{ lib, fleet, config, ... }:
with lib;
let
  # Option declarations common to both secret kinds. Only `public` and
  # `secret` are ever forwarded into a host's configuration (see
  # `forwardToHost` below); `generator` and `expireIn` stay fleet-side.
  commonOptions = with types; {
    generator = mkOption {
      type = package;
      description = "Derivation to execute for secret generation";
    };
    expireIn = mkOption {
      type = nullOr int;
      description = "Time in hours, in which this secret should be regenerated";
      default = null;
    };
    public = mkOption {
      type = nullOr str;
      description = "Secret public data";
      default = null;
    };
  };

  # A secret shared between several hosts; `owners` decides which hosts
  # receive it.
  sharedSecret = {
    options = commonOptions // (with types; {
      owners = mkOption {
        type = listOf str;
        description = ''
          List of hosts to encrypt secret for

          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
        '';
      };
      # Optional for shared secrets: when no encrypted payload has been set
      # yet, the owners receive `secret = null` as-is.
      secret = mkOption {
        type = nullOr str;
        description = "Encrypted secret data";
        default = null;
      };
    });
  };

  # A secret belonging to exactly one host; the encrypted payload is mandatory.
  hostSecret = {
    options = commonOptions // (with types; {
      secret = mkOption {
        type = str;
        description = "Encrypted secret data";
      };
    });
  };
in
{
  options = with types; {
    sharedSecrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Shared secrets";
    };
    hostSecrets = mkOption {
      type = attrsOf (attrsOf (submodule hostSecret));
      default = { };
      description = "Host secrets";
    };
  };

  config = with fleet; {
    hosts = hostsToAttrs (host:
      let
        # Keep only the two fields a host needs. The generator, the expiry
        # and the owner list are dropped here and never reach host config;
        # the `secret` value is passed through unchanged (this module does
        # not decrypt anything).
        forwardToHost = _name: s: { inherit (s) public secret; };

        # Shared secrets that list this host among their owners; all others
        # are filtered out before anything is forwarded.
        ownedShared =
          filterAttrs (_: s: builtins.elem host s.owners) config.sharedSecrets;

        # Secrets declared for this host alone (empty if it has no entry).
        ownSecrets = config.hostSecrets.${host} or { };
      in
      {
        modules = [
          {
            # `//` is right-biased: a host secret sharing a name with a
            # shared secret replaces it for this host.
            secrets =
              mapAttrs forwardToHost ownedShared
              // mapAttrs forwardToHost ownSecrets;
          }
        ];
      });
  };
}