difftreelog
feat expected secret parts
in: trunk
16 files changed
Cargo.lockdiffbeforeafterboth--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1055,6 +1055,7 @@
"shlex",
"tabled",
"tempfile",
+ "thiserror 2.0.17",
"time",
"tokio",
"tokio-util",
@@ -1087,6 +1088,7 @@
"serde_json",
"tabled",
"tempfile",
+ "thiserror 2.0.17",
"time",
"tokio",
"tokio-util",
cmds/fleet/Cargo.tomldiffbeforeafterboth--- a/cmds/fleet/Cargo.toml
+++ b/cmds/fleet/Cargo.toml
@@ -47,6 +47,7 @@
nom = "8.0.0"
opentelemetry = "0.30.0"
opentelemetry_sdk = "0.30.0"
+thiserror.workspace = true
tracing-indicatif = { version = "0.3", optional = true }
tracing-opentelemetry = "0.31.0"
cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth1use std::{2 collections::{BTreeMap, BTreeSet, HashSet},3 io::{self, Read, Write, stdin, stdout},4 path::PathBuf,5};67use anyhow::{Context, Result, anyhow, bail, ensure};8use chrono::{DateTime, Utc};9use clap::Parser;10use fleet_base::{11 fleetdata::{12 FleetHostSecret, FleetSecretData, FleetSecretPart, FleetSharedSecret, encrypt_secret_data,13 },14 host::Config,15 opts::FleetOpts,16 secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},17};18use fleet_shared::SecretData;19use nix_eval::{NixType, Value, nix_go, nix_go_json};20use owo_colors::OwoColorize;21use serde::Deserialize;22use tabled::{Table, Tabled};23use tokio::{fs::read, task::spawn_blocking};24use tracing::{Instrument, error, info, info_span, warn};2526#[derive(Parser)]27pub enum Secret {28 AddManager,29 /// Force load host keys for all defined hosts30 ForceKeys,31 /// Add secret, data should be provided in stdin32 AddShared {33 /// Secret name34 name: String,35 /// Secret owners36 #[clap(long, short)]37 machines: Vec<String>,38 /// Override secret if already present39 #[clap(long)]40 force: bool,41 /// Secret public part42 #[clap(long)]43 public: Option<String>,44 /// Load public part from specified file45 #[clap(long)]46 public_file: Option<PathBuf>,4748 /// Create a notification on secret expiration49 #[clap(long)]50 expires_at: Option<DateTime<Utc>>,5152 /// Secret with this name already exists, override its value while keeping the same owners.53 #[clap(long)]54 re_add: bool,5556 /// How to name public secret part57 #[clap(long, short = 'p', default_value = "public")]58 public_part: String,59 /// How to name private secret part60 #[clap(short = 's', long, default_value = "secret")]61 part: String,62 },63 /// Add secret, data should be provided in stdin64 Add {65 /// Secret name66 name: String,67 /// Secret owner68 #[clap(short = 'm', long)]69 machine: String,70 /// Replace secret if already present71 #[clap(long)]72 replace: bool,73 /// Add new parts to existing secret74 #[clap(long)]75 merge: bool,76 /// Secret public part77 #[clap(long)]78 public: Option<String>,79 /// Load public part from specified file80 #[clap(long)]81 public_file: Option<PathBuf>,8283 /// How to name public secret part84 #[clap(short = 'p', long, default_value = "public")]85 public_part: String,86 /// How to name private secret part87 #[clap(short = 's', long, default_value = "secret")]88 part: String,89 },90 /// Read secret from remote host, requires sudo on said host91 Read {92 name: String,93 #[clap(short = 'm', long)]94 machine: String,9596 /// Which private secret part to read97 #[clap(short = 'p', long, default_value = "secret")]98 part: String,99 },100 /// Read secret from remote host, requires sudo on said host101 ReadShared {102 name: String,103 /// Which private secret part to read104 #[clap(short = 'p', long, default_value = "secret")]105 part: String,106 /// Which host should we use to decrypt, in case if reencryption is required, without107 /// regeneration108 #[clap(long)]109 prefer_identities: Vec<String>,110 },111 UpdateShared {112 name: String,113114 #[clap(short = 'm', long)]115 machine: Option<Vec<String>>,116117 #[clap(long)]118 add_machine: Vec<String>,119 #[clap(long)]120 remove_machine: Vec<String>,121122 /// Which host should we use to decrypt123 #[clap(long)]124 prefer_identities: Vec<String>,125 },126 Regenerate {127 /// Which host should we use to decrypt, in case if reencryption is required, without128 /// regeneration129 #[clap(long)]130 prefer_identities: Vec<String>,131 /// Only regenerate shared secrets132 #[clap(long)]133 skip_hosts: bool,134 },135 List {},136 Edit {137 name: String,138 #[clap(short = 'm', long)]139 machine: String,140141 #[clap(long)]142 add: bool,143144 /// Which private secret part to read145 #[clap(short = 'p', long, default_value = "secret")]146 part: String,147 },148}149150#[allow(clippy::too_many_arguments)]151#[tracing::instrument(skip(config, secret, definition, prefer_identities))]152async fn maybe_regenerate_shared_secret(153 secret_name: &str,154 config: &Config,155 mut secret: FleetSharedSecret,156 definition: SharedSecretDefinition,157 prefer_identities: &[String],158 expectations: &Expectations,159) -> Result<FleetSharedSecret> {160 let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);161 let value = definition.inner();162163 let (should_reencrypt, reason) = match reason {164 Some(RegenerationReason::OwnersAdded(_)) => {165 // Secret always needs to be reencrypted for new owners to be able to read it166 (167 true,168 if nix_go_json!(value.regenerateOnOwnerAdded) {169 reason170 } else {171 None172 },173 )174 }175 Some(RegenerationReason::OwnersRemoved(_)) => {176 // No need to reencrypt, we can just leave stanzas in place.177 if nix_go_json!(value.regenerateOnOwnerRemoved) {178 (true, reason)179 } else {180 (false, None)181 }182 }183 Some(_) => (true, reason),184 None => (false, None),185 };186187 if let Some(reason) = reason {188 info!("secret needs to be regenerated: {reason}");189 let generated = generate_shared(config, secret_name, definition, expectations).await?;190 Ok(generated)191 } else if should_reencrypt {192 info!("secret needs to be reencrypted");193 let identity_holder = if !prefer_identities.is_empty() {194 prefer_identities195 .iter()196 .find(|i| secret.owners.iter().any(|s| s == *i))197 } else {198 secret.owners.first()199 };200 let Some(identity_holder) = identity_holder else {201 bail!("no available holder found");202 };203204 for (part_name, part) in secret.secret.parts.iter_mut() {205 let _span = info_span!("part reencryption", part_name);206 if !part.raw.encrypted {207 continue;208 }209 let host = config.host(identity_holder).await?;210 let encrypted = host211 .reencrypt(212 part.raw.clone(),213 expectations.owners.iter().cloned().collect(),214 )215 .await?;216 part.raw = encrypted;217 }218 secret.owners = expectations.owners.clone();219 Ok(secret)220 } else {221 Ok(secret)222 }223}224225#[derive(Deserialize)]226#[serde(rename_all = "camelCase")]227enum GeneratorKind {228 Impure,229 Pure,230}231232async fn generate_pure(233 _config: &Config,234 _display_name: &str,235 _secret: Value,236 _default_generator: Value,237 _expectations: &Expectations,238) -> Result<FleetSecretData> {239 bail!("pure generators are broken for now")240}241async fn generate_impure(242 config: &Config,243 _display_name: &str,244 secret: Value,245 default_generator: Value,246 expectations: &Expectations,247) -> Result<FleetSecretData> {248 let generator = nix_go!(secret.generator);249 let on: Option<String> = nix_go_json!(default_generator.impureOn);250251 let nixpkgs = &config.nixpkgs;252253 let host = if let Some(on) = &on {254 config.host(on).await?255 } else {256 config.local_host()257 };258 let on_pkgs = host.pkgs().await?;259 let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);260261 let mut recipients = Vec::new();262 for owner in &expectations.owners {263 let key = config.key(owner).await?;264 recipients.push(key);265 }266 let generators = nix_go!(mk_secret_generators(Obj { recipients }));267 let pkgs_and_generators = on_pkgs.attrs_update(generators)?;268269 let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));270271 let generator = nix_go!(call_package(generator)(Obj {}));272273 let generator = spawn_blocking(move || generator.build("out"))274 .await275 .expect("nix build shouldn't fail")?;276 let generator = host.remote_derivation(&generator).await?;277278 let out_parent = host.mktemp_dir().await?;279 let out = format!("{out_parent}/out");280281 let mut r#gen = host.cmd(generator).await?;282 r#gen.env("out", &out);283 if on.is_none() {284 // This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.285 let project_path: String = config286 .directory287 .clone()288 .into_os_string()289 .into_string()290 .map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;291 r#gen.env("FLEET_PROJECT", project_path);292 }293 r#gen.run().await.context("impure generator")?;294295 {296 let marker = host.read_file_text(format!("{out}/marker")).await?;297 ensure!(marker == "SUCCESS", "generation not succeeded");298 }299300 let mut parts = BTreeMap::new();301 for part in host.read_dir(&out).await? {302 if part == "created_at" || part == "expires_at" || part == "marker" {303 continue;304 }305 let contents: SecretData = host306 .read_file_text(format!("{out}/{part}"))307 .await?308 .parse()309 .map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;310 parts.insert(part.to_owned(), FleetSecretPart { raw: contents });311 }312313 let created_at = host.read_file_value(format!("{out}/created_at")).await?;314 let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();315316 let new_data = FleetSecretData {317 created_at,318 expires_at,319 parts,320 generation_data: expectations.generation_data.clone(),321 };322323 if let Some(reason) = secret_needs_regeneration(&new_data, &expectations.owners, expectations) {324 bail!("newly generated secret needs to be regenerated: {reason}")325 }326327 Ok(new_data)328}329330async fn generate(331 config: &Config,332 display_name: &str,333 secret: Value,334 expectations: &Expectations,335) -> Result<FleetSecretData> {336 let generator = nix_go!(secret.generator);337 // Can't properly check on nix module system level338 {339 let gen_ty = generator.type_of();340 if matches!(gen_ty, NixType::Null) {341 bail!("secret has no generator defined, can't automatically generate it.");342 }343 if matches!(gen_ty, NixType::Attrs) {344 if !generator.has_field("__functor")? {345 bail!("generator should be functor, got {gen_ty:?}");346 }347 } else if matches!(gen_ty, NixType::Function) {348 bail!("generator should be functor, got {gen_ty:?}");349 }350 }351 let nixpkgs = &config.nixpkgs;352 let default_pkgs = &config.default_pkgs;353 let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);354 // Generators provide additional information in passthru, to access355 // passthru we should call generator, but information about where this generator is supposed to build356 // is located in passthru... Thus evaluating generator on host.357 //358 // Maybe it is also possible to do some magic with __functor?359 //360 // I don't want to make modules always responsible for additional secret data anyway,361 // so it should be in derivation, and not in the secret data itself.362 let generators = nix_go!(default_mk_secret_generators(Obj {363 recipients: <Vec<String>>::new(),364 }));365 let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;366367 let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));368 let default_generator = nix_go!(call_package(generator)(Obj {}));369370 let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);371372 match kind {373 GeneratorKind::Impure => {374 generate_impure(375 config,376 display_name,377 secret,378 default_generator,379 expectations,380 )381 .await382 }383 GeneratorKind::Pure => {384 generate_pure(385 config,386 display_name,387 secret,388 default_generator,389 expectations,390 )391 .await392 }393 }394}395async fn generate_shared(396 config: &Config,397 display_name: &str,398 secret: SharedSecretDefinition,399 expectations: &Expectations,400) -> Result<FleetSharedSecret> {401 // let owners: Vec<String> = nix_go_json!(secret.expectedOwners);402 Ok(FleetSharedSecret {403 managed: Some(true),404 secret: generate(config, display_name, secret.inner(), expectations).await?,405 owners: expectations.owners.clone(),406 })407}408409async fn parse_public(410 public: Option<String>,411 public_file: Option<PathBuf>,412) -> Result<Option<SecretData>> {413 Ok(match (public, public_file) {414 (Some(v), None) => Some(SecretData {415 data: v.into(),416 encrypted: false,417 }),418 (None, Some(v)) => Some(SecretData {419 data: read(v).await?,420 encrypted: false,421 }),422 (Some(_), Some(_)) => {423 bail!("only public or public_file should be set")424 }425 (None, None) => None,426 })427}428429async fn parse_secret() -> Result<Option<Vec<u8>>> {430 let mut input = vec![];431 stdin().read_to_end(&mut input)?;432 if input.is_empty() {433 Ok(None)434 } else {435 Ok(Some(input))436 }437}438439fn parse_machines(440 initial: BTreeSet<String>,441 machines: Option<Vec<String>>,442 mut add_machines: Vec<String>,443 mut remove_machines: Vec<String>,444) -> Result<BTreeSet<String>> {445 if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {446 bail!("no operation");447 }448449 let initial_machines = initial.clone();450 let mut target_machines = initial;451 info!("Currently encrypted for {initial_machines:?}");452453 if let Some(machines) = machines {454 ensure!(455 add_machines.is_empty() && remove_machines.is_empty(),456 "can't combine --machines and --add-machines/--remove-machines"457 );458 let target = initial_machines.iter().collect::<HashSet<_>>();459 let source = machines.iter().collect::<HashSet<_>>();460 for removed in target.difference(&source) {461 remove_machines.push((*removed).clone());462 }463 for added in source.difference(&target) {464 add_machines.push((*added).clone());465 }466 }467468 for machine in &remove_machines {469 if !target_machines.remove(machine) {470 warn!("secret is not enabled for {machine}");471 }472 }473 for machine in &add_machines {474 if !target_machines.insert(machine.to_owned()) {475 warn!("secret is already added to {machine}");476 }477 }478 if !remove_machines.is_empty() {479 // TODO: maybe force secret regeneration?480 // Not that useful without revokation.481 warn!(482 "secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret"483 );484 }485 Ok(target_machines)486}487impl Secret {488 pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {489 match self {490 Secret::AddManager => {491 todo!("part of fleet-pusher")492 }493 Secret::ForceKeys => {494 for host in config.list_hosts().await? {495 if opts.should_skip(&host).await? {496 continue;497 }498 config.key(&host.name).await?;499 }500 }501 Secret::AddShared {502 machines,503 name,504 force,505 public,506 public_part: public_name,507 public_file,508 expires_at,509 re_add,510 part: part_name,511 } => {512 let mut machines: BTreeSet<String> = machines.into_iter().collect();513 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).514515 if let Some(old_shared) = config.shared_secret(&name)? {516 if !force && !re_add {517 bail!("secret already defined");518 };519 if old_shared.managed.unwrap_or(false) {520 bail!("secret is marked as managed, should not be updated manually");521 };522 if re_add {523 // Fixme: use clap to limit this usage524 ensure!(!force, "--force and --readd are not compatible");525 ensure!(526 machines.is_empty(),527 "you can't use machines argument for --readd"528 );529 machines = old_shared.owners;530 }531 } else if re_add {532 bail!("secret doesn't exists");533 };534535 let recipients = config536 .recipients(machines.iter().cloned().collect())537 .await?;538539 let mut parts = BTreeMap::new();540541 let mut input = vec![];542 io::stdin().read_to_end(&mut input)?;543544 if !input.is_empty() {545 let encrypted = encrypt_secret_data(recipients.iter(), input)546 .ok_or_else(|| anyhow!("no recipients provided"))?;547 parts.insert(part_name, FleetSecretPart { raw: encrypted });548 }549550 if let Some(public) = parse_public(public, public_file).await? {551 parts.insert(public_name, FleetSecretPart { raw: public });552 }553554 config.replace_shared(555 name,556 FleetSharedSecret {557 managed: Some(false),558 owners: machines,559 secret: FleetSecretData {560 created_at: Utc::now(),561 expires_at,562 parts,563 generation_data: serde_json::Value::Null,564 },565 },566 );567 }568 Secret::Add {569 machine,570 name,571 replace,572 merge,573 public,574 public_part: public_name,575 public_file,576 part: part_name,577 } => {578 if config.has_secret(&machine, &name) && !replace && !merge {579 bail!(580 "secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret"581 );582 }583584 let mut out = if merge && !replace {585 config586 .host_secret(&machine, &name)587 .context("failed to read existing secret for --merge")?588 } else {589 FleetHostSecret {590 managed: Some(false),591 secret: FleetSecretData {592 created_at: Utc::now(),593 expires_at: None,594 parts: BTreeMap::new(),595 generation_data: serde_json::Value::Null,596 },597 }598 };599 if out.managed.unwrap_or(false) {600 bail!("secret is managed by fleet and should not be updated manually");601 }602 out.managed = Some(false);603604 if let Some(secret) = parse_secret().await? {605 let recipient = config.recipient(&machine).await?;606 let encrypted =607 encrypt_secret_data([&recipient], secret).expect("recipient provided");608 if out609 .secret610 .parts611 .insert(part_name.clone(), FleetSecretPart { raw: encrypted })612 .is_some() && !replace613 {614 bail!(615 "part {part_name:?} is already defined, use --replace if you wish to replace it"616 );617 }618 }619620 if let Some(public) = parse_public(public, public_file).await? {621 if out622 .secret623 .parts624 .insert(public_name.clone(), FleetSecretPart { raw: public })625 .is_some() && !replace626 {627 bail!(628 "part {public_name:?} is already defined, use --replace if you wish to replace it"629 );630 }631 };632633 config.insert_secret(&machine, name, out);634 }635 #[allow(clippy::await_holding_refcell_ref)]636 Secret::Read {637 name,638 machine,639 part: part_name,640 } => {641 let secret = config.host_secret(&machine, &name)?;642 let Some(secret) = secret.secret.parts.get(&part_name) else {643 bail!("no part {part_name} in secret {name}");644 };645 let data = if secret.raw.encrypted {646 let host = config.host(&machine).await?;647 host.decrypt(secret.raw.clone()).await?648 } else {649 secret.raw.data.clone()650 };651652 stdout().write_all(&data)?;653 }654 Secret::ReadShared {655 name,656 part: part_name,657 prefer_identities,658 } => {659 let Some(secret) = config.shared_secret(&name)? else {660 bail!("secret doesn't exists");661 };662 let Some(part) = secret.secret.parts.get(&part_name) else {663 bail!("no part {part_name} in secret {name}");664 };665 let data = if part.raw.encrypted {666 let identity_holder = if !prefer_identities.is_empty() {667 prefer_identities668 .iter()669 .find(|i| secret.owners.iter().any(|s| s == *i))670 } else {671 secret.owners.first()672 };673 let Some(identity_holder) = identity_holder else {674 bail!("no available holder found");675 };676 let host = config.host(identity_holder).await?;677 host.decrypt(part.raw.clone()).await?678 } else {679 part.raw.data.clone()680 };681 stdout().write_all(&data)?;682 }683 Secret::UpdateShared {684 name,685 machine,686 add_machine,687 remove_machine,688 prefer_identities,689 } => {690 // TODO: Forbid updating secrets with set expectedOwners (= not user-managed).691692 let Some(secret) = config.shared_secret(&name)? else {693 bail!("secret doesn't exists");694 };695 if secret.secret.parts.values().all(|v| !v.raw.encrypted) {696 bail!("no secret");697 }698699 let initial_machines = secret.owners.clone();700 let target_machines = parse_machines(701 initial_machines.clone(),702 machine,703 add_machine,704 remove_machine,705 )?;706707 if target_machines.is_empty() {708 info!("no machines left for secret, removing it");709 config.remove_shared(&name);710 return Ok(());711 }712713 let definition = config.shared_secret_definition(&name)?;714 let expectations = definition.expectations()?;715716 let updated = maybe_regenerate_shared_secret(717 &name,718 config,719 secret,720 definition,721 &prefer_identities,722 &expectations,723 )724 .await?;725 config.replace_shared(name, updated);726 }727 Secret::Regenerate {728 prefer_identities,729 skip_hosts,730 } => {731 info!("checking for secrets to regenerate");732 let expected_shared_set = config733 .list_configured_shared()734 .await?735 .into_iter()736 .collect::<HashSet<_>>();737 let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();738 {739 // Generate missing shared740 let _span = info_span!("shared").entered();741 for missing in expected_shared_set.difference(&stored_shared_set) {742 let definition = config.shared_secret_definition(missing)?;743 if !definition.is_managed()? {744 info!("skipping unmanaged secret: {missing}");745 continue;746 }747 let expectations = definition.expectations()?;748 info!("generating secret: {missing}");749 let shared = generate_shared(config, missing, definition, &expectations)750 .in_current_span()751 .await?;752 config.replace_shared(missing.to_string(), shared)753 }754 }755 if !skip_hosts {756 for host in config.list_hosts().await? {757 if opts.should_skip(&host).await? {758 continue;759 }760761 let _span = info_span!("host", host = host.name).entered();762 let expected_set = host763 .list_defined_secrets()?764 .into_iter()765 .collect::<HashSet<_>>();766 let stored_set = config767 .list_secrets(&host.name)768 .into_iter()769 .collect::<HashSet<_>>();770 for missing_secret in expected_set.difference(&stored_set) {771 info!("generating missing secret: {missing_secret}");772 let definition = host.secret_definition(missing_secret)?;773 let expectations = definition.expectations()?;774 let generated = match generate(775 config,776 missing_secret,777 definition.inner(),778 &expectations,779 )780 .in_current_span()781 .await782 {783 Ok(v) => v,784 Err(e) => {785 error!("{e:?}");786 continue;787 }788 };789 config.insert_secret(790 &host.name,791 missing_secret.to_string(),792 FleetHostSecret {793 managed: Some(true),794 secret: generated,795 },796 )797 }798 for known_secret in stored_set.intersection(&expected_set) {799 info!("updating secret: {known_secret}");800 let data = config.host_secret(&host.name, known_secret)?;801 let definition = host.secret_definition(known_secret)?;802 let expectations = definition.expectations()?;803 if let Some(regen_reason) = data.needs_regeneration(&expectations) {804 info!("needs regeneration: {regen_reason}");805 let generated = match generate(806 config,807 known_secret,808 definition.inner(),809 &expectations,810 )811 .in_current_span()812 .await813 {814 Ok(v) => v,815 Err(e) => {816 error!("{e:?}");817 continue;818 }819 };820 config.insert_secret(821 &host.name,822 known_secret.to_string(),823 FleetHostSecret {824 managed: Some(true),825 secret: generated,826 },827 )828 }829 }830 for removed_secret in stored_set.difference(&expected_set) {831 info!("removing secret: {removed_secret}");832 config.remove_secret(&host.name, removed_secret);833 }834 }835 }836 for known_secret in stored_shared_set.intersection(&expected_shared_set) {837 info!("updating shared secret: {known_secret}");838 let data = config.shared_secret(known_secret)?.expect("exists");839840 let definition = config.shared_secret_definition(known_secret)?;841 let expectations = definition.expectations()?;842 config.replace_shared(843 known_secret.to_owned(),844 maybe_regenerate_shared_secret(845 known_secret,846 config,847 data,848 definition,849 &prefer_identities,850 &expectations,851 )852 .await?,853 );854 }855 for removed_secret in stored_shared_set.difference(&expected_shared_set) {856 info!("removing shared secret: {removed_secret}");857 config.remove_shared(removed_secret);858 }859 }860 Secret::List {} => {861 let _span = info_span!("loading secrets").entered();862 let configured = config.list_configured_shared().await?;863 #[derive(Tabled)]864 struct SecretDisplay {865 #[tabled(rename = "Name")]866 name: String,867 #[tabled(rename = "Owners")]868 owners: String,869 }870 let mut table = vec![];871 for name in configured.iter().cloned() {872 let config = config.clone();873 let data = config.shared_secret(&name)?.expect("exists");874 let definition = config.shared_secret_definition(&name)?;875 let expectations = definition.expectations()?;876 let owners = data877 .owners878 .iter()879 .map(|o| {880 if expectations.owners.contains(o) {881 o.green().to_string()882 } else {883 o.red().to_string()884 }885 })886 .collect::<Vec<_>>();887 table.push(SecretDisplay {888 owners: owners.join(", "),889 name,890 })891 }892 info!("loaded\n{}", Table::new(table).to_string())893 }894 Secret::Edit {895 name,896 machine,897 part,898 add,899 } => {900 let secret = config.host_secret(&machine, &name)?;901 if let Some(data) = secret.secret.parts.get(&part) {902 let host = config.host(&machine).await?;903 let secret = host.decrypt(data.raw.clone()).await?;904 String::from_utf8(secret).context("secret is not utf8")?905 } else if add {906 String::new()907 } else {908 bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");909 };910 }911 }912 Ok(())913 }914}915916/*917async fn edit_temp_file(918 builder: tempfile::Builder<'_, '_>,919 r: Vec<u8>,920 header: &str,921 comment: &str,922) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {923 if !stdin().is_tty() {924 // TODO: Also try to open /dev/tty directly?925 bail!("stdin is not tty, can't open editor");926 }927928 use std::fmt::Write;929 let mut file = builder.tempfile()?;930931 let mut full_header = String::new();932 let mut had = false;933 for line in header.trim_end().lines() {934 had = true;935 writeln!(&mut full_header, "{comment}{line}")?;936 }937 if had {938 writeln!(&mut full_header, "{}", comment.trim_end())?;939 }940 writeln!(941 &mut full_header,942 "{comment}Do not touch this header! It will be removed automatically"943 )?;944945 file.write_all(full_header.as_bytes())?;946 file.write_all(&r)?;947948 let abs_path = file.into_temp_path();949 let editor = std::env::var_os("VISUAL")950 .or_else(|| std::env::var_os("EDITOR"))951 .unwrap_or_else(|| "vi".into());952 let editor_args = shlex::bytes::split(editor.as_encoded_bytes())953 .ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;954 let editor_args = editor_args955 .into_iter()956 .map(|v| {957 // Only ASCII subsequences are replaced958 unsafe { OsString::from_encoded_bytes_unchecked(v) }959 })960 .collect_vec();961 let Some((editor, args)) = editor_args.split_first() else {962 bail!("EDITOR env var has no command");963 };964 let mut command = Command::new(editor);965 command.args(args);966967 let path_arg = abs_path.canonicalize()?;968969 // TODO: Save full state, using tcget/_getmode/_setmode970 let was_raw = terminal::is_raw_mode_enabled()?;971 terminal::enable_raw_mode()?;972973 let status = command.arg(path_arg).status().await;974975 if !was_raw {976 terminal::disable_raw_mode()?;977 }978979 let success = match status {980 Ok(s) => s.success(),981 Err(e) if e.kind() == io::ErrorKind::NotFound => {982 bail!("editor not found")983 }984 Err(e) => bail!("editor spawn error: {e}"),985 };986987 let mut file = std::fs::read(&abs_path).context("read editor output")?;988 let Some(v) = file.strip_prefix(full_header.as_bytes()) else {989 todo!();990 };991 todo!();992993 // Ok((success, abs_path))994}995*/cmds/fleet/src/main.rsdiffbeforeafterboth--- a/cmds/fleet/src/main.rs
+++ b/cmds/fleet/src/main.rs
@@ -27,7 +27,7 @@
use tracing::{Instrument, error, info, info_span};
#[cfg(feature = "indicatif")]
use tracing_indicatif::IndicatifLayer;
-use tracing_subscriber::{EnvFilter, fmt::format::Format, prelude::*};
+use tracing_subscriber::{EnvFilter, prelude::*};
#[derive(Parser)]
struct Prefetch {}
crates/fleet-base/Cargo.tomldiffbeforeafterboth--- a/crates/fleet-base/Cargo.toml
+++ b/crates/fleet-base/Cargo.toml
@@ -24,6 +24,7 @@
serde_json = "1.0.140"
tabled = "0.20.0"
tempfile.workspace = true
+thiserror.workspace = true
time = { version = "0.3.41", features = ["parsing"] }
tokio.workspace = true
tokio-util = "0.7.15"
crates/fleet-base/src/fleetdata.rsdiffbeforeafterboth--- a/crates/fleet-base/src/fleetdata.rs
+++ b/crates/fleet-base/src/fleetdata.rs
@@ -1,5 +1,5 @@
use std::{
- collections::BTreeMap,
+ collections::{BTreeMap, BTreeSet},
io::{self, Cursor},
};
@@ -13,6 +13,8 @@
use serde::{Deserialize, Serialize, de::Error};
use serde_json::Value;
+use crate::secret::{Expectations, RegenerationReason, secret_needs_regeneration};
+
#[derive(Serialize, Deserialize, Default)]
#[serde(rename_all = "camelCase")]
pub struct HostData {
@@ -75,30 +77,21 @@
pub shared_secrets: BTreeMap<String, FleetSharedSecret>,
#[serde(default)]
#[serde(skip_serializing_if = "BTreeMap::is_empty")]
- pub host_secrets: BTreeMap<String, BTreeMap<String, FleetSecret>>,
+ pub host_secrets: BTreeMap<String, BTreeMap<String, FleetHostSecret>>,
// extra_name => anything
#[serde(default)]
#[serde(skip_serializing_if = "BTreeMap::is_empty")]
pub extra: BTreeMap<String, Value>,
-}
-
-#[derive(Serialize, Deserialize, Clone)]
-#[serde(rename_all = "camelCase")]
-#[must_use]
-pub struct FleetSharedSecret {
- pub owners: Vec<String>,
- #[serde(flatten)]
- pub secret: FleetSecret,
}
/// Returns None if recipients.is_empty()
-pub fn encrypt_secret_data<'a>(
- recipients: impl IntoIterator<Item = &'a dyn Recipient>,
+pub fn encrypt_secret_data<'r>(
+ recipients: impl IntoIterator<Item = &'r Box<dyn Recipient>>,
data: Vec<u8>,
) -> Option<SecretData> {
let mut encrypted = vec![];
- let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter())
+ let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter().map(|v| &**v))
.ok()?
.wrap_output(&mut encrypted)
.expect("in memory write");
@@ -118,7 +111,7 @@
#[derive(Serialize, Deserialize, Clone)]
#[serde(rename_all = "camelCase")]
#[must_use]
-pub struct FleetSecret {
+pub struct FleetSecretData {
#[serde(default = "Utc::now")]
pub created_at: DateTime<Utc>,
#[serde(default)]
@@ -132,3 +125,31 @@
#[serde(skip_serializing_if = "Value::is_null")]
pub generation_data: Value,
}
+
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+#[must_use]
+pub struct FleetHostSecret {
+ #[serde(default)]
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub managed: Option<bool>,
+ #[serde(flatten)]
+ pub secret: FleetSecretData,
+}
+impl FleetHostSecret {
+ pub fn needs_regeneration(&self, expectations: &Expectations) -> Option<RegenerationReason> {
+ secret_needs_regeneration(&self.secret, &expectations.owners, expectations)
+ }
+}
+
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+#[must_use]
+pub struct FleetSharedSecret {
+ #[serde(default)]
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub managed: Option<bool>,
+ pub owners: BTreeSet<String>,
+ #[serde(flatten)]
+ pub secret: FleetSecretData,
+}
crates/fleet-base/src/host.rsdiffbeforeafterboth--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -22,7 +22,8 @@
use crate::{
command::MyCommand,
- fleetdata::{FleetData, FleetSecret, FleetSharedSecret},
+ fleetdata::{FleetData, FleetHostSecret, FleetSharedSecret},
+ secret::{HostSecretDefinition, SharedSecretDefinition},
};
pub struct FleetConfigInternals {
@@ -234,7 +235,7 @@
let is_fleet_managed = match self.file_exists("/etc/FLEET_HOST").await {
Ok(v) => v,
Err(e) => {
- bail!("failed to query remote system kind: {}", e);
+ bail!("failed to query remote system kind: {e}");
}
};
if !is_fleet_managed {
@@ -501,7 +502,7 @@
Ok(nixos_config)
}
- pub async fn nixos_unchecked_config(&self) -> Result<Value> {
+ pub fn nixos_unchecked_config(&self) -> Result<Value> {
if let Some(v) = self.nixos_unchecked_config.get() {
return Ok(v.clone());
}
@@ -515,23 +516,17 @@
Ok(nixos_config)
}
- pub async fn list_configured_secrets(&self) -> Result<Vec<String>> {
- let nixos = self.nixos_unchecked_config().await?;
+ pub fn list_defined_secrets(&self) -> Result<Vec<String>> {
+ let nixos = self.nixos_unchecked_config()?;
let secrets = nix_go!(nixos.secrets);
- let mut out = Vec::new();
- for name in secrets.list_fields()? {
- let secret = secrets.get_field(&name).context("getting secret")?;
- let is_shared: bool = nix_go_json!(secret.shared);
- if is_shared {
- continue;
- }
- out.push(name);
- }
- Ok(out)
+ secrets.list_fields()
}
- pub async fn secret_field(&self, name: &str) -> Result<Value> {
- let nixos = self.nixos_unchecked_config().await?;
- Ok(nix_go!(nixos.secrets[{ name }]))
+ pub fn secret_definition(&self, name: &str) -> Result<HostSecretDefinition> {
+ let nixos = self.nixos_unchecked_config()?;
+ Ok(HostSecretDefinition(
+ self.name.clone(),
+ nix_go!(nixos.secrets[{ name }]),
+ ))
}
/// Packages for this host, resolved with nixpkgs overlays
@@ -648,10 +643,19 @@
pub fn list_secrets(&self, host: &str) -> Vec<String> {
let data = self.data();
- let Some(secrets) = data.host_secrets.get(host) else {
- return Vec::new();
- };
- secrets.keys().cloned().collect()
+ let mut out = data
+ .host_secrets
+ .get(host)
+ .map(|s| s.keys().cloned().collect::<Vec<String>>())
+ .unwrap_or_default();
+
+ for (name, shared) in data.shared_secrets.iter() {
+ if shared.owners.contains(host) {
+ out.push(name.clone());
+ }
+ }
+
+ out
}
pub fn has_secret(&self, host: &str, secret: &str) -> bool {
@@ -661,34 +665,44 @@
};
host_secrets.contains_key(secret)
}
- pub fn insert_secret(&self, host: &str, secret: String, value: FleetSecret) {
+ pub fn insert_secret(&self, host: &str, secret: String, value: FleetHostSecret) {
let mut data = self.data_mut();
let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
host_secrets.insert(secret, value);
}
+ pub fn remove_secret(&self, host: &str, secret: &str) {
+ let mut data = self.data_mut();
+ let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
+ host_secrets.remove(secret);
+ }
- pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetSecret> {
+ pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetHostSecret> {
let data = self.data();
- let Some(host_secrets) = data.host_secrets.get(host) else {
- bail!("no secrets for machine {host}");
+ if let Some(host_secrets) = data.host_secrets.get(host) {
+ if let Some(secret) = host_secrets.get(secret) {
+ return Ok(secret.clone());
+ }
};
- let Some(secret) = host_secrets.get(secret) else {
+ let Some(shared) = data.shared_secrets.get(secret) else {
bail!("machine {host} has no secret {secret}");
};
- Ok(secret.clone())
+ if !shared.owners.contains(host) {
+ bail!("shared secret {secret} is not owned by {host}");
+ };
+ Ok(FleetHostSecret {
+ managed: shared.managed,
+ secret: shared.secret.clone(),
+ })
}
- pub fn shared_secret(&self, secret: &str) -> Result<FleetSharedSecret> {
+ pub fn shared_secret(&self, secret: &str) -> Result<Option<FleetSharedSecret>> {
let data = self.data();
- let Some(secret) = data.shared_secrets.get(secret) else {
- bail!("no shared secret {secret}");
- };
- Ok(secret.clone())
+ Ok(data.shared_secrets.get(secret).cloned())
}
- pub async fn shared_secret_expected_owners(&self, secret: &str) -> Result<Vec<String>> {
+ pub fn shared_secret_definition(&self, secret: &str) -> Result<SharedSecretDefinition> {
let config_field = &self.config_field;
- Ok(nix_go_json!(
- config_field.sharedSecrets[{ secret }].expectedOwners
- ))
+ Ok(SharedSecretDefinition(nix_go!(
+ config_field.sharedSecrets[{ secret }]
+ )))
}
// TODO: Should this be something modifiable from other processes?
crates/fleet-base/src/keys.rsdiffbeforeafterboth--- a/crates/fleet-base/src/keys.rs
+++ b/crates/fleet-base/src/keys.rs
@@ -39,12 +39,14 @@
}
}
/// Insecure, requires root
- pub async fn recipient(&self, host: &str) -> anyhow::Result<impl Recipient + use<>> {
+ pub async fn recipient(&self, host: &str) -> anyhow::Result<Box<dyn Recipient>> {
let key = self.key(host).await?;
- age::ssh::Recipient::from_str(&key).map_err(|e| anyhow!("parse recipient error: {:?}", e))
+ age::ssh::Recipient::from_str(&key)
+ .map_err(|e| anyhow!("parse recipient error: {e:?}"))
+ .map(|v| Box::new(v) as Box<dyn Recipient>)
}
- pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<impl Recipient + use<>>> {
+ pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<Box<dyn Recipient>>> {
let hosts = self.expand_owner_set(hosts).await?;
futures::stream::iter(hosts.iter())
.then(|m| self.recipient(m.as_ref()))
crates/fleet-base/src/lib.rsdiffbeforeafterboth--- a/crates/fleet-base/src/lib.rs
+++ b/crates/fleet-base/src/lib.rs
@@ -4,3 +4,4 @@
pub mod host;
mod keys;
pub mod opts;
+pub mod secret;
crates/fleet-base/src/secret.rsdiffbeforeafterboth--- /dev/null
+++ b/crates/fleet-base/src/secret.rs
@@ -0,0 +1,136 @@
+use std::collections::BTreeSet;
+
+use anyhow::Result;
+use chrono::{DateTime, Utc};
+use nix_eval::{Value, nix_go, nix_go_json};
+
+use crate::fleetdata::FleetSecretData;
+
+#[derive(Debug)]
+pub struct Expectations {
+ pub owners: BTreeSet<String>,
+ pub generation_data: serde_json::Value,
+ pub public_parts: BTreeSet<String>,
+ pub private_parts: BTreeSet<String>,
+}
+
+pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
+impl HostSecretDefinition {
+ pub fn is_managed(&self) -> Result<bool> {
+ let value = &self.1;
+ Ok(!nix_go!(value.generator).is_null())
+ }
+ pub fn expectations(&self) -> Result<Expectations> {
+ let value = &self.1;
+ Ok(Expectations {
+ owners: BTreeSet::from([self.0.clone()]),
+ generation_data: nix_go_json!(value.expectedGenerationData),
+ public_parts: nix_go_json!(value.expectedPublicParts),
+ private_parts: nix_go_json!(value.expectedPrivateParts),
+ })
+ }
+ pub fn inner(&self) -> Value {
+ self.1.clone()
+ }
+}
+
+pub struct SharedSecretDefinition(pub(crate) Value);
+impl SharedSecretDefinition {
+ pub fn is_managed(&self) -> Result<bool> {
+ let value = &self.0;
+ Ok(!nix_go!(value.generator).is_null())
+ }
+ pub fn expectations(&self) -> Result<Expectations> {
+ let value = &self.0;
+ Ok(Expectations {
+ owners: nix_go_json!(value.expectedOwners),
+ generation_data: nix_go_json!(value.expectedGenerationData),
+ public_parts: nix_go_json!(value.expectedPublicParts),
+ private_parts: nix_go_json!(value.expectedPrivateParts),
+ })
+ }
+ pub fn inner(&self) -> Value {
+ self.0.clone()
+ }
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum RegenerationReason {
+ #[error("owners added: {0:?}")]
+ OwnersAdded(BTreeSet<String>),
+ #[error("owners added: {0:?}")]
+ OwnersRemoved(BTreeSet<String>),
+ #[error("unexpected generation data, expected: {expected:?}, found: {found:?}")]
+ GenerationData {
+ expected: serde_json::Value,
+ found: serde_json::Value,
+ },
+ #[error("unexpected part list, expected: {expected:?}, found: {found:?}")]
+ PartList {
+ expected: BTreeSet<String>,
+ found: BTreeSet<String>,
+ },
+ #[error("part {0} is expected to be encrypted")]
+ ExpectedPrivate(String),
+ #[error("part {0} is not expected to be encrypted")]
+ ExpectedPublic(String),
+ #[error("secret is expired at {0}")]
+ Expired(DateTime<Utc>),
+}
+
+pub fn secret_needs_regeneration(
+ secret: &FleetSecretData,
+ owners: &BTreeSet<String>,
+ expectations: &Expectations,
+) -> Option<RegenerationReason> {
+ if !owners.is_empty() {
+ let added: BTreeSet<String> = expectations.owners.difference(owners).cloned().collect();
+ if !added.is_empty() {
+ return Some(RegenerationReason::OwnersAdded(added));
+ }
+
+ let removed: BTreeSet<String> = owners.difference(&expectations.owners).cloned().collect();
+ if !removed.is_empty() {
+ return Some(RegenerationReason::OwnersRemoved(removed));
+ }
+ }
+
+ if secret.generation_data != expectations.generation_data {
+ return Some(RegenerationReason::GenerationData {
+ expected: expectations.generation_data.clone(),
+ found: secret.generation_data.clone(),
+ });
+ }
+
+ if !expectations.public_parts.is_empty() || !expectations.private_parts.is_empty() {
+ let expected: BTreeSet<String> = expectations
+ .public_parts
+ .union(&expectations.private_parts)
+ .cloned()
+ .collect();
+ let found: BTreeSet<String> = secret.parts.keys().cloned().collect();
+
+ if found != expected {
+ return Some(RegenerationReason::PartList { expected, found });
+ }
+
+ for (name, value) in secret.parts.iter() {
+ if value.raw.encrypted {
+ if !expectations.private_parts.contains(name) {
+ return Some(RegenerationReason::ExpectedPrivate(name.clone()));
+ }
+ } else if !expectations.public_parts.contains(name) {
+ return Some(RegenerationReason::ExpectedPublic(name.clone()));
+ }
+ }
+ }
+
+ if let Some(expiration) = secret.expires_at {
+ // TODO: Leeway?
+ if expiration < Utc::now() {
+ return Some(RegenerationReason::Expired(expiration));
+ }
+ }
+
+ None
+}
crates/nix-eval/src/lib.rsdiffbeforeafterboth--- a/crates/nix-eval/src/lib.rs
+++ b/crates/nix-eval/src/lib.rs
@@ -729,10 +729,13 @@
with_default_context(|c, es| unsafe { get_list_byidx(c, self.0, es, v as u32) }).map(Self)
}
- pub fn attrs_update(self, other: Value/*, ignore_errors: bool*/) -> Result<Self> {
+ pub fn attrs_update(self, other: Value /*, ignore_errors: bool*/) -> Result<Self> {
let attrs_update_fn = Self::eval("a: b: a // b")?;
- attrs_update_fn.call(self)?.call(other).context("attrs update")
+ attrs_update_fn
+ .call(self)?
+ .call(other)
+ .context("attrs update")
}
pub fn get_field(&self, name: impl AsFieldName) -> Result<Self> {
if !matches!(self.type_of(), NixType::Attrs) {
@@ -840,6 +843,9 @@
pub fn is_function(&self) -> bool {
self.functor_kind().is_some()
}
+ pub fn is_null(&self) -> bool {
+ matches!(self.type_of(), NixType::Null)
+ }
}
impl From<String> for Value {
flake.nixdiffbeforeafterboth--- a/flake.nix
+++ b/flake.nix
@@ -181,7 +181,7 @@
inputs'.nix.packages.nix-fetchers-c
inputs'.nix.packages.nix-store-c
- (rage.overrideAttrs {cargoFeatures = ["plugin"];})
+ (rage.overrideAttrs { cargoFeatures = [ "plugin" ]; })
];
environment.PROTOC = "${pkgs.protobuf}/bin/protoc";
};
modules/extras/tf.nixdiffbeforeafterboth--- a/modules/extras/tf.nix
+++ b/modules/extras/tf.nix
@@ -38,17 +38,19 @@
# will be somehow processed by fleet tf.
sensitive = true;
};
- fleetConfigurations.default = {config, ...}: {
- options.data = mkDataOption {
- # host => hostData
- options.extra.terraformHosts = mkOption {
- default = { };
- type = attrsOf (attrsOf unspecified);
- description = "Hosts data provided by fleet tf";
+ fleetConfigurations.default =
+ { config, ... }:
+ {
+ options.data = mkDataOption {
+ # host => hostData
+ options.extra.terraformHosts = mkOption {
+ default = { };
+ type = attrsOf (attrsOf unspecified);
+ description = "Hosts data provided by fleet tf";
+ };
};
+ config.hosts = config.data.extra.terraformHosts;
};
- config.hosts = config.data.extra.terraformHosts;
- };
perSystem.imports = [ ./tf-bootstrap.nix ];
};
modules/nixos/secrets.nixdiffbeforeafterboth--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -6,11 +6,11 @@
...
}:
let
- inherit (builtins) hashString;
+ inherit (builtins) hashString elemAt length toJSON filter;
inherit (lib.stringsWithDeps) stringAfter;
inherit (lib.options) mkOption literalExpression;
inherit (lib.lists) optional;
- inherit (lib.attrsets) mapAttrs;
+ inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.modules) mkIf;
inherit (lib.types)
submodule
@@ -22,10 +22,29 @@
uniq
functionTo
package
+ listOf
;
inherit (fleetLib.strings) decodeRawSecret;
sysConfig = config;
+ secretPartDataType = submodule {
+ options = {
+ raw = mkOption {
+ type = str;
+ internal = true;
+ description = "Encoded & Encrypted secret part data, passed from fleet.nix";
+ };
+ };
+ };
+ secretDataType = submodule {
+ freeformType = lazyAttrsOf secretPartDataType;
+ options = {
+ shared = mkOption {
+ description = "Is this secret owned by this machine, or propagated from shared secrets";
+ default = false;
+ };
+ };
+ };
secretPartType =
secretName:
submodule (
@@ -35,11 +54,6 @@
in
{
options = {
- raw = mkOption {
- type = str;
- internal = true;
- description = "Encoded & Encrypted secret part data, passed from fleet.nix";
- };
hash = mkOption {
type = str;
description = "Hash of secret in encoded format";
@@ -50,34 +64,50 @@
};
stablePath = mkOption {
type = str;
- description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";
+ description = "Path to secret part, stable path (users are expected to watch for file changes/re-read secret on demand)";
};
data = mkOption {
type = str;
description = "Secret public data (only available for plaintext)";
};
};
- config = {
- hash = hashString "sha1" config.raw;
- data = decodeRawSecret config.raw;
- path = "/run/secrets/${secretName}/${config.hash}-${partName}";
- stablePath = "/run/secrets/${secretName}/${partName}";
- };
+ config =
+ let
+ raw = sysConfig.data.secrets.${secretName}.${partName}.raw;
+ in
+ {
+ hash = hashString "sha1" raw;
+ data = decodeRawSecret raw;
+ path = "/run/secrets/${secretName}/${config.hash}-${partName}";
+ stablePath = "/run/secrets/${secretName}/${partName}";
+ };
}
);
secretType = submodule (
- { config, ... }:
+ {
+ config,
+ loc,
+ options,
+ ...
+ }:
let
- secretName = config._module.args.name;
+ secretName =
+ # Due to config definition for freeformType, we can't just use _module.args due to infinite recursion, instead
+ # extract the secret name the ugly way...
+ let
+ saLoc = options._module.specialArgs.loc;
+ comp = elemAt saLoc;
+ in
+ assert
+ (length saLoc == 2 ||
+ length saLoc == 4 &&
+ comp 0 == "secrets" && comp 2 == "_module" && comp 3 == "specialArgs") ||
+ throw "Unexpected module structure ${toJSON saLoc}";
+ if length saLoc == 2 then "documentation generator stub" else comp 1;
in
{
freeformType = lazyAttrsOf (secretPartType secretName);
options = {
- shared = mkOption {
- description = "Is this secret owned by this machine, or propagated from shared secrets";
- default = false;
- };
-
generator = mkOption {
type = uniq (nullOr (functionTo package));
description = "Derivation to evaluate for secret generation";
@@ -104,18 +134,30 @@
description = "Data that gets embedded into secret part";
default = null;
};
+ expectedPrivateParts = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = "List of parts that are expected to be encrypted";
+ };
+ expectedPublicParts = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = "List of parts that are expected to be public";
+ };
};
+ config = mapAttrs (_: _: { }) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) [ "shared" ]);
}
);
- processPart = part: {
- inherit (part) raw path stablePath;
+ processPart = secretName: partName: part: {
+ inherit (part) path stablePath;
+ raw = config.data.secrets.${secretName}.${partName}.raw;
};
processSecret =
- secret:
+ secretName: secret:
{
inherit (secret) group mode owner;
}
- // (mapAttrs (_: processPart) (
+ // (mapAttrs (processPart secretName) (
removeAttrs secret [
"shared"
"generator"
@@ -123,11 +165,14 @@
"group"
"owner"
"expectedGenerationData"
+ "expectedPrivateParts"
+ "expectedPublicParts"
]
));
+ secretsData = (mapAttrs (processSecret) config.secrets);
secretsFile = pkgs.writeTextFile {
name = "secrets.json";
- text = builtins.toJSON (mapAttrs (_: processSecret) config.secrets);
+ text = toJSON secretsData;
};
useSysusers =
(config.systemd ? sysusers && config.systemd.sysusers.enable)
@@ -135,15 +180,38 @@
in
{
options = {
+ data.secrets = mkOption {
+ type = attrsOf secretDataType;
+ default = { };
+ description = "Host-local secret data";
+ };
secrets = mkOption {
type = attrsOf secretType;
default = { };
description = "Host-local secrets";
};
+ system.secretsData = mkOption {
+ type = unspecified;
+ default = {};
+ description = "secrets.json contents";
+ };
};
config = {
+ system = {inherit secretsData;};
environment.systemPackages = [ pkgs.fleet-install-secrets ];
+ warnings = filter (v: v!=null) (mapAttrsToList (
+ name: secret:
+ if
+ secret.expectedPrivateParts == [ ]
+ && secret.expectedPublicParts == [ ]
+ && !(config.data.secrets.${name} or { shared = false; }).shared
+ then
+ "Secret ${name} has no expected parts defined, this is deprecated for better visibility"
+ else
+ null
+ ) config.secrets);
+
systemd.services.fleet-install-secrets = mkIf useSysusers {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
modules/secrets-data.nixdiffbeforeafterboth--- a/modules/secrets-data.nix
+++ b/modules/secrets-data.nix
@@ -151,8 +151,9 @@
toJSON (config.data.sharedSecrets.${name} or { owners = [ ]; }).owners
}. Run fleet secrets regenerate to fix";
}) config.sharedSecrets)
+
++ (mapAttrsToList (name: secret: {
- # TODO: Same aassertion should be in host secrets
+ # TODO: Same assertion should be in host secrets
assertion =
(config.data.sharedSecrets.${name} or { generationData = null; }).generationData
== secret.expectedGenerationData;
@@ -160,6 +161,5 @@
toJSON (config.data.sharedSecrets.${name} or { generationData = null; }).generationData
}. Run fleet secrets regenerate to fix";
}) config.sharedSecrets);
- sharedSecrets = mapAttrs (_: _: { }) config.data.sharedSecrets;
};
}
modules/secrets.nixdiffbeforeafterboth--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -69,6 +69,16 @@
description = "Contextual metadata embedded within the secret part value";
default = null;
};
+ expectedPrivateParts = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = "List of parts that are expected to be encrypted";
+ };
+ expectedPublicParts = mkOption {
+ type = listOf str;
+ default = [ ];
+ description = "List of parts that are expected to be public";
+ };
};
};
in
@@ -81,16 +91,25 @@
};
};
config = {
- hosts = mapAttrs (_: secretMap: {
- nixos.secrets = mapAttrs (
- _: s:
- removeAttrs s [
- "createdAt"
- "expiresAt"
- "generationData"
- ]
- ) secretMap;
- }) config.data.hostSecrets;
+ hosts = mapAttrs (
+ _: secretMap:
+ let
+ partsOf =
+ s:
+ removeAttrs s [
+ "createdAt"
+ "expiresAt"
+ "generationData"
+ ];
+
+ in
+ {
+ nixos.data.secrets = mapAttrs (_: s: partsOf s) secretMap;
+ # nixos.secrets = mapAttrs (
+ # _: s: mapAttrs (_: _: {}) (partsOf s)
+ # ) secretMap;
+ }
+ ) config.data.hostSecrets;
nixpkgs.overlays = [
(final: prev: {
mkSecretGenerators =