206	_config: &Config,207	_display_name: &str,208	_secret: Value,209	_default_generator: Value,210	_owners: &[String],211) -> Result<FleetSecret> {212	bail!("pure generators are broken for now")213}214async fn generate_impure(215	config: &Config,216	_display_name: &str,217	secret: Value,218	default_generator: Value,219	owners: &[String],220	batch: Option<NixBuildBatch>,221) -> Result<FleetSecret> {222	let generator = nix_go!(secret.generator);223	let on: Option<String> = nix_go_json!(default_generator.impureOn);224225	let host = if let Some(on) = &on {226		config.host(on).await?227	} else {228		config.local_host()229	};230	let on_pkgs = host.pkgs().await?;231	let call_package = nix_go!(on_pkgs.callPackage);232	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);233234	let mut recipients = Vec::new();235	for owner in owners {236		let key = config.key(owner).await?;237		recipients.push(key);238	}239	let generators = nix_go!(mk_secret_generators(Obj { recipients }));240241	let generator = nix_go!(call_package(generator)(generators));242243	let generator = generator.build_maybe_batch(batch).await?;244	let generator = generator245		.get("out")246		.ok_or_else(|| anyhow!("missing generateImpure out"))?;247	let generator = host.remote_derivation(generator).await?;248249	let out_parent = host.mktemp_dir().await?;250	let out = format!("{out_parent}/out");251252	let mut gen = host.cmd(generator).await?;253	gen.env("out", &out);254	if on.is_none() {255		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.256		let project_path: String = config257			.directory258			.clone()259			.into_os_string()260			.into_string()261			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;262		gen.env("FLEET_PROJECT", project_path);263	}264	gen.run().await.context("impure generator")?;265266	{267		let marker = host.read_file_text(format!("{out}/marker")).await?;268		ensure!(marker == "SUCCESS", "generation not succeeded");269	}270271	let mut parts = BTreeMap::new();272	for part in host.read_dir(&out).await? {273		if part == "created_at" || part == "expired_at" || part == "marker" {274			continue;275		}276		let contents: SecretData = host277			.read_file_text(format!("{out}/{part}"))278			.await?279			.parse()280			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;281		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });282	}283284	let created_at = host.read_file_value(format!("{out}/created_at")).await?;285	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();286287	Ok(FleetSecret {288		created_at,289		expires_at,290		parts,291	})292}293async fn generate(294	config: &Config,295	display_name: &str,296	secret: Value,297	owners: &[String],298	batch: Option<NixBuildBatch>,299) -> Result<FleetSecret> {300	let generator = nix_go!(secret.generator);301	// Can't properly check on nix module system level302	{303		let gen_ty = generator.type_of().await?;304		if gen_ty == "null" {305			bail!("secret has no generator defined, can't automatically generate it.");306		}307		if gen_ty != "lambda" {308			bail!("generator should be lambda, got {gen_ty}");309		}310	}311	let default_pkgs = &config.default_pkgs;312	let default_call_package = nix_go!(default_pkgs.callPackage);313	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);314	// Generators provide additional information in passthru, to access315	// passthru we should call generator, but information about where this generator is supposed to build316	// is located in passthru... Thus evaluating generator on host.317	//318	// Maybe it is also possible to do some magic with __functor?319	//320	// I don't want to make modules always responsible for additional secret data anyway,321	// so it should be in derivation, and not in the secret data itself.322	let generators = nix_go!(default_mk_secret_generators(Obj {323		recipients: <Vec<String>>::new(),324	}));325	let default_generator = nix_go!(default_call_package(generator)(generators));326327	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);328329	match kind {330		GeneratorKind::Impure => {331			generate_impure(332				config,333				display_name,334				secret,335				default_generator,336				owners,337				batch,338			)339			.await340		}341		GeneratorKind::Pure => {342			generate_pure(config, display_name, secret, default_generator, owners).await343		}344	}345}346async fn generate_shared(347	config: &Config,348	display_name: &str,349	secret: Value,350	expected_owners: Vec<String>,351	batch: Option<NixBuildBatch>,352) -> Result<FleetSharedSecret> {353	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);354	Ok(FleetSharedSecret {355		secret: generate(config, display_name, secret, &expected_owners, batch).await?,356		owners: expected_owners,357	})358}359360async fn parse_public(361	public: Option<String>,362	public_file: Option<PathBuf>,363) -> Result<Option<SecretData>> {364	Ok(match (public, public_file) {365		(Some(v), None) => Some(SecretData {366			data: v.into(),367			encrypted: false,368		}),369		(None, Some(v)) => Some(SecretData {370			data: read(v).await?,371			encrypted: false,372		}),373		(Some(_), Some(_)) => {374			bail!("only public or public_file should be set")375		}376		(None, None) => None,377	})378}379380async fn parse_secret() -> Result<Option<Vec<u8>>> {381	let mut input = vec![];382	stdin().read_to_end(&mut input)?;383	if input.is_empty() {384		Ok(None)385	} else {386		Ok(Some(input))387	}388}389390fn parse_machines(391	initial: Vec<String>,392	machines: Option<Vec<String>>,393	mut add_machines: Vec<String>,394	mut remove_machines: Vec<String>,395) -> Result<Vec<String>> {396	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {397		bail!("no operation");398	}399400	let initial_machines = initial.clone();401	let mut target_machines = initial;402	info!("Currently encrypted for {initial_machines:?}");403404	// ensure!(machines.is_some() || !add_machines.is_empty() || )405	if let Some(machines) = machines {406		ensure!(407			add_machines.is_empty() && remove_machines.is_empty(),408			"can't combine --machines and --add-machines/--remove-machines"409		);410		let target = initial_machines.iter().collect::<HashSet<_>>();411		let source = machines.iter().collect::<HashSet<_>>();412		for removed in target.difference(&source) {413			remove_machines.push((*removed).clone());414		}415		for added in source.difference(&target) {416			add_machines.push((*added).clone());417		}418	}419420	for machine in &remove_machines {421		let mut removed = false;422		while let Some(pos) = target_machines.iter().position(|m| m == machine) {423			target_machines.swap_remove(pos);424			removed = true;425		}426		if !removed {427			warn!("secret is not enabled for {machine}");428		}429	}430	for machine in &add_machines {431		if target_machines.iter().any(|m| m == machine) {432			warn!("secret is already added to {machine}");433		} else {434			target_machines.push(machine.to_owned());435		}436	}437	if !remove_machines.is_empty() {438		// TODO: maybe force secret regeneration?439		// Not that useful without revokation.440		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");441	}442	Ok(target_machines)443}444impl Secret {445	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {446		match self {447			Secret::ForceKeys => {448				for host in config.list_hosts().await? {449					if opts.should_skip(&host).await? {450						continue;451					}452					config.key(&host.name).await?;453				}454			}455			Secret::AddShared {456				mut machines,457				name,458				force,459				public,460				public_part: public_name,461				public_file,462				expires_at,463				re_add,464				part: part_name,465			} => {466				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).467468				let exists = config.has_shared(&name);469				if exists && !force && !re_add {470					bail!("secret already defined");471				}472				if re_add {473					// Fixme: use clap to limit this usage474					ensure!(!force, "--force and --readd are not compatible");475					ensure!(exists, "secret doesn't exists");476					ensure!(477						machines.is_empty(),478						"you can't use machines argument for --readd"479					);480					let shared = config.shared_secret(&name)?;481					machines = shared.owners;482				}483484				let recipients = config.recipients(machines.clone()).await?;485486				let mut parts = BTreeMap::new();487488				let mut input = vec![];489				io::stdin().read_to_end(&mut input)?;490491				if !input.is_empty() {492					let encrypted =493						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)494							.ok_or_else(|| anyhow!("no recipients provided"))?;495					parts.insert(part_name, FleetSecretPart { raw: encrypted });496				}497498				if let Some(public) = parse_public(public, public_file).await? {499					parts.insert(public_name, FleetSecretPart { raw: public });500				}501502				config.replace_shared(503					name,504					FleetSharedSecret {505						owners: machines,506						secret: FleetSecret {507							created_at: Utc::now(),508							expires_at,509							parts,510						},511					},512				);513			}514			Secret::Add {515				machine,516				name,517				replace,518				merge,519				public,520				public_part: public_name,521				public_file,522				part: part_name,523			} => {524				if config.has_secret(&machine, &name) && !replace && !merge {525					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");526				}527528				let mut out = if merge && !replace {529					config530						.host_secret(&machine, &name)531						.context("failed to read existing secret for --merge")?532				} else {533					FleetSecret {534						created_at: Utc::now(),535						expires_at: None,536						parts: BTreeMap::new(),537					}538				};539540				if let Some(secret) = parse_secret().await? {541					let recipient = config.recipient(&machine).await?;542					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)543						.expect("recipient provided");544					if out545						.parts546						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })547						.is_some() && !replace548					{549						bail!("part {part_name:?} is already defined");550					}551				}552553				if let Some(public) = parse_public(public, public_file).await? {554					if out555						.parts556						.insert(public_name.clone(), FleetSecretPart { raw: public })557						.is_some() && !replace558					{559						bail!("part {public_name:?} is already defined");560					}561				};562563				config.insert_secret(&machine, name, out);564			}565			#[allow(clippy::await_holding_refcell_ref)]566			Secret::Read {567				name,568				machine,569				part: part_name,570			} => {571				let secret = config.host_secret(&machine, &name)?;572				let Some(secret) = secret.parts.get(&part_name) else {573					bail!("no part {part_name} in secret {name}");574				};575				let data = if secret.raw.encrypted {576					let host = config.host(&machine).await?;577					host.decrypt(secret.raw.clone()).await?578				} else {579					secret.raw.data.clone()580				};581582				stdout().write_all(&data)?;583			}584			Secret::UpdateShared {585				name,586				machine,587				add_machine,588				remove_machine,589				prefer_identities,590			} => {591				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).592593				let secret = config.shared_secret(&name)?;594				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {595					bail!("no secret");596				}597598				let initial_machines = secret.owners.clone();599				let target_machines = parse_machines(600					initial_machines.clone(),601					machine,602					add_machine,603					remove_machine,604				)?;605606				if target_machines.is_empty() {607					info!("no machines left for secret, removing it");608					config.remove_shared(&name);609					return Ok(());610				}611612				let config_field = &config.config_field;613				let field = nix_go!(config_field.sharedSecrets[{ name }]);614615				let updated = update_owner_set(616					&name,617					config,618					secret,619					field,620					&target_machines,621					&prefer_identities,622					None,623				)624				.await?;625				config.replace_shared(name, updated);626			}627			Secret::Regenerate { prefer_identities } => {628				info!("checking for secrets to regenerate");629				{630					let shared_batch = None;631					let _span = info_span!("shared").entered();632					let expected_shared_set = config633						.list_configured_shared()634						.await?635						.into_iter()636						.collect::<HashSet<_>>();637					let shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();638					for missing in expected_shared_set.difference(&shared_set) {639						let config_field = &config.config_field;640						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);641						let expected_owners: Option<Vec<String>> =642							nix_go_json!(secret.expectedOwners);643						let Some(expected_owners) = expected_owners else {644							// TODO: Might still need to regenerate645							continue;646						};647						info!("generating secret: {missing}");648						let shared = generate_shared(649							config,650							missing,651							secret,652							expected_owners,653							shared_batch.clone(),654						)655						.in_current_span()656						.await?;657						config.replace_shared(missing.to_string(), shared)658					}659				}660				let hosts_batch = None;661				for host in config.list_hosts().await? {662					if opts.should_skip(&host).await? {663						continue;664					}665666					let _span = info_span!("host", host = host.name).entered();667					let expected_set = host668						.list_configured_secrets()669						.in_current_span()670						.await?671						.into_iter()672						.collect::<HashSet<_>>();673					let stored_set = config674						.list_secrets(&host.name)675						.into_iter()676						.collect::<HashSet<_>>();677					for missing in expected_set.difference(&stored_set) {678						info!("generating secret: {missing}");679						let secret = host.secret_field(missing).in_current_span().await?;680						let generated = match generate(681							config,682							missing,683							secret,684							&[host.name.clone()],685							hosts_batch.clone(),686						)687						.in_current_span()688						.await689						{690							Ok(v) => v,691							Err(e) => {692								error!("{e:?}");693								continue;694							}695						};696						config.insert_secret(&host.name, missing.to_string(), generated)697					}698				}699				let mut to_remove = Vec::new();700				for name in &config.list_shared() {701					info!("updating secret: {name}");702					let data = config.shared_secret(name)?;703					let config_field = &config.config_field;704					let expected_owners: Vec<String> =705						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);706					if expected_owners.is_empty() {707						warn!("secret was removed from fleet config: {name}, removing from data");708						to_remove.push(name.to_string());709						continue;710					}711712					let secret = nix_go!(config_field.sharedSecrets[{ name }]);713					config.replace_shared(714						name.to_owned(),715						update_owner_set(716							name,717							config,718							data,719							secret,720							&expected_owners,721							&prefer_identities,722							None,723						)724						.await?,725					);726				}727				for k in to_remove {728					config.remove_shared(&k);729				}730			}731			Secret::List {} => {732				let _span = info_span!("loading secrets").entered();733				let configured = config.list_configured_shared().await?;734				#[derive(Tabled)]735				struct SecretDisplay {736					#[tabled(rename = "Name")]737					name: String,738					#[tabled(rename = "Owners")]739					owners: String,740				}741				let mut table = vec![];742				for name in configured.iter().cloned() {743					let config = config.clone();744					let expected_owners = config.shared_secret_expected_owners(&name).await?;745					let data = config.shared_secret(&name)?;746					let owners = data747						.owners748						.iter()749						.map(|o| {750							if expected_owners.contains(o) {751								o.green().to_string()752							} else {753								o.red().to_string()754							}755						})756						.collect::<Vec<_>>();757					table.push(SecretDisplay {758						owners: owners.join(", "),759						name,760					})761				}762				info!("loaded\n{}", Table::new(table).to_string())763			}764			Secret::Edit {765				name,766				machine,767				part,768				add,769			} => {770				let secret = config.host_secret(&machine, &name)?;771				if let Some(data) = secret.parts.get(&part) {772					let host = config.host(&machine).await?;773					let secret = host.decrypt(data.raw.clone()).await?;774					String::from_utf8(secret).context("secret is not utf8")?775				} else if add {776					String::new()777				} else {778					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");779				};780			}781		}782		Ok(())783	}784}785786/*787async fn edit_temp_file(788	builder: tempfile::Builder<'_, '_>,789	r: Vec<u8>,790	header: &str,791	comment: &str,792) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {793	if !stdin().is_tty() {794		// TODO: Also try to open /dev/tty directly?795		bail!("stdin is not tty, can't open editor");796	}797798	use std::fmt::Write;799	let mut file = builder.tempfile()?;800801	let mut full_header = String::new();802	let mut had = false;803	for line in header.trim_end().lines() {804		had = true;805		writeln!(&mut full_header, "{comment}{line}")?;806	}807	if had {808		writeln!(&mut full_header, "{}", comment.trim_end())?;809	}810	writeln!(811		&mut full_header,812		"{comment}Do not touch this header! It will be removed automatically"813	)?;814815	file.write_all(full_header.as_bytes())?;816	file.write_all(&r)?;817818	let abs_path = file.into_temp_path();819	let editor = std::env::var_os("VISUAL")820		.or_else(|| std::env::var_os("EDITOR"))821		.unwrap_or_else(|| "vi".into());822	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())823		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;824	let editor_args = editor_args825		.into_iter()826		.map(|v| {827			// Only ASCII subsequences are replaced828			unsafe { OsString::from_encoded_bytes_unchecked(v) }829		})830		.collect_vec();831	let Some((editor, args)) = editor_args.split_first() else {832		bail!("EDITOR env var has no command");833	};834	let mut command = Command::new(editor);835	command.args(args);836837	let path_arg = abs_path.canonicalize()?;838839	// TODO: Save full state, using tcget/_getmode/_setmode840	let was_raw = terminal::is_raw_mode_enabled()?;841	terminal::enable_raw_mode()?;842843	let status = command.arg(path_arg).status().await;844845	if !was_raw {846		terminal::disable_raw_mode()?;847	}848849	let success = match status {850		Ok(s) => s.success(),851		Err(e) if e.kind() == io::ErrorKind::NotFound => {852			bail!("editor not found")853		}854		Err(e) => bail!("editor spawn error: {e}"),855	};856857	let mut file = std::fs::read(&abs_path).context("read editor output")?;858	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {859		todo!();860	};861	todo!();862863	// Ok((success, abs_path))864}865*/
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	UpdateShared {98		name: String,99100		#[clap(short = 'm', long)]101		machine: Option<Vec<String>>,102103		#[clap(long)]104		add_machine: Vec<String>,105		#[clap(long)]106		remove_machine: Vec<String>,107108		/// Which host should we use to decrypt109		#[clap(long)]110		prefer_identities: Vec<String>,111	},112	Regenerate {113		/// Which host should we use to decrypt, in case if reencryption is required, without114		/// regeneration115		#[clap(long)]116		prefer_identities: Vec<String>,117	},118	List {},119	Edit {120		name: String,121		#[clap(short = 'm', long)]122		machine: String,123124		#[clap(long)]125		add: bool,126127		/// Which private secret part to read128		#[clap(short = 'p', long, default_value = "secret")]129		part: String,130	},131}132133#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]134async fn update_owner_set(135	secret_name: &str,136	config: &Config,137	mut secret: FleetSharedSecret,138	field: Value,139	updated_set: &[String],140	prefer_identities: &[String],141	batch: Option<NixBuildBatch>,142) -> Result<FleetSharedSecret> {143	let original_set = secret.owners.clone();144145	let set = original_set.iter().collect::<BTreeSet<_>>();146	let expected_set = updated_set.iter().collect::<BTreeSet<_>>();147148	if set == expected_set {149		info!("no need to update owner list, it is already correct");150		return Ok(secret);151	}152153	let should_regenerate = if set.difference(&expected_set).next().is_some() {154		// TODO: Remove this warning for revokable secrets.155		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");156		nix_go_json!(field.regenerateOnOwnerRemoved)157	} else if expected_set.difference(&set).next().is_some() {158		nix_go_json!(field.regenerateOnOwnerAdded)159	} else {160		false161	};162163	if should_regenerate {164		info!("secret is owner-dependent, will regenerate");165		let generated =166			generate_shared(config, secret_name, field, updated_set.to_vec(), batch).await?;167		Ok(generated)168	} else {169		drop(batch);170		let identity_holder = if !prefer_identities.is_empty() {171			prefer_identities172				.iter()173				.find(|i| original_set.iter().any(|s| s == *i))174		} else {175			secret.owners.first()176		};177		let Some(identity_holder) = identity_holder else {178			bail!("no available holder found");179		};180181		for (part_name, part) in secret.secret.parts.iter_mut() {182			let _span = info_span!("part reencryption", part_name);183			if !part.raw.encrypted {184				continue;185			}186			let host = config.host(identity_holder).await?;187			let encrypted = host188				.reencrypt(part.raw.clone(), updated_set.to_vec())189				.await?;190			part.raw = encrypted;191		}192193		secret.owners = updated_set.to_vec();194		Ok(secret)195	}196}197198#[derive(Deserialize)]199#[serde(rename_all = "camelCase")]200enum GeneratorKind {201	Impure,202	Pure,203}204205async fn generate_pure(206	_config: &Config,207	_display_name: &str,208	_secret: Value,209	_default_generator: Value,210	_owners: &[String],211) -> Result<FleetSecret> {212	bail!("pure generators are broken for now")213}214async fn generate_impure(215	config: &Config,216	_display_name: &str,217	secret: Value,218	default_generator: Value,219	owners: &[String],220	batch: Option<NixBuildBatch>,221) -> Result<FleetSecret> {222	let generator = nix_go!(secret.generator);223	let on: Option<String> = nix_go_json!(default_generator.impureOn);224225	let host = if let Some(on) = &on {226		config.host(on).await?227	} else {228		config.local_host()229	};230	let on_pkgs = host.pkgs().await?;231	let call_package = nix_go!(on_pkgs.callPackage);232	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);233234	let mut recipients = Vec::new();235	for owner in owners {236		let key = config.key(owner).await?;237		recipients.push(key);238	}239	let generators = nix_go!(mk_secret_generators(Obj { recipients }));240241	let generator = nix_go!(call_package(generator)(generators));242243	let generator = generator.build_maybe_batch(batch).await?;244	let generator = generator245		.get("out")246		.ok_or_else(|| anyhow!("missing generateImpure out"))?;247	let generator = host.remote_derivation(generator).await?;248249	let out_parent = host.mktemp_dir().await?;250	let out = format!("{out_parent}/out");251252	let mut gen = host.cmd(generator).await?;253	gen.env("out", &out);254	if on.is_none() {255		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.256		let project_path: String = config257			.directory258			.clone()259			.into_os_string()260			.into_string()261			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;262		gen.env("FLEET_PROJECT", project_path);263	}264	gen.run().await.context("impure generator")?;265266	{267		let marker = host.read_file_text(format!("{out}/marker")).await?;268		ensure!(marker == "SUCCESS", "generation not succeeded");269	}270271	let mut parts = BTreeMap::new();272	for part in host.read_dir(&out).await? {273		if part == "created_at" || part == "expired_at" || part == "marker" {274			continue;275		}276		let contents: SecretData = host277			.read_file_text(format!("{out}/{part}"))278			.await?279			.parse()280			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;281		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });282	}283284	let created_at = host.read_file_value(format!("{out}/created_at")).await?;285	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();286287	Ok(FleetSecret {288		created_at,289		expires_at,290		parts,291		// TODO: Fill with expected292		generation_data: serde_json::Value::Null,293	})294}295async fn generate(296	config: &Config,297	display_name: &str,298	secret: Value,299	owners: &[String],300	batch: Option<NixBuildBatch>,301) -> Result<FleetSecret> {302	let generator = nix_go!(secret.generator);303	// Can't properly check on nix module system level304	{305		let gen_ty = generator.type_of().await?;306		if gen_ty == "null" {307			bail!("secret has no generator defined, can't automatically generate it.");308		}309		if gen_ty != "lambda" {310			bail!("generator should be lambda, got {gen_ty}");311		}312	}313	let default_pkgs = &config.default_pkgs;314	let default_call_package = nix_go!(default_pkgs.callPackage);315	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);316	// Generators provide additional information in passthru, to access317	// passthru we should call generator, but information about where this generator is supposed to build318	// is located in passthru... Thus evaluating generator on host.319	//320	// Maybe it is also possible to do some magic with __functor?321	//322	// I don't want to make modules always responsible for additional secret data anyway,323	// so it should be in derivation, and not in the secret data itself.324	let generators = nix_go!(default_mk_secret_generators(Obj {325		recipients: <Vec<String>>::new(),326	}));327	let default_generator = nix_go!(default_call_package(generator)(generators));328329	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);330331	match kind {332		GeneratorKind::Impure => {333			generate_impure(334				config,335				display_name,336				secret,337				default_generator,338				owners,339				batch,340			)341			.await342		}343		GeneratorKind::Pure => {344			generate_pure(config, display_name, secret, default_generator, owners).await345		}346	}347}348async fn generate_shared(349	config: &Config,350	display_name: &str,351	secret: Value,352	expected_owners: Vec<String>,353	batch: Option<NixBuildBatch>,354) -> Result<FleetSharedSecret> {355	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);356	Ok(FleetSharedSecret {357		secret: generate(config, display_name, secret, &expected_owners, batch).await?,358		owners: expected_owners,359	})360}361362async fn parse_public(363	public: Option<String>,364	public_file: Option<PathBuf>,365) -> Result<Option<SecretData>> {366	Ok(match (public, public_file) {367		(Some(v), None) => Some(SecretData {368			data: v.into(),369			encrypted: false,370		}),371		(None, Some(v)) => Some(SecretData {372			data: read(v).await?,373			encrypted: false,374		}),375		(Some(_), Some(_)) => {376			bail!("only public or public_file should be set")377		}378		(None, None) => None,379	})380}381382async fn parse_secret() -> Result<Option<Vec<u8>>> {383	let mut input = vec![];384	stdin().read_to_end(&mut input)?;385	if input.is_empty() {386		Ok(None)387	} else {388		Ok(Some(input))389	}390}391392fn parse_machines(393	initial: Vec<String>,394	machines: Option<Vec<String>>,395	mut add_machines: Vec<String>,396	mut remove_machines: Vec<String>,397) -> Result<Vec<String>> {398	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {399		bail!("no operation");400	}401402	let initial_machines = initial.clone();403	let mut target_machines = initial;404	info!("Currently encrypted for {initial_machines:?}");405406	// ensure!(machines.is_some() || !add_machines.is_empty() || )407	if let Some(machines) = machines {408		ensure!(409			add_machines.is_empty() && remove_machines.is_empty(),410			"can't combine --machines and --add-machines/--remove-machines"411		);412		let target = initial_machines.iter().collect::<HashSet<_>>();413		let source = machines.iter().collect::<HashSet<_>>();414		for removed in target.difference(&source) {415			remove_machines.push((*removed).clone());416		}417		for added in source.difference(&target) {418			add_machines.push((*added).clone());419		}420	}421422	for machine in &remove_machines {423		let mut removed = false;424		while let Some(pos) = target_machines.iter().position(|m| m == machine) {425			target_machines.swap_remove(pos);426			removed = true;427		}428		if !removed {429			warn!("secret is not enabled for {machine}");430		}431	}432	for machine in &add_machines {433		if target_machines.iter().any(|m| m == machine) {434			warn!("secret is already added to {machine}");435		} else {436			target_machines.push(machine.to_owned());437		}438	}439	if !remove_machines.is_empty() {440		// TODO: maybe force secret regeneration?441		// Not that useful without revokation.442		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");443	}444	Ok(target_machines)445}446impl Secret {447	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {448		match self {449			Secret::ForceKeys => {450				for host in config.list_hosts().await? {451					if opts.should_skip(&host).await? {452						continue;453					}454					config.key(&host.name).await?;455				}456			}457			Secret::AddShared {458				mut machines,459				name,460				force,461				public,462				public_part: public_name,463				public_file,464				expires_at,465				re_add,466				part: part_name,467			} => {468				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).469470				let exists = config.has_shared(&name);471				if exists && !force && !re_add {472					bail!("secret already defined");473				}474				if re_add {475					// Fixme: use clap to limit this usage476					ensure!(!force, "--force and --readd are not compatible");477					ensure!(exists, "secret doesn't exists");478					ensure!(479						machines.is_empty(),480						"you can't use machines argument for --readd"481					);482					let shared = config.shared_secret(&name)?;483					machines = shared.owners;484				}485486				let recipients = config.recipients(machines.clone()).await?;487488				let mut parts = BTreeMap::new();489490				let mut input = vec![];491				io::stdin().read_to_end(&mut input)?;492493				if !input.is_empty() {494					let encrypted =495						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)496							.ok_or_else(|| anyhow!("no recipients provided"))?;497					parts.insert(part_name, FleetSecretPart { raw: encrypted });498				}499500				if let Some(public) = parse_public(public, public_file).await? {501					parts.insert(public_name, FleetSecretPart { raw: public });502				}503504				config.replace_shared(505					name,506					FleetSharedSecret {507						owners: machines,508						secret: FleetSecret {509							created_at: Utc::now(),510							expires_at,511							parts,512							generation_data: serde_json::Value::Null,513						},514					},515				);516			}517			Secret::Add {518				machine,519				name,520				replace,521				merge,522				public,523				public_part: public_name,524				public_file,525				part: part_name,526			} => {527				if config.has_secret(&machine, &name) && !replace && !merge {528					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");529				}530531				let mut out = if merge && !replace {532					config533						.host_secret(&machine, &name)534						.context("failed to read existing secret for --merge")?535				} else {536					FleetSecret {537						created_at: Utc::now(),538						expires_at: None,539						parts: BTreeMap::new(),540						generation_data: serde_json::Value::Null,541					}542				};543544				if let Some(secret) = parse_secret().await? {545					let recipient = config.recipient(&machine).await?;546					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)547						.expect("recipient provided");548					if out549						.parts550						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })551						.is_some() && !replace552					{553						bail!("part {part_name:?} is already defined");554					}555				}556557				if let Some(public) = parse_public(public, public_file).await? {558					if out559						.parts560						.insert(public_name.clone(), FleetSecretPart { raw: public })561						.is_some() && !replace562					{563						bail!("part {public_name:?} is already defined");564					}565				};566567				config.insert_secret(&machine, name, out);568			}569			#[allow(clippy::await_holding_refcell_ref)]570			Secret::Read {571				name,572				machine,573				part: part_name,574			} => {575				let secret = config.host_secret(&machine, &name)?;576				let Some(secret) = secret.parts.get(&part_name) else {577					bail!("no part {part_name} in secret {name}");578				};579				let data = if secret.raw.encrypted {580					let host = config.host(&machine).await?;581					host.decrypt(secret.raw.clone()).await?582				} else {583					secret.raw.data.clone()584				};585586				stdout().write_all(&data)?;587			}588			Secret::UpdateShared {589				name,590				machine,591				add_machine,592				remove_machine,593				prefer_identities,594			} => {595				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).596597				let secret = config.shared_secret(&name)?;598				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {599					bail!("no secret");600				}601602				let initial_machines = secret.owners.clone();603				let target_machines = parse_machines(604					initial_machines.clone(),605					machine,606					add_machine,607					remove_machine,608				)?;609610				if target_machines.is_empty() {611					info!("no machines left for secret, removing it");612					config.remove_shared(&name);613					return Ok(());614				}615616				let config_field = &config.config_field;617				let field = nix_go!(config_field.sharedSecrets[{ name }]);618619				let updated = update_owner_set(620					&name,621					config,622					secret,623					field,624					&target_machines,625					&prefer_identities,626					None,627				)628				.await?;629				config.replace_shared(name, updated);630			}631			Secret::Regenerate { prefer_identities } => {632				info!("checking for secrets to regenerate");633				{634					let shared_batch = None;635					let _span = info_span!("shared").entered();636					let expected_shared_set = config637						.list_configured_shared()638						.await?639						.into_iter()640						.collect::<HashSet<_>>();641					let shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();642					for missing in expected_shared_set.difference(&shared_set) {643						let config_field = &config.config_field;644						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);645						let expected_owners: Option<Vec<String>> =646							nix_go_json!(secret.expectedOwners);647						let Some(expected_owners) = expected_owners else {648							// TODO: Might still need to regenerate649							continue;650						};651						info!("generating secret: {missing}");652						let shared = generate_shared(653							config,654							missing,655							secret,656							expected_owners,657							shared_batch.clone(),658						)659						.in_current_span()660						.await?;661						config.replace_shared(missing.to_string(), shared)662					}663				}664				let hosts_batch = None;665				for host in config.list_hosts().await? {666					if opts.should_skip(&host).await? {667						continue;668					}669670					let _span = info_span!("host", host = host.name).entered();671					let expected_set = host672						.list_configured_secrets()673						.in_current_span()674						.await?675						.into_iter()676						.collect::<HashSet<_>>();677					let stored_set = config678						.list_secrets(&host.name)679						.into_iter()680						.collect::<HashSet<_>>();681					for missing in expected_set.difference(&stored_set) {682						info!("generating secret: {missing}");683						let secret = host.secret_field(missing).in_current_span().await?;684						let generated = match generate(685							config,686							missing,687							secret,688							&[host.name.clone()],689							hosts_batch.clone(),690						)691						.in_current_span()692						.await693						{694							Ok(v) => v,695							Err(e) => {696								error!("{e:?}");697								continue;698							}699						};700						config.insert_secret(&host.name, missing.to_string(), generated)701					}702				}703				let mut to_remove = Vec::new();704				for name in &config.list_shared() {705					info!("updating secret: {name}");706					let data = config.shared_secret(name)?;707					let config_field = &config.config_field;708					let expected_owners: Vec<String> =709						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);710					if expected_owners.is_empty() {711						warn!("secret was removed from fleet config: {name}, removing from data");712						to_remove.push(name.to_string());713						continue;714					}715716					let secret = nix_go!(config_field.sharedSecrets[{ name }]);717					config.replace_shared(718						name.to_owned(),719						update_owner_set(720							name,721							config,722							data,723							secret,724							&expected_owners,725							&prefer_identities,726							None,727						)728						.await?,729					);730				}731				for k in to_remove {732					config.remove_shared(&k);733				}734			}735			Secret::List {} => {736				let _span = info_span!("loading secrets").entered();737				let configured = config.list_configured_shared().await?;738				#[derive(Tabled)]739				struct SecretDisplay {740					#[tabled(rename = "Name")]741					name: String,742					#[tabled(rename = "Owners")]743					owners: String,744				}745				let mut table = vec![];746				for name in configured.iter().cloned() {747					let config = config.clone();748					let expected_owners = config.shared_secret_expected_owners(&name).await?;749					let data = config.shared_secret(&name)?;750					let owners = data751						.owners752						.iter()753						.map(|o| {754							if expected_owners.contains(o) {755								o.green().to_string()756							} else {757								o.red().to_string()758							}759						})760						.collect::<Vec<_>>();761					table.push(SecretDisplay {762						owners: owners.join(", "),763						name,764					})765				}766				info!("loaded\n{}", Table::new(table).to_string())767			}768			Secret::Edit {769				name,770				machine,771				part,772				add,773			} => {774				let secret = config.host_secret(&machine, &name)?;775				if let Some(data) = secret.parts.get(&part) {776					let host = config.host(&machine).await?;777					let secret = host.decrypt(data.raw.clone()).await?;778					String::from_utf8(secret).context("secret is not utf8")?779				} else if add {780					String::new()781				} else {782					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");783				};784			}785		}786		Ok(())787	}788}789790/*791async fn edit_temp_file(792	builder: tempfile::Builder<'_, '_>,793	r: Vec<u8>,794	header: &str,795	comment: &str,796) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {797	if !stdin().is_tty() {798		// TODO: Also try to open /dev/tty directly?799		bail!("stdin is not tty, can't open editor");800	}801802	use std::fmt::Write;803	let mut file = builder.tempfile()?;804805	let mut full_header = String::new();806	let mut had = false;807	for line in header.trim_end().lines() {808		had = true;809		writeln!(&mut full_header, "{comment}{line}")?;810	}811	if had {812		writeln!(&mut full_header, "{}", comment.trim_end())?;813	}814	writeln!(815		&mut full_header,816		"{comment}Do not touch this header! It will be removed automatically"817	)?;818819	file.write_all(full_header.as_bytes())?;820	file.write_all(&r)?;821822	let abs_path = file.into_temp_path();823	let editor = std::env::var_os("VISUAL")824		.or_else(|| std::env::var_os("EDITOR"))825		.unwrap_or_else(|| "vi".into());826	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())827		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;828	let editor_args = editor_args829		.into_iter()830		.map(|v| {831			// Only ASCII subsequences are replaced832			unsafe { OsString::from_encoded_bytes_unchecked(v) }833		})834		.collect_vec();835	let Some((editor, args)) = editor_args.split_first() else {836		bail!("EDITOR env var has no command");837	};838	let mut command = Command::new(editor);839	command.args(args);840841	let path_arg = abs_path.canonicalize()?;842843	// TODO: Save full state, using tcget/_getmode/_setmode844	let was_raw = terminal::is_raw_mode_enabled()?;845	terminal::enable_raw_mode()?;846847	let status = command.arg(path_arg).status().await;848849	if !was_raw {850		terminal::disable_raw_mode()?;851	}852853	let success = match status {854		Ok(s) => s.success(),855		Err(e) if e.kind() == io::ErrorKind::NotFound => {856			bail!("editor not found")857		}858		Err(e) => bail!("editor spawn error: {e}"),859	};860861	let mut file = std::fs::read(&abs_path).context("read editor output")?;862	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {863		todo!();864	};865	todo!();866867	// Ok((success, abs_path))868}869*/
modifiedcrates/fleet-base/src/fleetdata.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/fleetdata.rs
+++ b/crates/fleet-base/src/fleetdata.rs
@@ -117,4 +117,8 @@
 
 	#[serde(flatten)]
 	pub parts: BTreeMap<String, FleetSecretPart>,
+
+	#[serde(default)]
+	#[serde(skip_serializing_if = "Value::is_null")]
+	pub generation_data: Value,
 }
modifiedcrates/nix-eval/src/macros.rsdiffbeforeafterboth
--- a/crates/nix-eval/src/macros.rs
+++ b/crates/nix-eval/src/macros.rs
@@ -7,7 +7,7 @@
 	pub(crate) out: String,
 	used_fields: Vec<Value>,
 }
-trait AttrSetValue {
+pub trait AttrSetValue {
 	fn to_builder(self) -> NixExprBuilder;
 }
 trait Primitive {}
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -41,6 +41,17 @@
           type = str;
           description = "Secret public data (only available for plaintext)";
         };
+
+        expectedGenerationData = mkOption {
+          type = unspecified;
+          description = "Data that gets embedded into secret part";
+          default = null;
+        };
+        generationData = mkOption {
+          type = unspecified;
+          description = "Data that is embedded into secret part";
+          default = null;
+        };
       };
       config = {
         hash = hashString "sha1" config.raw;