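{ lib, fleetLib, config, ... }:
with lib;
with fleetLib;
let
  # Options common to both secret kinds: how the secret is produced, when it
  # should be regenerated, and its public payload. The encrypted payload
  # (`secret`) differs in type between the two kinds and is declared per kind.
  commonSecretOptions = with types; {
    generator = mkOption {
      type = package;
      description = "Derivation to execute for secret generation";
    };
    expireIn = mkOption {
      type = nullOr int;
      description = "Time in hours, in which this secret should be regenerated";
      default = null;
    };
    public = mkOption {
      type = nullOr str;
      description = "Secret public data";
      default = null;
    };
  };

  # A secret encrypted for a set of hosts. `owners` records the recipients of
  # the ciphertext as it currently exists; `expectedOwners` records the intended
  # recipients. The assertion in `config` below refuses to evaluate when the two
  # sets differ, so a stale ciphertext cannot be rolled out unnoticed.
  sharedSecret = with types; {
    options = commonSecretOptions // {
      owners = mkOption {
        type = listOf str;
        description = ''
          For which owners this secret is currently encrypted,
          if not matches expectedOwners - then this secret is considered outdated, and
          should be regenerated/reencrypted
        '';
        default = [ ];
      };
      expectedOwners = mkOption {
        type = listOf str;
        # `''$` is the indented-string escape for a literal `$`; the original
        # `$\{name}` rendered a stray backslash in the option documentation.
        description = ''
          List of hosts to encrypt secret for

          Secrets would be decrypted and stored to /run/secrets/''${name} on owners
        '';
        default = [ ];
      };
      # Nullable: a shared secret may be declared before it has been generated.
      secret = mkOption {
        type = nullOr str;
        description = "Encrypted secret data";
        default = null;
      };
    };
  };

  # A secret belonging to a single host. Unlike a shared secret, the encrypted
  # payload is mandatory here.
  hostSecret = with types; {
    options = commonSecretOptions // {
      secret = mkOption {
        type = str;
        description = "Encrypted secret data";
      };
    };
  };
in
{
  options = with types; {
    sharedSecrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Shared secrets";
    };
    hostSecrets = mkOption {
      # Keyed by host name first, then by secret name.
      type = attrsOf (attrsOf (submodule hostSecret));
      default = { };
      description = "Host secrets";
    };
  };

  config = {
    # Every shared secret must be encrypted for exactly its expected owner set.
    # Both lists are sorted first so the comparison is order-insensitive.
    assertions = mapAttrsToList
      (name: secret:
        let
          sortNames = builtins.sort (a: b: a < b);
        in
        {
          assertion = sortNames secret.owners == sortNames secret.expectedOwners;
          message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON secret.expectedOwners}, but it is encrypted for ${builtins.toJSON secret.owners}. Run fleet secrets regenerate to fix";
        })
      config.sharedSecrets;

    # Each host receives only the payload of the secrets it is an owner of:
    # shared secrets whose `owners` list contains it, plus its own host secrets.
    # Generator, expiry and owner metadata never reach host configuration.
    hosts = hostsToAttrs (host:
      let
        # Keep only the fields a host needs; `secret` is still the encrypted form
        # as declared above, decryption happens on the host per the option docs.
        cleanupSecret = _: v: { inherit (v) public secret; };
        ownedShared = filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets;
        ownHost = config.hostSecrets.${host} or { };
      in
      {
        modules = [
          {
            # NOTE(review): with `//` a host secret silently shadows a shared
            # secret of the same name; confirm that is intended before relying on it.
            secrets = mapAttrs cleanupSecret ownedShared // mapAttrs cleanupSecret ownHost;
          }
        ];
      });
  };
}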