difftreelog
feat expected secret parts
in: trunk
16 files changed
Cargo.lockdiffbeforeafterboth1055 "shlex",1055 "shlex",1056 "tabled",1056 "tabled",1057 "tempfile",1057 "tempfile",1058 "thiserror 2.0.17",1058 "time",1059 "time",1059 "tokio",1060 "tokio",1060 "tokio-util",1061 "tokio-util",1087 "serde_json",1088 "serde_json",1088 "tabled",1089 "tabled",1089 "tempfile",1090 "tempfile",1091 "thiserror 2.0.17",1090 "time",1092 "time",1091 "tokio",1093 "tokio",1092 "tokio-util",1094 "tokio-util",cmds/fleet/Cargo.tomldiffbeforeafterboth47nom = "8.0.0"47nom = "8.0.0"48opentelemetry = "0.30.0"48opentelemetry = "0.30.0"49opentelemetry_sdk = "0.30.0"49opentelemetry_sdk = "0.30.0"50thiserror.workspace = true50tracing-indicatif = { version = "0.3", optional = true }51tracing-indicatif = { version = "0.3", optional = true }51tracing-opentelemetry = "0.31.0"52tracing-opentelemetry = "0.31.0"5253cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth2 collections::{BTreeMap, BTreeSet, HashSet},2 collections::{BTreeMap, BTreeSet, HashSet},3 io::{self, Read, Write, stdin, stdout},3 io::{self, Read, Write, stdin, stdout},4 path::PathBuf,4 path::PathBuf,5 slice,6};5};768use age::Recipient;9use anyhow::{Context, Result, anyhow, bail, ensure};7use anyhow::{Context, Result, anyhow, bail, ensure};10use chrono::{DateTime, Utc};8use chrono::{DateTime, Utc};11use clap::Parser;9use clap::Parser;12use fleet_base::{10use fleet_base::{13 fleetdata::{FleetSecret, FleetSecretPart, FleetSharedSecret, encrypt_secret_data},11 fleetdata::{12 FleetHostSecret, FleetSecretData, FleetSecretPart, FleetSharedSecret, encrypt_secret_data,13 },14 host::Config,14 host::Config,15 opts::FleetOpts,15 opts::FleetOpts,16 secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},16};17};17use fleet_shared::SecretData;18use fleet_shared::SecretData;18use nix_eval::{NixType, Value, nix_go, nix_go_json};19use nix_eval::{NixType, Value, nix_go, nix_go_json};146 },147 },147}148}148149149fn secret_needs_regeneration(150 secret: &FleetSecret,151 expected_generation_data: &serde_json::Value,152) -> bool {153 let data_is_expected = secret.generation_data == *expected_generation_data;154 // TODO: Leeway?155 let expired = secret156 .expires_at157 .map(|expiration| expiration < Utc::now())158 .unwrap_or(false);159 expired || !data_is_expected160}161162#[allow(clippy::too_many_arguments)]150#[allow(clippy::too_many_arguments)]163#[tracing::instrument(skip(config, secret, field, prefer_identities))]151#[tracing::instrument(skip(config, secret, definition, prefer_identities))]164async fn maybe_regenerate_shared_secret(152async fn maybe_regenerate_shared_secret(165 secret_name: &str,153 secret_name: &str,166 config: &Config,154 config: &Config,167 mut secret: FleetSharedSecret,155 mut secret: FleetSharedSecret,168 field: Value,156 definition: SharedSecretDefinition,169 expected_owners: &[String],170 expected_generation_data: serde_json::Value,171 prefer_identities: &[String],157 prefer_identities: &[String],158 expectations: &Expectations,172) -> Result<FleetSharedSecret> {159) -> Result<FleetSharedSecret> {173 let original_set = secret.owners.clone();160 let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);161 let value = definition.inner();174162175 let set = original_set.iter().collect::<BTreeSet<_>>();163 let (should_reencrypt, reason) = match reason {176 let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();164 Some(RegenerationReason::OwnersAdded(_)) => {177178 let regeneration_required =179 secret_needs_regeneration(&secret.secret, &expected_generation_data);165 // Secret always needs to be reencrypted for new owners to be able to read it180181 if set == expected_set && !regeneration_required {182 info!("no need to update owner list, it is already correct");183 return Ok(secret);166 (184 }167 true,185186 let should_regenerate = if regeneration_required {168 if nix_go_json!(value.regenerateOnOwnerAdded) {187 info!("secret has its generation data changed, regeneration is required");169 reason188 true189 } else if set.difference(&expected_set).next().is_some() {170 } else {190 // TODO: Remove this warning for revokable secrets.171 None191 warn!(172 },192 "host was removed from secret owners, but until this host rebuild, the secret will still be stored on it."173 )174 }175 Some(RegenerationReason::OwnersRemoved(_)) => {176 // No need to reencrypt, we can just leave stanzas in place.193 );177 if nix_go_json!(value.regenerateOnOwnerRemoved) {194 nix_go_json!(field.regenerateOnOwnerRemoved)195 } else if expected_set.difference(&set).next().is_some() {178 (true, reason)179 } else {196 nix_go_json!(field.regenerateOnOwnerAdded)180 (false, None)197 } else {181 }182 }183 Some(_) => (true, reason),198 false184 None => (false, None),199 };185 };200186201 if should_regenerate {187 if let Some(reason) = reason {202 info!("secret needs to be regenerated");188 info!("secret needs to be regenerated: {reason}");203 let generated = generate_shared(189 let generated = generate_shared(config, secret_name, definition, expectations).await?;204 config,205 secret_name,206 field,207 expected_owners.to_vec(),208 expected_generation_data,209 )210 .await?;211 Ok(generated)190 Ok(generated)212 } else {191 } else if should_reencrypt {192 info!("secret needs to be reencrypted");213 let identity_holder = if !prefer_identities.is_empty() {193 let identity_holder = if !prefer_identities.is_empty() {214 prefer_identities194 prefer_identities215 .iter()195 .iter()216 .find(|i| original_set.iter().any(|s| s == *i))196 .find(|i| secret.owners.iter().any(|s| s == *i))217 } else {197 } else {218 secret.owners.first()198 secret.owners.first()219 };199 };228 }208 }229 let host = config.host(identity_holder).await?;209 let host = config.host(identity_holder).await?;230 let encrypted = host210 let encrypted = host231 .reencrypt(part.raw.clone(), expected_owners.to_vec())211 .reencrypt(212 part.raw.clone(),213 expectations.owners.iter().cloned().collect(),214 )232 .await?;215 .await?;233 part.raw = encrypted;216 part.raw = encrypted;234 }217 }235236 secret.owners = expected_owners.to_vec();218 secret.owners = expectations.owners.clone();237 Ok(secret)219 Ok(secret)220 } else {221 Ok(secret)238 }222 }239}223}240224250 _display_name: &str,234 _display_name: &str,251 _secret: Value,235 _secret: Value,252 _default_generator: Value,236 _default_generator: Value,253 _owners: &[String],237 _expectations: &Expectations,254) -> Result<FleetSecret> {238) -> Result<FleetSecretData> {255 bail!("pure generators are broken for now")239 bail!("pure generators are broken for now")256}240}257async fn generate_impure(241async fn generate_impure(258 config: &Config,242 config: &Config,259 _display_name: &str,243 _display_name: &str,260 secret: Value,244 secret: Value,261 default_generator: Value,245 default_generator: Value,262 expected_owners: &[String],246 expectations: &Expectations,263 expected_generation_data: serde_json::Value,264) -> Result<FleetSecret> {247) -> Result<FleetSecretData> {265 let generator = nix_go!(secret.generator);248 let generator = nix_go!(secret.generator);266 let on: Option<String> = nix_go_json!(default_generator.impureOn);249 let on: Option<String> = nix_go_json!(default_generator.impureOn);267250276 let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);259 let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);277260278 let mut recipients = Vec::new();261 let mut recipients = Vec::new();279 for owner in expected_owners {262 for owner in &expectations.owners {280 let key = config.key(owner).await?;263 let key = config.key(owner).await?;281 recipients.push(key);264 recipients.push(key);282 }265 }283 let generators = nix_go!(mk_secret_generators(Obj { recipients }));266 let generators = nix_go!(mk_secret_generators(Obj { recipients }));284 // FIXME: Apparently, // operator is slow in nix285 let pkgs_and_generators = on_pkgs.attrs_update(generators)?;267 let pkgs_and_generators = on_pkgs.attrs_update(generators)?;286268287 let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));269 let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));331 let created_at = host.read_file_value(format!("{out}/created_at")).await?;313 let created_at = host.read_file_value(format!("{out}/created_at")).await?;332 let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();314 let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();333315334 Ok(FleetSecret {316 let new_data = FleetSecretData {335 created_at,317 created_at,336 expires_at,318 expires_at,337 parts,319 parts,338 generation_data: expected_generation_data,320 generation_data: expectations.generation_data.clone(),339 })321 };322323 if let Some(reason) = secret_needs_regeneration(&new_data, &expectations.owners, expectations) {324 bail!("newly generated secret needs to be regenerated: {reason}")325 }326327 Ok(new_data)340}328}329341async fn generate(330async fn generate(342 config: &Config,331 config: &Config,343 display_name: &str,332 display_name: &str,344 secret: Value,333 secret: Value,345 expected_owners: &[String],334 expectations: &Expectations,346 expected_generation_data: serde_json::Value,347) -> Result<FleetSecret> {335) -> Result<FleetSecretData> {348 let generator = nix_go!(secret.generator);336 let generator = nix_go!(secret.generator);349 // Can't properly check on nix module system level337 // Can't properly check on nix module system level350 {338 {388 display_name,376 display_name,389 secret,377 secret,390 default_generator,378 default_generator,391 expected_owners,379 expectations,392 expected_generation_data,393 )380 )394 .await381 .await395 }382 }399 display_name,386 display_name,400 secret,387 secret,401 default_generator,388 default_generator,402 expected_owners,389 expectations,403 )390 )404 .await391 .await405 }392 }408async fn generate_shared(395async fn generate_shared(409 config: &Config,396 config: &Config,410 display_name: &str,397 display_name: &str,411 secret: Value,398 secret: SharedSecretDefinition,412 expected_owners: Vec<String>,399 expectations: &Expectations,413 expected_generation_data: serde_json::Value,414) -> Result<FleetSharedSecret> {400) -> Result<FleetSharedSecret> {415 // let owners: Vec<String> = nix_go_json!(secret.expectedOwners);401 // let owners: Vec<String> = nix_go_json!(secret.expectedOwners);416 Ok(FleetSharedSecret {402 Ok(FleetSharedSecret {417 secret: generate(403 managed: Some(true),418 config,404 secret: generate(config, display_name, secret.inner(), expectations).await?,419 display_name,420 secret,421 &expected_owners,422 expected_generation_data,423 )424 .await?,425 owners: expected_owners,405 owners: expectations.owners.clone(),426 })406 })427}407}428408457}437}458438459fn parse_machines(439fn parse_machines(460 initial: Vec<String>,440 initial: BTreeSet<String>,461 machines: Option<Vec<String>>,441 machines: Option<Vec<String>>,462 mut add_machines: Vec<String>,442 mut add_machines: Vec<String>,463 mut remove_machines: Vec<String>,443 mut remove_machines: Vec<String>,464) -> Result<Vec<String>> {444) -> Result<BTreeSet<String>> {465 if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {445 if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {466 bail!("no operation");446 bail!("no operation");467 }447 }470 let mut target_machines = initial;450 let mut target_machines = initial;471 info!("Currently encrypted for {initial_machines:?}");451 info!("Currently encrypted for {initial_machines:?}");472452473 // ensure!(machines.is_some() || !add_machines.is_empty() || )474 if let Some(machines) = machines {453 if let Some(machines) = machines {475 ensure!(454 ensure!(476 add_machines.is_empty() && remove_machines.is_empty(),455 add_machines.is_empty() && remove_machines.is_empty(),487 }466 }488467489 for machine in &remove_machines {468 for machine in &remove_machines {490 let mut removed = false;469 if !target_machines.remove(machine) {491 while let Some(pos) = target_machines.iter().position(|m| m == machine) {492 target_machines.swap_remove(pos);493 removed = true;494 }495 if !removed {496 warn!("secret is not enabled for {machine}");470 warn!("secret is not enabled for {machine}");497 }471 }498 }472 }499 for machine in &add_machines {473 for machine in &add_machines {500 if target_machines.iter().any(|m| m == machine) {474 if !target_machines.insert(machine.to_owned()) {501 warn!("secret is already added to {machine}");475 warn!("secret is already added to {machine}");502 } else {503 target_machines.push(machine.to_owned());504 }476 }505 }477 }506 if !remove_machines.is_empty() {478 if !remove_machines.is_empty() {527 }499 }528 }500 }529 Secret::AddShared {501 Secret::AddShared {530 mut machines,502 machines,531 name,503 name,532 force,504 force,533 public,505 public,537 re_add,509 re_add,538 part: part_name,510 part: part_name,539 } => {511 } => {512 let mut machines: BTreeSet<String> = machines.into_iter().collect();540 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).513 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).541514542 let exists = config.has_shared(&name);515 if let Some(old_shared) = config.shared_secret(&name)? {543 if exists && !force && !re_add {516 if !force && !re_add {544 bail!("secret already defined");517 bail!("secret already defined");545 }518 };546 if re_add {519 if old_shared.managed.unwrap_or(false) {520 bail!("secret is marked as managed, should not be updated manually");521 };522 if re_add {547 // Fixme: use clap to limit this usage523 // Fixme: use clap to limit this usage548 ensure!(!force, "--force and --readd are not compatible");524 ensure!(!force, "--force and --readd are not compatible");549 ensure!(exists, "secret doesn't exists");525 ensure!(550 ensure!(526 machines.is_empty(),551 machines.is_empty(),552 "you can't use machines argument for --readd"527 "you can't use machines argument for --readd"553 );528 );554 let shared = config.shared_secret(&name)?;529 machines = old_shared.owners;555 machines = shared.owners;530 }531 } else if re_add {532 bail!("secret doesn't exists");556 }533 };557534558 let recipients = config.recipients(machines.clone()).await?;535 let recipients = config536 .recipients(machines.iter().cloned().collect())537 .await?;559538560 let mut parts = BTreeMap::new();539 let mut parts = BTreeMap::new();561540562 let mut input = vec![];541 let mut input = vec![];563 io::stdin().read_to_end(&mut input)?;542 io::stdin().read_to_end(&mut input)?;564543565 if !input.is_empty() {544 if !input.is_empty() {566 let encrypted =545 let encrypted = encrypt_secret_data(recipients.iter(), input)567 encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)568 .ok_or_else(|| anyhow!("no recipients provided"))?;546 .ok_or_else(|| anyhow!("no recipients provided"))?;569 parts.insert(part_name, FleetSecretPart { raw: encrypted });547 parts.insert(part_name, FleetSecretPart { raw: encrypted });570 }548 }571549576 config.replace_shared(554 config.replace_shared(577 name,555 name,578 FleetSharedSecret {556 FleetSharedSecret {557 managed: Some(false),579 owners: machines,558 owners: machines,580 secret: FleetSecret {559 secret: FleetSecretData {581 created_at: Utc::now(),560 created_at: Utc::now(),582 expires_at,561 expires_at,583 parts,562 parts,607 .host_secret(&machine, &name)586 .host_secret(&machine, &name)608 .context("failed to read existing secret for --merge")?587 .context("failed to read existing secret for --merge")?609 } else {588 } else {610 FleetSecret {589 FleetHostSecret {611 created_at: Utc::now(),590 managed: Some(false),591 secret: FleetSecretData {592 created_at: Utc::now(),612 expires_at: None,593 expires_at: None,613 parts: BTreeMap::new(),594 parts: BTreeMap::new(),614 generation_data: serde_json::Value::Null,595 generation_data: serde_json::Value::Null,596 },615 }597 }616 };598 };599 if out.managed.unwrap_or(false) {600 bail!("secret is managed by fleet and should not be updated manually");601 }602 out.managed = Some(false);617603618 if let Some(secret) = parse_secret().await? {604 if let Some(secret) = parse_secret().await? {619 let recipient = config.recipient(&machine).await?;605 let recipient = config.recipient(&machine).await?;620 let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)606 let encrypted =621 .expect("recipient provided");607 encrypt_secret_data([&recipient], secret).expect("recipient provided");622 if out608 if out609 .secret623 .parts610 .parts624 .insert(part_name.clone(), FleetSecretPart { raw: encrypted })611 .insert(part_name.clone(), FleetSecretPart { raw: encrypted })625 .is_some() && !replace612 .is_some() && !replace626 {613 {627 bail!("part {part_name:?} is already defined");614 bail!(615 "part {part_name:?} is already defined, use --replace if you wish to replace it"616 );628 }617 }629 }618 }630619631 if let Some(public) = parse_public(public, public_file).await? {620 if let Some(public) = parse_public(public, public_file).await? {632 if out621 if out622 .secret633 .parts623 .parts634 .insert(public_name.clone(), FleetSecretPart { raw: public })624 .insert(public_name.clone(), FleetSecretPart { raw: public })635 .is_some() && !replace625 .is_some() && !replace636 {626 {637 bail!("part {public_name:?} is already defined");627 bail!(628 "part {public_name:?} is already defined, use --replace if you wish to replace it"629 );638 }630 }639 };631 };640632647 part: part_name,639 part: part_name,648 } => {640 } => {649 let secret = config.host_secret(&machine, &name)?;641 let secret = config.host_secret(&machine, &name)?;650 let Some(secret) = secret.parts.get(&part_name) else {642 let Some(secret) = secret.secret.parts.get(&part_name) else {651 bail!("no part {part_name} in secret {name}");643 bail!("no part {part_name} in secret {name}");652 };644 };653 let data = if secret.raw.encrypted {645 let data = if secret.raw.encrypted {664 part: part_name,656 part: part_name,665 prefer_identities,657 prefer_identities,666 } => {658 } => {667 let secret = config.shared_secret(&name)?;659 let Some(secret) = config.shared_secret(&name)? else {660 bail!("secret doesn't exists");661 };668 let Some(part) = secret.secret.parts.get(&part_name) else {662 let Some(part) = secret.secret.parts.get(&part_name) else {669 bail!("no part {part_name} in secret {name}");663 bail!("no part {part_name} in secret {name}");670 };664 };695 } => {689 } => {696 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).690 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).697691698 let secret = config.shared_secret(&name)?;692 let Some(secret) = config.shared_secret(&name)? else {693 bail!("secret doesn't exists");694 };699 if secret.secret.parts.values().all(|v| !v.raw.encrypted) {695 if secret.secret.parts.values().all(|v| !v.raw.encrypted) {700 bail!("no secret");696 bail!("no secret");701 }697 }714 return Ok(());710 return Ok(());715 }711 }716712717 let config_field = &config.config_field;713 let definition = config.shared_secret_definition(&name)?;718 let name_clone = name.clone();719 let field = nix_go!(config_field.sharedSecrets[name_clone]);714 let expectations = definition.expectations()?;720 let expected_generation_data = nix_go_json!(field.expectedGenerationData);721715722 let updated = maybe_regenerate_shared_secret(716 let updated = maybe_regenerate_shared_secret(723 &name,717 &name,724 config,718 config,725 secret,719 secret,726 field,720 definition,727 &target_machines,728 expected_generation_data,729 &prefer_identities,721 &prefer_identities,730 // None,722 &expectations,731 )723 )732 .await?;724 .await?;733 config.replace_shared(name, updated);725 config.replace_shared(name, updated);737 skip_hosts,729 skip_hosts,738 } => {730 } => {739 info!("checking for secrets to regenerate");731 info!("checking for secrets to regenerate");732 let expected_shared_set = config733 .list_configured_shared()734 .await?735 .into_iter()736 .collect::<HashSet<_>>();740 let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();737 let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();741 {738 {742 // Generate missing shared739 // Generate missing shared743 let _span = info_span!("shared").entered();740 let _span = info_span!("shared").entered();744 let expected_shared_set = config745 .list_configured_shared()746 .await?747 .into_iter()748 .collect::<HashSet<_>>();749 for missing in expected_shared_set.difference(&stored_shared_set) {741 for missing in expected_shared_set.difference(&stored_shared_set) {750 let config_field = &config.config_field;742 let definition = config.shared_secret_definition(missing)?;751 let secret = nix_go!(config_field.sharedSecrets[{ missing }]);752 let expected_generation_data: serde_json::Value =743 if !definition.is_managed()? {753 nix_go_json!(secret.expectedGenerationData);754 let expected_owners: Option<Vec<String>> =755 nix_go_json!(secret.expectedOwners);744 info!("skipping unmanaged secret: {missing}");756 let Some(expected_owners) = expected_owners else {757 // Can't generate this missing secret, as it has no defined owners.758 continue;745 continue;759 };746 }747 let expectations = definition.expectations()?;760 info!("generating secret: {missing}");748 info!("generating secret: {missing}");761 let shared = generate_shared(749 let shared = generate_shared(config, missing, definition, &expectations)762 config,763 missing,764 secret,765 expected_owners,766 expected_generation_data,767 )768 .in_current_span()750 .in_current_span()769 .await?;751 .await?;770 config.replace_shared(missing.to_string(), shared)752 config.replace_shared(missing.to_string(), shared)771 }753 }772 }754 }778760779 let _span = info_span!("host", host = host.name).entered();761 let _span = info_span!("host", host = host.name).entered();780 let expected_set = host762 let expected_set = host781 .list_configured_secrets()763 .list_defined_secrets()?782 .in_current_span()783 .await?784 .into_iter()764 .into_iter()785 .collect::<HashSet<_>>();765 .collect::<HashSet<_>>();786 let stored_set = config766 let stored_set = config787 .list_secrets(&host.name)767 .list_secrets(&host.name)788 .into_iter()768 .into_iter()789 .collect::<HashSet<_>>();769 .collect::<HashSet<_>>();790 for missing in expected_set.difference(&stored_set) {770 for missing_secret in expected_set.difference(&stored_set) {791 info!("generating secret: {missing}");771 info!("generating missing secret: {missing_secret}");792 let secret = host.secret_field(missing).in_current_span().await?;772 let definition = host.secret_definition(missing_secret)?;793 let expected_generation_data =773 let expectations = definition.expectations()?;794 nix_go_json!(secret.expectedGenerationData);795 let generated = match generate(774 let generated = match generate(796 config,775 config,797 missing,776 missing_secret,798 secret,777 definition.inner(),799 slice::from_ref(&host.name),800 expected_generation_data,778 &expectations,801 )779 )802 .in_current_span()780 .in_current_span()803 .await781 .await808 continue;786 continue;809 }787 }810 };788 };811 config.insert_secret(&host.name, missing.to_string(), generated)789 config.insert_secret(790 &host.name,791 missing_secret.to_string(),792 FleetHostSecret {793 managed: Some(true),794 secret: generated,795 },796 )812 }797 }813 for name in stored_set {798 for known_secret in stored_set.intersection(&expected_set) {814 info!("updating secret: {name}");799 info!("updating secret: {known_secret}");815 let data = config.host_secret(&host.name, &name)?;800 let data = config.host_secret(&host.name, known_secret)?;816 let secret = host.secret_field(&name).in_current_span().await?;801 let definition = host.secret_definition(known_secret)?;817 let expected_generation_data =802 let expectations = definition.expectations()?;818 nix_go_json!(secret.expectedGenerationData);803 if let Some(regen_reason) = data.needs_regeneration(&expectations) {819 if secret_needs_regeneration(&data, &expected_generation_data) {804 info!("needs regeneration: {regen_reason}");820 let generated = match generate(805 let generated = match generate(821 config,806 config,822 &name,807 known_secret,823 secret,808 definition.inner(),824 slice::from_ref(&host.name),825 expected_generation_data,809 &expectations,826 )810 )827 .in_current_span()811 .in_current_span()828 .await812 .await833 continue;817 continue;834 }818 }835 };819 };836 config.insert_secret(&host.name, name.to_string(), generated)820 config.insert_secret(821 &host.name,822 known_secret.to_string(),823 FleetHostSecret {824 managed: Some(true),825 secret: generated,826 },827 )837 }828 }838 }829 }830 for removed_secret in stored_set.difference(&expected_set) {831 info!("removing secret: {removed_secret}");832 config.remove_secret(&host.name, removed_secret);833 }839 }834 }840 }835 }841 let mut to_remove = Vec::new();836 for known_secret in stored_shared_set.intersection(&expected_shared_set) {842 for name in &stored_shared_set {843 info!("updating secret: {name}");837 info!("updating shared secret: {known_secret}");844 let data = config.shared_secret(name)?;838 let data = config.shared_secret(known_secret)?.expect("exists");845 let config_field = &config.config_field;846 let expected_owners: Option<Vec<String>> =847 nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);848 let Some(expected_owners) = expected_owners else {849 warn!("secret was removed from fleet config: {name}, removing from data");850 to_remove.push(name.to_string());851 continue;852 };853839854 let secret = nix_go!(config_field.sharedSecrets[{ name }]);840 let definition = config.shared_secret_definition(known_secret)?;855 let expected_generation_data = nix_go_json!(secret.expectedGenerationData);841 let expectations = definition.expectations()?;856 config.replace_shared(842 config.replace_shared(857 name.to_owned(),843 known_secret.to_owned(),858 maybe_regenerate_shared_secret(844 maybe_regenerate_shared_secret(859 name,845 known_secret,860 config,846 config,861 data,847 data,862 secret,848 definition,863 &expected_owners,864 expected_generation_data,865 &prefer_identities,849 &prefer_identities,866 // None,850 &expectations,867 )851 )868 .await?,852 .await?,869 );853 );870 }854 }871 for k in to_remove {855 for removed_secret in stored_shared_set.difference(&expected_shared_set) {872 config.remove_shared(&k);856 info!("removing shared secret: {removed_secret}");857 config.remove_shared(removed_secret);873 }858 }874 }859 }875 Secret::List {} => {860 Secret::List {} => {885 let mut table = vec![];870 let mut table = vec![];886 for name in configured.iter().cloned() {871 for name in configured.iter().cloned() {887 let config = config.clone();872 let config = config.clone();888 let expected_owners = config.shared_secret_expected_owners(&name).await?;873 let data = config.shared_secret(&name)?.expect("exists");889 let data = config.shared_secret(&name)?;874 let definition = config.shared_secret_definition(&name)?;875 let expectations = definition.expectations()?;890 let owners = data876 let owners = data891 .owners877 .owners892 .iter()878 .iter()893 .map(|o| {879 .map(|o| {894 if expected_owners.contains(o) {880 if expectations.owners.contains(o) {895 o.green().to_string()881 o.green().to_string()896 } else {882 } else {897 o.red().to_string()883 o.red().to_string()912 add,898 add,913 } => {899 } => {914 let secret = config.host_secret(&machine, &name)?;900 let secret = config.host_secret(&machine, &name)?;915 if let Some(data) = secret.parts.get(&part) {901 if let Some(data) = secret.secret.parts.get(&part) {916 let host = config.host(&machine).await?;902 let host = config.host(&machine).await?;917 let secret = host.decrypt(data.raw.clone()).await?;903 let secret = host.decrypt(data.raw.clone()).await?;918 String::from_utf8(secret).context("secret is not utf8")?904 String::from_utf8(secret).context("secret is not utf8")?cmds/fleet/src/main.rsdiffbeforeafterboth27use tracing::{Instrument, error, info, info_span};27use tracing::{Instrument, error, info, info_span};28#[cfg(feature = "indicatif")]28#[cfg(feature = "indicatif")]29use tracing_indicatif::IndicatifLayer;29use tracing_indicatif::IndicatifLayer;30use tracing_subscriber::{EnvFilter, fmt::format::Format, prelude::*};30use tracing_subscriber::{EnvFilter, prelude::*};313132#[derive(Parser)]32#[derive(Parser)]33struct Prefetch {}33struct Prefetch {}crates/fleet-base/Cargo.tomldiffbeforeafterboth24serde_json = "1.0.140"24serde_json = "1.0.140"25tabled = "0.20.0"25tabled = "0.20.0"26tempfile.workspace = true26tempfile.workspace = true27thiserror.workspace = true27time = { version = "0.3.41", features = ["parsing"] }28time = { version = "0.3.41", features = ["parsing"] }28tokio.workspace = true29tokio.workspace = true29tokio-util = "0.7.15"30tokio-util = "0.7.15"crates/fleet-base/src/fleetdata.rsdiffbeforeafterboth1use std::{1use std::{2 collections::BTreeMap,2 collections::{BTreeMap, BTreeSet},3 io::{self, Cursor},3 io::{self, Cursor},4};4};5513use serde::{Deserialize, Serialize, de::Error};13use serde::{Deserialize, Serialize, de::Error};14use serde_json::Value;14use serde_json::Value;1516use crate::secret::{Expectations, RegenerationReason, secret_needs_regeneration};151716#[derive(Serialize, Deserialize, Default)]18#[derive(Serialize, Deserialize, Default)]17#[serde(rename_all = "camelCase")]19#[serde(rename_all = "camelCase")]75 pub shared_secrets: BTreeMap<String, FleetSharedSecret>,77 pub shared_secrets: BTreeMap<String, FleetSharedSecret>,76 #[serde(default)]78 #[serde(default)]77 #[serde(skip_serializing_if = "BTreeMap::is_empty")]79 #[serde(skip_serializing_if = "BTreeMap::is_empty")]78 pub host_secrets: BTreeMap<String, BTreeMap<String, FleetSecret>>,80 pub host_secrets: BTreeMap<String, BTreeMap<String, FleetHostSecret>>,798180 // extra_name => anything82 // extra_name => anything81 #[serde(default)]83 #[serde(default)]82 #[serde(skip_serializing_if = "BTreeMap::is_empty")]84 #[serde(skip_serializing_if = "BTreeMap::is_empty")]83 pub extra: BTreeMap<String, Value>,85 pub extra: BTreeMap<String, Value>,84}86}8586#[derive(Serialize, Deserialize, Clone)]87#[serde(rename_all = "camelCase")]88#[must_use]89pub struct FleetSharedSecret {90 pub owners: Vec<String>,91 #[serde(flatten)]92 pub secret: FleetSecret,93}948795/// Returns None if recipients.is_empty()88/// Returns None if recipients.is_empty()96pub fn encrypt_secret_data<'a>(89pub fn encrypt_secret_data<'r>(97 recipients: impl IntoIterator<Item = &'a dyn Recipient>,90 recipients: impl IntoIterator<Item = &'r Box<dyn Recipient>>,98 data: Vec<u8>,91 data: Vec<u8>,99) -> Option<SecretData> {92) -> Option<SecretData> {100 let mut encrypted = vec![];93 let mut encrypted = vec![];101 let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter())94 let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter().map(|v| &**v))102 .ok()?95 .ok()?103 .wrap_output(&mut encrypted)96 .wrap_output(&mut encrypted)104 .expect("in memory write");97 .expect("in memory write");118#[derive(Serialize, Deserialize, Clone)]111#[derive(Serialize, Deserialize, Clone)]119#[serde(rename_all = "camelCase")]112#[serde(rename_all = "camelCase")]120#[must_use]113#[must_use]121pub struct FleetSecret {114pub struct FleetSecretData {122 #[serde(default = "Utc::now")]115 #[serde(default = "Utc::now")]123 pub created_at: DateTime<Utc>,116 pub created_at: DateTime<Utc>,124 #[serde(default)]117 #[serde(default)]133 pub generation_data: Value,126 pub generation_data: Value,134}127}128129#[derive(Serialize, Deserialize, Clone)]130#[serde(rename_all = "camelCase")]131#[must_use]132pub struct FleetHostSecret {133 #[serde(default)]134 #[serde(skip_serializing_if = "Option::is_none")]135 pub managed: Option<bool>,136 #[serde(flatten)]137 pub secret: FleetSecretData,138}139impl FleetHostSecret {140 pub fn needs_regeneration(&self, expectations: &Expectations) -> Option<RegenerationReason> {141 secret_needs_regeneration(&self.secret, &expectations.owners, expectations)142 }143}144145#[derive(Serialize, Deserialize, Clone)]146#[serde(rename_all = "camelCase")]147#[must_use]148pub struct FleetSharedSecret {149 #[serde(default)]150 #[serde(skip_serializing_if = "Option::is_none")]151 pub managed: Option<bool>,152 pub owners: BTreeSet<String>,153 #[serde(flatten)]154 pub secret: FleetSecretData,155}135156crates/fleet-base/src/host.rsdiffbeforeafterboth222223use crate::{23use crate::{24 command::MyCommand,24 command::MyCommand,25 fleetdata::{FleetData, FleetSecret, FleetSharedSecret},25 fleetdata::{FleetData, FleetHostSecret, FleetSharedSecret},26 secret::{HostSecretDefinition, SharedSecretDefinition},26};27};272828pub struct FleetConfigInternals {29pub struct FleetConfigInternals {234 let is_fleet_managed = match self.file_exists("/etc/FLEET_HOST").await {235 let is_fleet_managed = match self.file_exists("/etc/FLEET_HOST").await {235 Ok(v) => v,236 Ok(v) => v,236 Err(e) => {237 Err(e) => {237 bail!("failed to query remote system kind: {}", e);238 bail!("failed to query remote system kind: {e}");238 }239 }239 };240 };240 if !is_fleet_managed {241 if !is_fleet_managed {501502502 Ok(nixos_config)503 Ok(nixos_config)503 }504 }504 pub async fn nixos_unchecked_config(&self) -> Result<Value> {505 pub fn nixos_unchecked_config(&self) -> Result<Value> {505 if let Some(v) = self.nixos_unchecked_config.get() {506 if let Some(v) = self.nixos_unchecked_config.get() {506 return Ok(v.clone());507 return Ok(v.clone());507 }508 }515 Ok(nixos_config)516 Ok(nixos_config)516 }517 }517518518 pub async fn list_configured_secrets(&self) -> Result<Vec<String>> {519 pub fn list_defined_secrets(&self) -> Result<Vec<String>> {519 let nixos = self.nixos_unchecked_config().await?;520 let nixos = self.nixos_unchecked_config()?;520 let secrets = nix_go!(nixos.secrets);521 let secrets = nix_go!(nixos.secrets);521 let mut out = Vec::new();522 for name in secrets.list_fields()? {522 secrets.list_fields()523 let secret = secrets.get_field(&name).context("getting secret")?;524 let is_shared: bool = nix_go_json!(secret.shared);525 if is_shared {526 continue;527 }528 out.push(name);529 }530 Ok(out)531 }523 }532 pub async fn secret_field(&self, name: &str) -> Result<Value> {524 pub fn secret_definition(&self, name: &str) -> Result<HostSecretDefinition> {533 let nixos = self.nixos_unchecked_config().await?;525 let nixos = self.nixos_unchecked_config()?;534 Ok(nix_go!(nixos.secrets[{ name }]))526 Ok(HostSecretDefinition(527 self.name.clone(),528 nix_go!(nixos.secrets[{ name }]),529 ))535 }530 }536531537 /// Packages for this host, resolved with nixpkgs overlays532 /// Packages for this host, resolved with nixpkgs overlays648643649 pub fn list_secrets(&self, host: &str) -> Vec<String> {644 pub fn list_secrets(&self, host: &str) -> Vec<String> {650 let data = self.data();645 let data = self.data();651 let Some(secrets) = data.host_secrets.get(host) else {646 let mut out = data647 .host_secrets648 .get(host)652 return Vec::new();649 .map(|s| s.keys().cloned().collect::<Vec<String>>())653 };650 .unwrap_or_default();651652 for (name, shared) in data.shared_secrets.iter() {654 secrets.keys().cloned().collect()653 if shared.owners.contains(host) {654 out.push(name.clone());655 }656 }657658 out655 }659 }656660657 pub fn has_secret(&self, host: &str, secret: &str) -> bool {661 pub fn has_secret(&self, host: &str, secret: &str) -> bool {661 };665 };662 host_secrets.contains_key(secret)666 host_secrets.contains_key(secret)663 }667 }664 pub fn insert_secret(&self, host: &str, secret: String, value: FleetSecret) {668 pub fn insert_secret(&self, host: &str, secret: String, value: FleetHostSecret) {665 let mut data = self.data_mut();669 let mut data = self.data_mut();666 let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();670 let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();667 host_secrets.insert(secret, value);671 host_secrets.insert(secret, value);668 }672 }673 pub fn remove_secret(&self, host: &str, secret: &str) {674 let mut data = self.data_mut();675 let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();676 host_secrets.remove(secret);677 }669678670 pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetSecret> {679 pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetHostSecret> {671 let data = self.data();680 let data = self.data();672 let Some(host_secrets) = data.host_secrets.get(host) else {681 if let Some(host_secrets) = data.host_secrets.get(host) {673 bail!("no secrets for machine {host}");682 if let Some(secret) = host_secrets.get(secret) {683 return Ok(secret.clone());684 }674 };685 };675 let Some(secret) = host_secrets.get(secret) else {686 let Some(shared) = data.shared_secrets.get(secret) else {676 bail!("machine {host} has no secret {secret}");687 bail!("machine {host} has no secret {secret}");677 };688 };689 if !shared.owners.contains(host) {690 bail!("shared secret {secret} is not owned by {host}");691 };678 Ok(secret.clone())692 Ok(FleetHostSecret {693 managed: shared.managed,694 secret: shared.secret.clone(),695 })679 }696 }680 pub fn shared_secret(&self, secret: &str) -> Result<FleetSharedSecret> {697 pub fn shared_secret(&self, secret: &str) -> Result<Option<FleetSharedSecret>> {681 let data = self.data();698 let data = self.data();682 let Some(secret) = data.shared_secrets.get(secret) else {699 Ok(data.shared_secrets.get(secret).cloned())683 bail!("no shared secret {secret}");684 };685 Ok(secret.clone())686 }700 }687 pub async fn shared_secret_expected_owners(&self, secret: &str) -> Result<Vec<String>> {701 pub fn shared_secret_definition(&self, secret: &str) -> Result<SharedSecretDefinition> {688 let config_field = &self.config_field;702 let config_field = &self.config_field;689 Ok(nix_go_json!(703 Ok(SharedSecretDefinition(nix_go!(690 config_field.sharedSecrets[{ secret }].expectedOwners704 config_field.sharedSecrets[{ secret }]691 ))705 )))692 }706 }693707694 // TODO: Should this be something modifiable from other processes?708 // TODO: Should this be something modifiable from other processes?crates/fleet-base/src/keys.rsdiffbeforeafterboth39 }39 }40 }40 }41 /// Insecure, requires root41 /// Insecure, requires root42 pub async fn recipient(&self, host: &str) -> anyhow::Result<impl Recipient + use<>> {42 pub async fn recipient(&self, host: &str) -> anyhow::Result<Box<dyn Recipient>> {43 let key = self.key(host).await?;43 let key = self.key(host).await?;44 age::ssh::Recipient::from_str(&key).map_err(|e| anyhow!("parse recipient error: {:?}", e))44 age::ssh::Recipient::from_str(&key)45 .map_err(|e| anyhow!("parse recipient error: {e:?}"))46 .map(|v| Box::new(v) as Box<dyn Recipient>)45 }47 }464847 pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<impl Recipient + use<>>> {49 pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<Box<dyn Recipient>>> {48 let hosts = self.expand_owner_set(hosts).await?;50 let hosts = self.expand_owner_set(hosts).await?;49 futures::stream::iter(hosts.iter())51 futures::stream::iter(hosts.iter())50 .then(|m| self.recipient(m.as_ref()))52 .then(|m| self.recipient(m.as_ref()))crates/fleet-base/src/lib.rsdiffbeforeafterboth4pub mod host;4pub mod host;5mod keys;5mod keys;6pub mod opts;6pub mod opts;7pub mod secret;78crates/fleet-base/src/secret.rsdiffbeforeafterbothno changes
crates/nix-eval/src/lib.rsdiffbeforeafterboth840 pub fn is_function(&self) -> bool {843 pub fn is_function(&self) -> bool {841 self.functor_kind().is_some()844 self.functor_kind().is_some()842 }845 }846 pub fn is_null(&self) -> bool {847 matches!(self.type_of(), NixType::Null)848 }843}849}844850845impl From<String> for Value {851impl From<String> for Value {flake.nixdiffbeforeafterbothno syntactic changes
modules/extras/tf.nixdiffbeforeafterbothno syntactic changes
modules/nixos/secrets.nixdiffbeforeafterboth6 ...6 ...7}:7}:8let8let9 inherit (builtins) hashString;9 inherit (builtins) hashString elemAt length toJSON filter;10 inherit (lib.stringsWithDeps) stringAfter;10 inherit (lib.stringsWithDeps) stringAfter;11 inherit (lib.options) mkOption literalExpression;11 inherit (lib.options) mkOption literalExpression;12 inherit (lib.lists) optional;12 inherit (lib.lists) optional;13 inherit (lib.attrsets) mapAttrs;13 inherit (lib.attrsets) mapAttrs mapAttrsToList;14 inherit (lib.modules) mkIf;14 inherit (lib.modules) mkIf;15 inherit (lib.types)15 inherit (lib.types)16 submodule16 submodule22 uniq22 uniq23 functionTo23 functionTo24 package24 package25 listOf25 ;26 ;26 inherit (fleetLib.strings) decodeRawSecret;27 inherit (fleetLib.strings) decodeRawSecret;272828 sysConfig = config;29 sysConfig = config;30 secretPartDataType = submodule {31 options = {32 raw = mkOption {33 type = str;34 internal = true;35 description = "Encoded & Encrypted secret part data, passed from fleet.nix";36 };37 };38 };39 secretDataType = submodule {40 freeformType = lazyAttrsOf secretPartDataType;41 options = {42 shared = mkOption {43 description = "Is this secret owned by this machine, or propagated from shared secrets";44 default = false;45 };46 };47 };29 secretPartType =48 secretPartType =30 secretName:49 secretName:31 submodule (50 submodule (35 in54 in36 {55 {37 options = {56 options = {38 raw = mkOption {39 type = str;40 internal = true;41 description = "Encoded & Encrypted secret part data, passed from fleet.nix";42 };43 hash = mkOption {57 hash = mkOption {44 type = str;58 type = str;45 description = "Hash of secret in encoded format";59 description = "Hash of secret in encoded format";50 };64 };51 stablePath = mkOption {65 stablePath = mkOption {52 type = str;66 type = str;53 description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";67 description = "Path to secret part, stable path (users are expected to watch for file changes/re-read secret on demand)";54 };68 };55 data = mkOption {69 data = mkOption {56 type = str;70 type = str;57 description = "Secret public data (only available for plaintext)";71 description = "Secret public data (only available for plaintext)";58 };72 };59 };73 };60 config = {74 config =75 let76 raw = sysConfig.data.secrets.${secretName}.${partName}.raw;77 in78 {61 hash = hashString "sha1" config.raw;79 hash = hashString "sha1" raw;62 data = decodeRawSecret config.raw;80 data = decodeRawSecret raw;63 path = "/run/secrets/${secretName}/${config.hash}-${partName}";81 path = "/run/secrets/${secretName}/${config.hash}-${partName}";64 stablePath = "/run/secrets/${secretName}/${partName}";82 stablePath = "/run/secrets/${secretName}/${partName}";65 };83 };66 }84 }67 );85 );68 secretType = submodule (86 secretType = submodule (69 { config, ... }:87 {88 config,89 loc,90 options,91 ...92 }:70 let93 let71 secretName = config._module.args.name;94 secretName =95 # Due to config definition for freeformType, we can't just use _module.args due to infinite recursion, instead96 # extract the secret name the ugly way...97 let98 saLoc = options._module.specialArgs.loc;99 comp = elemAt saLoc;100 in101 assert102 (length saLoc == 2 ||103 length saLoc == 4 &&104 comp 0 == "secrets" && comp 2 == "_module" && comp 3 == "specialArgs") ||105 throw "Unexpected module structure ${toJSON saLoc}";106 if length saLoc == 2 then "documentation generator stub" else comp 1;72 in107 in73 {108 {74 freeformType = lazyAttrsOf (secretPartType secretName);109 freeformType = lazyAttrsOf (secretPartType secretName);75 options = {110 options = {76 shared = mkOption {77 description = "Is this secret owned by this machine, or propagated from shared secrets";78 default = false;79 };8081 generator = mkOption {111 generator = mkOption {82 type = uniq (nullOr (functionTo package));112 type = uniq (nullOr (functionTo package));104 description = "Data that gets embedded into secret part";134 description = "Data that gets embedded into secret part";105 default = null;135 default = null;106 };136 };137 expectedPrivateParts = mkOption {138 type = listOf str;139 default = [ ];140 description = "List of parts that are expected to be encrypted";141 };142 expectedPublicParts = mkOption {143 type = listOf str;144 default = [ ];145 description = "List of parts that are expected to be public";146 };107 };147 };148 config = mapAttrs (_: _: { }) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) [ "shared" ]);108 }149 }109 );150 );110 processPart = part: {151 processPart = secretName: partName: part: {111 inherit (part) raw path stablePath;152 inherit (part) path stablePath;153 raw = config.data.secrets.${secretName}.${partName}.raw;112 };154 };113 processSecret =155 processSecret =114 secret:156 secretName: secret:115 {157 {116 inherit (secret) group mode owner;158 inherit (secret) group mode owner;117 }159 }118 // (mapAttrs (_: processPart) (160 // (mapAttrs (processPart secretName) (119 removeAttrs secret [161 removeAttrs secret [120 "shared"162 "shared"121 "generator"163 "generator"122 "mode"164 "mode"123 "group"165 "group"124 "owner"166 "owner"125 "expectedGenerationData"167 "expectedGenerationData"168 "expectedPrivateParts"169 "expectedPublicParts"126 ]170 ]127 ));171 ));172 secretsData = (mapAttrs (processSecret) config.secrets);128 secretsFile = pkgs.writeTextFile {173 secretsFile = pkgs.writeTextFile {129 name = "secrets.json";174 name = "secrets.json";130 text = builtins.toJSON (mapAttrs (_: processSecret) config.secrets);175 text = toJSON secretsData;131 };176 };132 useSysusers =177 useSysusers =133 (config.systemd ? sysusers && config.systemd.sysusers.enable)178 (config.systemd ? sysusers && config.systemd.sysusers.enable)134 || (config ? userborn && config.userborn.enable);179 || (config ? userborn && config.userborn.enable);135in180in136{181{137 options = {182 options = {183 data.secrets = mkOption {184 type = attrsOf secretDataType;185 default = { };186 description = "Host-local secret data";187 };138 secrets = mkOption {188 secrets = mkOption {139 type = attrsOf secretType;189 type = attrsOf secretType;140 default = { };190 default = { };141 description = "Host-local secrets";191 description = "Host-local secrets";142 };192 };193 system.secretsData = mkOption {194 type = unspecified;195 default = {};196 description = "secrets.json contents";197 };143 };198 };144 config = {199 config = {200 system = {inherit secretsData;};145 environment.systemPackages = [ pkgs.fleet-install-secrets ];201 environment.systemPackages = [ pkgs.fleet-install-secrets ];202203 warnings = filter (v: v!=null) (mapAttrsToList (204 name: secret:205 if206 secret.expectedPrivateParts == [ ]207 && secret.expectedPublicParts == [ ]208 && !(config.data.secrets.${name} or { shared = false; }).shared209 then210 "Secret ${name} has no expected parts defined, this is deprecated for better visibility"211 else212 null213 ) config.secrets);146214147 systemd.services.fleet-install-secrets = mkIf useSysusers {215 systemd.services.fleet-install-secrets = mkIf useSysusers {148 wantedBy = [ "sysinit.target" ];216 wantedBy = [ "sysinit.target" ];modules/secrets-data.nixdiffbeforeafterboth153 }) config.sharedSecrets)153 }) config.sharedSecrets)154154 ++ (mapAttrsToList (name: secret: {155 ++ (mapAttrsToList (name: secret: {155 # TODO: Same aassertion should be in host secrets156 # TODO: Same assertion should be in host secrets156 assertion =157 assertion =157 (config.data.sharedSecrets.${name} or { generationData = null; }).generationData158 (config.data.sharedSecrets.${name} or { generationData = null; }).generationData158 == secret.expectedGenerationData;159 == secret.expectedGenerationData;159 message = "Shared secret ${name} has unexpected generation data ${toJSON secret.expectedGenerationData} != ${160 message = "Shared secret ${name} has unexpected generation data ${toJSON secret.expectedGenerationData} != ${160 toJSON (config.data.sharedSecrets.${name} or { generationData = null; }).generationData161 toJSON (config.data.sharedSecrets.${name} or { generationData = null; }).generationData161 }. Run fleet secrets regenerate to fix";162 }. Run fleet secrets regenerate to fix";162 }) config.sharedSecrets);163 }) config.sharedSecrets);163 sharedSecrets = mapAttrs (_: _: { }) config.data.sharedSecrets;164 };164 };165}165}166166modules/secrets.nixdiffbeforeafterboth69 description = "Contextual metadata embedded within the secret part value";69 description = "Contextual metadata embedded within the secret part value";70 default = null;70 default = null;71 };71 };72 expectedPrivateParts = mkOption {73 type = listOf str;74 default = [ ];75 description = "List of parts that are expected to be encrypted";76 };77 expectedPublicParts = mkOption {78 type = listOf str;79 default = [ ];80 description = "List of parts that are expected to be public";81 };72 };82 };73 };83 };74in84in83 config = {93 config = {84 hosts = mapAttrs (_: secretMap: {94 hosts = mapAttrs (95 _: secretMap:96 let97 partsOf =98 s:99 removeAttrs s [100 "createdAt"101 "expiresAt"102 "generationData"103 ];104105 in106 {85 nixos.secrets = mapAttrs (107 nixos.data.secrets = mapAttrs (_: s: partsOf s) secretMap;86 _: s:108 # nixos.secrets = mapAttrs (87 removeAttrs s [109 # _: s: mapAttrs (_: _: {}) (partsOf s)88 "createdAt"110 # ) secretMap;89 "expiresAt"90 "generationData"91 ]92 ) secretMap;93 }) config.data.hostSecrets;111 }112 ) config.data.hostSecrets;