git.delta.rocks / jrsonnet / refs/commits / d8f3e18873ec

difftreelog

refactor move parts to secret generator derivation

rquyvuskYaroslav Bolyukin2025-11-05parent: #488d19a.patch.diff
in: trunk

5 files changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, Read, Write, stdin, stdout},4	path::PathBuf,5};67use anyhow::{Context, Result, anyhow, bail, ensure};8use chrono::{DateTime, Utc};9use clap::Parser;10use fleet_base::{11	fleetdata::{12		FleetHostSecret, FleetSecretData, FleetSecretPart, FleetSharedSecret, encrypt_secret_data,13	},14	host::Config,15	opts::FleetOpts,16	secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},17};18use fleet_shared::SecretData;19use nix_eval::{NixType, Value, nix_go, nix_go_json};20use owo_colors::OwoColorize;21use serde::Deserialize;22use tabled::{Table, Tabled};23use tokio::{fs::read, task::spawn_blocking};24use tracing::{Instrument, error, info, info_span, warn};2526#[derive(Parser)]27pub enum Secret {28	AddManager,29	/// Force load host keys for all defined hosts30	ForceKeys,31	/// Add secret, data should be provided in stdin32	AddShared {33		/// Secret name34		name: String,35		/// Secret owners36		#[clap(long, short)]37		machines: Vec<String>,38		/// Override secret if already present39		#[clap(long)]40		force: bool,41		/// Secret public part42		#[clap(long)]43		public: Option<String>,44		/// Load public part from specified file45		#[clap(long)]46		public_file: Option<PathBuf>,4748		/// Create a notification on secret expiration49		#[clap(long)]50		expires_at: Option<DateTime<Utc>>,5152		/// Secret with this name already exists, override its value while keeping the same owners.53		#[clap(long)]54		re_add: bool,5556		/// How to name public secret part57		#[clap(long, short = 'p', default_value = "public")]58		public_part: String,59		/// How to name private secret part60		#[clap(short = 's', long, default_value = "secret")]61		part: String,62	},63	/// Add secret, data should be provided in stdin64	Add {65		/// Secret name66		name: String,67		/// Secret owner68		#[clap(short = 'm', long)]69		machine: String,70		/// Replace secret if already present71		#[clap(long)]72		replace: bool,73		/// Add new parts to existing secret74		#[clap(long)]75		merge: bool,76		/// Secret public part77		#[clap(long)]78		public: Option<String>,79		/// Load public part from specified file80		#[clap(long)]81		public_file: Option<PathBuf>,8283		/// How to name public secret part84		#[clap(short = 'p', long, default_value = "public")]85		public_part: String,86		/// How to name private secret part87		#[clap(short = 's', long, default_value = "secret")]88		part: String,89	},90	/// Read secret from remote host, requires sudo on said host91	Read {92		name: String,93		#[clap(short = 'm', long)]94		machine: String,9596		/// Which private secret part to read97		#[clap(short = 'p', long, default_value = "secret")]98		part: String,99	},100	/// Read secret from remote host, requires sudo on said host101	ReadShared {102		name: String,103		/// Which private secret part to read104		#[clap(short = 'p', long, default_value = "secret")]105		part: String,106		/// Which host should we use to decrypt, in case if reencryption is required, without107		/// regeneration108		#[clap(long)]109		prefer_identities: Vec<String>,110	},111	UpdateShared {112		name: String,113114		#[clap(short = 'm', long)]115		machine: Option<Vec<String>>,116117		#[clap(long)]118		add_machine: Vec<String>,119		#[clap(long)]120		remove_machine: Vec<String>,121122		/// Which host should we use to decrypt123		#[clap(long)]124		prefer_identities: Vec<String>,125	},126	Regenerate {127		/// Which host should we use to decrypt, in case if reencryption is required, without128		/// regeneration129		#[clap(long)]130		prefer_identities: Vec<String>,131		/// Only regenerate shared secrets132		#[clap(long)]133		skip_hosts: bool,134	},135	List {},136	Edit {137		name: String,138		#[clap(short = 'm', long)]139		machine: String,140141		#[clap(long)]142		add: bool,143144		/// Which private secret part to read145		#[clap(short = 'p', long, default_value = "secret")]146		part: String,147	},148}149150#[allow(clippy::too_many_arguments)]151#[tracing::instrument(skip(config, secret, definition, prefer_identities))]152async fn maybe_regenerate_shared_secret(153	secret_name: &str,154	config: &Config,155	mut secret: FleetSharedSecret,156	definition: SharedSecretDefinition,157	prefer_identities: &[String],158	expectations: &Expectations,159) -> Result<FleetSharedSecret> {160	let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);161	let value = definition.inner();162163	let (should_reencrypt, reason) = match reason {164		Some(RegenerationReason::OwnersAdded(_)) => {165			// Secret always needs to be reencrypted for new owners to be able to read it166			(167				true,168				if nix_go_json!(value.regenerateOnOwnerAdded) {169					reason170				} else {171					None172				},173			)174		}175		Some(RegenerationReason::OwnersRemoved(_)) => {176			// No need to reencrypt, we can just leave stanzas in place.177			if nix_go_json!(value.regenerateOnOwnerRemoved) {178				(true, reason)179			} else {180				(false, None)181			}182		}183		Some(_) => (true, reason),184		None => (false, None),185	};186187	if let Some(reason) = reason {188		info!("secret needs to be regenerated: {reason}");189		let generated = generate_shared(config, secret_name, definition, expectations).await?;190		Ok(generated)191	} else if should_reencrypt {192		info!("secret needs to be reencrypted");193		let identity_holder = if !prefer_identities.is_empty() {194			prefer_identities195				.iter()196				.find(|i| secret.owners.iter().any(|s| s == *i))197		} else {198			secret.owners.first()199		};200		let Some(identity_holder) = identity_holder else {201			bail!("no available holder found");202		};203204		for (part_name, part) in secret.secret.parts.iter_mut() {205			let _span = info_span!("part reencryption", part_name);206			if !part.raw.encrypted {207				continue;208			}209			let host = config.host(identity_holder).await?;210			let encrypted = host211				.reencrypt(212					part.raw.clone(),213					expectations.owners.iter().cloned().collect(),214				)215				.await?;216			part.raw = encrypted;217		}218		secret.owners = expectations.owners.clone();219		Ok(secret)220	} else {221		Ok(secret)222	}223}224225#[derive(Deserialize)]226#[serde(rename_all = "camelCase")]227enum GeneratorKind {228	Impure,229	Pure,230}231232async fn generate_pure(233	_config: &Config,234	_display_name: &str,235	_secret: Value,236	_default_generator: Value,237	_expectations: &Expectations,238) -> Result<FleetSecretData> {239	bail!("pure generators are broken for now")240}241async fn generate_impure(242	config: &Config,243	_display_name: &str,244	secret: Value,245	default_generator: Value,246	expectations: &Expectations,247) -> Result<FleetSecretData> {248	let generator = nix_go!(secret.generator);249	let on: Option<String> = nix_go_json!(default_generator.impureOn);250251	let nixpkgs = &config.nixpkgs;252253	let host = if let Some(on) = &on {254		config.host(on).await?255	} else {256		config.local_host()257	};258	let on_pkgs = host.pkgs().await?;259	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);260261	let mut recipients = Vec::new();262	for owner in &expectations.owners {263		let key = config.key(owner).await?;264		recipients.push(key);265	}266	let generators = nix_go!(mk_secret_generators(Obj { recipients }));267	let pkgs_and_generators = on_pkgs.attrs_update(generators)?;268269	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));270271	let generator = nix_go!(call_package(generator)(Obj {}));272273	let generator = spawn_blocking(move || generator.build("out"))274		.await275		.expect("nix build shouldn't fail")?;276	let generator = host.remote_derivation(&generator).await?;277278	let out_parent = host.mktemp_dir().await?;279	let out = format!("{out_parent}/out");280281	let mut r#gen = host.cmd(generator).await?;282	r#gen.env("out", &out);283	if on.is_none() {284		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.285		let project_path: String = config286			.directory287			.clone()288			.into_os_string()289			.into_string()290			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;291		r#gen.env("FLEET_PROJECT", project_path);292	}293	r#gen.run().await.context("impure generator")?;294295	{296		let marker = host.read_file_text(format!("{out}/marker")).await?;297		ensure!(marker == "SUCCESS", "generation not succeeded");298	}299300	let mut parts = BTreeMap::new();301	for part in host.read_dir(&out).await? {302		if part == "created_at" || part == "expires_at" || part == "marker" {303			continue;304		}305		let contents: SecretData = host306			.read_file_text(format!("{out}/{part}"))307			.await?308			.parse()309			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;310		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });311	}312313	let created_at = host.read_file_value(format!("{out}/created_at")).await?;314	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();315316	let new_data = FleetSecretData {317		created_at,318		expires_at,319		parts,320		generation_data: expectations.generation_data.clone(),321	};322323	if let Some(reason) = secret_needs_regeneration(&new_data, &expectations.owners, expectations) {324		bail!("newly generated secret needs to be regenerated: {reason}")325	}326327	Ok(new_data)328}329330async fn generate(331	config: &Config,332	display_name: &str,333	secret: Value,334	expectations: &Expectations,335) -> Result<FleetSecretData> {336	let generator = nix_go!(secret.generator);337	// Can't properly check on nix module system level338	{339		let gen_ty = generator.type_of();340		if matches!(gen_ty, NixType::Null) {341			bail!("secret has no generator defined, can't automatically generate it.");342		}343		if matches!(gen_ty, NixType::Attrs) {344			if !generator.has_field("__functor")? {345				bail!("generator should be functor, got {gen_ty:?}");346			}347		} else if matches!(gen_ty, NixType::Function) {348			bail!("generator should be functor, got {gen_ty:?}");349		}350	}351	let nixpkgs = &config.nixpkgs;352	let default_pkgs = &config.default_pkgs;353	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);354	// Generators provide additional information in passthru, to access355	// passthru we should call generator, but information about where this generator is supposed to build356	// is located in passthru... Thus evaluating generator on host.357	//358	// Maybe it is also possible to do some magic with __functor?359	//360	// I don't want to make modules always responsible for additional secret data anyway,361	// so it should be in derivation, and not in the secret data itself.362	let generators = nix_go!(default_mk_secret_generators(Obj {363		recipients: <Vec<String>>::new(),364	}));365	let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;366367	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));368	let default_generator = nix_go!(call_package(generator)(Obj {}));369370	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);371372	match kind {373		GeneratorKind::Impure => {374			generate_impure(375				config,376				display_name,377				secret,378				default_generator,379				expectations,380			)381			.await382		}383		GeneratorKind::Pure => {384			generate_pure(385				config,386				display_name,387				secret,388				default_generator,389				expectations,390			)391			.await392		}393	}394}395async fn generate_shared(396	config: &Config,397	display_name: &str,398	secret: SharedSecretDefinition,399	expectations: &Expectations,400) -> Result<FleetSharedSecret> {401	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);402	Ok(FleetSharedSecret {403		managed: Some(true),404		secret: generate(config, display_name, secret.inner(), expectations).await?,405		owners: expectations.owners.clone(),406	})407}408409async fn parse_public(410	public: Option<String>,411	public_file: Option<PathBuf>,412) -> Result<Option<SecretData>> {413	Ok(match (public, public_file) {414		(Some(v), None) => Some(SecretData {415			data: v.into(),416			encrypted: false,417		}),418		(None, Some(v)) => Some(SecretData {419			data: read(v).await?,420			encrypted: false,421		}),422		(Some(_), Some(_)) => {423			bail!("only public or public_file should be set")424		}425		(None, None) => None,426	})427}428429async fn parse_secret() -> Result<Option<Vec<u8>>> {430	let mut input = vec![];431	stdin().read_to_end(&mut input)?;432	if input.is_empty() {433		Ok(None)434	} else {435		Ok(Some(input))436	}437}438439fn parse_machines(440	initial: BTreeSet<String>,441	machines: Option<Vec<String>>,442	mut add_machines: Vec<String>,443	mut remove_machines: Vec<String>,444) -> Result<BTreeSet<String>> {445	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {446		bail!("no operation");447	}448449	let initial_machines = initial.clone();450	let mut target_machines = initial;451	info!("Currently encrypted for {initial_machines:?}");452453	if let Some(machines) = machines {454		ensure!(455			add_machines.is_empty() && remove_machines.is_empty(),456			"can't combine --machines and --add-machines/--remove-machines"457		);458		let target = initial_machines.iter().collect::<HashSet<_>>();459		let source = machines.iter().collect::<HashSet<_>>();460		for removed in target.difference(&source) {461			remove_machines.push((*removed).clone());462		}463		for added in source.difference(&target) {464			add_machines.push((*added).clone());465		}466	}467468	for machine in &remove_machines {469		if !target_machines.remove(machine) {470			warn!("secret is not enabled for {machine}");471		}472	}473	for machine in &add_machines {474		if !target_machines.insert(machine.to_owned()) {475			warn!("secret is already added to {machine}");476		}477	}478	if !remove_machines.is_empty() {479		// TODO: maybe force secret regeneration?480		// Not that useful without revokation.481		warn!(482			"secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret"483		);484	}485	Ok(target_machines)486}487impl Secret {488	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {489		match self {490			Secret::AddManager => {491				todo!("part of fleet-pusher")492			}493			Secret::ForceKeys => {494				for host in config.list_hosts().await? {495					if opts.should_skip(&host).await? {496						continue;497					}498					config.key(&host.name).await?;499				}500			}501			Secret::AddShared {502				machines,503				name,504				force,505				public,506				public_part: public_name,507				public_file,508				expires_at,509				re_add,510				part: part_name,511			} => {512				let mut machines: BTreeSet<String> = machines.into_iter().collect();513				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).514515				if let Some(old_shared) = config.shared_secret(&name)? {516					if !force && !re_add {517						bail!("secret already defined");518					};519					if old_shared.managed.unwrap_or(false) {520						bail!("secret is marked as managed, should not be updated manually");521					};522					if re_add {523						// Fixme: use clap to limit this usage524						ensure!(!force, "--force and --readd are not compatible");525						ensure!(526							machines.is_empty(),527							"you can't use machines argument for --readd"528						);529						machines = old_shared.owners;530					}531				} else if re_add {532					bail!("secret doesn't exists");533				};534535				let recipients = config536					.recipients(machines.iter().cloned().collect())537					.await?;538539				let mut parts = BTreeMap::new();540541				let mut input = vec![];542				io::stdin().read_to_end(&mut input)?;543544				if !input.is_empty() {545					let encrypted = encrypt_secret_data(recipients.iter(), input)546						.ok_or_else(|| anyhow!("no recipients provided"))?;547					parts.insert(part_name, FleetSecretPart { raw: encrypted });548				}549550				if let Some(public) = parse_public(public, public_file).await? {551					parts.insert(public_name, FleetSecretPart { raw: public });552				}553554				config.replace_shared(555					name,556					FleetSharedSecret {557						managed: Some(false),558						owners: machines,559						secret: FleetSecretData {560							created_at: Utc::now(),561							expires_at,562							parts,563							generation_data: serde_json::Value::Null,564						},565					},566				);567			}568			Secret::Add {569				machine,570				name,571				replace,572				merge,573				public,574				public_part: public_name,575				public_file,576				part: part_name,577			} => {578				if config.has_secret(&machine, &name) && !replace && !merge {579					bail!(580						"secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret"581					);582				}583584				let mut out = if merge && !replace {585					config586						.host_secret(&machine, &name)587						.context("failed to read existing secret for --merge")?588				} else {589					FleetHostSecret {590						managed: Some(false),591						secret: FleetSecretData {592							created_at: Utc::now(),593							expires_at: None,594							parts: BTreeMap::new(),595							generation_data: serde_json::Value::Null,596						},597					}598				};599				if out.managed.unwrap_or(false) {600					bail!("secret is managed by fleet and should not be updated manually");601				}602				out.managed = Some(false);603604				if let Some(secret) = parse_secret().await? {605					let recipient = config.recipient(&machine).await?;606					let encrypted =607						encrypt_secret_data([&recipient], secret).expect("recipient provided");608					if out609						.secret610						.parts611						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })612						.is_some() && !replace613					{614						bail!(615							"part {part_name:?} is already defined, use --replace if you wish to replace it"616						);617					}618				}619620				if let Some(public) = parse_public(public, public_file).await? {621					if out622						.secret623						.parts624						.insert(public_name.clone(), FleetSecretPart { raw: public })625						.is_some() && !replace626					{627						bail!(628							"part {public_name:?} is already defined, use --replace if you wish to replace it"629						);630					}631				};632633				config.insert_secret(&machine, name, out);634			}635			#[allow(clippy::await_holding_refcell_ref)]636			Secret::Read {637				name,638				machine,639				part: part_name,640			} => {641				let secret = config.host_secret(&machine, &name)?;642				let Some(secret) = secret.secret.parts.get(&part_name) else {643					bail!("no part {part_name} in secret {name}");644				};645				let data = if secret.raw.encrypted {646					let host = config.host(&machine).await?;647					host.decrypt(secret.raw.clone()).await?648				} else {649					secret.raw.data.clone()650				};651652				stdout().write_all(&data)?;653			}654			Secret::ReadShared {655				name,656				part: part_name,657				prefer_identities,658			} => {659				let Some(secret) = config.shared_secret(&name)? else {660					bail!("secret doesn't exists");661				};662				let Some(part) = secret.secret.parts.get(&part_name) else {663					bail!("no part {part_name} in secret {name}");664				};665				let data = if part.raw.encrypted {666					let identity_holder = if !prefer_identities.is_empty() {667						prefer_identities668							.iter()669							.find(|i| secret.owners.iter().any(|s| s == *i))670					} else {671						secret.owners.first()672					};673					let Some(identity_holder) = identity_holder else {674						bail!("no available holder found");675					};676					let host = config.host(identity_holder).await?;677					host.decrypt(part.raw.clone()).await?678				} else {679					part.raw.data.clone()680				};681				stdout().write_all(&data)?;682			}683			Secret::UpdateShared {684				name,685				machine,686				add_machine,687				remove_machine,688				prefer_identities,689			} => {690				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).691692				let Some(secret) = config.shared_secret(&name)? else {693					bail!("secret doesn't exists");694				};695				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {696					bail!("no secret");697				}698699				let initial_machines = secret.owners.clone();700				let target_machines = parse_machines(701					initial_machines.clone(),702					machine,703					add_machine,704					remove_machine,705				)?;706707				if target_machines.is_empty() {708					info!("no machines left for secret, removing it");709					config.remove_shared(&name);710					return Ok(());711				}712713				let definition = config.shared_secret_definition(&name)?;714				let expectations = definition.expectations()?;715716				let updated = maybe_regenerate_shared_secret(717					&name,718					config,719					secret,720					definition,721					&prefer_identities,722					&expectations,723				)724				.await?;725				config.replace_shared(name, updated);726			}727			Secret::Regenerate {728				prefer_identities,729				skip_hosts,730			} => {731				info!("checking for secrets to regenerate");732				let expected_shared_set = config733					.list_configured_shared()734					.await?735					.into_iter()736					.collect::<HashSet<_>>();737				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();738				{739					// Generate missing shared740					let _span = info_span!("shared").entered();741					for missing in expected_shared_set.difference(&stored_shared_set) {742						let definition = config.shared_secret_definition(missing)?;743						if !definition.is_managed()? {744							info!("skipping unmanaged secret: {missing}");745							continue;746						}747						let expectations = definition.expectations()?;748						info!("generating secret: {missing}");749						let shared = generate_shared(config, missing, definition, &expectations)750							.in_current_span()751							.await?;752						config.replace_shared(missing.to_string(), shared)753					}754				}755				if !skip_hosts {756					for host in config.list_hosts().await? {757						if opts.should_skip(&host).await? {758							continue;759						}760761						let _span = info_span!("host", host = host.name).entered();762						let expected_set = host763							.list_defined_secrets()?764							.into_iter()765							.collect::<HashSet<_>>();766						let stored_set = config767							.list_secrets(&host.name)768							.into_iter()769							.collect::<HashSet<_>>();770						for missing_secret in expected_set.difference(&stored_set) {771							info!("generating missing secret: {missing_secret}");772							let definition = host.secret_definition(missing_secret)?;773							let expectations = definition.expectations()?;774							let generated = match generate(775								config,776								missing_secret,777								definition.inner(),778								&expectations,779							)780							.in_current_span()781							.await782							{783								Ok(v) => v,784								Err(e) => {785									error!("{e:?}");786									continue;787								}788							};789							config.insert_secret(790								&host.name,791								missing_secret.to_string(),792								FleetHostSecret {793									managed: Some(true),794									secret: generated,795								},796							)797						}798						for known_secret in stored_set.intersection(&expected_set) {799							info!("updating secret: {known_secret}");800							let data = config.host_secret(&host.name, known_secret)?;801							let definition = host.secret_definition(known_secret)?;802							let expectations = definition.expectations()?;803							if let Some(regen_reason) = data.needs_regeneration(&expectations) {804								info!("needs regeneration: {regen_reason}");805								let generated = match generate(806									config,807									known_secret,808									definition.inner(),809									&expectations,810								)811								.in_current_span()812								.await813								{814									Ok(v) => v,815									Err(e) => {816										error!("{e:?}");817										continue;818									}819								};820								config.insert_secret(821									&host.name,822									known_secret.to_string(),823									FleetHostSecret {824										managed: Some(true),825										secret: generated,826									},827								)828							}829						}830						for removed_secret in stored_set.difference(&expected_set) {831							info!("removing secret: {removed_secret}");832							config.remove_secret(&host.name, removed_secret);833						}834					}835				}836				for known_secret in stored_shared_set.intersection(&expected_shared_set) {837					info!("updating shared secret: {known_secret}");838					let data = config.shared_secret(known_secret)?.expect("exists");839840					let definition = config.shared_secret_definition(known_secret)?;841					let expectations = definition.expectations()?;842					config.replace_shared(843						known_secret.to_owned(),844						maybe_regenerate_shared_secret(845							known_secret,846							config,847							data,848							definition,849							&prefer_identities,850							&expectations,851						)852						.await?,853					);854				}855				for removed_secret in stored_shared_set.difference(&expected_shared_set) {856					info!("removing shared secret: {removed_secret}");857					config.remove_shared(removed_secret);858				}859			}860			Secret::List {} => {861				let _span = info_span!("loading secrets").entered();862				let configured = config.list_configured_shared().await?;863				#[derive(Tabled)]864				struct SecretDisplay {865					#[tabled(rename = "Name")]866					name: String,867					#[tabled(rename = "Owners")]868					owners: String,869				}870				let mut table = vec![];871				for name in configured.iter().cloned() {872					let config = config.clone();873					let data = config.shared_secret(&name)?.expect("exists");874					let definition = config.shared_secret_definition(&name)?;875					let expectations = definition.expectations()?;876					let owners = data877						.owners878						.iter()879						.map(|o| {880							if expectations.owners.contains(o) {881								o.green().to_string()882							} else {883								o.red().to_string()884							}885						})886						.collect::<Vec<_>>();887					table.push(SecretDisplay {888						owners: owners.join(", "),889						name,890					})891				}892				info!("loaded\n{}", Table::new(table).to_string())893			}894			Secret::Edit {895				name,896				machine,897				part,898				add,899			} => {900				let secret = config.host_secret(&machine, &name)?;901				if let Some(data) = secret.secret.parts.get(&part) {902					let host = config.host(&machine).await?;903					let secret = host.decrypt(data.raw.clone()).await?;904					String::from_utf8(secret).context("secret is not utf8")?905				} else if add {906					String::new()907				} else {908					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");909				};910			}911		}912		Ok(())913	}914}915916/*917async fn edit_temp_file(918	builder: tempfile::Builder<'_, '_>,919	r: Vec<u8>,920	header: &str,921	comment: &str,922) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {923	if !stdin().is_tty() {924		// TODO: Also try to open /dev/tty directly?925		bail!("stdin is not tty, can't open editor");926	}927928	use std::fmt::Write;929	let mut file = builder.tempfile()?;930931	let mut full_header = String::new();932	let mut had = false;933	for line in header.trim_end().lines() {934		had = true;935		writeln!(&mut full_header, "{comment}{line}")?;936	}937	if had {938		writeln!(&mut full_header, "{}", comment.trim_end())?;939	}940	writeln!(941		&mut full_header,942		"{comment}Do not touch this header! It will be removed automatically"943	)?;944945	file.write_all(full_header.as_bytes())?;946	file.write_all(&r)?;947948	let abs_path = file.into_temp_path();949	let editor = std::env::var_os("VISUAL")950		.or_else(|| std::env::var_os("EDITOR"))951		.unwrap_or_else(|| "vi".into());952	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())953		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;954	let editor_args = editor_args955		.into_iter()956		.map(|v| {957			// Only ASCII subsequences are replaced958			unsafe { OsString::from_encoded_bytes_unchecked(v) }959		})960		.collect_vec();961	let Some((editor, args)) = editor_args.split_first() else {962		bail!("EDITOR env var has no command");963	};964	let mut command = Command::new(editor);965	command.args(args);966967	let path_arg = abs_path.canonicalize()?;968969	// TODO: Save full state, using tcget/_getmode/_setmode970	let was_raw = terminal::is_raw_mode_enabled()?;971	terminal::enable_raw_mode()?;972973	let status = command.arg(path_arg).status().await;974975	if !was_raw {976		terminal::disable_raw_mode()?;977	}978979	let success = match status {980		Ok(s) => s.success(),981		Err(e) if e.kind() == io::ErrorKind::NotFound => {982			bail!("editor not found")983		}984		Err(e) => bail!("editor spawn error: {e}"),985	};986987	let mut file = std::fs::read(&abs_path).context("read editor output")?;988	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {989		todo!();990	};991	todo!();992993	// Ok((success, abs_path))994}995*/
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, Read, Write, stdin, stdout},4	path::PathBuf,5};67use anyhow::{Context, Result, anyhow, bail, ensure};8use chrono::{DateTime, Utc};9use clap::Parser;10use fleet_base::{11	fleetdata::{12		FleetHostSecret, FleetSecretData, FleetSecretPart, FleetSharedSecret, encrypt_secret_data,13	},14	host::Config,15	opts::FleetOpts,16	secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},17};18use fleet_shared::SecretData;19use nix_eval::{NixType, Value, nix_go, nix_go_json};20use owo_colors::OwoColorize;21use serde::Deserialize;22use tabled::{Table, Tabled};23use tokio::{fs::read, task::spawn_blocking};24use tracing::{Instrument, error, info, info_span, warn};2526#[derive(Parser)]27pub enum Secret {28	AddManager,29	/// Force load host keys for all defined hosts30	ForceKeys,31	/// Add secret, data should be provided in stdin32	AddShared {33		/// Secret name34		name: String,35		/// Secret owners36		#[clap(long, short)]37		machines: Vec<String>,38		/// Override secret if already present39		#[clap(long)]40		force: bool,41		/// Secret public part42		#[clap(long)]43		public: Option<String>,44		/// Load public part from specified file45		#[clap(long)]46		public_file: Option<PathBuf>,4748		/// Create a notification on secret expiration49		#[clap(long)]50		expires_at: Option<DateTime<Utc>>,5152		/// Secret with this name already exists, override its value while keeping the same owners.53		#[clap(long)]54		re_add: bool,5556		/// How to name public secret part57		#[clap(long, short = 'p', default_value = "public")]58		public_part: String,59		/// How to name private secret part60		#[clap(short = 's', long, default_value = "secret")]61		part: String,62	},63	/// Add secret, data should be provided in stdin64	Add {65		/// Secret name66		name: String,67		/// Secret owner68		#[clap(short = 'm', long)]69		machine: String,70		/// Replace secret if already present71		#[clap(long)]72		replace: bool,73		/// Add new parts to existing secret74		#[clap(long)]75		merge: bool,76		/// Secret public part77		#[clap(long)]78		public: Option<String>,79		/// Load public part from specified file80		#[clap(long)]81		public_file: Option<PathBuf>,8283		/// How to name public secret part84		#[clap(short = 'p', long, default_value = "public")]85		public_part: String,86		/// How to name private secret part87		#[clap(short = 's', long, default_value = "secret")]88		part: String,89	},90	/// Read secret from remote host, requires sudo on said host91	Read {92		name: String,93		#[clap(short = 'm', long)]94		machine: String,9596		/// Which private secret part to read97		#[clap(short = 'p', long, default_value = "secret")]98		part: String,99	},100	/// Read secret from remote host, requires sudo on said host101	ReadShared {102		name: String,103		/// Which private secret part to read104		#[clap(short = 'p', long, default_value = "secret")]105		part: String,106		/// Which host should we use to decrypt, in case if reencryption is required, without107		/// regeneration108		#[clap(long)]109		prefer_identities: Vec<String>,110	},111	UpdateShared {112		name: String,113114		#[clap(short = 'm', long)]115		machine: Option<Vec<String>>,116117		#[clap(long)]118		add_machine: Vec<String>,119		#[clap(long)]120		remove_machine: Vec<String>,121122		/// Which host should we use to decrypt123		#[clap(long)]124		prefer_identities: Vec<String>,125	},126	Regenerate {127		/// Which host should we use to decrypt, in case if reencryption is required, without128		/// regeneration129		#[clap(long)]130		prefer_identities: Vec<String>,131		/// Only regenerate shared secrets132		#[clap(long)]133		skip_hosts: bool,134	},135	List {},136	Edit {137		name: String,138		#[clap(short = 'm', long)]139		machine: String,140141		#[clap(long)]142		add: bool,143144		/// Which private secret part to read145		#[clap(short = 'p', long, default_value = "secret")]146		part: String,147	},148}149150#[allow(clippy::too_many_arguments)]151#[tracing::instrument(skip(config, secret, definition, prefer_identities))]152async fn maybe_regenerate_shared_secret(153	secret_name: &str,154	config: &Config,155	mut secret: FleetSharedSecret,156	definition: SharedSecretDefinition,157	prefer_identities: &[String],158	expectations: &Expectations,159) -> Result<FleetSharedSecret> {160	let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);161	let value = definition.definition_value();162163	let (should_reencrypt, reason) = match reason {164		Some(RegenerationReason::OwnersAdded(_)) => {165			// Secret always needs to be reencrypted for new owners to be able to read it166			(167				true,168				if nix_go_json!(value.regenerateOnOwnerAdded) {169					reason170				} else {171					None172				},173			)174		}175		Some(RegenerationReason::OwnersRemoved(_)) => {176			// No need to reencrypt, we can just leave stanzas in place.177			if nix_go_json!(value.regenerateOnOwnerRemoved) {178				(true, reason)179			} else {180				(false, None)181			}182		}183		Some(_) => (true, reason),184		None => (false, None),185	};186187	if let Some(reason) = reason {188		info!("secret needs to be regenerated: {reason}");189		let generated = generate_shared(config, secret_name, definition, expectations).await?;190		Ok(generated)191	} else if should_reencrypt {192		info!("secret needs to be reencrypted");193		let identity_holder = if !prefer_identities.is_empty() {194			prefer_identities195				.iter()196				.find(|i| secret.owners.iter().any(|s| s == *i))197		} else {198			secret.owners.first()199		};200		let Some(identity_holder) = identity_holder else {201			bail!("no available holder found");202		};203204		for (part_name, part) in secret.secret.parts.iter_mut() {205			let _span = info_span!("part reencryption", part_name);206			if !part.raw.encrypted {207				continue;208			}209			let host = config.host(identity_holder).await?;210			let encrypted = host211				.reencrypt(212					part.raw.clone(),213					expectations.owners.iter().cloned().collect(),214				)215				.await?;216			part.raw = encrypted;217		}218		secret.owners = expectations.owners.clone();219		Ok(secret)220	} else {221		Ok(secret)222	}223}224225#[derive(Deserialize)]226#[serde(rename_all = "camelCase")]227enum GeneratorKind {228	Impure,229	Pure,230}231232async fn generate_pure(233	_config: &Config,234	_display_name: &str,235	_secret: Value,236	_default_generator: Value,237	_expectations: &Expectations,238) -> Result<FleetSecretData> {239	bail!("pure generators are broken for now")240}241async fn generate_impure(242	config: &Config,243	_display_name: &str,244	secret: Value,245	default_generator: Value,246	expectations: &Expectations,247) -> Result<FleetSecretData> {248	let generator = nix_go!(secret.generator);249	let on: Option<String> = nix_go_json!(default_generator.impureOn);250251	let nixpkgs = &config.nixpkgs;252253	let host = if let Some(on) = &on {254		config.host(on).await?255	} else {256		config.local_host()257	};258	let on_pkgs = host.pkgs().await?;259	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);260261	let mut recipients = Vec::new();262	for owner in &expectations.owners {263		let key = config.key(owner).await?;264		recipients.push(key);265	}266	let generators = nix_go!(mk_secret_generators(Obj { recipients }));267	let pkgs_and_generators = on_pkgs.attrs_update(generators)?;268269	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));270271	let generator = nix_go!(call_package(generator)(Obj {}));272273	let generator = spawn_blocking(move || generator.build("out"))274		.await275		.expect("nix build shouldn't fail")?;276	let generator = host.remote_derivation(&generator).await?;277278	let out_parent = host.mktemp_dir().await?;279	let out = format!("{out_parent}/out");280281	let mut r#gen = host.cmd(generator).await?;282	r#gen.env("out", &out);283	if on.is_none() {284		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.285		let project_path: String = config286			.directory287			.clone()288			.into_os_string()289			.into_string()290			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;291		r#gen.env("FLEET_PROJECT", project_path);292	}293	r#gen.run().await.context("impure generator")?;294295	{296		let marker = host.read_file_text(format!("{out}/marker")).await?;297		ensure!(marker == "SUCCESS", "generation not succeeded");298	}299300	let mut parts = BTreeMap::new();301	for part in host.read_dir(&out).await? {302		if part == "created_at" || part == "expires_at" || part == "marker" {303			continue;304		}305		let contents: SecretData = host306			.read_file_text(format!("{out}/{part}"))307			.await?308			.parse()309			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;310		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });311	}312313	let created_at = host.read_file_value(format!("{out}/created_at")).await?;314	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();315316	let new_data = FleetSecretData {317		created_at,318		expires_at,319		parts,320		generation_data: expectations.generation_data.clone(),321	};322323	if let Some(reason) = secret_needs_regeneration(&new_data, &expectations.owners, expectations) {324		bail!("newly generated secret needs to be regenerated: {reason}")325	}326327	Ok(new_data)328}329330async fn generate(331	config: &Config,332	display_name: &str,333	secret: Value,334	expectations: &Expectations,335) -> Result<FleetSecretData> {336	let generator = nix_go!(secret.generator);337	// Can't properly check on nix module system level338	{339		let gen_ty = generator.type_of();340		if matches!(gen_ty, NixType::Null) {341			bail!("secret has no generator defined, can't automatically generate it.");342		}343		if matches!(gen_ty, NixType::Attrs) {344			if !generator.has_field("__functor")? {345				bail!("generator should be functor, got {gen_ty:?}");346			}347		} else if matches!(gen_ty, NixType::Function) {348			bail!("generator should be functor, got {gen_ty:?}");349		}350	}351	let nixpkgs = &config.nixpkgs;352	let default_pkgs = &config.default_pkgs;353	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);354	// Generators provide additional information in passthru, to access355	// passthru we should call generator, but information about where this generator is supposed to build356	// is located in passthru... Thus evaluating generator on host.357	//358	// Maybe it is also possible to do some magic with __functor?359	//360	// I don't want to make modules always responsible for additional secret data anyway,361	// so it should be in derivation, and not in the secret data itself.362	let generators = nix_go!(default_mk_secret_generators(Obj {363		recipients: <Vec<String>>::new(),364	}));365	let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;366367	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));368	let default_generator = nix_go!(call_package(generator)(Obj {}));369370	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);371372	match kind {373		GeneratorKind::Impure => {374			generate_impure(375				config,376				display_name,377				secret,378				default_generator,379				expectations,380			)381			.await382		}383		GeneratorKind::Pure => {384			generate_pure(385				config,386				display_name,387				secret,388				default_generator,389				expectations,390			)391			.await392		}393	}394}395async fn generate_shared(396	config: &Config,397	display_name: &str,398	secret: SharedSecretDefinition,399	expectations: &Expectations,400) -> Result<FleetSharedSecret> {401	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);402	Ok(FleetSharedSecret {403		managed: Some(true),404		secret: generate(405			config,406			display_name,407			secret.definition_value(),408			expectations,409		)410		.await?,411		owners: expectations.owners.clone(),412	})413}414415async fn parse_public(416	public: Option<String>,417	public_file: Option<PathBuf>,418) -> Result<Option<SecretData>> {419	Ok(match (public, public_file) {420		(Some(v), None) => Some(SecretData {421			data: v.into(),422			encrypted: false,423		}),424		(None, Some(v)) => Some(SecretData {425			data: read(v).await?,426			encrypted: false,427		}),428		(Some(_), Some(_)) => {429			bail!("only public or public_file should be set")430		}431		(None, None) => None,432	})433}434435async fn parse_secret() -> Result<Option<Vec<u8>>> {436	let mut input = vec![];437	stdin().read_to_end(&mut input)?;438	if input.is_empty() {439		Ok(None)440	} else {441		Ok(Some(input))442	}443}444445fn parse_machines(446	initial: BTreeSet<String>,447	machines: Option<Vec<String>>,448	mut add_machines: Vec<String>,449	mut remove_machines: Vec<String>,450) -> Result<BTreeSet<String>> {451	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {452		bail!("no operation");453	}454455	let initial_machines = initial.clone();456	let mut target_machines = initial;457	info!("Currently encrypted for {initial_machines:?}");458459	if let Some(machines) = machines {460		ensure!(461			add_machines.is_empty() && remove_machines.is_empty(),462			"can't combine --machines and --add-machines/--remove-machines"463		);464		let target = initial_machines.iter().collect::<HashSet<_>>();465		let source = machines.iter().collect::<HashSet<_>>();466		for removed in target.difference(&source) {467			remove_machines.push((*removed).clone());468		}469		for added in source.difference(&target) {470			add_machines.push((*added).clone());471		}472	}473474	for machine in &remove_machines {475		if !target_machines.remove(machine) {476			warn!("secret is not enabled for {machine}");477		}478	}479	for machine in &add_machines {480		if !target_machines.insert(machine.to_owned()) {481			warn!("secret is already added to {machine}");482		}483	}484	if !remove_machines.is_empty() {485		// TODO: maybe force secret regeneration?486		// Not that useful without revokation.487		warn!(488			"secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret"489		);490	}491	Ok(target_machines)492}493impl Secret {494	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {495		match self {496			Secret::AddManager => {497				todo!("part of fleet-pusher")498			}499			Secret::ForceKeys => {500				for host in config.list_hosts().await? {501					if opts.should_skip(&host).await? {502						continue;503					}504					config.key(&host.name).await?;505				}506			}507			Secret::AddShared {508				machines,509				name,510				force,511				public,512				public_part: public_name,513				public_file,514				expires_at,515				re_add,516				part: part_name,517			} => {518				let mut machines: BTreeSet<String> = machines.into_iter().collect();519				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).520521				if let Some(old_shared) = config.shared_secret(&name)? {522					if !force && !re_add {523						bail!("secret already defined");524					};525					if old_shared.managed.unwrap_or(false) {526						bail!("secret is marked as managed, should not be updated manually");527					};528					if re_add {529						// Fixme: use clap to limit this usage530						ensure!(!force, "--force and --readd are not compatible");531						ensure!(532							machines.is_empty(),533							"you can't use machines argument for --readd"534						);535						machines = old_shared.owners;536					}537				} else if re_add {538					bail!("secret doesn't exists");539				};540541				let recipients = config542					.recipients(machines.iter().cloned().collect())543					.await?;544545				let mut parts = BTreeMap::new();546547				let mut input = vec![];548				io::stdin().read_to_end(&mut input)?;549550				if !input.is_empty() {551					let encrypted = encrypt_secret_data(recipients.iter(), input)552						.ok_or_else(|| anyhow!("no recipients provided"))?;553					parts.insert(part_name, FleetSecretPart { raw: encrypted });554				}555556				if let Some(public) = parse_public(public, public_file).await? {557					parts.insert(public_name, FleetSecretPart { raw: public });558				}559560				config.replace_shared(561					name,562					FleetSharedSecret {563						managed: Some(false),564						owners: machines,565						secret: FleetSecretData {566							created_at: Utc::now(),567							expires_at,568							parts,569							generation_data: serde_json::Value::Null,570						},571					},572				);573			}574			Secret::Add {575				machine,576				name,577				replace,578				merge,579				public,580				public_part: public_name,581				public_file,582				part: part_name,583			} => {584				if config.has_secret(&machine, &name) && !replace && !merge {585					bail!(586						"secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret"587					);588				}589590				let mut out = if merge && !replace {591					config592						.host_secret(&machine, &name)593						.context("failed to read existing secret for --merge")?594				} else {595					FleetHostSecret {596						managed: Some(false),597						secret: FleetSecretData {598							created_at: Utc::now(),599							expires_at: None,600							parts: BTreeMap::new(),601							generation_data: serde_json::Value::Null,602						},603					}604				};605				if out.managed.unwrap_or(false) {606					bail!("secret is managed by fleet and should not be updated manually");607				}608				out.managed = Some(false);609610				if let Some(secret) = parse_secret().await? {611					let recipient = config.recipient(&machine).await?;612					let encrypted =613						encrypt_secret_data([&recipient], secret).expect("recipient provided");614					if out615						.secret616						.parts617						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })618						.is_some() && !replace619					{620						bail!(621							"part {part_name:?} is already defined, use --replace if you wish to replace it"622						);623					}624				}625626				if let Some(public) = parse_public(public, public_file).await? {627					if out628						.secret629						.parts630						.insert(public_name.clone(), FleetSecretPart { raw: public })631						.is_some() && !replace632					{633						bail!(634							"part {public_name:?} is already defined, use --replace if you wish to replace it"635						);636					}637				};638639				config.insert_secret(&machine, name, out);640			}641			#[allow(clippy::await_holding_refcell_ref)]642			Secret::Read {643				name,644				machine,645				part: part_name,646			} => {647				let secret = config.host_secret(&machine, &name)?;648				let Some(secret) = secret.secret.parts.get(&part_name) else {649					bail!("no part {part_name} in secret {name}");650				};651				let data = if secret.raw.encrypted {652					let host = config.host(&machine).await?;653					host.decrypt(secret.raw.clone()).await?654				} else {655					secret.raw.data.clone()656				};657658				stdout().write_all(&data)?;659			}660			Secret::ReadShared {661				name,662				part: part_name,663				prefer_identities,664			} => {665				let Some(secret) = config.shared_secret(&name)? else {666					bail!("secret doesn't exists");667				};668				let Some(part) = secret.secret.parts.get(&part_name) else {669					bail!("no part {part_name} in secret {name}");670				};671				let data = if part.raw.encrypted {672					let identity_holder = if !prefer_identities.is_empty() {673						prefer_identities674							.iter()675							.find(|i| secret.owners.iter().any(|s| s == *i))676					} else {677						secret.owners.first()678					};679					let Some(identity_holder) = identity_holder else {680						bail!("no available holder found");681					};682					let host = config.host(identity_holder).await?;683					host.decrypt(part.raw.clone()).await?684				} else {685					part.raw.data.clone()686				};687				stdout().write_all(&data)?;688			}689			Secret::UpdateShared {690				name,691				machine,692				add_machine,693				remove_machine,694				prefer_identities,695			} => {696				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).697698				let Some(secret) = config.shared_secret(&name)? else {699					bail!("secret doesn't exists");700				};701				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {702					bail!("no secret");703				}704705				let initial_machines = secret.owners.clone();706				let target_machines = parse_machines(707					initial_machines.clone(),708					machine,709					add_machine,710					remove_machine,711				)?;712713				if target_machines.is_empty() {714					info!("no machines left for secret, removing it");715					config.remove_shared(&name);716					return Ok(());717				}718719				let definition = config.shared_secret_definition(&name)?;720				let expectations = definition721					.expectations()722					.with_context(|| format!("expectations for shared {name:?}"))?;723724				let updated = maybe_regenerate_shared_secret(725					&name,726					config,727					secret,728					definition,729					&prefer_identities,730					&expectations,731				)732				.await?;733				config.replace_shared(name, updated);734			}735			Secret::Regenerate {736				prefer_identities,737				skip_hosts,738			} => {739				info!("checking for secrets to regenerate");740				let expected_shared_set = config741					.list_configured_shared()742					.await?743					.into_iter()744					.collect::<HashSet<_>>();745				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();746				{747					// Generate missing shared748					let _span = info_span!("shared").entered();749					for missing in expected_shared_set.difference(&stored_shared_set) {750						let definition = config.shared_secret_definition(missing)?;751						if !definition.is_managed()? {752							info!("skipping unmanaged secret: {missing}");753							continue;754						}755						let expectations = definition756							.expectations()757							.with_context(|| format!("expectations for shared {missing:?}"))?;758						info!("generating secret: {missing}");759						let shared = generate_shared(config, missing, definition, &expectations)760							.in_current_span()761							.await?;762						config.replace_shared(missing.to_string(), shared)763					}764				}765				if !skip_hosts {766					for host in config.list_hosts().await? {767						if opts.should_skip(&host).await? {768							continue;769						}770771						let _span = info_span!("host", host = host.name).entered();772						let expected_set = host773							.list_defined_secrets()?774							.into_iter()775							.collect::<HashSet<_>>();776						let stored_set = config777							.list_secrets(&host.name)778							.into_iter()779							.collect::<HashSet<_>>();780						for missing_secret in expected_set.difference(&stored_set) {781							let secret = host.secret_definition(missing_secret)?;782							if secret.is_shared()? {783								continue;784							}785							info!("generating missing secret: {missing_secret}");786							let expectations = secret.expectations().with_context(|| {787								format!("expectations for {missing_secret:?} of {:?}", host.name)788							})?;789							let generated = match generate(790								config,791								missing_secret,792								secret.definition_value()?,793								&expectations,794							)795							.in_current_span()796							.await797							{798								Ok(v) => v,799								Err(e) => {800									error!("{e:?}");801									continue;802								}803							};804							config.insert_secret(805								&host.name,806								missing_secret.to_string(),807								FleetHostSecret {808									managed: Some(true),809									secret: generated,810								},811							)812						}813						for known_secret in stored_set.intersection(&expected_set) {814							let secret = host.secret_definition(known_secret)?;815							if secret.is_shared()? {816								continue;817							}818							info!("updating secret: {known_secret}");819							let data = config.host_secret(&host.name, known_secret)?;820							let expectations = secret.expectations()?;821							if let Some(regen_reason) = data.needs_regeneration(&expectations) {822								info!("needs regeneration: {regen_reason}");823								let generated = match generate(824									config,825									known_secret,826									secret.definition_value()?,827									&expectations,828								)829								.in_current_span()830								.await831								{832									Ok(v) => v,833									Err(e) => {834										error!("{e:?}");835										continue;836									}837								};838								config.insert_secret(839									&host.name,840									known_secret.to_string(),841									FleetHostSecret {842										managed: Some(true),843										secret: generated,844									},845								)846							}847						}848						for removed_secret in stored_set.difference(&expected_set) {849							let definition = host.secret_definition(removed_secret)?;850							if definition.is_shared()? {851								continue;852							}853							info!("removing secret: {removed_secret}");854							config.remove_secret(&host.name, removed_secret);855						}856					}857				}858				for known_secret in stored_shared_set.intersection(&expected_shared_set) {859					info!("updating shared secret: {known_secret}");860					let data = config.shared_secret(known_secret)?.expect("exists");861862					let definition = config.shared_secret_definition(known_secret)?;863					let expectations = definition.expectations()?;864					config.replace_shared(865						known_secret.to_owned(),866						maybe_regenerate_shared_secret(867							known_secret,868							config,869							data,870							definition,871							&prefer_identities,872							&expectations,873						)874						.await?,875					);876				}877				for removed_secret in stored_shared_set.difference(&expected_shared_set) {878					info!("removing shared secret: {removed_secret}");879					config.remove_shared(removed_secret);880				}881			}882			Secret::List {} => {883				let _span = info_span!("loading secrets").entered();884				let configured = config.list_configured_shared().await?;885				#[derive(Tabled)]886				struct SecretDisplay {887					#[tabled(rename = "Name")]888					name: String,889					#[tabled(rename = "Owners")]890					owners: String,891				}892				let mut table = vec![];893				for name in configured.iter().cloned() {894					let config = config.clone();895					let data = config.shared_secret(&name)?.expect("exists");896					let definition = config.shared_secret_definition(&name)?;897					let expectations = definition.expectations()?;898					let owners = data899						.owners900						.iter()901						.map(|o| {902							if expectations.owners.contains(o) {903								o.green().to_string()904							} else {905								o.red().to_string()906							}907						})908						.collect::<Vec<_>>();909					table.push(SecretDisplay {910						owners: owners.join(", "),911						name,912					})913				}914				info!("loaded\n{}", Table::new(table).to_string())915			}916			Secret::Edit {917				name,918				machine,919				part,920				add,921			} => {922				let secret = config.host_secret(&machine, &name)?;923				if let Some(data) = secret.secret.parts.get(&part) {924					let host = config.host(&machine).await?;925					let secret = host.decrypt(data.raw.clone()).await?;926					String::from_utf8(secret).context("secret is not utf8")?927				} else if add {928					String::new()929				} else {930					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");931				};932			}933		}934		Ok(())935	}936}937938/*939async fn edit_temp_file(940	builder: tempfile::Builder<'_, '_>,941	r: Vec<u8>,942	header: &str,943	comment: &str,944) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {945	if !stdin().is_tty() {946		// TODO: Also try to open /dev/tty directly?947		bail!("stdin is not tty, can't open editor");948	}949950	use std::fmt::Write;951	let mut file = builder.tempfile()?;952953	let mut full_header = String::new();954	let mut had = false;955	for line in header.trim_end().lines() {956		had = true;957		writeln!(&mut full_header, "{comment}{line}")?;958	}959	if had {960		writeln!(&mut full_header, "{}", comment.trim_end())?;961	}962	writeln!(963		&mut full_header,964		"{comment}Do not touch this header! It will be removed automatically"965	)?;966967	file.write_all(full_header.as_bytes())?;968	file.write_all(&r)?;969970	let abs_path = file.into_temp_path();971	let editor = std::env::var_os("VISUAL")972		.or_else(|| std::env::var_os("EDITOR"))973		.unwrap_or_else(|| "vi".into());974	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())975		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;976	let editor_args = editor_args977		.into_iter()978		.map(|v| {979			// Only ASCII subsequences are replaced980			unsafe { OsString::from_encoded_bytes_unchecked(v) }981		})982		.collect_vec();983	let Some((editor, args)) = editor_args.split_first() else {984		bail!("EDITOR env var has no command");985	};986	let mut command = Command::new(editor);987	command.args(args);988989	let path_arg = abs_path.canonicalize()?;990991	// TODO: Save full state, using tcget/_getmode/_setmode992	let was_raw = terminal::is_raw_mode_enabled()?;993	terminal::enable_raw_mode()?;994995	let status = command.arg(path_arg).status().await;996997	if !was_raw {998		terminal::disable_raw_mode()?;999	}10001001	let success = match status {1002		Ok(s) => s.success(),1003		Err(e) if e.kind() == io::ErrorKind::NotFound => {1004			bail!("editor not found")1005		}1006		Err(e) => bail!("editor spawn error: {e}"),1007	};10081009	let mut file = std::fs::read(&abs_path).context("read editor output")?;1010	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {1011		todo!();1012	};1013	todo!();10141015	// Ok((success, abs_path))1016}1017*/
modifiedcrates/fleet-base/src/secret.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/secret.rs
+++ b/crates/fleet-base/src/secret.rs
@@ -17,20 +17,37 @@
 pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
 impl HostSecretDefinition {
 	pub fn is_managed(&self) -> Result<bool> {
-		let value = &self.1;
-		Ok(!nix_go!(value.generator).is_null())
+		let def = self.definition_value()?;
+		Ok(!nix_go!(def.generator).is_null())
 	}
+	pub fn is_shared(&self) -> Result<bool> {
+		let def = self.definition_value()?;
+		Ok(nix_go_json!(def.shared))
+	}
 	pub fn expectations(&self) -> Result<Expectations> {
-		let value = &self.1;
+		let def = self.definition_value()?;
+		let parts = nix_go!(def.parts);
+
+		let mut public_parts = BTreeSet::new();
+		let mut private_parts = BTreeSet::new();
+		for part in parts.list_fields()? {
+			if nix_go_json!(parts[&part].encrypted) {
+				private_parts.insert(part.clone());
+			} else {
+				public_parts.insert(part.clone());
+			}
+		}
+
 		Ok(Expectations {
 			owners: BTreeSet::from([self.0.clone()]),
-			generation_data: nix_go_json!(value.expectedGenerationData),
-			public_parts: nix_go_json!(value.expectedPublicParts),
-			private_parts: nix_go_json!(value.expectedPrivateParts),
+			generation_data: nix_go_json!(def.expectedGenerationData),
+			public_parts,
+			private_parts,
 		})
 	}
-	pub fn inner(&self) -> Value {
-		self.1.clone()
+	pub fn definition_value(&self) -> Result<Value> {
+		let value = &self.1;
+		Ok(nix_go!(value.definition))
 	}
 }
 
@@ -49,7 +66,7 @@
 			private_parts: nix_go_json!(value.expectedPrivateParts),
 		})
 	}
-	pub fn inner(&self) -> Value {
+	pub fn definition_value(&self) -> Value {
 		self.0.clone()
 	}
 }
modifiedlib/default.nixdiffbeforeafterboth
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -57,215 +57,191 @@
 
   inherit (modules) mkFleetDefault mkFleetGeneratorDefault;
 
-  secrets =
-    let
-      describedGenerator =
-        generator: {parts ? {}}:
-        {parts = {};}
-        // {
-          __functionArgs = functionArgs generator;
-          __functor = _: generator;
-        };
-    in
-    {
-      inherit describedGenerator;
+  secrets = {
 
-      /**
-        Generate a random secret password, 32 ascii characters by default
+    /**
+      Generate a random secret password, 32 ascii characters by default
 
-        Options:
-          size: generated password length in ascii characters (bytes).
-          noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might
-                     not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].
+      Options:
+        size: generated password length in ascii characters (bytes).
+        noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might
+                   not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].
 
-        Output:
-          Resulting secret has only part: secret, which contains encrypted password.
-      */
-      mkPassword =
+      Output:
+        Resulting secret has only part: secret, which contains encrypted password.
+    */
+    mkPassword =
+      {
+        size ? 32,
+      }:
+      (
         {
-          size ? 32,
+          coreutils,
+          mkSecretGenerator,
         }:
-        describedGenerator
-          (
-            {
-              coreutils,
-              mkSecretGenerator,
-            }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate password -o $out/secret --size ${toString size}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-          };
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate password -o $out/secret --size ${toString size}
+          '';
+          parts.secret.encrypted = true;
+        }
+      );
 
-      /**
-        Generate a random ed25519 keypair
+    /**
+      Generate a random ed25519 keypair
 
-        Options:
-          noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)
-                         When noEmbedPublis is enabled - only the private scalar is included.
-          encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
+      Options:
+        noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)
+                       When noEmbedPublis is enabled - only the private scalar is included.
+        encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
+
+      This secret format is used by e.g Garage S3 server
+    */
+    mkEd25519 =
+      {
+        noEmbedPublic ? false,
+        encoding ? null,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate ed25519 -p $out/public -s $out/secret \
+              ${optionalString noEmbedPublic "--no-embed-public"} \
+              ${optionalString (encoding != null) "--encoding=${encoding}"}
+          '';
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-        This secret format is used by e.g Garage S3 server
-      */
-      mkEd25519 =
-        {
-          noEmbedPublic ? false,
-          encoding ? null,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate ed25519 -p $out/public -s $out/secret \
-                  ${optionalString noEmbedPublic "--no-embed-public"} \
-                  ${optionalString (encoding != null) "--encoding=${encoding}"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+    /**
+      Generate a random x25519 keypair
 
-      /**
-        Generate a random x25519 keypair
+      Options:
+        encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
-        Options:
-          encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
+      This secret format is used by e.g Wireguard VPN for peers (base64-encoded)
+    */
+    mkX25519 =
+      {
+        encoding ? null,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate x25519 -p $out/public -s $out/secret \
+              ${optionalString (encoding != null) "--encoding=${encoding}"}
+          '';
 
-        This secret format is used by e.g Wireguard VPN for peers (base64-encoded)
-      */
-      mkX25519 =
-        {
-          encoding ? null,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate x25519 -p $out/public -s $out/secret \
-                  ${optionalString (encoding != null) "--encoding=${encoding}"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-      /**
-        Generate a random RSA keypair
+    /**
+      Generate a random RSA keypair
 
-        Options:
-          size: RSA key size, 4096 by default
+      Options:
+        size: RSA key size, 4096 by default
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
-          Both parts are PEM encoded.
-      */
-      mkRsa =
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
+        Both parts are PEM encoded.
+    */
+    mkRsa =
+      {
+        size ? 4096,
+      }:
+      (
         {
-          size ? 4096,
+          openssl,
+          mkSecretGenerator,
         }:
-        describedGenerator
-          (
-            {
-              openssl,
-              mkSecretGenerator,
-            }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+
+            ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
+            ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key
 
-                ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
-                ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key
+            cat rsa_private.key | gh private -o $out/secret
+            cat rsa_public.key | gh public -o $out/public
+          '';
 
-                cat rsa_private.key | gh private -o $out/secret
-                cat rsa_public.key | gh public -o $out/public
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-      /**
-        Generate a random byte sequence
+    /**
+      Generate a random byte sequence
 
-        Options:
-          size: generated password length in bytes, 32 by default.
-          encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"
-          noNuls: prevent output byte sequence from containing internal \0, useful for some C applications
-                  that can't handle their strings properly.
+      Options:
+        size: generated password length in bytes, 32 by default.
+        encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"
+        noNuls: prevent output byte sequence from containing internal \0, useful for some C applications
+                that can't handle their strings properly.
 
-        Output:
-          Resulting secret has only part: secret, which contains encrypted bytes.
+      Output:
+        Resulting secret has only part: secret, which contains encrypted bytes.
 
-        Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)
-      */
-      mkBytes =
-        {
-          count ? 32,
-          encoding,
-          noNuls ? false,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
-                  ${optionalString noNuls "--no-nuls"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-          };
-      /**
-        Shorthand for `mkBytes`, which defaults to "hex" encoding
-      */
-      mkHexBytes =
-        {
-          count ? 32,
-        }:
-        mkBytes {
-          inherit count;
-          encoding = "hex";
-        };
-      /**
-        Shorthand for `mkBytes`, which defaults to "base64" encoding
-      */
-      mkBase64Bytes =
-        {
-          count ? 32,
-        }:
-        mkBytes {
-          inherit count;
-          encoding = "base64";
-        };
+      Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)
+    */
+    mkBytes =
+      {
+        count ? 32,
+        encoding,
+        noNuls ? false,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
+              ${optionalString noNuls "--no-nuls"}
+          '';
+          parts.secret.encrypted = true;
+        }
+      );
+    /**
+      Shorthand for `mkBytes`, which defaults to "hex" encoding
+    */
+    mkHexBytes =
+      {
+        count ? 32,
+      }:
+      mkBytes {
+        inherit count;
+        encoding = "hex";
+      };
+    /**
+      Shorthand for `mkBytes`, which defaults to "base64" encoding
+    */
+    mkBase64Bytes =
+      {
+        count ? 32,
+      }:
+      mkBytes {
+        inherit count;
+        encoding = "base64";
+      };
 
-      # Wireguard
-      # mkWireguard = {}: mkX25519 {encoding = "base64";};
-      # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
-    };
+    # Wireguard
+    # mkWireguard = {}: mkX25519 {encoding = "base64";};
+    # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
+  };
 
   inherit (secrets)
     mkPassword
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -105,10 +105,14 @@
     in
     {
       options = {
+        shared = mkOption {
+          type = bool;
+          description = "Was this secret propagated from a shared secret?";
+        };
         parts = mkOption {
           type = lazyAttrsOf (secretPartType secretName);
           description = "Definition of secret parts";
-          default = {};
+          default = { };
         };
         generator = mkOption {
           type = uniq (nullOr (functionTo package));
@@ -137,24 +141,39 @@
           default = null;
         };
       };
-      config.parts = mkMerge [
-        (mkIf (config.generator != null && config.generator ? parts) config.generator.parts)
-        (mapAttrs (_: _: {}) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) ["shared" "managed"]))
-      ];
+      config = {
+        shared = (sysConfig.data.secrets.${secretName} or { shared = false; }).shared;
+        parts = mkMerge [
+          (mkIf (config.generator != null)
+            (
+              # Get fake derivation body, in future it should be implemented the same way as in Rust.
+              lib.callPackageWith (
+                pkgs
+                // {
+                  mkSecretGenerator = pkgs.stdenv.mkDerivation;
+                  mkImpureSecretGenerator = pkgs.stdenv.mkDerivation;
+                }
+              ) config.generator { }
+            ).parts
+          )
+          (mapAttrs (_: _: { }) (
+            removeAttrs (sysConfig.data.secrets.${secretName} or { }) [
+              "shared"
+              "managed"
+            ]
+          ))
+        ];
+      };
     }
   );
   processPart = secretName: partName: part: {
     inherit (part) path stablePath;
     raw = config.data.secrets.${secretName}.${partName}.raw;
   };
-  processSecret =
-    secretName: secret:
-    {
-      inherit (secret.definition) group mode owner;
-      parts = (mapAttrs (processPart secretName) (
-        secret.definition.parts
-      ));
-    };
+  processSecret = secretName: secret: {
+    inherit (secret.definition) group mode owner;
+    parts = (mapAttrs (processPart secretName) (secret.definition.parts));
+  };
   secretsData = (mapAttrs (processSecret) config.secrets);
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
@@ -174,7 +193,7 @@
     secrets = mkOption {
       type = attrsOf secretType;
       default = { };
-      apply = v: (mapAttrs (_: secret: secret.parts // {definition = secret;}) v);
+      apply = v: (mapAttrs (_: secret: secret.parts // { definition = secret; }) v);
       description = "Host-local secrets";
     };
     system.secretsData = mkOption {
modifiedmodules/secrets.nixdiffbeforeafterboth
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -124,6 +124,7 @@
                 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD
                 # (Some secrets-encryption-in-git/managed PKI solution is expected)
                 impureOn ? null,
+                parts,
               }:
               (prev.writeShellScript "impureGenerator.sh" ''
                 #!/bin/sh
@@ -151,12 +152,12 @@
               '').overrideAttrs
                 (old: {
                   passthru = {
-                    inherit impureOn;
+                    inherit impureOn parts;
                     generatorKind = "impure";
                   };
                 });
             # Pure generators are disabled for now
-            mkSecretGenerator = { script }: mkImpureSecretGenerator { inherit script; };
+            mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };
 
             # TODO: Implement consistent naming
             # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...