difftreelog
refactor move parts to secret generator derivation
in: trunk
5 files changed
cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -158,7 +158,7 @@
expectations: &Expectations,
) -> Result<FleetSharedSecret> {
let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);
- let value = definition.inner();
+ let value = definition.definition_value();
let (should_reencrypt, reason) = match reason {
Some(RegenerationReason::OwnersAdded(_)) => {
@@ -401,7 +401,13 @@
// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);
Ok(FleetSharedSecret {
managed: Some(true),
- secret: generate(config, display_name, secret.inner(), expectations).await?,
+ secret: generate(
+ config,
+ display_name,
+ secret.definition_value(),
+ expectations,
+ )
+ .await?,
owners: expectations.owners.clone(),
})
}
@@ -711,7 +717,9 @@
}
let definition = config.shared_secret_definition(&name)?;
- let expectations = definition.expectations()?;
+ let expectations = definition
+ .expectations()
+ .with_context(|| format!("expectations for shared {name:?}"))?;
let updated = maybe_regenerate_shared_secret(
&name,
@@ -744,7 +752,9 @@
info!("skipping unmanaged secret: {missing}");
continue;
}
- let expectations = definition.expectations()?;
+ let expectations = definition
+ .expectations()
+ .with_context(|| format!("expectations for shared {missing:?}"))?;
info!("generating secret: {missing}");
let shared = generate_shared(config, missing, definition, &expectations)
.in_current_span()
@@ -768,13 +778,18 @@
.into_iter()
.collect::<HashSet<_>>();
for missing_secret in expected_set.difference(&stored_set) {
+ let secret = host.secret_definition(missing_secret)?;
+ if secret.is_shared()? {
+ continue;
+ }
info!("generating missing secret: {missing_secret}");
- let definition = host.secret_definition(missing_secret)?;
- let expectations = definition.expectations()?;
+ let expectations = secret.expectations().with_context(|| {
+ format!("expectations for {missing_secret:?} of {:?}", host.name)
+ })?;
let generated = match generate(
config,
missing_secret,
- definition.inner(),
+ secret.definition_value()?,
&expectations,
)
.in_current_span()
@@ -796,16 +811,19 @@
)
}
for known_secret in stored_set.intersection(&expected_set) {
+ let secret = host.secret_definition(known_secret)?;
+ if secret.is_shared()? {
+ continue;
+ }
info!("updating secret: {known_secret}");
let data = config.host_secret(&host.name, known_secret)?;
- let definition = host.secret_definition(known_secret)?;
- let expectations = definition.expectations()?;
+ let expectations = secret.expectations()?;
if let Some(regen_reason) = data.needs_regeneration(&expectations) {
info!("needs regeneration: {regen_reason}");
let generated = match generate(
config,
known_secret,
- definition.inner(),
+ secret.definition_value()?,
&expectations,
)
.in_current_span()
@@ -828,6 +846,10 @@
}
}
for removed_secret in stored_set.difference(&expected_set) {
+ let definition = host.secret_definition(removed_secret)?;
+ if definition.is_shared()? {
+ continue;
+ }
info!("removing secret: {removed_secret}");
config.remove_secret(&host.name, removed_secret);
}
crates/fleet-base/src/secret.rsdiffbeforeafterboth--- a/crates/fleet-base/src/secret.rs
+++ b/crates/fleet-base/src/secret.rs
@@ -17,20 +17,37 @@
pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
impl HostSecretDefinition {
pub fn is_managed(&self) -> Result<bool> {
- let value = &self.1;
- Ok(!nix_go!(value.generator).is_null())
+ let def = self.definition_value()?;
+ Ok(!nix_go!(def.generator).is_null())
}
+ pub fn is_shared(&self) -> Result<bool> {
+ let def = self.definition_value()?;
+ Ok(nix_go_json!(def.shared))
+ }
pub fn expectations(&self) -> Result<Expectations> {
- let value = &self.1;
+ let def = self.definition_value()?;
+ let parts = nix_go!(def.parts);
+
+ let mut public_parts = BTreeSet::new();
+ let mut private_parts = BTreeSet::new();
+ for part in parts.list_fields()? {
+ if nix_go_json!(parts[&part].encrypted) {
+ private_parts.insert(part.clone());
+ } else {
+ public_parts.insert(part.clone());
+ }
+ }
+
Ok(Expectations {
owners: BTreeSet::from([self.0.clone()]),
- generation_data: nix_go_json!(value.expectedGenerationData),
- public_parts: nix_go_json!(value.expectedPublicParts),
- private_parts: nix_go_json!(value.expectedPrivateParts),
+ generation_data: nix_go_json!(def.expectedGenerationData),
+ public_parts,
+ private_parts,
})
}
- pub fn inner(&self) -> Value {
- self.1.clone()
+ pub fn definition_value(&self) -> Result<Value> {
+ let value = &self.1;
+ Ok(nix_go!(value.definition))
}
}
@@ -49,7 +66,7 @@
private_parts: nix_go_json!(value.expectedPrivateParts),
})
}
- pub fn inner(&self) -> Value {
+ pub fn definition_value(&self) -> Value {
self.0.clone()
}
}
lib/default.nixdiffbeforeafterboth58 inherit (modules) mkFleetDefault mkFleetGeneratorDefault;58 inherit (modules) mkFleetDefault mkFleetGeneratorDefault;595960 secrets =60 secrets = {61 let62 describedGenerator =63 generator: {parts ? {}}:64 {parts = {};}65 // {66 __functionArgs = functionArgs generator;67 __functor = _: generator;68 };69 in70 {71 inherit describedGenerator;726173 /**62 /**74 Generate a random secret password, 32 ascii characters by default63 Generate a random secret password, 32 ascii characters by default85 {74 {86 size ? 32,75 size ? 32,87 }:76 }:88 describedGenerator89 (77 (90 {78 {91 coreutils,79 coreutils,92 mkSecretGenerator,80 mkSecretGenerator,93 }:81 }:94 mkSecretGenerator {82 mkSecretGenerator {95 script = ''83 script = ''96 mkdir $out84 mkdir $out97 gh generate password -o $out/secret --size ${toString size}85 gh generate password -o $out/secret --size ${toString size}98 '';86 '';87 parts.secret.encrypted = true;99 }88 }100 )89 );101 {102 parts.secret.encrypted = true;103 };10490105 /**91 /**106 Generate a random ed25519 keypair92 Generate a random ed25519 keypair120 noEmbedPublic ? false,106 noEmbedPublic ? false,121 encoding ? null,107 encoding ? null,122 }:108 }:123 describedGenerator124 (109 (125 { mkSecretGenerator }:110 { mkSecretGenerator }:126 mkSecretGenerator {127 script = ''128 mkdir $out129 gh generate ed25519 -p $out/public -s $out/secret \130 ${optionalString noEmbedPublic "--no-embed-public"} \131 ${optionalString (encoding != null) "--encoding=${encoding}"}132 '';133 }134 )135 {111 mkSecretGenerator {112 script = ''113 mkdir $out114 gh generate ed25519 -p $out/public -s $out/secret \115 ${optionalString noEmbedPublic "--no-embed-public"} \116 ${optionalString (encoding != null) "--encoding=${encoding}"}117 '';136 parts.secret.encrypted = true;118 parts.secret.encrypted = true;137 parts.public.encrypted = false;119 parts.public.encrypted = false;138 };120 }121 );139122140 /**123 /**141 Generate a random x25519 keypair124 Generate a random x25519 keypair152 {135 {153 encoding ? null,136 encoding ? null,154 }:137 }:155 describedGenerator156 (138 (157 { mkSecretGenerator }:139 { mkSecretGenerator }:158 mkSecretGenerator {159 script = ''160 mkdir $out161 gh generate x25519 -p $out/public -s $out/secret \162 ${optionalString (encoding != null) "--encoding=${encoding}"}163 '';164 }165 )166 {140 mkSecretGenerator {141 script = ''142 mkdir $out143 gh generate x25519 -p $out/public -s $out/secret \144 ${optionalString (encoding != null) "--encoding=${encoding}"}145 '';146167 parts.secret.encrypted = true;147 parts.secret.encrypted = true;168 parts.public.encrypted = false;148 parts.public.encrypted = false;169 };149 }150 );170151171 /**152 /**172 Generate a random RSA keypair153 Generate a random RSA keypair182 {163 {183 size ? 4096,164 size ? 4096,184 }:165 }:185 describedGenerator186 (166 (187 {167 {188 openssl,168 openssl,189 mkSecretGenerator,169 mkSecretGenerator,190 }:170 }:191 mkSecretGenerator {192 script = ''193 mkdir $out194195 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}196 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key197198 cat rsa_private.key | gh private -o $out/secret199 cat rsa_public.key | gh public -o $out/public200 '';201 }202 )203 {171 mkSecretGenerator {172 script = ''173 mkdir $out174175 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}176 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key177178 cat rsa_private.key | gh private -o $out/secret179 cat rsa_public.key | gh public -o $out/public180 '';181204 parts.secret.encrypted = true;182 parts.secret.encrypted = true;205 parts.public.encrypted = false;183 parts.public.encrypted = false;206 };184 }185 );207186208 /**187 /**209 Generate a random byte sequence188 Generate a random byte sequence225 encoding,204 encoding,226 noNuls ? false,205 noNuls ? false,227 }:206 }:228 describedGenerator229 (207 (230 { mkSecretGenerator }:208 { mkSecretGenerator }:231 mkSecretGenerator {209 mkSecretGenerator {232 script = ''210 script = ''233 mkdir $out211 mkdir $out234 gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \212 gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \235 ${optionalString noNuls "--no-nuls"}213 ${optionalString noNuls "--no-nuls"}236 '';214 '';215 parts.secret.encrypted = true;237 }216 }238 )217 );239 {240 parts.secret.encrypted = true;241 };242 /**218 /**243 Shorthand for `mkBytes`, which defaults to "hex" encoding219 Shorthand for `mkBytes`, which defaults to "hex" encoding244 */220 */modules/nixos/secrets.nixdiffbeforeafterboth--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -105,10 +105,14 @@
in
{
options = {
+ shared = mkOption {
+ type = bool;
+ description = "Was this secret propagated from a shared secret?";
+ };
parts = mkOption {
type = lazyAttrsOf (secretPartType secretName);
description = "Definition of secret parts";
- default = {};
+ default = { };
};
generator = mkOption {
type = uniq (nullOr (functionTo package));
@@ -137,24 +141,39 @@
default = null;
};
};
- config.parts = mkMerge [
- (mkIf (config.generator != null && config.generator ? parts) config.generator.parts)
- (mapAttrs (_: _: {}) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) ["shared" "managed"]))
- ];
+ config = {
+ shared = (sysConfig.data.secrets.${secretName} or { shared = false; }).shared;
+ parts = mkMerge [
+ (mkIf (config.generator != null)
+ (
+ # Get fake derivation body, in future it should be implemented the same way as in Rust.
+ lib.callPackageWith (
+ pkgs
+ // {
+ mkSecretGenerator = pkgs.stdenv.mkDerivation;
+ mkImpureSecretGenerator = pkgs.stdenv.mkDerivation;
+ }
+ ) config.generator { }
+ ).parts
+ )
+ (mapAttrs (_: _: { }) (
+ removeAttrs (sysConfig.data.secrets.${secretName} or { }) [
+ "shared"
+ "managed"
+ ]
+ ))
+ ];
+ };
}
);
processPart = secretName: partName: part: {
inherit (part) path stablePath;
raw = config.data.secrets.${secretName}.${partName}.raw;
};
- processSecret =
- secretName: secret:
- {
- inherit (secret.definition) group mode owner;
- parts = (mapAttrs (processPart secretName) (
- secret.definition.parts
- ));
- };
+ processSecret = secretName: secret: {
+ inherit (secret.definition) group mode owner;
+ parts = (mapAttrs (processPart secretName) (secret.definition.parts));
+ };
secretsData = (mapAttrs (processSecret) config.secrets);
secretsFile = pkgs.writeTextFile {
name = "secrets.json";
@@ -174,7 +193,7 @@
secrets = mkOption {
type = attrsOf secretType;
default = { };
- apply = v: (mapAttrs (_: secret: secret.parts // {definition = secret;}) v);
+ apply = v: (mapAttrs (_: secret: secret.parts // { definition = secret; }) v);
description = "Host-local secrets";
};
system.secretsData = mkOption {
modules/secrets.nixdiffbeforeafterboth--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -124,6 +124,7 @@
# If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD
# (Some secrets-encryption-in-git/managed PKI solution is expected)
impureOn ? null,
+ parts,
}:
(prev.writeShellScript "impureGenerator.sh" ''
#!/bin/sh
@@ -151,12 +152,12 @@
'').overrideAttrs
(old: {
passthru = {
- inherit impureOn;
+ inherit impureOn parts;
generatorKind = "impure";
};
});
# Pure generators are disabled for now
- mkSecretGenerator = { script }: mkImpureSecretGenerator { inherit script; };
+ mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };
# TODO: Implement consistent naming
# Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...