git.delta.rocks / jrsonnet / refs/commits / d8f3e18873ec

158	expectations: &Expectations,158	expectations: &Expectations,
159) -> Result<FleetSharedSecret> {159) -> Result<FleetSharedSecret> {
160	let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);160	let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);
161	let value = definition.inner();161	let value = definition.definition_value();
162162
163	let (should_reencrypt, reason) = match reason {163	let (should_reencrypt, reason) = match reason {
164		Some(RegenerationReason::OwnersAdded(_)) => {164		Some(RegenerationReason::OwnersAdded(_)) => {
401	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);401	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);
402	Ok(FleetSharedSecret {402	Ok(FleetSharedSecret {
403		managed: Some(true),403		managed: Some(true),
404		secret: generate(config, display_name, secret.inner(), expectations).await?,404		secret: generate(
405			config,
406			display_name,
407			secret.definition_value(),
408			expectations,
409		)
410		.await?,
713				let definition = config.shared_secret_definition(&name)?;719				let definition = config.shared_secret_definition(&name)?;
714				let expectations = definition.expectations()?;720				let expectations = definition
721					.expectations()
722					.with_context(|| format!("expectations for shared {name:?}"))?;
715723
716				let updated = maybe_regenerate_shared_secret(724				let updated = maybe_regenerate_shared_secret(
717					&name,725					&name,
746						}754						}
747						let expectations = definition.expectations()?;755						let expectations = definition
756							.expectations()
757							.with_context(|| format!("expectations for shared {missing:?}"))?;
748						info!("generating secret: {missing}");758						info!("generating secret: {missing}");
749						let shared = generate_shared(config, missing, definition, &expectations)759						let shared = generate_shared(config, missing, definition, &expectations)
750							.in_current_span()760							.in_current_span()
768							.into_iter()778							.into_iter()
769							.collect::<HashSet<_>>();779							.collect::<HashSet<_>>();
770						for missing_secret in expected_set.difference(&stored_set) {780						for missing_secret in expected_set.difference(&stored_set) {
771							info!("generating missing secret: {missing_secret}");
772							let definition = host.secret_definition(missing_secret)?;781							let secret = host.secret_definition(missing_secret)?;
782							if secret.is_shared()? {
783								continue;
784							}
785							info!("generating missing secret: {missing_secret}");
773							let expectations = definition.expectations()?;786							let expectations = secret.expectations().with_context(|| {
787								format!("expectations for {missing_secret:?} of {:?}", host.name)
788							})?;
774							let generated = match generate(789							let generated = match generate(
775								config,790								config,
776								missing_secret,791								missing_secret,
777								definition.inner(),792								secret.definition_value()?,
778								&expectations,793								&expectations,
779							)794							)
780							.in_current_span()795							.in_current_span()
796							)811							)
797						}812						}
798						for known_secret in stored_set.intersection(&expected_set) {813						for known_secret in stored_set.intersection(&expected_set) {
814							let secret = host.secret_definition(known_secret)?;
815							if secret.is_shared()? {
816								continue;
817							}
799							info!("updating secret: {known_secret}");818							info!("updating secret: {known_secret}");
800							let data = config.host_secret(&host.name, known_secret)?;819							let data = config.host_secret(&host.name, known_secret)?;
801							let definition = host.secret_definition(known_secret)?;
802							let expectations = definition.expectations()?;820							let expectations = secret.expectations()?;
803							if let Some(regen_reason) = data.needs_regeneration(&expectations) {821							if let Some(regen_reason) = data.needs_regeneration(&expectations) {
804								info!("needs regeneration: {regen_reason}");822								info!("needs regeneration: {regen_reason}");
805								let generated = match generate(823								let generated = match generate(
806									config,824									config,
807									known_secret,825									known_secret,
808									definition.inner(),826									secret.definition_value()?,
809									&expectations,827									&expectations,
810								)828								)
811								.in_current_span()829								.in_current_span()
828							}846							}
829						}847						}
830						for removed_secret in stored_set.difference(&expected_set) {848						for removed_secret in stored_set.difference(&expected_set) {
849							let definition = host.secret_definition(removed_secret)?;
850							if definition.is_shared()? {
851								continue;
852							}
831							info!("removing secret: {removed_secret}");853							info!("removing secret: {removed_secret}");
832							config.remove_secret(&host.name, removed_secret);854							config.remove_secret(&host.name, removed_secret);
833						}855						}

--- a/crates/fleet-base/src/secret.rs
+++ b/crates/fleet-base/src/secret.rs
@@ -17,20 +17,37 @@
 pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
 impl HostSecretDefinition {
 	pub fn is_managed(&self) -> Result<bool> {
-		let value = &self.1;
-		Ok(!nix_go!(value.generator).is_null())
+		let def = self.definition_value()?;
+		Ok(!nix_go!(def.generator).is_null())
 	}
+	pub fn is_shared(&self) -> Result<bool> {
+		let def = self.definition_value()?;
+		Ok(nix_go_json!(def.shared))
+	}
 	pub fn expectations(&self) -> Result<Expectations> {
-		let value = &self.1;
+		let def = self.definition_value()?;
+		let parts = nix_go!(def.parts);
+
+		let mut public_parts = BTreeSet::new();
+		let mut private_parts = BTreeSet::new();
+		for part in parts.list_fields()? {
+			if nix_go_json!(parts[&part].encrypted) {
+				private_parts.insert(part.clone());
+			} else {
+				public_parts.insert(part.clone());
+			}
+		}
+
 		Ok(Expectations {
 			owners: BTreeSet::from([self.0.clone()]),
-			generation_data: nix_go_json!(value.expectedGenerationData),
-			public_parts: nix_go_json!(value.expectedPublicParts),
-			private_parts: nix_go_json!(value.expectedPrivateParts),
+			generation_data: nix_go_json!(def.expectedGenerationData),
+			public_parts,
+			private_parts,
 		})
 	}
-	pub fn inner(&self) -> Value {
-		self.1.clone()
+	pub fn definition_value(&self) -> Result<Value> {
+		let value = &self.1;
+		Ok(nix_go!(value.definition))
 	}
 }
 
@@ -49,7 +66,7 @@
 			private_parts: nix_go_json!(value.expectedPrivateParts),
 		})
 	}
-	pub fn inner(&self) -> Value {
+	pub fn definition_value(&self) -> Value {
 		self.0.clone()
 	}
 }

--- a/lib/default.nix
+++ b/lib/default.nix
@@ -57,215 +57,191 @@
 
   inherit (modules) mkFleetDefault mkFleetGeneratorDefault;
 
-  secrets =
-    let
-      describedGenerator =
-        generator: {parts ? {}}:
-        {parts = {};}
-        // {
-          __functionArgs = functionArgs generator;
-          __functor = _: generator;
-        };
-    in
-    {
-      inherit describedGenerator;
+  secrets = {
 
-      /**
-        Generate a random secret password, 32 ascii characters by default
+    /**
+      Generate a random secret password, 32 ascii characters by default
 
-        Options:
-          size: generated password length in ascii characters (bytes).
-          noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might
-                     not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].
+      Options:
+        size: generated password length in ascii characters (bytes).
+        noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might
+                   not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].
 
-        Output:
-          Resulting secret has only part: secret, which contains encrypted password.
-      */
-      mkPassword =
+      Output:
+        Resulting secret has only part: secret, which contains encrypted password.
+    */
+    mkPassword =
+      {
+        size ? 32,
+      }:
+      (
         {
-          size ? 32,
+          coreutils,
+          mkSecretGenerator,
         }:
-        describedGenerator
-          (
-            {
-              coreutils,
-              mkSecretGenerator,
-            }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate password -o $out/secret --size ${toString size}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-          };
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate password -o $out/secret --size ${toString size}
+          '';
+          parts.secret.encrypted = true;
+        }
+      );
 
-      /**
-        Generate a random ed25519 keypair
+    /**
+      Generate a random ed25519 keypair
 
-        Options:
-          noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)
-                         When noEmbedPublis is enabled - only the private scalar is included.
-          encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
+      Options:
+        noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)
+                       When noEmbedPublis is enabled - only the private scalar is included.
+        encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
+
+      This secret format is used by e.g Garage S3 server
+    */
+    mkEd25519 =
+      {
+        noEmbedPublic ? false,
+        encoding ? null,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate ed25519 -p $out/public -s $out/secret \
+              ${optionalString noEmbedPublic "--no-embed-public"} \
+              ${optionalString (encoding != null) "--encoding=${encoding}"}
+          '';
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-        This secret format is used by e.g Garage S3 server
-      */
-      mkEd25519 =
-        {
-          noEmbedPublic ? false,
-          encoding ? null,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate ed25519 -p $out/public -s $out/secret \
-                  ${optionalString noEmbedPublic "--no-embed-public"} \
-                  ${optionalString (encoding != null) "--encoding=${encoding}"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+    /**
+      Generate a random x25519 keypair
 
-      /**
-        Generate a random x25519 keypair
+      Options:
+        encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
-        Options:
-          encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
+      This secret format is used by e.g Wireguard VPN for peers (base64-encoded)
+    */
+    mkX25519 =
+      {
+        encoding ? null,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate x25519 -p $out/public -s $out/secret \
+              ${optionalString (encoding != null) "--encoding=${encoding}"}
+          '';
 
-        This secret format is used by e.g Wireguard VPN for peers (base64-encoded)
-      */
-      mkX25519 =
-        {
-          encoding ? null,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate x25519 -p $out/public -s $out/secret \
-                  ${optionalString (encoding != null) "--encoding=${encoding}"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-      /**
-        Generate a random RSA keypair
+    /**
+      Generate a random RSA keypair
 
-        Options:
-          size: RSA key size, 4096 by default
+      Options:
+        size: RSA key size, 4096 by default
 
-        Output:
-          Resulting secret has two parts: public and secret, where the secret part is encrypted.
-          Both parts are PEM encoded.
-      */
-      mkRsa =
+      Output:
+        Resulting secret has two parts: public and secret, where the secret part is encrypted.
+        Both parts are PEM encoded.
+    */
+    mkRsa =
+      {
+        size ? 4096,
+      }:
+      (
         {
-          size ? 4096,
+          openssl,
+          mkSecretGenerator,
         }:
-        describedGenerator
-          (
-            {
-              openssl,
-              mkSecretGenerator,
-            }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+
+            ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
+            ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key
 
-                ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
-                ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key
+            cat rsa_private.key | gh private -o $out/secret
+            cat rsa_public.key | gh public -o $out/public
+          '';
 
-                cat rsa_private.key | gh private -o $out/secret
-                cat rsa_public.key | gh public -o $out/public
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-            parts.public.encrypted = false;
-          };
+          parts.secret.encrypted = true;
+          parts.public.encrypted = false;
+        }
+      );
 
-      /**
-        Generate a random byte sequence
+    /**
+      Generate a random byte sequence
 
-        Options:
-          size: generated password length in bytes, 32 by default.
-          encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"
-          noNuls: prevent output byte sequence from containing internal \0, useful for some C applications
-                  that can't handle their strings properly.
+      Options:
+        size: generated password length in bytes, 32 by default.
+        encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"
+        noNuls: prevent output byte sequence from containing internal \0, useful for some C applications
+                that can't handle their strings properly.
 
-        Output:
-          Resulting secret has only part: secret, which contains encrypted bytes.
+      Output:
+        Resulting secret has only part: secret, which contains encrypted bytes.
 
-        Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)
-      */
-      mkBytes =
-        {
-          count ? 32,
-          encoding,
-          noNuls ? false,
-        }:
-        describedGenerator
-          (
-            { mkSecretGenerator }:
-            mkSecretGenerator {
-              script = ''
-                mkdir $out
-                gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
-                  ${optionalString noNuls "--no-nuls"}
-              '';
-            }
-          )
-          {
-            parts.secret.encrypted = true;
-          };
-      /**
-        Shorthand for `mkBytes`, which defaults to "hex" encoding
-      */
-      mkHexBytes =
-        {
-          count ? 32,
-        }:
-        mkBytes {
-          inherit count;
-          encoding = "hex";
-        };
-      /**
-        Shorthand for `mkBytes`, which defaults to "base64" encoding
-      */
-      mkBase64Bytes =
-        {
-          count ? 32,
-        }:
-        mkBytes {
-          inherit count;
-          encoding = "base64";
-        };
+      Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)
+    */
+    mkBytes =
+      {
+        count ? 32,
+        encoding,
+        noNuls ? false,
+      }:
+      (
+        { mkSecretGenerator }:
+        mkSecretGenerator {
+          script = ''
+            mkdir $out
+            gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
+              ${optionalString noNuls "--no-nuls"}
+          '';
+          parts.secret.encrypted = true;
+        }
+      );
+    /**
+      Shorthand for `mkBytes`, which defaults to "hex" encoding
+    */
+    mkHexBytes =
+      {
+        count ? 32,
+      }:
+      mkBytes {
+        inherit count;
+        encoding = "hex";
+      };
+    /**
+      Shorthand for `mkBytes`, which defaults to "base64" encoding
+    */
+    mkBase64Bytes =
+      {
+        count ? 32,
+      }:
+      mkBytes {
+        inherit count;
+        encoding = "base64";
+      };
 
-      # Wireguard
-      # mkWireguard = {}: mkX25519 {encoding = "base64";};
-      # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
-    };
+    # Wireguard
+    # mkWireguard = {}: mkX25519 {encoding = "base64";};
+    # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
+  };
 
   inherit (secrets)
     mkPassword

--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -105,10 +105,14 @@
     in
     {
       options = {
+        shared = mkOption {
+          type = bool;
+          description = "Was this secret propagated from a shared secret?";
+        };
         parts = mkOption {
           type = lazyAttrsOf (secretPartType secretName);
           description = "Definition of secret parts";
-          default = {};
+          default = { };
         };
         generator = mkOption {
           type = uniq (nullOr (functionTo package));
@@ -137,24 +141,39 @@
           default = null;
         };
       };
-      config.parts = mkMerge [
-        (mkIf (config.generator != null && config.generator ? parts) config.generator.parts)
-        (mapAttrs (_: _: {}) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) ["shared" "managed"]))
-      ];
+      config = {
+        shared = (sysConfig.data.secrets.${secretName} or { shared = false; }).shared;
+        parts = mkMerge [
+          (mkIf (config.generator != null)
+            (
+              # Get fake derivation body, in future it should be implemented the same way as in Rust.
+              lib.callPackageWith (
+                pkgs
+                // {
+                  mkSecretGenerator = pkgs.stdenv.mkDerivation;
+                  mkImpureSecretGenerator = pkgs.stdenv.mkDerivation;
+                }
+              ) config.generator { }
+            ).parts
+          )
+          (mapAttrs (_: _: { }) (
+            removeAttrs (sysConfig.data.secrets.${secretName} or { }) [
+              "shared"
+              "managed"
+            ]
+          ))
+        ];
+      };
     }
   );
   processPart = secretName: partName: part: {
     inherit (part) path stablePath;
     raw = config.data.secrets.${secretName}.${partName}.raw;
   };
-  processSecret =
-    secretName: secret:
-    {
-      inherit (secret.definition) group mode owner;
-      parts = (mapAttrs (processPart secretName) (
-        secret.definition.parts
-      ));
-    };
+  processSecret = secretName: secret: {
+    inherit (secret.definition) group mode owner;
+    parts = (mapAttrs (processPart secretName) (secret.definition.parts));
+  };
   secretsData = (mapAttrs (processSecret) config.secrets);
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
@@ -174,7 +193,7 @@
     secrets = mkOption {
       type = attrsOf secretType;
       default = { };
-      apply = v: (mapAttrs (_: secret: secret.parts // {definition = secret;}) v);
+      apply = v: (mapAttrs (_: secret: secret.parts // { definition = secret; }) v);
       description = "Host-local secrets";
     };
     system.secretsData = mkOption {

--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -124,6 +124,7 @@
                 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD
                 # (Some secrets-encryption-in-git/managed PKI solution is expected)
                 impureOn ? null,
+                parts,
               }:
               (prev.writeShellScript "impureGenerator.sh" ''
                 #!/bin/sh
@@ -151,12 +152,12 @@
               '').overrideAttrs
                 (old: {
                   passthru = {
-                    inherit impureOn;
+                    inherit impureOn parts;
                     generatorKind = "impure";
                   };
                 });
             # Pure generators are disabled for now
-            mkSecretGenerator = { script }: mkImpureSecretGenerator { inherit script; };
+            mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };
 
             # TODO: Implement consistent naming
             # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...