= Fleet Secrets Management System

== Overview

The secret management system is a built-in way to deploy secrets to remote systems, similar to agenix and comparable tools.

Secrets are encrypted using the system's host SSH key (`/etc/ssh/ssh_host_ed25519_key`). That key is not required to build the
remote system or to add a secret to the fleet configuration: fleet users encrypt secrets using the received public key instead,
and they do not need root access to receive the public encryption key.

== Example

[source,nix]
----
{
  fleet.secrets = {
    "my-secret" = {
      expectedOwners = [ "host1" "host2" ];
      regenerateOnOwnerAdded = true;
      generator = {mkImpureSecretGenerator}:
        mkImpureSecretGenerator {
          script = ''
            echo "secret content" | gh private -o $out/secret
          '';
        };
    };
  };
}
----

== Limitations and Future Improvements

- Pure secret generators are currently disabled
- Support for other secret management systems (e.g. systemd-creds has planned asymmetric encryption support)
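
The public-key model from the Overview, with two owners as in the Example, shown as an added sketch that is not fleet's own code. It assumes `age` and `ssh-keygen` are installed and uses `age` as a stand-in for the encryption step, since the page does not show fleet's format. The function names are hypothetical, and throwaway key pairs stand in for each host's `/etc/ssh/ssh_host_ed25519_key`.

```shell
#!/bin/sh
# Added illustration, not fleet code. age is an assumed stand-in for the
# encryption step; constructed throwaway keys replace the real host keys.

# Operator side: encrypt stdin for every owner, using public keys only.
# $1 = output file, remaining args = host public key files
encrypt_for_owners() {
    out=$1; shift
    cat "$@" > "$out.recipients" || return 1
    age -R "$out.recipients" -o "$out"
}

# Host side: decrypt with the host's private SSH key (root-only in practice).
# $1 = host private key file, $2 = ciphertext file
decrypt_on_host() {
    age -d -i "$1" "$2"
}

# Constructed scenario: host1 and host2 are owners, host3 is not.
# Runs in a subshell so the temporary keys are always removed.
# Prints one result line per host.
demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    for h in host1 host2 host3; do
        ssh-keygen -q -t ed25519 -N '' -f "$tmp/$h" || exit 1
    done
    # Only the .pub files are read here; no private key is needed to encrypt.
    printf 'secret content' |
        encrypt_for_owners "$tmp/my-secret.age" "$tmp/host1.pub" "$tmp/host2.pub" || exit 1
    for h in host1 host2 host3; do
        if plain=$(decrypt_on_host "$tmp/$h" "$tmp/my-secret.age" 2>/dev/null); then
            echo "$h: $plain"
        else
            echo "$h: cannot decrypt"
        fi
    done
)

# Run the scenario when invoked as: sh script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```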