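# Fleet module declaring the schema of shared secret data and of the manager
# keys registered alongside it. This file only declares option types; nothing
# here generates, encrypts, decrypts or rotates a secret.
{
  lib,
  fleetLib,
  ...
}:
let
  inherit (fleetLib.options) mkDataOption;
  inherit (lib.options) mkOption;
  inherit (lib.types)
    nullOr
    listOf
    str
    attrsOf
    submodule
    bool
    unspecified
    ;

  # One named part of a shared secret (used as the freeform value type of
  # `sharedSecretData`).
  secretDataValue = {
    options = {
      raw = mkOption {
        type = nullOr str;
        description = ''
          Raw secret data in an unspecified encoding, optionally encrypted.

          NOTE: the type does not distinguish an encrypted value from a
          plaintext one; consumers must not assume a value here is safe to
          store elsewhere or to log.
        '';
        default = null;
      };
    };
  };

  # A shared secret: free-form named parts (each a `secretDataValue`) plus the
  # bookkeeping options declared below.
  sharedSecretData = {
    # Any attribute not declared under `options` is treated as a secret part.
    freeformType = attrsOf (submodule secretDataValue);
    options = {
      managed = mkOption {
        type = nullOr bool;
        description = "Whether the current fleet data value was generated by a generator.";
        default = null;
      };

      # The original declared `type = str` with `default = null`: a plain `str`
      # rejects null, so evaluating the option unset would fail type checking.
      # It now admits null, matching `expiresAt`.
      createdAt = mkOption {
        type = nullOr str;
        description = ''
          Timestamp of secret generation/last rotation.

          No timestamp format is enforced by the type.
        '';
        default = null;
      };
      expiresAt = mkOption {
        type = nullOr str;
        description = ''
          Expiration timestamp triggering mandatory secret rotation.

          No timestamp format is enforced by the type.
        '';
        default = null;
      };

      owners = mkOption {
        type = listOf str;
        description = ''
          List of hosts currently authorized to decrypt this shared secret.

          If owners differ from expected owners, the secret is considered outdated
          and requires regeneration or re-encryption.
        '';
        default = [ ];
      };
      # Deliberately untyped: the content is generator-specific and opaque to
      # this module.
      generationData = mkOption {
        type = unspecified;
        description = "Contextual metadata associated with a secret part.";
        default = null;
      };
    };
  };

  # A key registered for a manager of the fleet's secret data. Both fields are
  # required (no defaults).
  managerKey = {
    options = {
      name = mkOption {
        type = str;
        description = "Who this manager key belongs to.";
      };
      key = mkOption {
        type = str;
        # Only `str` is checked; nothing here validates that the value is a
        # well-formed age key. NOTE(review): presumably an age recipient
        # (public) key rather than an identity — confirm against the consumer.
        description = "Age-compatible key.";
      };
    };
    config = { };
  };
in
{
  options.data = mkDataOption (
    { config, ... }:
    {
      options = {
        managerKeys = mkOption {
          type = listOf (submodule managerKey);
          description = "List of manager keys (name plus age-compatible key).";
        };
        secrets = mkOption {
          # The original `listOf submodule sharedSecretData` applied `listOf`
          # to `submodule` and then tried to call the resulting type as a
          # function; the submodule must be built before being passed to
          # `listOf`. NOTE(review): whether each attribute should hold a list
          # of `sharedSecretData` or a single one is not decidable from this
          # file — the minimal parenthesisation is kept; confirm with consumers.
          type = attrsOf (listOf (submodule sharedSecretData));
          default = { };
          description = "Shared secret data.";
        };
      };
    }
  );
}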