# Fleet-level `secrets` option tree.
#
# Every declared secret is fanned out, through ./nixosModule.nix, to each host
# named in its `owners` list.  Only the `public` and `secret` fields are handed
# to a host; `generator` and `expireIn` are declared here but not read by this
# file (presumably consumed by the fleet tooling -- verify against the caller).
{ lib, fleet, config, ... }: with lib;
{
  options.secrets = mkOption {
    default = { };
    description = "Secrets";
    type = types.attrsOf (types.submodule {
      options = {
        # Hosts the secret is encrypted for.  Nothing in this module rejects an
        # empty list or an unknown host name; such a secret simply reaches nobody.
        owners = mkOption {
          type = types.listOf types.str;
          description = ''
            List of hosts to encrypt secret for

            Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
          '';
        };
        # Derivation that produces the secret; not evaluated anywhere in this file.
        generator = mkOption {
          type = types.package;
          description = "Derivation to execute for secret generation";
        };
        # Optional regeneration interval (hours); not acted on in this file.
        expireIn = mkOption {
          type = types.nullOr types.int;
          description = "Time in hours, in which this secret should be regenerated";
          default = null;
        };
        # Non-sensitive companion data; pushed verbatim to every owner host.
        public = mkOption {
          type = types.nullOr types.str;
          description = "Secret public data";
          default = null;
        };
        # Per its description this holds encrypted data, so it may appear in the
        # evaluated host configuration; the owners decrypt it (see ./nixosModule.nix).
        secret = mkOption {
          type = types.str;
          description = "Encrypted secret data";
        };
      };
    });
  };

  config = with fleet; {
    hosts = hostsToAttrs (host:
      let
        # Subset of the declared secrets whose `owners` list names this host.
        ownedByHost = filterAttrs (_: def: builtins.elem host def.owners) config.secrets;
        # Reduce each owned secret to the two fields a host actually receives.
        hostPayload = mapAttrs (_: def: { inherit (def) public secret; }) ownedByHost;
      in {
        modules = [
          ./nixosModule.nix
          { secrets = hostPayload; }
        ];
      });
  };
}