git.delta.rocks / jrsonnet / refs/commits / 837e795f702e

--- a/cmds/fleet/src/cmds/info.rs
+++ b/cmds/fleet/src/cmds/info.rs
@@ -1,15 +1,8 @@
-use std::{collections::BTreeSet, time::Duration};
+use std::collections::BTreeSet;
 
-use crate::{command::CommandExt, host::Config};
-use anyhow::{bail, ensure, Result};
+use crate::host::Config;
+use anyhow::{ensure, Result};
 use clap::Parser;
-use nixlike::format_nix;
-use serde_json::{json, Value};
-use tokio::{
-	fs::{self, File},
-	io::AsyncWriteExt,
-	process::Command,
-};
 
 #[derive(Parser)]
 pub struct Info {

--- a/cmds/fleet/src/fleetdata.rs
+++ b/cmds/fleet/src/fleetdata.rs
@@ -1,8 +1,7 @@
-use anyhow::{bail, Result};
+use anyhow::Result;
 use chrono::{DateTime, Utc};
 use nixlike::format_nix;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
-use serde_json::{json, Value};
 use std::collections::BTreeMap;
 use tempfile::TempDir;
 use tokio::{
@@ -11,8 +10,6 @@
 	process::Command,
 };
 
-use crate::command::CommandExt;
-
 #[derive(Serialize, Deserialize, Default)]
 #[serde(rename_all = "camelCase")]
 pub struct HostData {
@@ -34,16 +31,18 @@
 	pub host_secrets: BTreeMap<String, BTreeMap<String, FleetSecret>>,
 }
 
-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
+#[must_use]
 pub struct FleetSharedSecret {
 	pub owners: Vec<String>,
 	#[serde(flatten)]
 	pub secret: FleetSecret,
 }
 
-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
+#[must_use]
 pub struct FleetSecret {
 	#[serde(default)]
 	#[serde(skip_serializing_if = "Option::is_none")]
@@ -75,6 +74,8 @@
 		.and_then(|string| z85::decode(string).map_err(|err| Error::custom(err.to_string())))
 }
 
+/// Isn't used yet
+#[allow(dead_code)]
 pub async fn dummy_flake() -> Result<TempDir> {
 	let data_str = fs::read_to_string("fleet.nix").await?;
 

--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -8,15 +8,15 @@
 	sync::Arc,
 };
 
-use anyhow::Result;
+use anyhow::{Result, bail, Context};
 use clap::{ArgGroup, Parser};
 use serde::de::DeserializeOwned;
-use tempfile::{NamedTempFile, TempDir};
+use tempfile::NamedTempFile;
 use tokio::process::Command;
 
 use crate::{
 	command::CommandExt,
-	fleetdata::{dummy_flake, FleetData},
+	fleetdata::{FleetData, FleetSecret, FleetSharedSecret},
 };
 
 pub struct FleetConfigInternals {
@@ -125,13 +125,93 @@
 			.await
 	}
 
-	pub fn data(&self) -> Ref<FleetData> {
+	pub(super) fn data(&self) -> Ref<FleetData> {
 		self.data.borrow()
 	}
-	pub fn data_mut(&self) -> RefMut<FleetData> {
+	pub(super) fn data_mut(&self) -> RefMut<FleetData> {
 		self.data.borrow_mut()
 	}
 
+	pub fn list_shared(&self) -> Vec<String> {
+		let data = self.data();
+		data.shared_secrets.keys().cloned().collect()
+	}
+	pub fn has_shared(&self, name: &str) -> bool {
+		let data = self.data();
+		data.shared_secrets.contains_key(name)
+	}
+	pub fn replace_shared(&self, name: String, shared: FleetSharedSecret) {
+		let mut data = self.data_mut();
+		data.shared_secrets.insert(name.to_owned(), shared);
+	}
+	pub fn remove_shared(&self, secret: &str) {
+		let mut data = self.data_mut();
+		data.shared_secrets.remove(secret);
+	}
+
+	pub fn list_secrets(&self, host: &str) -> Vec<String> {
+		let data = self.data();
+		let Some(host_secrets) = data.host_secrets.get(host) else {
+			return Vec::new(); 
+		};
+		host_secrets.keys().cloned().collect()
+	}
+	pub fn has_secret(&self, host: &str, secret: &str) -> bool {
+		let data = self.data();
+		let Some(host_secrets) = data.host_secrets.get(host) else {
+			return false; 
+		};
+		host_secrets.contains_key(secret)
+	}
+	pub fn insert_secret(&self, host: &str, secret: String, value: FleetSecret) {
+		let mut data = self.data_mut();
+		let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
+		host_secrets.insert(secret, value);
+	}
+
+	pub async fn decrypt_on_host(&self, host: &str, data: Vec<u8>) -> Result<Vec<u8>>{
+		let data = z85::encode(&data);
+		let encoded = self.command_on(host, "fleet-install-secrets", true)
+			.arg("decrypt")
+			.arg("--secret")
+			.arg(data).run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
+		Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
+	}
+	pub async fn reencrypt_on_host(&self, host: &str, data: Vec<u8>, targets: Vec<String>) -> Result<Vec<u8>>{
+		let data = z85::encode(&data);
+		let mut recmd = self.command_on(host, "fleet-install-secrets", true);
+		recmd
+			.arg("reencrypt")
+			.arg("--secret")
+			.arg(format!("\"{}\"", data.replace('$', "\\$")));
+		for target in targets {
+			recmd.arg("--targets");
+			recmd.arg(format!("\"{target}\""));
+		}
+		let encoded = recmd.run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
+		Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
+	}
+
+	#[must_use]
+	pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetSecret> {
+		let data = self.data();
+		let Some(host_secrets) = data.host_secrets.get(host) else {
+            bail!("no secrets for machine {host}");
+        };
+		let Some(secret) = host_secrets.get(secret) else {
+            bail!("machine {host} has no secret {secret}");
+        };
+		Ok(secret.clone())
+	}
+	#[must_use]
+	pub fn shared_secret(&self, secret: &str) -> Result<FleetSharedSecret> {
+		let data = self.data();
+		let Some(secret) = data.shared_secrets.get(secret) else {
+			bail!("no shared secret {secret}");
+		};
+		Ok(secret.clone())
+	}
+
 	pub fn save(&self) -> Result<()> {
 		let mut tempfile = NamedTempFile::new_in(self.directory.clone())?;
 		let data = nixlike::serialize(&self.data() as &FleetData)?;

--- a/cmds/fleet/src/keys.rs
+++ b/cmds/fleet/src/keys.rs
@@ -36,15 +36,6 @@
 		}
 	}
 	/// Insecure, requires root
-	pub async fn identity(&self, host: &str) -> anyhow::Result<age::ssh::Identity> {
-		warn!("Loading private key for {host}");
-		let key = self
-			.command_on(host, "cat", true)
-			.arg("/etc/ssh/ssh_host_ed25519_key")
-			.run_string()
-			.await?;
-		Ok(age::ssh::Identity::from_buffer(key.as_bytes(), None)?)
-	}
 	pub async fn recipient(&self, host: &str) -> anyhow::Result<age::ssh::Recipient> {
 		let key = self.key(host).await?;
 		age::ssh::Recipient::from_str(&key).map_err(|e| anyhow!("parse recipient error: {:?}", e))

--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -1,21 +1,66 @@
-use age::Decryptor;
+use age::{ssh::Identity as SshIdentity, ssh::Recipient as SshRecipient, Decryptor};
+use age::{Encryptor, Identity, Recipient};
 use anyhow::{anyhow, bail, Context, Result};
 use clap::Parser;
 use log::{error, info, warn};
 use nix::sys::stat::Mode;
 use nix::unistd::{chown, Group, User};
 use serde::{Deserialize, Deserializer};
+use std::fmt::{self, Display};
 use std::fs::{self, File};
 use std::io::{self, Cursor, Read, Write};
 use std::iter;
 use std::os::unix::prelude::PermissionsExt;
-use std::str::from_utf8;
+use std::path::Path;
+use std::str::{from_utf8, FromStr};
 use std::{collections::HashMap, path::PathBuf};
 
+#[derive(Clone, Debug)]
+struct SecretWrapper(Vec<u8>);
+impl Display for SecretWrapper {
+	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+		let encoded = z85::encode(&self.0);
+		write!(f, "{encoded}")
+	}
+}
+impl FromStr for SecretWrapper {
+	type Err = z85::DecodeError;
+
+	fn from_str(s: &str) -> Result<Self, Self::Err> {
+		z85::decode(s).map(Self)
+	}
+}
+impl<'de> Deserialize<'de> for SecretWrapper {
+	fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+	where
+		D: Deserializer<'de>,
+	{
+		let v = String::deserialize(deserializer)?;
+		let de = z85::decode(v).map_err(|err| serde::de::Error::custom(err.to_string()))?;
+		Ok(Self(de))
+	}
+}
+
 #[derive(Parser)]
 #[clap(author)]
-struct Opts {
-	data: PathBuf,
+enum Opts {
+	/// Install secrets from json specification
+	Install { data: PathBuf },
+	/// Reencrypt secret using host key, outputting in z85 encoded string
+	Reencrypt {
+		#[clap(long)]
+		secret: SecretWrapper,
+		#[clap(long)]
+		targets: Vec<String>,
+	},
+	/// Decrypt secret using host key, outputting in z85 encoded string
+	Decrypt {
+		#[clap(long)]
+		secret: SecretWrapper,
+		/// Shoult decoded output be printed as plaintext, instead of z85?
+		#[clap(long)]
+		plaintext: bool,
+	},
 }
 
 #[derive(Deserialize)]
@@ -25,8 +70,7 @@
 	mode: String,
 	owner: String,
 
-	#[serde(deserialize_with = "from_z85")]
-	secret: Option<Vec<u8>>,
+	secret: Option<SecretWrapper>,
 	public: Option<String>,
 
 	public_path: PathBuf,
@@ -36,21 +80,45 @@
 	stable_secret_path: PathBuf,
 }
 
-fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
-where
-	D: Deserializer<'de>,
-{
-	use serde::de::Error;
-	if let Some(v) = <Option<String>>::deserialize(deserializer)? {
-		Ok(Some(
-			z85::decode(v).map_err(|err| Error::custom(err.to_string()))?,
-		))
-	} else {
-		Ok(None)
-	}
+type Data = HashMap<String, DataItem>;
+
+fn decrypt(input: &SecretWrapper, identity: &dyn Identity) -> Result<Vec<u8>> {
+	let mut input = Cursor::new(&input.0);
+	let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;
+	let decryptor = match decryptor {
+		Decryptor::Recipients(r) => r,
+		Decryptor::Passphrase(_) => bail!("should be recipients"),
+	};
+	let mut decryptor = decryptor
+		.decrypt(iter::once(identity as &dyn age::Identity))
+		.context("failed to decrypt, wrong key?")?;
+
+	let mut decrypted = Vec::new();
+	decryptor
+		.read_to_end(&mut decrypted)
+		.context("failed to decrypt")?;
+	Ok(decrypted)
+}
+fn encrypt(input: &[u8], targets: Vec<String>) -> Result<SecretWrapper> {
+	let recipients = targets
+		.into_iter()
+		.map(|t| {
+			SshRecipient::from_str(&t).map_err(|e| anyhow!("failed to parse recipient: {e:?}"))
+		})
+		.collect::<Result<Vec<SshRecipient>>>()?;
+	let recipients = recipients
+		.into_iter()
+		.map(|v| Box::new(v) as Box<dyn Recipient + Send>)
+		.collect::<Vec<_>>();
+	let mut encrypted = vec![];
+	let mut encryptor = Encryptor::with_recipients(recipients)
+		.expect("recipients provided")
+		.wrap_output(&mut encrypted)
+		.expect("constructor should not fail");
+	io::copy(&mut Cursor::new(input), &mut encryptor).expect("copy should not fail");
+	encryptor.finish().context("failed to finish encryption")?;
+	Ok(SecretWrapper(encrypted))
 }
-
-type Data = HashMap<String, DataItem>;
 
 fn init_secret(identity: &age::ssh::Identity, value: DataItem) -> Result<()> {
 	if let Some(public) = &value.public {
@@ -93,23 +161,7 @@
 	let mut hashed = File::create(&value.secret_path)?;
 
 	// File is owned by root, and only root can modify it
-	let decrypted = {
-		let mut input = Cursor::new(&secret);
-		let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;
-		let decryptor = match decryptor {
-			Decryptor::Recipients(r) => r,
-			Decryptor::Passphrase(_) => bail!("should be recipients"),
-		};
-		let mut decryptor = decryptor
-			.decrypt(iter::once(identity as &dyn age::Identity))
-			.context("failed to decrypt, wrong key?")?;
-
-		let mut decrypted = Vec::new();
-		decryptor
-			.read_to_end(&mut decrypted)
-			.context("failed to decrypt")?;
-		decrypted
-	};
+	let decrypted = decrypt(&secret, identity)?;
 	if decrypted.is_empty() {
 		warn!("secret is decoded as empty, something is broken?");
 	}
@@ -132,13 +184,19 @@
 	Ok(())
 }
 
-fn main() -> anyhow::Result<()> {
-	env_logger::Builder::new()
-		.filter_level(log::LevelFilter::Info)
-		.init();
+fn host_identity() -> anyhow::Result<SshIdentity> {
+	let identity = SshIdentity::from_buffer(
+		&mut Cursor::new(
+			fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,
+		),
+		None,
+	)
+	.context("failed to parse identity")?;
+	Ok(identity)
+}
 
-	let opts = Opts::parse();
-	let data = fs::read(&opts.data).context("failed to read secrets data")?;
+fn install(data: &Path) -> anyhow::Result<()> {
+	let data = fs::read(data).context("failed to read secrets data")?;
 	let data_str = from_utf8(&data).context("failed to read data to string")?;
 	let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;
 
@@ -149,13 +207,7 @@
 		fs::create_dir("/run/secrets").context("failed to create secrets directory")?;
 	}
 
-	let identity = age::ssh::Identity::from_buffer(
-		&mut Cursor::new(
-			fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,
-		),
-		None,
-	)
-	.context("failed to parse identity")?;
+	let identity = host_identity()?;
 
 	let mut failed = false;
 	for (name, value) in data {
@@ -174,3 +226,35 @@
 
 	Ok(())
 }
+
+fn main() -> anyhow::Result<()> {
+	env_logger::Builder::new()
+		.filter_level(log::LevelFilter::Info)
+		.init();
+
+	let opts = Opts::parse();
+
+	match opts {
+		Opts::Install { data } => install(&data),
+		Opts::Reencrypt { secret, targets } => {
+			let identity = host_identity()?;
+			let decrypted = decrypt(&secret, &identity).context("during decryption")?;
+			let encrypted = encrypt(&decrypted, targets).context("during re-encryption")?;
+
+			println!("{encrypted}");
+			Ok(())
+		}
+		Opts::Decrypt { secret, plaintext } => {
+			let identity = host_identity()?;
+			let decrypted = decrypt(&secret, &identity).context("during decryption")?;
+
+			if plaintext {
+				let s = String::from_utf8(decrypted).context("output is not utf8")?;
+				print!("{}", s);
+			} else {
+				println!("{}", SecretWrapper(decrypted));
+			}
+			Ok(())
+		}
+	}
+}

--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -20,9 +20,18 @@
         '';
         default = [ ];
       };
+      ownerDependent = mkOption {
+        type = bool;
+        description = "Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted";
+      };
       generator = mkOption {
-        type = package;
-        description = "Derivation to execute for secret generation";
+        type = nullOr package;
+        description = ''
+          Derivation to execute for secret generation
+
+          If null - may only be created manually
+        '';
+        default = null;
       };
       expireIn = mkOption {
         type = nullOr int;

--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -89,9 +89,10 @@
     };
   };
   config = {
+    environment.systemPackages = with pkgs; [pkgs.fleet-install-secrets];
     system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''
       1>&2 echo "setting up secrets"
-      ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
+      ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}
     '';
   };
 }