From f31248fac9ac80b7728f556e2e62aa6268dbc0dd Mon Sep 17 00:00:00 2001 From: Yaroslav Bolyukin Date: Tue, 06 Jan 2026 04:23:21 +0000 Subject: [PATCH] feat: use builtin for getting secret --- --- a/Cargo.lock +++ b/Cargo.lock @@ -723,15 +723,6 @@ checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" [[package]] -name = "convert_case" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb402b8d4c85569410425650ce3eddc7d698ed96d39a73f941b08fb63082f1e7" -dependencies = [ - "unicode-segmentation", -] - -[[package]] name = "cookie-factory" version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -765,34 +756,6 @@ ] [[package]] -name = "crossterm" -version = "0.29.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8b9f2e4c67f833b660cdb0a3523065869fb35570177239812ed4c905aeff87b" -dependencies = [ - "bitflags", - "crossterm_winapi", - "derive_more", - "document-features", - "filedescriptor", - "mio", - "parking_lot", - "rustix 1.1.2", - "signal-hook", - "signal-hook-mio", - "winapi", -] - -[[package]] -name = "crossterm_winapi" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acdd7c62a3665c7f6830a51635d9ac9b23ed385797f70a83bb8bafe9c572ab2b" -dependencies = [ - "winapi", -] - -[[package]] name = "crypto-common" version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -932,27 +895,6 @@ dependencies = [ "powerfmt", "serde_core", -] - -[[package]] -name = "derive_more" -version = "2.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678" -dependencies = [ - "derive_more-impl", -] - -[[package]] -name = "derive_more-impl" -version = "2.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" -dependencies = [ - "convert_case", - "proc-macro2", - "quote", - "syn", ] [[package]] @@ -976,15 +918,6 @@ "proc-macro2", "quote", "syn", -] - -[[package]] -name = "document-features" -version = "0.2.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d" -dependencies = [ - "litrs", ] [[package]] @@ -1073,17 +1006,6 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" [[package]] -name = "filedescriptor" -version = "0.8.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e40758ed24c9b2eeb76c35fb0aebc66c626084edd827e07e1552279814c6682d" -dependencies = [ - "libc", - "thiserror 1.0.69", - "winapi", -] - -[[package]] name = "find-crate" version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1128,7 +1050,6 @@ "chrono", "clap", "clap_complete", - "crossterm", "fleet-base", "fleet-shared", "futures", @@ -1142,7 +1063,6 @@ "openssh", "opentelemetry", "opentelemetry_sdk", - "owo-colors", "peg", "regex", "serde", @@ -1503,12 +1423,6 @@ checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] -name = "hermit-abi" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c" - -[[package]] name = "hex" version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1961,24 +1875,7 @@ dependencies = [ "memchr", "serde", -] - -[[package]] -name = "is-terminal" -version = "0.4.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9" -dependencies = [ - "hermit-abi", - "libc", - "windows-sys 0.59.0", ] - -[[package]] -name = "is_ci" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7655c9839580ee829dfacba1d1278c2b7883e50a277ff7541299489d6bdfdc45" [[package]] name = "is_terminal_polyfill" @@ -2083,12 +1980,6 @@ version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956" - -[[package]] -name = "litrs" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5e54036fe321fd421e10d732f155734c4e4afd610dd556d9a82833ab3ee0bed" [[package]] name = "lock_api" @@ -2161,7 +2052,6 @@ checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c" dependencies = [ "libc", - "log", "wasi 0.11.1+wasi-snapshot-preview1", "windows-sys 0.59.0", ] @@ -2428,16 +2318,6 @@ ] [[package]] -name = "owo-colors" -version = "4.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c6901729fa79e91a0913333229e9ca5dc725089d1c363b2f4b4760709dc4a52" -dependencies = [ - "supports-color 2.1.0", - "supports-color 3.0.2", -] - -[[package]] name = "papergrid" version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -3335,27 +3215,6 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" - -[[package]] -name = "signal-hook" -version = "0.3.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2" -dependencies = [ - "libc", - "signal-hook-registry", -] - -[[package]] -name = "signal-hook-mio" -version = "0.2.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34db1a06d485c9142248b7a054f034b349b212551f3dfd19c94d45a754a217cd" -dependencies = [ - "libc", - "mio", - "signal-hook", -] [[package]] name = "signal-hook-registry" @@ -3449,25 +3308,6 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] -name = "supports-color" -version = "2.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6398cde53adc3c4557306a96ce67b302968513830a77a95b2b17305d9719a89" -dependencies = [ - "is-terminal", - "is_ci", -] - -[[package]] -name = "supports-color" -version = "3.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c64fc7232dd8d2e4ac5ce4ef302b1d81e0b80d055b9d77c7c4f51f6aa4c867d6" -dependencies = [ - "is_ci", -] - -[[package]] name = "syn" version = "2.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -4170,12 +4010,6 @@ checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d" [[package]] -name = "unicode-segmentation" -version = "1.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493" - -[[package]] name = "unicode-width" version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -4448,25 +4282,9 @@ "home", "once_cell", "rustix 0.38.44", -] - -[[package]] -name = "winapi" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" -dependencies = [ - "winapi-i686-pc-windows-gnu", - "winapi-x86_64-pc-windows-gnu", ] [[package]] -name = "winapi-i686-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" - -[[package]] name = "winapi-util" version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -4474,12 +4292,6 @@ dependencies = [ "windows-sys 0.61.2", ] - -[[package]] -name = "winapi-x86_64-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "windows-core" --- a/README.adoc +++ b/README.adoc @@ -211,7 +211,7 @@ ]; # And finally, I have secrets, which are shared between machines. # Note that this example is somewhat wrong, as this goes not into the machine configuration, but to fleet configuration. - sharedSecrets = { + secrets = { "ca.pem" = { # This is just the public key, no need to regenerate it to change owner list regenerateOnOwnerAdded = false; --- a/cmds/fleet/Cargo.toml +++ b/cmds/fleet/Cargo.toml @@ -28,12 +28,10 @@ async-trait = "0.1" base64 = "0.22.1" chrono = { version = "0.4", features = ["serde"] } -crossterm = { version = "0.29.0", features = ["use-dev-tty"] } futures = "0.3" hostname = "0.4.1" itertools = "0.14" openssh = "0.11" -owo-colors = { version = "4.2", features = ["supports-color", "supports-colors"] } peg = "0.8" regex = "1.11" shlex = "1.3" --- a/cmds/fleet/src/cmds/secrets/mod.rs +++ b/cmds/fleet/src/cmds/secrets/mod.rs @@ -11,11 +11,10 @@ fleetdata::{FleetSecretData, FleetSecretDistribution, FleetSecretPart, encrypt_secret_data}, host::Config, opts::FleetOpts, - secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration}, + secret::{Expectations, RegenerationReason, secret_needs_regeneration}, }; use fleet_shared::SecretData; use nix_eval::{NixType, Value, nix_go, nix_go_json}; -use owo_colors::OwoColorize; use serde::Deserialize; use tabled::{Table, Tabled}; use tokio::{fs::read, task::spawn_blocking}; @@ -69,6 +68,7 @@ }, } +/* #[allow(clippy::too_many_arguments)] #[tracing::instrument(skip(config, secret, definition, prefer_identities))] async fn maybe_regenerate_shared_secret( @@ -143,6 +143,7 @@ Ok(secret) } } +*/ #[derive(Deserialize)] #[serde(rename_all = "camelCase")] @@ -314,6 +315,7 @@ } } } +/* async fn generate_shared( config: &Config, display_name: &str, @@ -332,7 +334,7 @@ .await?, owners: expectations.owners.clone(), }) -} +}*/ async fn parse_public( public: Option, @@ -625,10 +627,11 @@ #[tabled(rename = "Owners")] owners: String, } - let mut table = vec![]; + // let mut table = vec![]; for name in configured.iter().cloned() { let config = config.clone(); let data = config.shared_secret(&name).expect("exists"); + /* let definition = config.shared_secret_definition(&name)?; let expectations = definition.expectations()?; let owners = data @@ -645,8 +648,9 @@ owners: owners.join(", "), name, }) +*/ } - info!("loaded\n{}", Table::new(table).to_string()) + // info!("loaded\n{}", Table::new(table).to_string()) } Secret::Edit { name, --- a/crates/fleet-base/src/host.rs +++ b/crates/fleet-base/src/host.rs @@ -23,7 +23,6 @@ use crate::{ command::MyCommand, fleetdata::{FleetData, FleetSecretData, FleetSecretDistribution, FleetSecretDistributions}, - secret::{HostSecretDefinition, SharedSecretDefinition}, }; pub struct FleetConfigInternals { @@ -31,7 +30,7 @@ pub directory: PathBuf, /// builtins.currentSystem pub local_system: String, - pub data: Mutex, + pub data: Arc>, pub nix_args: Vec, /// fleet_config.config pub config_field: Value, @@ -520,13 +519,6 @@ let nixos = self.nixos_unchecked_config()?; let secrets = nix_go!(nixos.secrets); secrets.list_fields() - } - pub fn secret_definition(&self, name: &str) -> Result { - let nixos = self.nixos_unchecked_config()?; - Ok(HostSecretDefinition( - self.name.clone(), - nix_go!(nixos.secrets[{ name }]), - )) } /// Packages for this host, resolved with nixpkgs overlays @@ -665,12 +657,6 @@ pub fn shared_secret(&self, secret: &str) -> Option { let data = self.data(); data.secrets.get(secret).cloned() - } - pub fn shared_secret_definition(&self, secret: &str) -> Result { - let config_field = &self.config_field; - Ok(SharedSecretDefinition(nix_go!( - config_field.sharedSecrets[{ secret }] - ))) } // TODO: Should this be something modifiable from other processes? --- a/crates/fleet-base/src/opts.rs +++ b/crates/fleet-base/src/opts.rs @@ -211,7 +211,7 @@ } let bytes = std::fs::read_to_string(&fleet_data_path).context("reading fleet state (fleet.nix)")?; - let data = Mutex::new(FleetData::from_str(&bytes)?); + let data = Arc::new(Mutex::new(FleetData::from_str(&bytes)?)); let mut fetch_settings = FetchSettings::new(); fetch_settings.set(c"warn-dirty", c"false"); @@ -239,8 +239,7 @@ let builtins_field = Value::eval("builtins")?; let fleet_root = flake.get_field("fleetConfigurations")?; - let data_val = Value::serialized(&data)?; - let fleet_field = nix_go!(fleet_root.default(data_val)); + let fleet_field = nix_go!(fleet_root.default(Obj {})); let config_field = nix_go!(fleet_field.config); --- a/crates/fleet-base/src/primops.rs +++ b/crates/fleet-base/src/primops.rs @@ -1,4 +1,9 @@ -use nix_eval::NativeFn; +use std::collections::HashMap; +use std::sync::{Arc, Mutex}; + +use nix_eval::{NativeFn, Value}; + +use crate::fleetdata::{FleetData, FleetSecrets}; #[derive(thiserror::Error, Debug)] enum Error {} @@ -15,30 +20,32 @@ fn host_parts(&self, host: &str, name: &str) -> Parts; } -struct FsSecretsBackend { +struct FsSecretsBackend {} -} - -pub fn init_primops() { +pub fn init_primops(secrets: Arc>) { NativeFn::new( - c"fleet_ensure_secret", + c"fleet_ensure_host_secret", c"Ensure secret existence for a host, regenerating it in case of some mismatch", - [ - c"host", - c"secret", - c"expected_parts", - c"expected_encrypted_parts", - c"generator", - ], - |[ - host, - secret, - expected_parts, - expected_encrypted_parts, - generator, - ]| { - - todo!() + [c"host", c"secret", c"generator"], + |[host, secret, generator]| { + todo!("ensure secret"); + Ok(Value::new_attrs(HashMap::from_iter([( + "raw", + Value::new_str("rawData"), + )]))) + }, + ) + .register(); + NativeFn::new( + c"fleet_ensure_host_secret", + c"Ensure secret existence for a host, regenerating it in case of some mismatch", + [c"host", c"secret", c"generator"], + |[host, secret, generator]| { + todo!("ensure secret"); + Ok(Value::new_attrs(HashMap::from_iter([( + "raw", + Value::new_str("rawData"), + )]))) }, ) .register(); --- a/crates/fleet-base/src/secret.rs +++ b/crates/fleet-base/src/secret.rs @@ -1,8 +1,6 @@ use std::collections::BTreeSet; -use anyhow::Result; use chrono::{DateTime, Utc}; -use nix_eval::{Value, nix_go, nix_go_json}; use crate::fleetdata::FleetSecretData; @@ -12,63 +10,6 @@ pub generation_data: serde_json::Value, pub public_parts: BTreeSet, pub private_parts: BTreeSet, -} - -pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value); -impl HostSecretDefinition { - pub fn is_managed(&self) -> Result { - let def = self.definition_value()?; - Ok(!nix_go!(def.generator).is_null()) - } - pub fn is_shared(&self) -> Result { - let def = self.definition_value()?; - Ok(nix_go_json!(def.shared)) - } - pub fn expectations(&self) -> Result { - let def = self.definition_value()?; - let parts = nix_go!(def.parts); - - let mut public_parts = BTreeSet::new(); - let mut private_parts = BTreeSet::new(); - for part in parts.list_fields()? { - if nix_go_json!(parts[&part].encrypted) { - private_parts.insert(part.clone()); - } else { - public_parts.insert(part.clone()); - } - } - - Ok(Expectations { - owners: BTreeSet::from([self.0.clone()]), - generation_data: nix_go_json!(def.expectedGenerationData), - public_parts, - private_parts, - }) - } - pub fn definition_value(&self) -> Result { - let value = &self.1; - Ok(nix_go!(value.definition)) - } -} - -pub struct SharedSecretDefinition(pub(crate) Value); -impl SharedSecretDefinition { - pub fn is_managed(&self) -> Result { - let value = &self.0; - Ok(!nix_go!(value.generator).is_null()) - } - pub fn expectations(&self) -> Result { - let value = &self.0; - Ok(Expectations { - owners: nix_go_json!(value.expectedOwners), - generation_data: nix_go_json!(value.expectedGenerationData), - public_parts: nix_go_json!(value.expectedPublicParts), - private_parts: nix_go_json!(value.expectedPrivateParts), - }) - } - pub fn definition_value(&self) -> Value { - self.0.clone() - } } #[derive(thiserror::Error, Debug)] --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -6,5 +6,4 @@ ./nixos.nix ./nixpkgs.nix ./secrets.nix - ./secrets-data.nix ] --- a/modules/nixos/secrets.nix +++ b/modules/nixos/secrets.nix @@ -8,50 +8,26 @@ let inherit (builtins) hashString - elemAt - length toJSON - filter ; inherit (lib.stringsWithDeps) stringAfter; inherit (lib.options) mkOption literalExpression; inherit (lib.lists) optional; - inherit (lib.attrsets) mapAttrs mapAttrsToList; - inherit (lib.modules) mkIf mkMerge; + inherit (lib.attrsets) mapAttrs; + inherit (lib.modules) mkIf; inherit (lib.types) submodule str attrsOf nullOr unspecified - lazyAttrsOf uniq functionTo package - listOf - bool ; inherit (fleetLib.strings) decodeRawSecret; sysConfig = config; - secretPartDataType = submodule { - options = { - raw = mkOption { - type = str; - internal = true; - description = "Encoded & Encrypted secret part data, passed from fleet.nix"; - }; - }; - }; - secretDataType = submodule { - freeformType = lazyAttrsOf secretPartDataType; - options = { - shared = mkOption { - description = "Is this secret owned by this machine, or propagated from shared secrets"; - default = false; - }; - }; - }; secretPartType = secretName: submodule ( @@ -61,11 +37,6 @@ in { options = { - encrypted = mkOption { - type = bool; - description = "Is this secret part supposed to be encrypted?"; - }; - hash = mkOption { type = str; description = "Hash of secret in encoded format"; @@ -82,17 +53,17 @@ type = str; description = "Secret public data (only available for plaintext)"; }; + raw = mkOption { + type = str; + description = "Raw (encoded/encrypted secret part data)"; + }; + }; + config = { + hash = hashString "sha1" config.raw; + data = decodeRawSecret config.raw; + path = "/run/secrets/${secretName}/${config.hash}-${partName}"; + stablePath = "/run/secrets/${secretName}/${partName}"; }; - config = - let - raw = sysConfig.data.secrets.${secretName}.${partName}.raw; - in - { - hash = hashString "sha1" raw; - data = decodeRawSecret raw; - path = "/run/secrets/${secretName}/${config.hash}-${partName}"; - stablePath = "/run/secrets/${secretName}/${partName}"; - }; } ); secretType = submodule ( @@ -105,14 +76,9 @@ in { options = { - shared = mkOption { - type = bool; - description = "Was this secret propagated from a shared secret?"; - }; parts = mkOption { - type = lazyAttrsOf (secretPartType secretName); + type = attrsOf (secretPartType secretName); description = "Definition of secret parts"; - default = { }; }; generator = mkOption { type = uniq (nullOr (functionTo package)); @@ -134,47 +100,14 @@ description = "Group of the secret"; default = sysConfig.users.users.${config.owner}.group; defaultText = literalExpression "config.users.users.$${owner}.group"; - }; - expectedGenerationData = mkOption { - type = unspecified; - description = "Data that gets embedded into secret part"; - default = null; }; }; config = { - shared = (sysConfig.data.secrets.${secretName} or { shared = false; }).shared; - parts = mkMerge [ - (mkIf (config.generator != null) - ( - # Get fake derivation body, in future it should be implemented the same way as in Rust. - lib.callPackageWith ( - pkgs - // { - mkSecretGenerator = pkgs.stdenv.mkDerivation; - mkImpureSecretGenerator = pkgs.stdenv.mkDerivation; - } - ) config.generator { } - ).parts - ) - (mapAttrs (_: _: { }) ( - removeAttrs (sysConfig.data.secrets.${secretName} or { }) [ - "shared" - "managed" - ] - )) - ]; + parts = builtins.fleet_ensure_host_secret sysConfig.networking.hostName secretName config.generator; }; } ); - processPart = secretName: partName: part: { - inherit (part) path stablePath; - raw = config.data.secrets.${secretName}.${partName}.raw; - }; - processSecret = secretName: secret: { - inherit (secret.definition) group mode owner; - parts = (mapAttrs (processPart secretName) (secret.definition.parts)); - }; - secretsData = (mapAttrs (processSecret) config.secrets); + secretsData = (mapAttrs (_: s: s.definition) config.secrets); secretsFile = pkgs.writeTextFile { name = "secrets.json"; text = toJSON secretsData; @@ -185,11 +118,6 @@ in { options = { - data.secrets = mkOption { - type = attrsOf secretDataType; - default = { }; - description = "Host-local secret data"; - }; secrets = mkOption { type = attrsOf secretType; default = { }; --- a/modules/secrets-data.nix +++ /dev/null @@ -1,95 +0,0 @@ -{ - lib, - fleetLib, - ... -}: -let - inherit (fleetLib.options) mkDataOption; - inherit (lib.options) mkOption; - inherit (lib.types) - nullOr - listOf - str - attrsOf - submodule - bool - unspecified - ; - - secretDataValue = { - options = { - raw = mkOption { - type = nullOr str; - description = "Raw secret data in unspecified encoded and optionally encrypted format."; - default = null; - }; - }; - }; - - sharedSecretData = { - freeformType = attrsOf (submodule secretDataValue); - options = { - managed = mkOption { - type = nullOr bool; - description = "Is current fleet data value is generated by generator"; - default = null; - }; - - createdAt = mkOption { - type = str; - description = "Timestamp of secret generation/last rotation."; - default = null; - }; - expiresAt = mkOption { - type = nullOr str; - description = "Expiration timestamp triggering mandatory secret rotation."; - default = null; - }; - - owners = mkOption { - type = listOf str; - description = '' - List of hosts currently authorized to decrypt this shared secret. - - If owners differ from expected owners, the secret is considered outdated - and requires regeneration or re-encryption. - ''; - default = [ ]; - }; - generationData = mkOption { - type = unspecified; - description = "Contextual metadata associated with secret part."; - default = null; - }; - }; - }; - - managerKey = { - options = { - name = mkOption { - type = str; - description = "Who does this manager key belongs to."; - }; - key = mkOption { - type = str; - description = "Age-compatible key"; - }; - }; - config = { }; - }; -in -{ - options.data = mkDataOption ({ config, ... }: - { - options = { - managerKeys = mkOption { - type = listOf (submodule managerKey); - }; - secrets = mkOption { - type = attrsOf (listOf submodule sharedSecretData); - default = { }; - description = "Shared secret data."; - }; - }; - }); -} --- a/modules/secrets.nix +++ b/modules/secrets.nix @@ -5,7 +5,6 @@ let inherit (lib.options) mkOption literalExpression; inherit (lib.types) - unspecified nullOr listOf str @@ -66,22 +65,7 @@ An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data, use `mkSecretGenerator` helpers to implement own generators. ''; - default = null; - }; - expectedGenerationData = mkOption { - type = unspecified; - description = "Contextual metadata embedded within the secret part value"; default = null; - }; - expectedPrivateParts = mkOption { - type = listOf str; - default = [ ]; - description = "List of parts that are expected to be encrypted"; - }; - expectedPublicParts = mkOption { - type = listOf str; - default = [ ]; - description = "List of parts that are expected to be public"; }; }; }; -- gitstuff