git.delta.rocks / jrsonnet / refs/commits / e8c42d8d3245

difftreelog

fix post secret management refactor

Yaroslav Bolyukin2024-04-26parent: #d8c8e6d.patch.diff
in: trunk

3 files changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use crate::{2	better_nix_eval::Field,3	fleetdata::{FleetSecret, FleetSharedSecret, SecretData},4	host::Config,5	nix_go, nix_go_json,6};7use anyhow::{anyhow, bail, ensure, Context, Result};8use chrono::{DateTime, Utc};9use clap::Parser;10use owo_colors::OwoColorize;11use serde::Deserialize;12use std::{13	collections::{BTreeSet, HashSet},14	io::{self, Cursor, Read},15	path::PathBuf,16};17use tabled::{Table, Tabled};18use tokio::fs::read_to_string;19use tracing::{error, info, info_span, warn, Instrument};2021#[derive(Parser)]22pub enum Secret {23	/// Force load host keys for all defined hosts24	ForceKeys,25	/// Add secret, data should be provided in stdin26	AddShared {27		/// Secret name28		name: String,29		/// Secret owners30		machines: Vec<String>,31		/// Override secret if already present32		#[clap(long)]33		force: bool,34		/// Secret public part35		#[clap(long)]36		public: Option<String>,37		/// Load public part from specified file38		#[clap(long)]39		public_file: Option<PathBuf>,4041		/// Create a notification on secret expiration42		#[clap(long)]43		expires_at: Option<DateTime<Utc>>,4445		/// Secret with this name already exists, override its value while keeping the same owners.46		#[clap(long)]47		re_add: bool,48	},49	/// Add secret, data should be provided in stdin50	Add {51		/// Secret name52		name: String,53		/// Secret owners54		machine: String,55		/// Override secret if already present56		#[clap(long)]57		force: bool,58		#[clap(long)]59		public: Option<String>,60		#[clap(long)]61		public_file: Option<PathBuf>,62	},63	/// Read secret from remote host, requires sudo on said host64	Read {65		name: String,66		machine: String,67		#[clap(long)]68		plaintext: bool,69	},70	ReadPublic {71		name: String,72		machine: String,73	},74	UpdateShared {75		name: String,7677		#[clap(long)]78		machines: Option<Vec<String>>,7980		#[clap(long)]81		add_machines: Vec<String>,82		#[clap(long)]83		remove_machines: Vec<String>,8485		/// Which host should we use to decrypt86		#[clap(long)]87		prefer_identities: Vec<String>,88	},89	Regenerate {90		/// Which host should we use to decrypt, in case if reencryption is required, without91		/// regeneration92		#[clap(long)]93		prefer_identities: Vec<String>,94	},95	List {},96}9798#[tracing::instrument(skip(config, secret, field, prefer_identities))]99async fn update_owner_set(100	secret_name: &str,101	config: &Config,102	mut secret: FleetSharedSecret,103	field: Field,104	updated_set: &[String],105	prefer_identities: &[String],106) -> Result<FleetSharedSecret> {107	let original_set = secret.owners.clone();108109	let set = original_set.iter().collect::<BTreeSet<_>>();110	let expected_set = updated_set.iter().collect::<BTreeSet<_>>();111112	if set == expected_set {113		info!("no need to update owner list, it is already correct");114		return Ok(secret);115	}116117	let should_regenerate = if set.difference(&expected_set).next().is_some() {118		// TODO: Remove this warning for revokable secrets.119		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");120		nix_go_json!(field.regenerateOnOwnerRemoved)121	} else if expected_set.difference(&set).next().is_some() {122		nix_go_json!(field.regenerateOnOwnerAdded)123	} else {124		false125	};126127	if should_regenerate {128		info!("secret is owner-dependent, will regenerate");129		let generated = generate_shared(config, secret_name, field, updated_set.to_vec()).await?;130		Ok(generated)131	} else {132		let identity_holder = if !prefer_identities.is_empty() {133			prefer_identities134				.iter()135				.find(|i| original_set.iter().any(|s| s == *i))136		} else {137			secret.owners.first()138		};139		let Some(identity_holder) = identity_holder else {140			bail!("no available holder found");141		};142143		if let Some(data) = secret.secret.secret {144			let host = config.host(identity_holder).await?;145			let encrypted = host.reencrypt(data, updated_set.to_vec()).await?;146			secret.secret.secret = Some(encrypted);147		}148149		secret.owners = updated_set.to_vec();150		Ok(secret)151	}152}153154#[derive(Deserialize)]155#[serde(rename_all = "camelCase")]156enum GeneratorKind {157	Impure,158	Pure,159}160161async fn generate_pure(162	_config: &Config,163	_display_name: &str,164	_secret: Field,165	_default_generator: Field,166	_owners: &[String],167) -> Result<FleetSecret> {168	bail!("pure generators are broken for now")169}170async fn generate_impure(171	config: &Config,172	_display_name: &str,173	secret: Field,174	default_generator: Field,175	owners: &[String],176) -> Result<FleetSecret> {177	let generator = nix_go!(secret.generator);178	let on: Option<String> = nix_go_json!(default_generator.impureOn);179180	let host = if let Some(on) = &on {181		config.host(on).await?182	} else {183		config.local_host()184	};185	let on_pkgs = host.pkgs().await?;186	let call_package = nix_go!(on_pkgs.callPackage);187	let mk_encrypt_secret = nix_go!(on_pkgs.mkEncryptSecret);188189	let mut recipients = Vec::new();190	for owner in owners {191		let key = config.key(owner).await?;192		recipients.push(key);193	}194	let encrypt = nix_go!(mk_encrypt_secret(Obj {195		recipients: { recipients },196	}));197198	let generator = nix_go!(call_package(generator)(Obj {199		encrypt,200		rustfmt_please_newline: { true },201	}));202203	let generator = generator.build().await?;204	let generator = generator205		.get("out")206		.ok_or_else(|| anyhow!("missing generateImpure out"))?;207	let generator = host.remote_derivation(generator).await?;208209	let out_parent = host.mktemp_dir().await?;210	let out = format!("{out_parent}/out");211212	let mut gen = host.cmd(generator).await?;213	gen.env("out", &out);214	if on.is_none() {215		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.216		let project_path: String = config217			.directory218			.clone()219			.into_os_string()220			.into_string()221			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;222		gen.env("FLEET_PROJECT", project_path);223	}224	gen.run().await.context("impure generator")?;225226	{227		let marker = host.read_file_text(format!("{out}/marker")).await?;228		ensure!(marker == "SUCCESS", "generation not succeeded");229	}230231	let public = host.read_file_text(format!("{out}/public")).await.ok();232	let secret = host.read_file_bin(format!("{out}/secret")).await.ok();233	if let Some(secret) = &secret {234		ensure!(235			age::Decryptor::new(Cursor::new(&secret)).is_ok(),236			"builder produced non-encrypted value as secret, this is highly insecure, and not allowed."237		);238	}239240	let created_at = host.read_file_value(format!("{out}/created_at")).await?;241	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();242243	Ok(FleetSecret {244		created_at,245		expires_at,246		public,247		secret: secret.map(SecretData),248	})249}250async fn generate(251	config: &Config,252	display_name: &str,253	secret: Field,254	owners: &[String],255) -> Result<FleetSecret> {256	let generator = nix_go!(secret.generator);257	// Can't properly check on nix module system level258	{259		let gen_ty = generator.type_of().await?;260		if gen_ty == "null" {261			bail!("secret has no generator defined, can't automatically generate it.");262		}263		if gen_ty != "lambda" {264			bail!("generator should be lambda, got {gen_ty}");265		}266	}267	let default_pkgs = &config.default_pkgs;268	let default_call_package = nix_go!(default_pkgs.callPackage);269	// Generators provide additional information in passthru, to access270	// passthru we should call generator, but information about where this generator is supposed to build271	// is located in passthru... Thus evaluating generator on host.272	//273	// Maybe it is also possible to do some magic with __functor?274	//275	// I don't want to make modules always responsible for additional secret data anyway,276	// so it should be in derivation, and not in the secret data itself.277	let default_generator = nix_go!(default_call_package(generator)(Obj {}));278279	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);280281	match kind {282		GeneratorKind::Impure => {283			generate_impure(config, display_name, secret, default_generator, owners).await284		}285		GeneratorKind::Pure => {286			generate_pure(config, display_name, secret, default_generator, owners).await287		}288	}289}290async fn generate_shared(291	config: &Config,292	display_name: &str,293	secret: Field,294	expected_owners: Vec<String>,295) -> Result<FleetSharedSecret> {296	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);297	Ok(FleetSharedSecret {298		secret: generate(config, display_name, secret, &expected_owners).await?,299		owners: expected_owners,300	})301}302303async fn parse_public(304	public: Option<String>,305	public_file: Option<PathBuf>,306) -> Result<Option<String>> {307	Ok(match (public, public_file) {308		(Some(v), None) => Some(v),309		(None, Some(v)) => Some(read_to_string(v).await?),310		(Some(_), Some(_)) => {311			bail!("only public or public_file should be set")312		}313		(None, None) => None,314	})315}316317fn parse_machines(318	initial: Vec<String>,319	machines: Option<Vec<String>>,320	mut add_machines: Vec<String>,321	mut remove_machines: Vec<String>,322) -> Result<Vec<String>> {323	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {324		bail!("no operation");325	}326327	let initial_machines = initial.clone();328	let mut target_machines = initial;329	info!("Currently encrypted for {initial_machines:?}");330331	// ensure!(machines.is_some() || !add_machines.is_empty() || )332	if let Some(machines) = machines {333		ensure!(334			add_machines.is_empty() && remove_machines.is_empty(),335			"can't combine --machines and --add-machines/--remove-machines"336		);337		let target = initial_machines.iter().collect::<HashSet<_>>();338		let source = machines.iter().collect::<HashSet<_>>();339		for removed in target.difference(&source) {340			remove_machines.push((*removed).clone());341		}342		for added in source.difference(&target) {343			add_machines.push((*added).clone());344		}345	}346347	for machine in &remove_machines {348		let mut removed = false;349		while let Some(pos) = target_machines.iter().position(|m| m == machine) {350			target_machines.swap_remove(pos);351			removed = true;352		}353		if !removed {354			warn!("secret is not enabled for {machine}");355		}356	}357	for machine in &add_machines {358		if target_machines.iter().any(|m| m == machine) {359			warn!("secret is already added to {machine}");360		} else {361			target_machines.push(machine.to_owned());362		}363	}364	if !remove_machines.is_empty() {365		// TODO: maybe force secret regeneration?366		// Not that useful without revokation.367		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");368	}369	Ok(target_machines)370}371impl Secret {372	pub async fn run(self, config: &Config) -> Result<()> {373		match self {374			Secret::ForceKeys => {375				for host in config.list_hosts().await? {376					if config.should_skip(&host.name) {377						continue;378					}379					config.key(&host.name).await?;380				}381			}382			Secret::AddShared {383				mut machines,384				name,385				force,386				public,387				public_file,388				expires_at,389				re_add,390			} => {391				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).392393				let exists = config.has_shared(&name);394				if exists && !force && !re_add {395					bail!("secret already defined");396				}397				if re_add {398					// Fixme: use clap to limit this usage399					ensure!(!force, "--force and --readd are not compatible");400					ensure!(exists, "secret doesn't exists");401					ensure!(402						machines.is_empty(),403						"you can't use machines argument for --readd"404					);405					let shared = config.shared_secret(&name)?;406					machines = shared.owners;407				}408409				let recipients = config.recipients(machines.clone()).await?;410411				let secret = {412					let mut input = vec![];413					io::stdin().read_to_end(&mut input)?;414415					if input.is_empty() {416						None417					} else {418						Some(419							SecretData::encrypt(recipients, input)420								.ok_or_else(|| anyhow!("no recipients provided"))?,421						)422					}423				};424				let public = parse_public(public, public_file).await?;425				config.replace_shared(426					name,427					FleetSharedSecret {428						owners: machines,429						secret: FleetSecret {430							created_at: Utc::now(),431							expires_at,432							secret,433							public,434						},435					},436				);437			}438			Secret::Add {439				machine,440				name,441				force,442				public,443				public_file,444			} => {445				let recipient = config.recipient(&machine).await?;446447				let secret = {448					let mut input = vec![];449					io::stdin().read_to_end(&mut input)?;450					if input.is_empty() {451						bail!("no data provided")452					}453454					Some(SecretData::encrypt(vec![recipient], input).expect("recipient provided"))455				};456457				if config.has_secret(&machine, &name) && !force {458					bail!("secret already defined");459				}460				let public = parse_public(public, public_file).await?;461462				config.insert_secret(463					&machine,464					name,465					FleetSecret {466						created_at: Utc::now(),467						expires_at: None,468						secret,469						public,470					},471				);472			}473			#[allow(clippy::await_holding_refcell_ref)]474			Secret::Read {475				name,476				machine,477				plaintext,478			} => {479				let secret = config.host_secret(&machine, &name)?;480				let Some(secret) = secret.secret else {481					bail!("no secret {name}");482				};483				let host = config.host(&machine).await?;484				let data = host.decrypt(secret).await?;485				if plaintext {486					let s = String::from_utf8(data).context("output is not utf8")?;487					print!("{s}");488				} else {489					println!("{}", z85::encode(&data));490				}491			}492			Secret::ReadPublic { name, machine } => {493				let secret = config.host_secret(&machine, &name)?;494				let Some(public) = secret.public else {495					bail!("no secret {name}");496				};497				print!("{public}");498			}499			Secret::UpdateShared {500				name,501				machines,502				add_machines,503				remove_machines,504				prefer_identities,505			} => {506				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).507508				let secret = config.shared_secret(&name)?;509				if secret.secret.secret.is_none() {510					bail!("no secret");511				}512513				let initial_machines = secret.owners.clone();514				let target_machines = parse_machines(515					initial_machines.clone(),516					machines,517					add_machines,518					remove_machines,519				)?;520521				if target_machines.is_empty() {522					info!("no machines left for secret, removing it");523					config.remove_shared(&name);524					return Ok(());525				}526527				let config_field = &config.config_unchecked_field;528				let field = nix_go!(config_field.sharedSecrets[{ name }]);529530				let updated = update_owner_set(531					&name,532					config,533					secret,534					field,535					&target_machines,536					&prefer_identities,537				)538				.await?;539				config.replace_shared(name, updated);540			}541			Secret::Regenerate { prefer_identities } => {542				info!("checking for secrets to regenerate");543				{544					let _span = info_span!("shared").entered();545					let expected_shared_set = config546						.list_configured_shared()547						.await?548						.into_iter()549						.collect::<HashSet<_>>();550					let shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();551					for missing in expected_shared_set.difference(&shared_set) {552						let config_field = &config.config_unchecked_field;553						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);554						let expected_owners: Option<Vec<String>> =555							nix_go_json!(secret.expectedOwners);556						let Some(expected_owners) = expected_owners else {557							// TODO: Might still need to regenerate558							continue;559						};560						info!("generating secret: {missing}");561						let shared = generate_shared(config, missing, secret, expected_owners)562							.in_current_span()563							.await?;564						config.replace_shared(missing.to_string(), shared)565					}566				}567				for host in config.list_hosts().await? {568					let _span = info_span!("host", host = host.name).entered();569					let expected_set = host570						.list_configured_secrets()571						.in_current_span()572						.await?573						.into_iter()574						.collect::<HashSet<_>>();575					let stored_set = config576						.list_secrets(&host.name)577						.into_iter()578						.collect::<HashSet<_>>();579					for missing in expected_set.difference(&stored_set) {580						info!("generating secret: {missing}");581						let secret = host.secret_field(missing).in_current_span().await?;582						let generated =583							match generate(config, missing, secret, &[host.name.clone()])584								.in_current_span()585								.await586							{587								Ok(v) => v,588								Err(e) => {589									error!("{e}");590									continue;591								}592							};593						config.insert_secret(&host.name, missing.to_string(), generated)594					}595				}596				let mut to_remove = Vec::new();597				for name in &config.list_shared() {598					info!("updating secret: {name}");599					let data = config.shared_secret(name)?;600					let config_field = &config.config_unchecked_field;601					let expected_owners: Vec<String> =602						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);603					if expected_owners.is_empty() {604						warn!("secret was removed from fleet config: {name}, removing from data");605						to_remove.push(name.to_string());606						continue;607					}608609					let secret = nix_go!(config_field.sharedSecrets[{ name }]);610					config.replace_shared(611						name.to_owned(),612						update_owner_set(613							name,614							config,615							data,616							secret,617							&expected_owners,618							&prefer_identities,619						)620						.await?,621					);622				}623				for k in to_remove {624					config.remove_shared(&k);625				}626			}627			Secret::List {} => {628				let _span = info_span!("loading secrets").entered();629				let configured = config.list_configured_shared().await?;630				#[derive(Tabled)]631				struct SecretDisplay {632					#[tabled(rename = "Name")]633					name: String,634					#[tabled(rename = "Owners")]635					owners: String,636				}637				let mut table = vec![];638				for name in configured.iter().cloned() {639					let config = config.clone();640					let expected_owners = config.shared_secret_expected_owners(&name).await?;641					let data = config.shared_secret(&name)?;642					let owners = data643						.owners644						.iter()645						.map(|o| {646							if expected_owners.contains(o) {647								o.green().to_string()648							} else {649								o.red().to_string()650							}651						})652						.collect::<Vec<_>>();653					table.push(SecretDisplay {654						owners: owners.join(", "),655						name,656					})657				}658				info!("loaded\n{}", Table::new(table).to_string())659			}660		}661		Ok(())662	}663}
after · cmds/fleet/src/cmds/secrets/mod.rs
1use crate::{2	better_nix_eval::Field,3	fleetdata::{FleetSecret, FleetSharedSecret, SecretData},4	host::Config,5	nix_go, nix_go_json,6};7use anyhow::{anyhow, bail, ensure, Context, Result};8use chrono::{DateTime, Utc};9use clap::{error::ErrorKind, Parser};10use crossterm::{terminal, tty::IsTty};11use itertools::Itertools;12use owo_colors::OwoColorize;13use serde::Deserialize;14use std::{15	collections::{BTreeSet, HashSet},16	ffi::OsString,17	io::{self, stdin, Cursor, Read, Write},18	path::PathBuf,19};20use tabled::{Table, Tabled};21use tempfile::NamedTempFile;22use tokio::{fs::read_to_string, process::Command};23use tracing::{error, info, info_span, warn, Instrument};2425#[derive(Parser)]26pub enum Secret {27	/// Force load host keys for all defined hosts28	ForceKeys,29	/// Add secret, data should be provided in stdin30	AddShared {31		/// Secret name32		name: String,33		/// Secret owners34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,52	},53	/// Add secret, data should be provided in stdin54	Add {55		/// Secret name56		name: String,57		/// Secret owners58		machine: String,59		/// Override secret if already present60		#[clap(long)]61		force: bool,62		#[clap(long)]63		public: Option<String>,64		#[clap(long)]65		public_file: Option<PathBuf>,66	},67	/// Read secret from remote host, requires sudo on said host68	Read {69		name: String,70		machine: String,71		#[clap(long)]72		plaintext: bool,73	},74	ReadPublic {75		name: String,76		machine: String,77	},78	UpdateShared {79		name: String,8081		#[clap(long)]82		machines: Option<Vec<String>>,8384		#[clap(long)]85		add_machines: Vec<String>,86		#[clap(long)]87		remove_machines: Vec<String>,8889		/// Which host should we use to decrypt90		#[clap(long)]91		prefer_identities: Vec<String>,92	},93	Regenerate {94		/// Which host should we use to decrypt, in case if reencryption is required, without95		/// regeneration96		#[clap(long)]97		prefer_identities: Vec<String>,98	},99	List {},100}101102#[tracing::instrument(skip(config, secret, field, prefer_identities))]103async fn update_owner_set(104	secret_name: &str,105	config: &Config,106	mut secret: FleetSharedSecret,107	field: Field,108	updated_set: &[String],109	prefer_identities: &[String],110) -> Result<FleetSharedSecret> {111	let original_set = secret.owners.clone();112113	let set = original_set.iter().collect::<BTreeSet<_>>();114	let expected_set = updated_set.iter().collect::<BTreeSet<_>>();115116	if set == expected_set {117		info!("no need to update owner list, it is already correct");118		return Ok(secret);119	}120121	let should_regenerate = if set.difference(&expected_set).next().is_some() {122		// TODO: Remove this warning for revokable secrets.123		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");124		nix_go_json!(field.regenerateOnOwnerRemoved)125	} else if expected_set.difference(&set).next().is_some() {126		nix_go_json!(field.regenerateOnOwnerAdded)127	} else {128		false129	};130131	if should_regenerate {132		info!("secret is owner-dependent, will regenerate");133		let generated = generate_shared(config, secret_name, field, updated_set.to_vec()).await?;134		Ok(generated)135	} else {136		let identity_holder = if !prefer_identities.is_empty() {137			prefer_identities138				.iter()139				.find(|i| original_set.iter().any(|s| s == *i))140		} else {141			secret.owners.first()142		};143		let Some(identity_holder) = identity_holder else {144			bail!("no available holder found");145		};146147		if let Some(data) = secret.secret.secret {148			let host = config.host(identity_holder).await?;149			let encrypted = host.reencrypt(data, updated_set.to_vec()).await?;150			secret.secret.secret = Some(encrypted);151		}152153		secret.owners = updated_set.to_vec();154		Ok(secret)155	}156}157158#[derive(Deserialize)]159#[serde(rename_all = "camelCase")]160enum GeneratorKind {161	Impure,162	Pure,163}164165async fn generate_pure(166	_config: &Config,167	_display_name: &str,168	_secret: Field,169	_default_generator: Field,170	_owners: &[String],171) -> Result<FleetSecret> {172	bail!("pure generators are broken for now")173}174async fn generate_impure(175	config: &Config,176	_display_name: &str,177	secret: Field,178	default_generator: Field,179	owners: &[String],180) -> Result<FleetSecret> {181	let generator = nix_go!(secret.generator);182	let on: Option<String> = nix_go_json!(default_generator.impureOn);183184	let host = if let Some(on) = &on {185		config.host(on).await?186	} else {187		config.local_host()188	};189	let on_pkgs = host.pkgs().await?;190	let call_package = nix_go!(on_pkgs.callPackage);191	let mk_encrypt_secret = nix_go!(on_pkgs.mkEncryptSecret);192193	let mut recipients = Vec::new();194	for owner in owners {195		let key = config.key(owner).await?;196		recipients.push(key);197	}198	let encrypt = nix_go!(mk_encrypt_secret(Obj {199		recipients: { recipients },200	}));201202	let generator = nix_go!(call_package(generator)(Obj {203		encrypt,204		rustfmt_please_newline: { true },205	}));206207	let generator = generator.build().await?;208	let generator = generator209		.get("out")210		.ok_or_else(|| anyhow!("missing generateImpure out"))?;211	let generator = host.remote_derivation(generator).await?;212213	let out_parent = host.mktemp_dir().await?;214	let out = format!("{out_parent}/out");215216	let mut gen = host.cmd(generator).await?;217	gen.env("out", &out);218	if on.is_none() {219		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.220		let project_path: String = config221			.directory222			.clone()223			.into_os_string()224			.into_string()225			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;226		gen.env("FLEET_PROJECT", project_path);227	}228	gen.run().await.context("impure generator")?;229230	{231		let marker = host.read_file_text(format!("{out}/marker")).await?;232		ensure!(marker == "SUCCESS", "generation not succeeded");233	}234235	let public = host.read_file_text(format!("{out}/public")).await.ok();236	let secret = host.read_file_bin(format!("{out}/secret")).await.ok();237	if let Some(secret) = &secret {238		ensure!(239			age::Decryptor::new(Cursor::new(&secret)).is_ok(),240			"builder produced non-encrypted value as secret, this is highly insecure, and not allowed."241		);242	}243244	let created_at = host.read_file_value(format!("{out}/created_at")).await?;245	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();246247	Ok(FleetSecret {248		created_at,249		expires_at,250		public,251		secret: secret.map(SecretData),252	})253}254async fn generate(255	config: &Config,256	display_name: &str,257	secret: Field,258	owners: &[String],259) -> Result<FleetSecret> {260	let generator = nix_go!(secret.generator);261	// Can't properly check on nix module system level262	{263		let gen_ty = generator.type_of().await?;264		if gen_ty == "null" {265			bail!("secret has no generator defined, can't automatically generate it.");266		}267		if gen_ty != "lambda" {268			bail!("generator should be lambda, got {gen_ty}");269		}270	}271	let default_pkgs = &config.default_pkgs;272	let default_call_package = nix_go!(default_pkgs.callPackage);273	// Generators provide additional information in passthru, to access274	// passthru we should call generator, but information about where this generator is supposed to build275	// is located in passthru... Thus evaluating generator on host.276	//277	// Maybe it is also possible to do some magic with __functor?278	//279	// I don't want to make modules always responsible for additional secret data anyway,280	// so it should be in derivation, and not in the secret data itself.281	let default_generator = nix_go!(default_call_package(generator)(Obj {}));282283	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);284285	match kind {286		GeneratorKind::Impure => {287			generate_impure(config, display_name, secret, default_generator, owners).await288		}289		GeneratorKind::Pure => {290			generate_pure(config, display_name, secret, default_generator, owners).await291		}292	}293}294async fn generate_shared(295	config: &Config,296	display_name: &str,297	secret: Field,298	expected_owners: Vec<String>,299) -> Result<FleetSharedSecret> {300	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);301	Ok(FleetSharedSecret {302		secret: generate(config, display_name, secret, &expected_owners).await?,303		owners: expected_owners,304	})305}306307async fn parse_public(308	public: Option<String>,309	public_file: Option<PathBuf>,310) -> Result<Option<String>> {311	Ok(match (public, public_file) {312		(Some(v), None) => Some(v),313		(None, Some(v)) => Some(read_to_string(v).await?),314		(Some(_), Some(_)) => {315			bail!("only public or public_file should be set")316		}317		(None, None) => None,318	})319}320321fn parse_machines(322	initial: Vec<String>,323	machines: Option<Vec<String>>,324	mut add_machines: Vec<String>,325	mut remove_machines: Vec<String>,326) -> Result<Vec<String>> {327	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {328		bail!("no operation");329	}330331	let initial_machines = initial.clone();332	let mut target_machines = initial;333	info!("Currently encrypted for {initial_machines:?}");334335	// ensure!(machines.is_some() || !add_machines.is_empty() || )336	if let Some(machines) = machines {337		ensure!(338			add_machines.is_empty() && remove_machines.is_empty(),339			"can't combine --machines and --add-machines/--remove-machines"340		);341		let target = initial_machines.iter().collect::<HashSet<_>>();342		let source = machines.iter().collect::<HashSet<_>>();343		for removed in target.difference(&source) {344			remove_machines.push((*removed).clone());345		}346		for added in source.difference(&target) {347			add_machines.push((*added).clone());348		}349	}350351	for machine in &remove_machines {352		let mut removed = false;353		while let Some(pos) = target_machines.iter().position(|m| m == machine) {354			target_machines.swap_remove(pos);355			removed = true;356		}357		if !removed {358			warn!("secret is not enabled for {machine}");359		}360	}361	for machine in &add_machines {362		if target_machines.iter().any(|m| m == machine) {363			warn!("secret is already added to {machine}");364		} else {365			target_machines.push(machine.to_owned());366		}367	}368	if !remove_machines.is_empty() {369		// TODO: maybe force secret regeneration?370		// Not that useful without revokation.371		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");372	}373	Ok(target_machines)374}375impl Secret {376	pub async fn run(self, config: &Config) -> Result<()> {377		match self {378			Secret::ForceKeys => {379				for host in config.list_hosts().await? {380					if config.should_skip(&host.name) {381						continue;382					}383					config.key(&host.name).await?;384				}385			}386			Secret::AddShared {387				mut machines,388				name,389				force,390				public,391				public_file,392				expires_at,393				re_add,394			} => {395				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).396397				let exists = config.has_shared(&name);398				if exists && !force && !re_add {399					bail!("secret already defined");400				}401				if re_add {402					// Fixme: use clap to limit this usage403					ensure!(!force, "--force and --readd are not compatible");404					ensure!(exists, "secret doesn't exists");405					ensure!(406						machines.is_empty(),407						"you can't use machines argument for --readd"408					);409					let shared = config.shared_secret(&name)?;410					machines = shared.owners;411				}412413				let recipients = config.recipients(machines.clone()).await?;414415				let secret = {416					let mut input = vec![];417					io::stdin().read_to_end(&mut input)?;418419					if input.is_empty() {420						None421					} else {422						Some(423							SecretData::encrypt(recipients, input)424								.ok_or_else(|| anyhow!("no recipients provided"))?,425						)426					}427				};428				let public = parse_public(public, public_file).await?;429				config.replace_shared(430					name,431					FleetSharedSecret {432						owners: machines,433						secret: FleetSecret {434							created_at: Utc::now(),435							expires_at,436							secret,437							public,438						},439					},440				);441			}442			Secret::Add {443				machine,444				name,445				force,446				public,447				public_file,448			} => {449				let recipient = config.recipient(&machine).await?;450451				let secret = {452					let mut input = vec![];453					io::stdin().read_to_end(&mut input)?;454					if input.is_empty() {455						bail!("no data provided")456					}457458					Some(SecretData::encrypt(vec![recipient], input).expect("recipient provided"))459				};460461				if config.has_secret(&machine, &name) && !force {462					bail!("secret already defined");463				}464				let public = parse_public(public, public_file).await?;465466				config.insert_secret(467					&machine,468					name,469					FleetSecret {470						created_at: Utc::now(),471						expires_at: None,472						secret,473						public,474					},475				);476			}477			#[allow(clippy::await_holding_refcell_ref)]478			Secret::Read {479				name,480				machine,481				plaintext,482			} => {483				let secret = config.host_secret(&machine, &name)?;484				let Some(secret) = secret.secret else {485					bail!("no secret {name}");486				};487				let host = config.host(&machine).await?;488				let data = host.decrypt(secret).await?;489				if plaintext {490					let s = String::from_utf8(data).context("output is not utf8")?;491					print!("{s}");492				} else {493					println!("{}", z85::encode(&data));494				}495			}496			Secret::ReadPublic { name, machine } => {497				let secret = config.host_secret(&machine, &name)?;498				let Some(public) = secret.public else {499					bail!("no secret {name}");500				};501				print!("{public}");502			}503			Secret::UpdateShared {504				name,505				machines,506				add_machines,507				remove_machines,508				prefer_identities,509			} => {510				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).511512				let secret = config.shared_secret(&name)?;513				if secret.secret.secret.is_none() {514					bail!("no secret");515				}516517				let initial_machines = secret.owners.clone();518				let target_machines = parse_machines(519					initial_machines.clone(),520					machines,521					add_machines,522					remove_machines,523				)?;524525				if target_machines.is_empty() {526					info!("no machines left for secret, removing it");527					config.remove_shared(&name);528					return Ok(());529				}530531				let config_field = &config.config_unchecked_field;532				let field = nix_go!(config_field.sharedSecrets[{ name }]);533534				let updated = update_owner_set(535					&name,536					config,537					secret,538					field,539					&target_machines,540					&prefer_identities,541				)542				.await?;543				config.replace_shared(name, updated);544			}545			Secret::Regenerate { prefer_identities } => {546				info!("checking for secrets to regenerate");547				{548					let _span = info_span!("shared").entered();549					let expected_shared_set = config550						.list_configured_shared()551						.await?552						.into_iter()553						.collect::<HashSet<_>>();554					let shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();555					for missing in expected_shared_set.difference(&shared_set) {556						let config_field = &config.config_unchecked_field;557						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);558						let expected_owners: Option<Vec<String>> =559							nix_go_json!(secret.expectedOwners);560						let Some(expected_owners) = expected_owners else {561							// TODO: Might still need to regenerate562							continue;563						};564						info!("generating secret: {missing}");565						let shared = generate_shared(config, missing, secret, expected_owners)566							.in_current_span()567							.await?;568						config.replace_shared(missing.to_string(), shared)569					}570				}571				for host in config.list_hosts().await? {572					let _span = info_span!("host", host = host.name).entered();573					let expected_set = host574						.list_configured_secrets()575						.in_current_span()576						.await?577						.into_iter()578						.collect::<HashSet<_>>();579					let stored_set = config580						.list_secrets(&host.name)581						.into_iter()582						.collect::<HashSet<_>>();583					for missing in expected_set.difference(&stored_set) {584						info!("generating secret: {missing}");585						let secret = host.secret_field(missing).in_current_span().await?;586						let generated =587							match generate(config, missing, secret, &[host.name.clone()])588								.in_current_span()589								.await590							{591								Ok(v) => v,592								Err(e) => {593									error!("{e:?}");594									continue;595								}596							};597						config.insert_secret(&host.name, missing.to_string(), generated)598					}599				}600				let mut to_remove = Vec::new();601				for name in &config.list_shared() {602					info!("updating secret: {name}");603					let data = config.shared_secret(name)?;604					let config_field = &config.config_unchecked_field;605					let expected_owners: Vec<String> =606						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);607					if expected_owners.is_empty() {608						warn!("secret was removed from fleet config: {name}, removing from data");609						to_remove.push(name.to_string());610						continue;611					}612613					let secret = nix_go!(config_field.sharedSecrets[{ name }]);614					config.replace_shared(615						name.to_owned(),616						update_owner_set(617							name,618							config,619							data,620							secret,621							&expected_owners,622							&prefer_identities,623						)624						.await?,625					);626				}627				for k in to_remove {628					config.remove_shared(&k);629				}630			}631			Secret::List {} => {632				let _span = info_span!("loading secrets").entered();633				let configured = config.list_configured_shared().await?;634				#[derive(Tabled)]635				struct SecretDisplay {636					#[tabled(rename = "Name")]637					name: String,638					#[tabled(rename = "Owners")]639					owners: String,640				}641				let mut table = vec![];642				for name in configured.iter().cloned() {643					let config = config.clone();644					let expected_owners = config.shared_secret_expected_owners(&name).await?;645					let data = config.shared_secret(&name)?;646					let owners = data647						.owners648						.iter()649						.map(|o| {650							if expected_owners.contains(o) {651								o.green().to_string()652							} else {653								o.red().to_string()654							}655						})656						.collect::<Vec<_>>();657					table.push(SecretDisplay {658						owners: owners.join(", "),659						name,660					})661				}662				info!("loaded\n{}", Table::new(table).to_string())663			}664		}665		Ok(())666	}667}
modifiedcmds/fleet/src/host.rsdiffbeforeafterboth
--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -385,7 +385,7 @@
 		let config_unchecked_field = nix_go!(fleet_field.unchecked.config);
 
 		let import = nix_go!(builtins_field.import);
-		let overlays = nix_go!(fleet_field.overlays);
+		let overlays = nix_go!(config_unchecked_field.overlays);
 		let nixpkgs = nix_go!(fleet_field.nixpkgs | import);
 
 		let default_pkgs = nix_go!(nixpkgs(Obj {
modifiedmodules/fleet/secrets.nixdiffbeforeafterboth
--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -153,7 +153,7 @@
     overlays = [
       (final: prev: let
         lib = final.lib;
-        inherit (lib) strings;
+        inherit (lib) strings concatMap;
         inherit (strings) escapeShellArgs;
       in {
         mkEncryptSecret = {
@@ -162,7 +162,7 @@
         }:
           prev.writeShellScript "encryptor" ''
             #!/bin/sh
-            exec ${rage}/bin/rage ${escapeShellArgs recipients} -e "$@"
+            exec ${rage}/bin/rage ${escapeShellArgs (concatMap (r: ["-r" r]) recipients)} -e "$@"
           '';
         # TODO: Move to fleet
         # TODO: Merge both generators to one with consistent options syntax?
@@ -177,8 +177,12 @@
           (prev.writeShellScript "impureGenerator.sh" ''
             #!/bin/sh
             set -eu
-            cd /var/empty
 
+            # TODO: Provide tempdir from outside, to make it securely erasurable as needed?
+            tmp=$(mktemp -d)
+            cd $tmp
+            # cd /var/empty
+
             created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")
 
             ${script}