git.delta.rocks / jrsonnet / refs/commits / f5a8281dad2c

difftreelog

feat expected secret parts

tylvsszvYaroslav Bolyukin2025-10-26parent: #7120038.patch.diff
in: trunk

16 files changed

modifiedCargo.lockdiffbeforeafterboth
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1055,6 +1055,7 @@
  "shlex",
  "tabled",
  "tempfile",
+ "thiserror 2.0.17",
  "time",
  "tokio",
  "tokio-util",
@@ -1087,6 +1088,7 @@
  "serde_json",
  "tabled",
  "tempfile",
+ "thiserror 2.0.17",
  "time",
  "tokio",
  "tokio-util",
modifiedcmds/fleet/Cargo.tomldiffbeforeafterboth
--- a/cmds/fleet/Cargo.toml
+++ b/cmds/fleet/Cargo.toml
@@ -47,6 +47,7 @@
 nom = "8.0.0"
 opentelemetry = "0.30.0"
 opentelemetry_sdk = "0.30.0"
+thiserror.workspace = true
 tracing-indicatif = { version = "0.3", optional = true }
 tracing-opentelemetry = "0.31.0"
modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, Read, Write, stdin, stdout},4	path::PathBuf,5	slice,6};78use age::Recipient;9use anyhow::{Context, Result, anyhow, bail, ensure};10use chrono::{DateTime, Utc};11use clap::Parser;12use fleet_base::{13	fleetdata::{FleetSecret, FleetSecretPart, FleetSharedSecret, encrypt_secret_data},14	host::Config,15	opts::FleetOpts,16};17use fleet_shared::SecretData;18use nix_eval::{NixType, Value, nix_go, nix_go_json};19use owo_colors::OwoColorize;20use serde::Deserialize;21use tabled::{Table, Tabled};22use tokio::{fs::read, task::spawn_blocking};23use tracing::{Instrument, error, info, info_span, warn};2425#[derive(Parser)]26pub enum Secret {27	AddManager,28	/// Force load host keys for all defined hosts29	ForceKeys,30	/// Add secret, data should be provided in stdin31	AddShared {32		/// Secret name33		name: String,34		/// Secret owners35		#[clap(long, short)]36		machines: Vec<String>,37		/// Override secret if already present38		#[clap(long)]39		force: bool,40		/// Secret public part41		#[clap(long)]42		public: Option<String>,43		/// Load public part from specified file44		#[clap(long)]45		public_file: Option<PathBuf>,4647		/// Create a notification on secret expiration48		#[clap(long)]49		expires_at: Option<DateTime<Utc>>,5051		/// Secret with this name already exists, override its value while keeping the same owners.52		#[clap(long)]53		re_add: bool,5455		/// How to name public secret part56		#[clap(long, short = 'p', default_value = "public")]57		public_part: String,58		/// How to name private secret part59		#[clap(short = 's', long, default_value = "secret")]60		part: String,61	},62	/// Add secret, data should be provided in stdin63	Add {64		/// Secret name65		name: String,66		/// Secret owner67		#[clap(short = 'm', long)]68		machine: String,69		/// Replace secret if already present70		#[clap(long)]71		replace: bool,72		/// Add new parts to existing secret73		#[clap(long)]74		merge: bool,75		/// Secret public part76		#[clap(long)]77		public: Option<String>,78		/// Load public part from specified file79		#[clap(long)]80		public_file: Option<PathBuf>,8182		/// How to name public secret part83		#[clap(short = 'p', long, default_value = "public")]84		public_part: String,85		/// How to name private secret part86		#[clap(short = 's', long, default_value = "secret")]87		part: String,88	},89	/// Read secret from remote host, requires sudo on said host90	Read {91		name: String,92		#[clap(short = 'm', long)]93		machine: String,9495		/// Which private secret part to read96		#[clap(short = 'p', long, default_value = "secret")]97		part: String,98	},99	/// Read secret from remote host, requires sudo on said host100	ReadShared {101		name: String,102		/// Which private secret part to read103		#[clap(short = 'p', long, default_value = "secret")]104		part: String,105		/// Which host should we use to decrypt, in case if reencryption is required, without106		/// regeneration107		#[clap(long)]108		prefer_identities: Vec<String>,109	},110	UpdateShared {111		name: String,112113		#[clap(short = 'm', long)]114		machine: Option<Vec<String>>,115116		#[clap(long)]117		add_machine: Vec<String>,118		#[clap(long)]119		remove_machine: Vec<String>,120121		/// Which host should we use to decrypt122		#[clap(long)]123		prefer_identities: Vec<String>,124	},125	Regenerate {126		/// Which host should we use to decrypt, in case if reencryption is required, without127		/// regeneration128		#[clap(long)]129		prefer_identities: Vec<String>,130		/// Only regenerate shared secrets131		#[clap(long)]132		skip_hosts: bool,133	},134	List {},135	Edit {136		name: String,137		#[clap(short = 'm', long)]138		machine: String,139140		#[clap(long)]141		add: bool,142143		/// Which private secret part to read144		#[clap(short = 'p', long, default_value = "secret")]145		part: String,146	},147}148149fn secret_needs_regeneration(150	secret: &FleetSecret,151	expected_generation_data: &serde_json::Value,152) -> bool {153	let data_is_expected = secret.generation_data == *expected_generation_data;154	// TODO: Leeway?155	let expired = secret156		.expires_at157		.map(|expiration| expiration < Utc::now())158		.unwrap_or(false);159	expired || !data_is_expected160}161162#[allow(clippy::too_many_arguments)]163#[tracing::instrument(skip(config, secret, field, prefer_identities))]164async fn maybe_regenerate_shared_secret(165	secret_name: &str,166	config: &Config,167	mut secret: FleetSharedSecret,168	field: Value,169	expected_owners: &[String],170	expected_generation_data: serde_json::Value,171	prefer_identities: &[String],172) -> Result<FleetSharedSecret> {173	let original_set = secret.owners.clone();174175	let set = original_set.iter().collect::<BTreeSet<_>>();176	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();177178	let regeneration_required =179		secret_needs_regeneration(&secret.secret, &expected_generation_data);180181	if set == expected_set && !regeneration_required {182		info!("no need to update owner list, it is already correct");183		return Ok(secret);184	}185186	let should_regenerate = if regeneration_required {187		info!("secret has its generation data changed, regeneration is required");188		true189	} else if set.difference(&expected_set).next().is_some() {190		// TODO: Remove this warning for revokable secrets.191		warn!(192			"host was removed from secret owners, but until this host rebuild, the secret will still be stored on it."193		);194		nix_go_json!(field.regenerateOnOwnerRemoved)195	} else if expected_set.difference(&set).next().is_some() {196		nix_go_json!(field.regenerateOnOwnerAdded)197	} else {198		false199	};200201	if should_regenerate {202		info!("secret needs to be regenerated");203		let generated = generate_shared(204			config,205			secret_name,206			field,207			expected_owners.to_vec(),208			expected_generation_data,209		)210		.await?;211		Ok(generated)212	} else {213		let identity_holder = if !prefer_identities.is_empty() {214			prefer_identities215				.iter()216				.find(|i| original_set.iter().any(|s| s == *i))217		} else {218			secret.owners.first()219		};220		let Some(identity_holder) = identity_holder else {221			bail!("no available holder found");222		};223224		for (part_name, part) in secret.secret.parts.iter_mut() {225			let _span = info_span!("part reencryption", part_name);226			if !part.raw.encrypted {227				continue;228			}229			let host = config.host(identity_holder).await?;230			let encrypted = host231				.reencrypt(part.raw.clone(), expected_owners.to_vec())232				.await?;233			part.raw = encrypted;234		}235236		secret.owners = expected_owners.to_vec();237		Ok(secret)238	}239}240241#[derive(Deserialize)]242#[serde(rename_all = "camelCase")]243enum GeneratorKind {244	Impure,245	Pure,246}247248async fn generate_pure(249	_config: &Config,250	_display_name: &str,251	_secret: Value,252	_default_generator: Value,253	_owners: &[String],254) -> Result<FleetSecret> {255	bail!("pure generators are broken for now")256}257async fn generate_impure(258	config: &Config,259	_display_name: &str,260	secret: Value,261	default_generator: Value,262	expected_owners: &[String],263	expected_generation_data: serde_json::Value,264) -> Result<FleetSecret> {265	let generator = nix_go!(secret.generator);266	let on: Option<String> = nix_go_json!(default_generator.impureOn);267268	let nixpkgs = &config.nixpkgs;269270	let host = if let Some(on) = &on {271		config.host(on).await?272	} else {273		config.local_host()274	};275	let on_pkgs = host.pkgs().await?;276	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);277278	let mut recipients = Vec::new();279	for owner in expected_owners {280		let key = config.key(owner).await?;281		recipients.push(key);282	}283	let generators = nix_go!(mk_secret_generators(Obj { recipients }));284	// FIXME: Apparently, // operator is slow in nix285	let pkgs_and_generators = on_pkgs.attrs_update(generators)?;286287	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));288289	let generator = nix_go!(call_package(generator)(Obj {}));290291	let generator = spawn_blocking(move || generator.build("out"))292		.await293		.expect("nix build shouldn't fail")?;294	let generator = host.remote_derivation(&generator).await?;295296	let out_parent = host.mktemp_dir().await?;297	let out = format!("{out_parent}/out");298299	let mut r#gen = host.cmd(generator).await?;300	r#gen.env("out", &out);301	if on.is_none() {302		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.303		let project_path: String = config304			.directory305			.clone()306			.into_os_string()307			.into_string()308			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;309		r#gen.env("FLEET_PROJECT", project_path);310	}311	r#gen.run().await.context("impure generator")?;312313	{314		let marker = host.read_file_text(format!("{out}/marker")).await?;315		ensure!(marker == "SUCCESS", "generation not succeeded");316	}317318	let mut parts = BTreeMap::new();319	for part in host.read_dir(&out).await? {320		if part == "created_at" || part == "expires_at" || part == "marker" {321			continue;322		}323		let contents: SecretData = host324			.read_file_text(format!("{out}/{part}"))325			.await?326			.parse()327			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;328		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });329	}330331	let created_at = host.read_file_value(format!("{out}/created_at")).await?;332	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();333334	Ok(FleetSecret {335		created_at,336		expires_at,337		parts,338		generation_data: expected_generation_data,339	})340}341async fn generate(342	config: &Config,343	display_name: &str,344	secret: Value,345	expected_owners: &[String],346	expected_generation_data: serde_json::Value,347) -> Result<FleetSecret> {348	let generator = nix_go!(secret.generator);349	// Can't properly check on nix module system level350	{351		let gen_ty = generator.type_of();352		if matches!(gen_ty, NixType::Null) {353			bail!("secret has no generator defined, can't automatically generate it.");354		}355		if matches!(gen_ty, NixType::Attrs) {356			if !generator.has_field("__functor")? {357				bail!("generator should be functor, got {gen_ty:?}");358			}359		} else if matches!(gen_ty, NixType::Function) {360			bail!("generator should be functor, got {gen_ty:?}");361		}362	}363	let nixpkgs = &config.nixpkgs;364	let default_pkgs = &config.default_pkgs;365	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);366	// Generators provide additional information in passthru, to access367	// passthru we should call generator, but information about where this generator is supposed to build368	// is located in passthru... Thus evaluating generator on host.369	//370	// Maybe it is also possible to do some magic with __functor?371	//372	// I don't want to make modules always responsible for additional secret data anyway,373	// so it should be in derivation, and not in the secret data itself.374	let generators = nix_go!(default_mk_secret_generators(Obj {375		recipients: <Vec<String>>::new(),376	}));377	let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;378379	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));380	let default_generator = nix_go!(call_package(generator)(Obj {}));381382	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);383384	match kind {385		GeneratorKind::Impure => {386			generate_impure(387				config,388				display_name,389				secret,390				default_generator,391				expected_owners,392				expected_generation_data,393			)394			.await395		}396		GeneratorKind::Pure => {397			generate_pure(398				config,399				display_name,400				secret,401				default_generator,402				expected_owners,403			)404			.await405		}406	}407}408async fn generate_shared(409	config: &Config,410	display_name: &str,411	secret: Value,412	expected_owners: Vec<String>,413	expected_generation_data: serde_json::Value,414) -> Result<FleetSharedSecret> {415	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);416	Ok(FleetSharedSecret {417		secret: generate(418			config,419			display_name,420			secret,421			&expected_owners,422			expected_generation_data,423		)424		.await?,425		owners: expected_owners,426	})427}428429async fn parse_public(430	public: Option<String>,431	public_file: Option<PathBuf>,432) -> Result<Option<SecretData>> {433	Ok(match (public, public_file) {434		(Some(v), None) => Some(SecretData {435			data: v.into(),436			encrypted: false,437		}),438		(None, Some(v)) => Some(SecretData {439			data: read(v).await?,440			encrypted: false,441		}),442		(Some(_), Some(_)) => {443			bail!("only public or public_file should be set")444		}445		(None, None) => None,446	})447}448449async fn parse_secret() -> Result<Option<Vec<u8>>> {450	let mut input = vec![];451	stdin().read_to_end(&mut input)?;452	if input.is_empty() {453		Ok(None)454	} else {455		Ok(Some(input))456	}457}458459fn parse_machines(460	initial: Vec<String>,461	machines: Option<Vec<String>>,462	mut add_machines: Vec<String>,463	mut remove_machines: Vec<String>,464) -> Result<Vec<String>> {465	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {466		bail!("no operation");467	}468469	let initial_machines = initial.clone();470	let mut target_machines = initial;471	info!("Currently encrypted for {initial_machines:?}");472473	// ensure!(machines.is_some() || !add_machines.is_empty() || )474	if let Some(machines) = machines {475		ensure!(476			add_machines.is_empty() && remove_machines.is_empty(),477			"can't combine --machines and --add-machines/--remove-machines"478		);479		let target = initial_machines.iter().collect::<HashSet<_>>();480		let source = machines.iter().collect::<HashSet<_>>();481		for removed in target.difference(&source) {482			remove_machines.push((*removed).clone());483		}484		for added in source.difference(&target) {485			add_machines.push((*added).clone());486		}487	}488489	for machine in &remove_machines {490		let mut removed = false;491		while let Some(pos) = target_machines.iter().position(|m| m == machine) {492			target_machines.swap_remove(pos);493			removed = true;494		}495		if !removed {496			warn!("secret is not enabled for {machine}");497		}498	}499	for machine in &add_machines {500		if target_machines.iter().any(|m| m == machine) {501			warn!("secret is already added to {machine}");502		} else {503			target_machines.push(machine.to_owned());504		}505	}506	if !remove_machines.is_empty() {507		// TODO: maybe force secret regeneration?508		// Not that useful without revokation.509		warn!(510			"secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret"511		);512	}513	Ok(target_machines)514}515impl Secret {516	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {517		match self {518			Secret::AddManager => {519				todo!("part of fleet-pusher")520			}521			Secret::ForceKeys => {522				for host in config.list_hosts().await? {523					if opts.should_skip(&host).await? {524						continue;525					}526					config.key(&host.name).await?;527				}528			}529			Secret::AddShared {530				mut machines,531				name,532				force,533				public,534				public_part: public_name,535				public_file,536				expires_at,537				re_add,538				part: part_name,539			} => {540				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).541542				let exists = config.has_shared(&name);543				if exists && !force && !re_add {544					bail!("secret already defined");545				}546				if re_add {547					// Fixme: use clap to limit this usage548					ensure!(!force, "--force and --readd are not compatible");549					ensure!(exists, "secret doesn't exists");550					ensure!(551						machines.is_empty(),552						"you can't use machines argument for --readd"553					);554					let shared = config.shared_secret(&name)?;555					machines = shared.owners;556				}557558				let recipients = config.recipients(machines.clone()).await?;559560				let mut parts = BTreeMap::new();561562				let mut input = vec![];563				io::stdin().read_to_end(&mut input)?;564565				if !input.is_empty() {566					let encrypted =567						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)568							.ok_or_else(|| anyhow!("no recipients provided"))?;569					parts.insert(part_name, FleetSecretPart { raw: encrypted });570				}571572				if let Some(public) = parse_public(public, public_file).await? {573					parts.insert(public_name, FleetSecretPart { raw: public });574				}575576				config.replace_shared(577					name,578					FleetSharedSecret {579						owners: machines,580						secret: FleetSecret {581							created_at: Utc::now(),582							expires_at,583							parts,584							generation_data: serde_json::Value::Null,585						},586					},587				);588			}589			Secret::Add {590				machine,591				name,592				replace,593				merge,594				public,595				public_part: public_name,596				public_file,597				part: part_name,598			} => {599				if config.has_secret(&machine, &name) && !replace && !merge {600					bail!(601						"secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret"602					);603				}604605				let mut out = if merge && !replace {606					config607						.host_secret(&machine, &name)608						.context("failed to read existing secret for --merge")?609				} else {610					FleetSecret {611						created_at: Utc::now(),612						expires_at: None,613						parts: BTreeMap::new(),614						generation_data: serde_json::Value::Null,615					}616				};617618				if let Some(secret) = parse_secret().await? {619					let recipient = config.recipient(&machine).await?;620					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)621						.expect("recipient provided");622					if out623						.parts624						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })625						.is_some() && !replace626					{627						bail!("part {part_name:?} is already defined");628					}629				}630631				if let Some(public) = parse_public(public, public_file).await? {632					if out633						.parts634						.insert(public_name.clone(), FleetSecretPart { raw: public })635						.is_some() && !replace636					{637						bail!("part {public_name:?} is already defined");638					}639				};640641				config.insert_secret(&machine, name, out);642			}643			#[allow(clippy::await_holding_refcell_ref)]644			Secret::Read {645				name,646				machine,647				part: part_name,648			} => {649				let secret = config.host_secret(&machine, &name)?;650				let Some(secret) = secret.parts.get(&part_name) else {651					bail!("no part {part_name} in secret {name}");652				};653				let data = if secret.raw.encrypted {654					let host = config.host(&machine).await?;655					host.decrypt(secret.raw.clone()).await?656				} else {657					secret.raw.data.clone()658				};659660				stdout().write_all(&data)?;661			}662			Secret::ReadShared {663				name,664				part: part_name,665				prefer_identities,666			} => {667				let secret = config.shared_secret(&name)?;668				let Some(part) = secret.secret.parts.get(&part_name) else {669					bail!("no part {part_name} in secret {name}");670				};671				let data = if part.raw.encrypted {672					let identity_holder = if !prefer_identities.is_empty() {673						prefer_identities674							.iter()675							.find(|i| secret.owners.iter().any(|s| s == *i))676					} else {677						secret.owners.first()678					};679					let Some(identity_holder) = identity_holder else {680						bail!("no available holder found");681					};682					let host = config.host(identity_holder).await?;683					host.decrypt(part.raw.clone()).await?684				} else {685					part.raw.data.clone()686				};687				stdout().write_all(&data)?;688			}689			Secret::UpdateShared {690				name,691				machine,692				add_machine,693				remove_machine,694				prefer_identities,695			} => {696				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).697698				let secret = config.shared_secret(&name)?;699				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {700					bail!("no secret");701				}702703				let initial_machines = secret.owners.clone();704				let target_machines = parse_machines(705					initial_machines.clone(),706					machine,707					add_machine,708					remove_machine,709				)?;710711				if target_machines.is_empty() {712					info!("no machines left for secret, removing it");713					config.remove_shared(&name);714					return Ok(());715				}716717				let config_field = &config.config_field;718				let name_clone = name.clone();719				let field = nix_go!(config_field.sharedSecrets[name_clone]);720				let expected_generation_data = nix_go_json!(field.expectedGenerationData);721722				let updated = maybe_regenerate_shared_secret(723					&name,724					config,725					secret,726					field,727					&target_machines,728					expected_generation_data,729					&prefer_identities,730					// None,731				)732				.await?;733				config.replace_shared(name, updated);734			}735			Secret::Regenerate {736				prefer_identities,737				skip_hosts,738			} => {739				info!("checking for secrets to regenerate");740				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();741				{742					// Generate missing shared743					let _span = info_span!("shared").entered();744					let expected_shared_set = config745						.list_configured_shared()746						.await?747						.into_iter()748						.collect::<HashSet<_>>();749					for missing in expected_shared_set.difference(&stored_shared_set) {750						let config_field = &config.config_field;751						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);752						let expected_generation_data: serde_json::Value =753							nix_go_json!(secret.expectedGenerationData);754						let expected_owners: Option<Vec<String>> =755							nix_go_json!(secret.expectedOwners);756						let Some(expected_owners) = expected_owners else {757							// Can't generate this missing secret, as it has no defined owners.758							continue;759						};760						info!("generating secret: {missing}");761						let shared = generate_shared(762							config,763							missing,764							secret,765							expected_owners,766							expected_generation_data,767						)768						.in_current_span()769						.await?;770						config.replace_shared(missing.to_string(), shared)771					}772				}773				if !skip_hosts {774					for host in config.list_hosts().await? {775						if opts.should_skip(&host).await? {776							continue;777						}778779						let _span = info_span!("host", host = host.name).entered();780						let expected_set = host781							.list_configured_secrets()782							.in_current_span()783							.await?784							.into_iter()785							.collect::<HashSet<_>>();786						let stored_set = config787							.list_secrets(&host.name)788							.into_iter()789							.collect::<HashSet<_>>();790						for missing in expected_set.difference(&stored_set) {791							info!("generating secret: {missing}");792							let secret = host.secret_field(missing).in_current_span().await?;793							let expected_generation_data =794								nix_go_json!(secret.expectedGenerationData);795							let generated = match generate(796								config,797								missing,798								secret,799								slice::from_ref(&host.name),800								expected_generation_data,801							)802							.in_current_span()803							.await804							{805								Ok(v) => v,806								Err(e) => {807									error!("{e:?}");808									continue;809								}810							};811							config.insert_secret(&host.name, missing.to_string(), generated)812						}813						for name in stored_set {814							info!("updating secret: {name}");815							let data = config.host_secret(&host.name, &name)?;816							let secret = host.secret_field(&name).in_current_span().await?;817							let expected_generation_data =818								nix_go_json!(secret.expectedGenerationData);819							if secret_needs_regeneration(&data, &expected_generation_data) {820								let generated = match generate(821									config,822									&name,823									secret,824									slice::from_ref(&host.name),825									expected_generation_data,826								)827								.in_current_span()828								.await829								{830									Ok(v) => v,831									Err(e) => {832										error!("{e:?}");833										continue;834									}835								};836								config.insert_secret(&host.name, name.to_string(), generated)837							}838						}839					}840				}841				let mut to_remove = Vec::new();842				for name in &stored_shared_set {843					info!("updating secret: {name}");844					let data = config.shared_secret(name)?;845					let config_field = &config.config_field;846					let expected_owners: Option<Vec<String>> =847						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);848					let Some(expected_owners) = expected_owners else {849						warn!("secret was removed from fleet config: {name}, removing from data");850						to_remove.push(name.to_string());851						continue;852					};853854					let secret = nix_go!(config_field.sharedSecrets[{ name }]);855					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);856					config.replace_shared(857						name.to_owned(),858						maybe_regenerate_shared_secret(859							name,860							config,861							data,862							secret,863							&expected_owners,864							expected_generation_data,865							&prefer_identities,866							// None,867						)868						.await?,869					);870				}871				for k in to_remove {872					config.remove_shared(&k);873				}874			}875			Secret::List {} => {876				let _span = info_span!("loading secrets").entered();877				let configured = config.list_configured_shared().await?;878				#[derive(Tabled)]879				struct SecretDisplay {880					#[tabled(rename = "Name")]881					name: String,882					#[tabled(rename = "Owners")]883					owners: String,884				}885				let mut table = vec![];886				for name in configured.iter().cloned() {887					let config = config.clone();888					let expected_owners = config.shared_secret_expected_owners(&name).await?;889					let data = config.shared_secret(&name)?;890					let owners = data891						.owners892						.iter()893						.map(|o| {894							if expected_owners.contains(o) {895								o.green().to_string()896							} else {897								o.red().to_string()898							}899						})900						.collect::<Vec<_>>();901					table.push(SecretDisplay {902						owners: owners.join(", "),903						name,904					})905				}906				info!("loaded\n{}", Table::new(table).to_string())907			}908			Secret::Edit {909				name,910				machine,911				part,912				add,913			} => {914				let secret = config.host_secret(&machine, &name)?;915				if let Some(data) = secret.parts.get(&part) {916					let host = config.host(&machine).await?;917					let secret = host.decrypt(data.raw.clone()).await?;918					String::from_utf8(secret).context("secret is not utf8")?919				} else if add {920					String::new()921				} else {922					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");923				};924			}925		}926		Ok(())927	}928}929930/*931async fn edit_temp_file(932	builder: tempfile::Builder<'_, '_>,933	r: Vec<u8>,934	header: &str,935	comment: &str,936) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {937	if !stdin().is_tty() {938		// TODO: Also try to open /dev/tty directly?939		bail!("stdin is not tty, can't open editor");940	}941942	use std::fmt::Write;943	let mut file = builder.tempfile()?;944945	let mut full_header = String::new();946	let mut had = false;947	for line in header.trim_end().lines() {948		had = true;949		writeln!(&mut full_header, "{comment}{line}")?;950	}951	if had {952		writeln!(&mut full_header, "{}", comment.trim_end())?;953	}954	writeln!(955		&mut full_header,956		"{comment}Do not touch this header! It will be removed automatically"957	)?;958959	file.write_all(full_header.as_bytes())?;960	file.write_all(&r)?;961962	let abs_path = file.into_temp_path();963	let editor = std::env::var_os("VISUAL")964		.or_else(|| std::env::var_os("EDITOR"))965		.unwrap_or_else(|| "vi".into());966	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())967		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;968	let editor_args = editor_args969		.into_iter()970		.map(|v| {971			// Only ASCII subsequences are replaced972			unsafe { OsString::from_encoded_bytes_unchecked(v) }973		})974		.collect_vec();975	let Some((editor, args)) = editor_args.split_first() else {976		bail!("EDITOR env var has no command");977	};978	let mut command = Command::new(editor);979	command.args(args);980981	let path_arg = abs_path.canonicalize()?;982983	// TODO: Save full state, using tcget/_getmode/_setmode984	let was_raw = terminal::is_raw_mode_enabled()?;985	terminal::enable_raw_mode()?;986987	let status = command.arg(path_arg).status().await;988989	if !was_raw {990		terminal::disable_raw_mode()?;991	}992993	let success = match status {994		Ok(s) => s.success(),995		Err(e) if e.kind() == io::ErrorKind::NotFound => {996			bail!("editor not found")997		}998		Err(e) => bail!("editor spawn error: {e}"),999	};10001001	let mut file = std::fs::read(&abs_path).context("read editor output")?;1002	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {1003		todo!();1004	};1005	todo!();10061007	// Ok((success, abs_path))1008}1009*/
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, Read, Write, stdin, stdout},4	path::PathBuf,5};67use anyhow::{Context, Result, anyhow, bail, ensure};8use chrono::{DateTime, Utc};9use clap::Parser;10use fleet_base::{11	fleetdata::{12		FleetHostSecret, FleetSecretData, FleetSecretPart, FleetSharedSecret, encrypt_secret_data,13	},14	host::Config,15	opts::FleetOpts,16	secret::{Expectations, RegenerationReason, SharedSecretDefinition, secret_needs_regeneration},17};18use fleet_shared::SecretData;19use nix_eval::{NixType, Value, nix_go, nix_go_json};20use owo_colors::OwoColorize;21use serde::Deserialize;22use tabled::{Table, Tabled};23use tokio::{fs::read, task::spawn_blocking};24use tracing::{Instrument, error, info, info_span, warn};2526#[derive(Parser)]27pub enum Secret {28	AddManager,29	/// Force load host keys for all defined hosts30	ForceKeys,31	/// Add secret, data should be provided in stdin32	AddShared {33		/// Secret name34		name: String,35		/// Secret owners36		#[clap(long, short)]37		machines: Vec<String>,38		/// Override secret if already present39		#[clap(long)]40		force: bool,41		/// Secret public part42		#[clap(long)]43		public: Option<String>,44		/// Load public part from specified file45		#[clap(long)]46		public_file: Option<PathBuf>,4748		/// Create a notification on secret expiration49		#[clap(long)]50		expires_at: Option<DateTime<Utc>>,5152		/// Secret with this name already exists, override its value while keeping the same owners.53		#[clap(long)]54		re_add: bool,5556		/// How to name public secret part57		#[clap(long, short = 'p', default_value = "public")]58		public_part: String,59		/// How to name private secret part60		#[clap(short = 's', long, default_value = "secret")]61		part: String,62	},63	/// Add secret, data should be provided in stdin64	Add {65		/// Secret name66		name: String,67		/// Secret owner68		#[clap(short = 'm', long)]69		machine: String,70		/// Replace secret if already present71		#[clap(long)]72		replace: bool,73		/// Add new parts to existing secret74		#[clap(long)]75		merge: bool,76		/// Secret public part77		#[clap(long)]78		public: Option<String>,79		/// Load public part from specified file80		#[clap(long)]81		public_file: Option<PathBuf>,8283		/// How to name public secret part84		#[clap(short = 'p', long, default_value = "public")]85		public_part: String,86		/// How to name private secret part87		#[clap(short = 's', long, default_value = "secret")]88		part: String,89	},90	/// Read secret from remote host, requires sudo on said host91	Read {92		name: String,93		#[clap(short = 'm', long)]94		machine: String,9596		/// Which private secret part to read97		#[clap(short = 'p', long, default_value = "secret")]98		part: String,99	},100	/// Read secret from remote host, requires sudo on said host101	ReadShared {102		name: String,103		/// Which private secret part to read104		#[clap(short = 'p', long, default_value = "secret")]105		part: String,106		/// Which host should we use to decrypt, in case if reencryption is required, without107		/// regeneration108		#[clap(long)]109		prefer_identities: Vec<String>,110	},111	UpdateShared {112		name: String,113114		#[clap(short = 'm', long)]115		machine: Option<Vec<String>>,116117		#[clap(long)]118		add_machine: Vec<String>,119		#[clap(long)]120		remove_machine: Vec<String>,121122		/// Which host should we use to decrypt123		#[clap(long)]124		prefer_identities: Vec<String>,125	},126	Regenerate {127		/// Which host should we use to decrypt, in case if reencryption is required, without128		/// regeneration129		#[clap(long)]130		prefer_identities: Vec<String>,131		/// Only regenerate shared secrets132		#[clap(long)]133		skip_hosts: bool,134	},135	List {},136	Edit {137		name: String,138		#[clap(short = 'm', long)]139		machine: String,140141		#[clap(long)]142		add: bool,143144		/// Which private secret part to read145		#[clap(short = 'p', long, default_value = "secret")]146		part: String,147	},148}149150#[allow(clippy::too_many_arguments)]151#[tracing::instrument(skip(config, secret, definition, prefer_identities))]152async fn maybe_regenerate_shared_secret(153	secret_name: &str,154	config: &Config,155	mut secret: FleetSharedSecret,156	definition: SharedSecretDefinition,157	prefer_identities: &[String],158	expectations: &Expectations,159) -> Result<FleetSharedSecret> {160	let reason = secret_needs_regeneration(&secret.secret, &secret.owners, expectations);161	let value = definition.inner();162163	let (should_reencrypt, reason) = match reason {164		Some(RegenerationReason::OwnersAdded(_)) => {165			// Secret always needs to be reencrypted for new owners to be able to read it166			(167				true,168				if nix_go_json!(value.regenerateOnOwnerAdded) {169					reason170				} else {171					None172				},173			)174		}175		Some(RegenerationReason::OwnersRemoved(_)) => {176			// No need to reencrypt, we can just leave stanzas in place.177			if nix_go_json!(value.regenerateOnOwnerRemoved) {178				(true, reason)179			} else {180				(false, None)181			}182		}183		Some(_) => (true, reason),184		None => (false, None),185	};186187	if let Some(reason) = reason {188		info!("secret needs to be regenerated: {reason}");189		let generated = generate_shared(config, secret_name, definition, expectations).await?;190		Ok(generated)191	} else if should_reencrypt {192		info!("secret needs to be reencrypted");193		let identity_holder = if !prefer_identities.is_empty() {194			prefer_identities195				.iter()196				.find(|i| secret.owners.iter().any(|s| s == *i))197		} else {198			secret.owners.first()199		};200		let Some(identity_holder) = identity_holder else {201			bail!("no available holder found");202		};203204		for (part_name, part) in secret.secret.parts.iter_mut() {205			let _span = info_span!("part reencryption", part_name);206			if !part.raw.encrypted {207				continue;208			}209			let host = config.host(identity_holder).await?;210			let encrypted = host211				.reencrypt(212					part.raw.clone(),213					expectations.owners.iter().cloned().collect(),214				)215				.await?;216			part.raw = encrypted;217		}218		secret.owners = expectations.owners.clone();219		Ok(secret)220	} else {221		Ok(secret)222	}223}224225#[derive(Deserialize)]226#[serde(rename_all = "camelCase")]227enum GeneratorKind {228	Impure,229	Pure,230}231232async fn generate_pure(233	_config: &Config,234	_display_name: &str,235	_secret: Value,236	_default_generator: Value,237	_expectations: &Expectations,238) -> Result<FleetSecretData> {239	bail!("pure generators are broken for now")240}241async fn generate_impure(242	config: &Config,243	_display_name: &str,244	secret: Value,245	default_generator: Value,246	expectations: &Expectations,247) -> Result<FleetSecretData> {248	let generator = nix_go!(secret.generator);249	let on: Option<String> = nix_go_json!(default_generator.impureOn);250251	let nixpkgs = &config.nixpkgs;252253	let host = if let Some(on) = &on {254		config.host(on).await?255	} else {256		config.local_host()257	};258	let on_pkgs = host.pkgs().await?;259	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);260261	let mut recipients = Vec::new();262	for owner in &expectations.owners {263		let key = config.key(owner).await?;264		recipients.push(key);265	}266	let generators = nix_go!(mk_secret_generators(Obj { recipients }));267	let pkgs_and_generators = on_pkgs.attrs_update(generators)?;268269	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));270271	let generator = nix_go!(call_package(generator)(Obj {}));272273	let generator = spawn_blocking(move || generator.build("out"))274		.await275		.expect("nix build shouldn't fail")?;276	let generator = host.remote_derivation(&generator).await?;277278	let out_parent = host.mktemp_dir().await?;279	let out = format!("{out_parent}/out");280281	let mut r#gen = host.cmd(generator).await?;282	r#gen.env("out", &out);283	if on.is_none() {284		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.285		let project_path: String = config286			.directory287			.clone()288			.into_os_string()289			.into_string()290			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;291		r#gen.env("FLEET_PROJECT", project_path);292	}293	r#gen.run().await.context("impure generator")?;294295	{296		let marker = host.read_file_text(format!("{out}/marker")).await?;297		ensure!(marker == "SUCCESS", "generation not succeeded");298	}299300	let mut parts = BTreeMap::new();301	for part in host.read_dir(&out).await? {302		if part == "created_at" || part == "expires_at" || part == "marker" {303			continue;304		}305		let contents: SecretData = host306			.read_file_text(format!("{out}/{part}"))307			.await?308			.parse()309			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;310		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });311	}312313	let created_at = host.read_file_value(format!("{out}/created_at")).await?;314	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();315316	let new_data = FleetSecretData {317		created_at,318		expires_at,319		parts,320		generation_data: expectations.generation_data.clone(),321	};322323	if let Some(reason) = secret_needs_regeneration(&new_data, &expectations.owners, expectations) {324		bail!("newly generated secret needs to be regenerated: {reason}")325	}326327	Ok(new_data)328}329330async fn generate(331	config: &Config,332	display_name: &str,333	secret: Value,334	expectations: &Expectations,335) -> Result<FleetSecretData> {336	let generator = nix_go!(secret.generator);337	// Can't properly check on nix module system level338	{339		let gen_ty = generator.type_of();340		if matches!(gen_ty, NixType::Null) {341			bail!("secret has no generator defined, can't automatically generate it.");342		}343		if matches!(gen_ty, NixType::Attrs) {344			if !generator.has_field("__functor")? {345				bail!("generator should be functor, got {gen_ty:?}");346			}347		} else if matches!(gen_ty, NixType::Function) {348			bail!("generator should be functor, got {gen_ty:?}");349		}350	}351	let nixpkgs = &config.nixpkgs;352	let default_pkgs = &config.default_pkgs;353	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);354	// Generators provide additional information in passthru, to access355	// passthru we should call generator, but information about where this generator is supposed to build356	// is located in passthru... Thus evaluating generator on host.357	//358	// Maybe it is also possible to do some magic with __functor?359	//360	// I don't want to make modules always responsible for additional secret data anyway,361	// so it should be in derivation, and not in the secret data itself.362	let generators = nix_go!(default_mk_secret_generators(Obj {363		recipients: <Vec<String>>::new(),364	}));365	let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;366367	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));368	let default_generator = nix_go!(call_package(generator)(Obj {}));369370	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);371372	match kind {373		GeneratorKind::Impure => {374			generate_impure(375				config,376				display_name,377				secret,378				default_generator,379				expectations,380			)381			.await382		}383		GeneratorKind::Pure => {384			generate_pure(385				config,386				display_name,387				secret,388				default_generator,389				expectations,390			)391			.await392		}393	}394}395async fn generate_shared(396	config: &Config,397	display_name: &str,398	secret: SharedSecretDefinition,399	expectations: &Expectations,400) -> Result<FleetSharedSecret> {401	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);402	Ok(FleetSharedSecret {403		managed: Some(true),404		secret: generate(config, display_name, secret.inner(), expectations).await?,405		owners: expectations.owners.clone(),406	})407}408409async fn parse_public(410	public: Option<String>,411	public_file: Option<PathBuf>,412) -> Result<Option<SecretData>> {413	Ok(match (public, public_file) {414		(Some(v), None) => Some(SecretData {415			data: v.into(),416			encrypted: false,417		}),418		(None, Some(v)) => Some(SecretData {419			data: read(v).await?,420			encrypted: false,421		}),422		(Some(_), Some(_)) => {423			bail!("only public or public_file should be set")424		}425		(None, None) => None,426	})427}428429async fn parse_secret() -> Result<Option<Vec<u8>>> {430	let mut input = vec![];431	stdin().read_to_end(&mut input)?;432	if input.is_empty() {433		Ok(None)434	} else {435		Ok(Some(input))436	}437}438439fn parse_machines(440	initial: BTreeSet<String>,441	machines: Option<Vec<String>>,442	mut add_machines: Vec<String>,443	mut remove_machines: Vec<String>,444) -> Result<BTreeSet<String>> {445	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {446		bail!("no operation");447	}448449	let initial_machines = initial.clone();450	let mut target_machines = initial;451	info!("Currently encrypted for {initial_machines:?}");452453	if let Some(machines) = machines {454		ensure!(455			add_machines.is_empty() && remove_machines.is_empty(),456			"can't combine --machines and --add-machines/--remove-machines"457		);458		let target = initial_machines.iter().collect::<HashSet<_>>();459		let source = machines.iter().collect::<HashSet<_>>();460		for removed in target.difference(&source) {461			remove_machines.push((*removed).clone());462		}463		for added in source.difference(&target) {464			add_machines.push((*added).clone());465		}466	}467468	for machine in &remove_machines {469		if !target_machines.remove(machine) {470			warn!("secret is not enabled for {machine}");471		}472	}473	for machine in &add_machines {474		if !target_machines.insert(machine.to_owned()) {475			warn!("secret is already added to {machine}");476		}477	}478	if !remove_machines.is_empty() {479		// TODO: maybe force secret regeneration?480		// Not that useful without revokation.481		warn!(482			"secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret"483		);484	}485	Ok(target_machines)486}487impl Secret {488	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {489		match self {490			Secret::AddManager => {491				todo!("part of fleet-pusher")492			}493			Secret::ForceKeys => {494				for host in config.list_hosts().await? {495					if opts.should_skip(&host).await? {496						continue;497					}498					config.key(&host.name).await?;499				}500			}501			Secret::AddShared {502				machines,503				name,504				force,505				public,506				public_part: public_name,507				public_file,508				expires_at,509				re_add,510				part: part_name,511			} => {512				let mut machines: BTreeSet<String> = machines.into_iter().collect();513				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).514515				if let Some(old_shared) = config.shared_secret(&name)? {516					if !force && !re_add {517						bail!("secret already defined");518					};519					if old_shared.managed.unwrap_or(false) {520						bail!("secret is marked as managed, should not be updated manually");521					};522					if re_add {523						// Fixme: use clap to limit this usage524						ensure!(!force, "--force and --readd are not compatible");525						ensure!(526							machines.is_empty(),527							"you can't use machines argument for --readd"528						);529						machines = old_shared.owners;530					}531				} else if re_add {532					bail!("secret doesn't exists");533				};534535				let recipients = config536					.recipients(machines.iter().cloned().collect())537					.await?;538539				let mut parts = BTreeMap::new();540541				let mut input = vec![];542				io::stdin().read_to_end(&mut input)?;543544				if !input.is_empty() {545					let encrypted = encrypt_secret_data(recipients.iter(), input)546						.ok_or_else(|| anyhow!("no recipients provided"))?;547					parts.insert(part_name, FleetSecretPart { raw: encrypted });548				}549550				if let Some(public) = parse_public(public, public_file).await? {551					parts.insert(public_name, FleetSecretPart { raw: public });552				}553554				config.replace_shared(555					name,556					FleetSharedSecret {557						managed: Some(false),558						owners: machines,559						secret: FleetSecretData {560							created_at: Utc::now(),561							expires_at,562							parts,563							generation_data: serde_json::Value::Null,564						},565					},566				);567			}568			Secret::Add {569				machine,570				name,571				replace,572				merge,573				public,574				public_part: public_name,575				public_file,576				part: part_name,577			} => {578				if config.has_secret(&machine, &name) && !replace && !merge {579					bail!(580						"secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret"581					);582				}583584				let mut out = if merge && !replace {585					config586						.host_secret(&machine, &name)587						.context("failed to read existing secret for --merge")?588				} else {589					FleetHostSecret {590						managed: Some(false),591						secret: FleetSecretData {592							created_at: Utc::now(),593							expires_at: None,594							parts: BTreeMap::new(),595							generation_data: serde_json::Value::Null,596						},597					}598				};599				if out.managed.unwrap_or(false) {600					bail!("secret is managed by fleet and should not be updated manually");601				}602				out.managed = Some(false);603604				if let Some(secret) = parse_secret().await? {605					let recipient = config.recipient(&machine).await?;606					let encrypted =607						encrypt_secret_data([&recipient], secret).expect("recipient provided");608					if out609						.secret610						.parts611						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })612						.is_some() && !replace613					{614						bail!(615							"part {part_name:?} is already defined, use --replace if you wish to replace it"616						);617					}618				}619620				if let Some(public) = parse_public(public, public_file).await? {621					if out622						.secret623						.parts624						.insert(public_name.clone(), FleetSecretPart { raw: public })625						.is_some() && !replace626					{627						bail!(628							"part {public_name:?} is already defined, use --replace if you wish to replace it"629						);630					}631				};632633				config.insert_secret(&machine, name, out);634			}635			#[allow(clippy::await_holding_refcell_ref)]636			Secret::Read {637				name,638				machine,639				part: part_name,640			} => {641				let secret = config.host_secret(&machine, &name)?;642				let Some(secret) = secret.secret.parts.get(&part_name) else {643					bail!("no part {part_name} in secret {name}");644				};645				let data = if secret.raw.encrypted {646					let host = config.host(&machine).await?;647					host.decrypt(secret.raw.clone()).await?648				} else {649					secret.raw.data.clone()650				};651652				stdout().write_all(&data)?;653			}654			Secret::ReadShared {655				name,656				part: part_name,657				prefer_identities,658			} => {659				let Some(secret) = config.shared_secret(&name)? else {660					bail!("secret doesn't exists");661				};662				let Some(part) = secret.secret.parts.get(&part_name) else {663					bail!("no part {part_name} in secret {name}");664				};665				let data = if part.raw.encrypted {666					let identity_holder = if !prefer_identities.is_empty() {667						prefer_identities668							.iter()669							.find(|i| secret.owners.iter().any(|s| s == *i))670					} else {671						secret.owners.first()672					};673					let Some(identity_holder) = identity_holder else {674						bail!("no available holder found");675					};676					let host = config.host(identity_holder).await?;677					host.decrypt(part.raw.clone()).await?678				} else {679					part.raw.data.clone()680				};681				stdout().write_all(&data)?;682			}683			Secret::UpdateShared {684				name,685				machine,686				add_machine,687				remove_machine,688				prefer_identities,689			} => {690				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).691692				let Some(secret) = config.shared_secret(&name)? else {693					bail!("secret doesn't exists");694				};695				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {696					bail!("no secret");697				}698699				let initial_machines = secret.owners.clone();700				let target_machines = parse_machines(701					initial_machines.clone(),702					machine,703					add_machine,704					remove_machine,705				)?;706707				if target_machines.is_empty() {708					info!("no machines left for secret, removing it");709					config.remove_shared(&name);710					return Ok(());711				}712713				let definition = config.shared_secret_definition(&name)?;714				let expectations = definition.expectations()?;715716				let updated = maybe_regenerate_shared_secret(717					&name,718					config,719					secret,720					definition,721					&prefer_identities,722					&expectations,723				)724				.await?;725				config.replace_shared(name, updated);726			}727			Secret::Regenerate {728				prefer_identities,729				skip_hosts,730			} => {731				info!("checking for secrets to regenerate");732				let expected_shared_set = config733					.list_configured_shared()734					.await?735					.into_iter()736					.collect::<HashSet<_>>();737				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();738				{739					// Generate missing shared740					let _span = info_span!("shared").entered();741					for missing in expected_shared_set.difference(&stored_shared_set) {742						let definition = config.shared_secret_definition(missing)?;743						if !definition.is_managed()? {744							info!("skipping unmanaged secret: {missing}");745							continue;746						}747						let expectations = definition.expectations()?;748						info!("generating secret: {missing}");749						let shared = generate_shared(config, missing, definition, &expectations)750							.in_current_span()751							.await?;752						config.replace_shared(missing.to_string(), shared)753					}754				}755				if !skip_hosts {756					for host in config.list_hosts().await? {757						if opts.should_skip(&host).await? {758							continue;759						}760761						let _span = info_span!("host", host = host.name).entered();762						let expected_set = host763							.list_defined_secrets()?764							.into_iter()765							.collect::<HashSet<_>>();766						let stored_set = config767							.list_secrets(&host.name)768							.into_iter()769							.collect::<HashSet<_>>();770						for missing_secret in expected_set.difference(&stored_set) {771							info!("generating missing secret: {missing_secret}");772							let definition = host.secret_definition(missing_secret)?;773							let expectations = definition.expectations()?;774							let generated = match generate(775								config,776								missing_secret,777								definition.inner(),778								&expectations,779							)780							.in_current_span()781							.await782							{783								Ok(v) => v,784								Err(e) => {785									error!("{e:?}");786									continue;787								}788							};789							config.insert_secret(790								&host.name,791								missing_secret.to_string(),792								FleetHostSecret {793									managed: Some(true),794									secret: generated,795								},796							)797						}798						for known_secret in stored_set.intersection(&expected_set) {799							info!("updating secret: {known_secret}");800							let data = config.host_secret(&host.name, known_secret)?;801							let definition = host.secret_definition(known_secret)?;802							let expectations = definition.expectations()?;803							if let Some(regen_reason) = data.needs_regeneration(&expectations) {804								info!("needs regeneration: {regen_reason}");805								let generated = match generate(806									config,807									known_secret,808									definition.inner(),809									&expectations,810								)811								.in_current_span()812								.await813								{814									Ok(v) => v,815									Err(e) => {816										error!("{e:?}");817										continue;818									}819								};820								config.insert_secret(821									&host.name,822									known_secret.to_string(),823									FleetHostSecret {824										managed: Some(true),825										secret: generated,826									},827								)828							}829						}830						for removed_secret in stored_set.difference(&expected_set) {831							info!("removing secret: {removed_secret}");832							config.remove_secret(&host.name, removed_secret);833						}834					}835				}836				for known_secret in stored_shared_set.intersection(&expected_shared_set) {837					info!("updating shared secret: {known_secret}");838					let data = config.shared_secret(known_secret)?.expect("exists");839840					let definition = config.shared_secret_definition(known_secret)?;841					let expectations = definition.expectations()?;842					config.replace_shared(843						known_secret.to_owned(),844						maybe_regenerate_shared_secret(845							known_secret,846							config,847							data,848							definition,849							&prefer_identities,850							&expectations,851						)852						.await?,853					);854				}855				for removed_secret in stored_shared_set.difference(&expected_shared_set) {856					info!("removing shared secret: {removed_secret}");857					config.remove_shared(removed_secret);858				}859			}860			Secret::List {} => {861				let _span = info_span!("loading secrets").entered();862				let configured = config.list_configured_shared().await?;863				#[derive(Tabled)]864				struct SecretDisplay {865					#[tabled(rename = "Name")]866					name: String,867					#[tabled(rename = "Owners")]868					owners: String,869				}870				let mut table = vec![];871				for name in configured.iter().cloned() {872					let config = config.clone();873					let data = config.shared_secret(&name)?.expect("exists");874					let definition = config.shared_secret_definition(&name)?;875					let expectations = definition.expectations()?;876					let owners = data877						.owners878						.iter()879						.map(|o| {880							if expectations.owners.contains(o) {881								o.green().to_string()882							} else {883								o.red().to_string()884							}885						})886						.collect::<Vec<_>>();887					table.push(SecretDisplay {888						owners: owners.join(", "),889						name,890					})891				}892				info!("loaded\n{}", Table::new(table).to_string())893			}894			Secret::Edit {895				name,896				machine,897				part,898				add,899			} => {900				let secret = config.host_secret(&machine, &name)?;901				if let Some(data) = secret.secret.parts.get(&part) {902					let host = config.host(&machine).await?;903					let secret = host.decrypt(data.raw.clone()).await?;904					String::from_utf8(secret).context("secret is not utf8")?905				} else if add {906					String::new()907				} else {908					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");909				};910			}911		}912		Ok(())913	}914}915916/*917async fn edit_temp_file(918	builder: tempfile::Builder<'_, '_>,919	r: Vec<u8>,920	header: &str,921	comment: &str,922) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {923	if !stdin().is_tty() {924		// TODO: Also try to open /dev/tty directly?925		bail!("stdin is not tty, can't open editor");926	}927928	use std::fmt::Write;929	let mut file = builder.tempfile()?;930931	let mut full_header = String::new();932	let mut had = false;933	for line in header.trim_end().lines() {934		had = true;935		writeln!(&mut full_header, "{comment}{line}")?;936	}937	if had {938		writeln!(&mut full_header, "{}", comment.trim_end())?;939	}940	writeln!(941		&mut full_header,942		"{comment}Do not touch this header! It will be removed automatically"943	)?;944945	file.write_all(full_header.as_bytes())?;946	file.write_all(&r)?;947948	let abs_path = file.into_temp_path();949	let editor = std::env::var_os("VISUAL")950		.or_else(|| std::env::var_os("EDITOR"))951		.unwrap_or_else(|| "vi".into());952	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())953		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;954	let editor_args = editor_args955		.into_iter()956		.map(|v| {957			// Only ASCII subsequences are replaced958			unsafe { OsString::from_encoded_bytes_unchecked(v) }959		})960		.collect_vec();961	let Some((editor, args)) = editor_args.split_first() else {962		bail!("EDITOR env var has no command");963	};964	let mut command = Command::new(editor);965	command.args(args);966967	let path_arg = abs_path.canonicalize()?;968969	// TODO: Save full state, using tcget/_getmode/_setmode970	let was_raw = terminal::is_raw_mode_enabled()?;971	terminal::enable_raw_mode()?;972973	let status = command.arg(path_arg).status().await;974975	if !was_raw {976		terminal::disable_raw_mode()?;977	}978979	let success = match status {980		Ok(s) => s.success(),981		Err(e) if e.kind() == io::ErrorKind::NotFound => {982			bail!("editor not found")983		}984		Err(e) => bail!("editor spawn error: {e}"),985	};986987	let mut file = std::fs::read(&abs_path).context("read editor output")?;988	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {989		todo!();990	};991	todo!();992993	// Ok((success, abs_path))994}995*/
modifiedcmds/fleet/src/main.rsdiffbeforeafterboth
--- a/cmds/fleet/src/main.rs
+++ b/cmds/fleet/src/main.rs
@@ -27,7 +27,7 @@
 use tracing::{Instrument, error, info, info_span};
 #[cfg(feature = "indicatif")]
 use tracing_indicatif::IndicatifLayer;
-use tracing_subscriber::{EnvFilter, fmt::format::Format, prelude::*};
+use tracing_subscriber::{EnvFilter, prelude::*};
 
 #[derive(Parser)]
 struct Prefetch {}
modifiedcrates/fleet-base/Cargo.tomldiffbeforeafterboth
--- a/crates/fleet-base/Cargo.toml
+++ b/crates/fleet-base/Cargo.toml
@@ -24,6 +24,7 @@
 serde_json = "1.0.140"
 tabled = "0.20.0"
 tempfile.workspace = true
+thiserror.workspace = true
 time = { version = "0.3.41", features = ["parsing"] }
 tokio.workspace = true
 tokio-util = "0.7.15"
modifiedcrates/fleet-base/src/fleetdata.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/fleetdata.rs
+++ b/crates/fleet-base/src/fleetdata.rs
@@ -1,5 +1,5 @@
 use std::{
-	collections::BTreeMap,
+	collections::{BTreeMap, BTreeSet},
 	io::{self, Cursor},
 };
 
@@ -13,6 +13,8 @@
 use serde::{Deserialize, Serialize, de::Error};
 use serde_json::Value;
 
+use crate::secret::{Expectations, RegenerationReason, secret_needs_regeneration};
+
 #[derive(Serialize, Deserialize, Default)]
 #[serde(rename_all = "camelCase")]
 pub struct HostData {
@@ -75,30 +77,21 @@
 	pub shared_secrets: BTreeMap<String, FleetSharedSecret>,
 	#[serde(default)]
 	#[serde(skip_serializing_if = "BTreeMap::is_empty")]
-	pub host_secrets: BTreeMap<String, BTreeMap<String, FleetSecret>>,
+	pub host_secrets: BTreeMap<String, BTreeMap<String, FleetHostSecret>>,
 
 	// extra_name => anything
 	#[serde(default)]
 	#[serde(skip_serializing_if = "BTreeMap::is_empty")]
 	pub extra: BTreeMap<String, Value>,
-}
-
-#[derive(Serialize, Deserialize, Clone)]
-#[serde(rename_all = "camelCase")]
-#[must_use]
-pub struct FleetSharedSecret {
-	pub owners: Vec<String>,
-	#[serde(flatten)]
-	pub secret: FleetSecret,
 }
 
 /// Returns None if recipients.is_empty()
-pub fn encrypt_secret_data<'a>(
-	recipients: impl IntoIterator<Item = &'a dyn Recipient>,
+pub fn encrypt_secret_data<'r>(
+	recipients: impl IntoIterator<Item = &'r Box<dyn Recipient>>,
 	data: Vec<u8>,
 ) -> Option<SecretData> {
 	let mut encrypted = vec![];
-	let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter())
+	let mut encryptor = age::Encryptor::with_recipients(recipients.into_iter().map(|v| &**v))
 		.ok()?
 		.wrap_output(&mut encrypted)
 		.expect("in memory write");
@@ -118,7 +111,7 @@
 #[derive(Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
 #[must_use]
-pub struct FleetSecret {
+pub struct FleetSecretData {
 	#[serde(default = "Utc::now")]
 	pub created_at: DateTime<Utc>,
 	#[serde(default)]
@@ -132,3 +125,31 @@
 	#[serde(skip_serializing_if = "Value::is_null")]
 	pub generation_data: Value,
 }
+
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+#[must_use]
+pub struct FleetHostSecret {
+	#[serde(default)]
+	#[serde(skip_serializing_if = "Option::is_none")]
+	pub managed: Option<bool>,
+	#[serde(flatten)]
+	pub secret: FleetSecretData,
+}
+impl FleetHostSecret {
+	pub fn needs_regeneration(&self, expectations: &Expectations) -> Option<RegenerationReason> {
+		secret_needs_regeneration(&self.secret, &expectations.owners, expectations)
+	}
+}
+
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+#[must_use]
+pub struct FleetSharedSecret {
+	#[serde(default)]
+	#[serde(skip_serializing_if = "Option::is_none")]
+	pub managed: Option<bool>,
+	pub owners: BTreeSet<String>,
+	#[serde(flatten)]
+	pub secret: FleetSecretData,
+}
modifiedcrates/fleet-base/src/host.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -22,7 +22,8 @@
 
 use crate::{
 	command::MyCommand,
-	fleetdata::{FleetData, FleetSecret, FleetSharedSecret},
+	fleetdata::{FleetData, FleetHostSecret, FleetSharedSecret},
+	secret::{HostSecretDefinition, SharedSecretDefinition},
 };
 
 pub struct FleetConfigInternals {
@@ -234,7 +235,7 @@
 		let is_fleet_managed = match self.file_exists("/etc/FLEET_HOST").await {
 			Ok(v) => v,
 			Err(e) => {
-				bail!("failed to query remote system kind: {}", e);
+				bail!("failed to query remote system kind: {e}");
 			}
 		};
 		if !is_fleet_managed {
@@ -501,7 +502,7 @@
 
 		Ok(nixos_config)
 	}
-	pub async fn nixos_unchecked_config(&self) -> Result<Value> {
+	pub fn nixos_unchecked_config(&self) -> Result<Value> {
 		if let Some(v) = self.nixos_unchecked_config.get() {
 			return Ok(v.clone());
 		}
@@ -515,23 +516,17 @@
 		Ok(nixos_config)
 	}
 
-	pub async fn list_configured_secrets(&self) -> Result<Vec<String>> {
-		let nixos = self.nixos_unchecked_config().await?;
+	pub fn list_defined_secrets(&self) -> Result<Vec<String>> {
+		let nixos = self.nixos_unchecked_config()?;
 		let secrets = nix_go!(nixos.secrets);
-		let mut out = Vec::new();
-		for name in secrets.list_fields()? {
-			let secret = secrets.get_field(&name).context("getting secret")?;
-			let is_shared: bool = nix_go_json!(secret.shared);
-			if is_shared {
-				continue;
-			}
-			out.push(name);
-		}
-		Ok(out)
+		secrets.list_fields()
 	}
-	pub async fn secret_field(&self, name: &str) -> Result<Value> {
-		let nixos = self.nixos_unchecked_config().await?;
-		Ok(nix_go!(nixos.secrets[{ name }]))
+	pub fn secret_definition(&self, name: &str) -> Result<HostSecretDefinition> {
+		let nixos = self.nixos_unchecked_config()?;
+		Ok(HostSecretDefinition(
+			self.name.clone(),
+			nix_go!(nixos.secrets[{ name }]),
+		))
 	}
 
 	/// Packages for this host, resolved with nixpkgs overlays
@@ -648,10 +643,19 @@
 
 	pub fn list_secrets(&self, host: &str) -> Vec<String> {
 		let data = self.data();
-		let Some(secrets) = data.host_secrets.get(host) else {
-			return Vec::new();
-		};
-		secrets.keys().cloned().collect()
+		let mut out = data
+			.host_secrets
+			.get(host)
+			.map(|s| s.keys().cloned().collect::<Vec<String>>())
+			.unwrap_or_default();
+
+		for (name, shared) in data.shared_secrets.iter() {
+			if shared.owners.contains(host) {
+				out.push(name.clone());
+			}
+		}
+
+		out
 	}
 
 	pub fn has_secret(&self, host: &str, secret: &str) -> bool {
@@ -661,34 +665,44 @@
 		};
 		host_secrets.contains_key(secret)
 	}
-	pub fn insert_secret(&self, host: &str, secret: String, value: FleetSecret) {
+	pub fn insert_secret(&self, host: &str, secret: String, value: FleetHostSecret) {
 		let mut data = self.data_mut();
 		let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
 		host_secrets.insert(secret, value);
 	}
+	pub fn remove_secret(&self, host: &str, secret: &str) {
+		let mut data = self.data_mut();
+		let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
+		host_secrets.remove(secret);
+	}
 
-	pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetSecret> {
+	pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetHostSecret> {
 		let data = self.data();
-		let Some(host_secrets) = data.host_secrets.get(host) else {
-			bail!("no secrets for machine {host}");
+		if let Some(host_secrets) = data.host_secrets.get(host) {
+			if let Some(secret) = host_secrets.get(secret) {
+				return Ok(secret.clone());
+			}
 		};
-		let Some(secret) = host_secrets.get(secret) else {
+		let Some(shared) = data.shared_secrets.get(secret) else {
 			bail!("machine {host} has no secret {secret}");
 		};
-		Ok(secret.clone())
+		if !shared.owners.contains(host) {
+			bail!("shared secret {secret} is not owned by {host}");
+		};
+		Ok(FleetHostSecret {
+			managed: shared.managed,
+			secret: shared.secret.clone(),
+		})
 	}
-	pub fn shared_secret(&self, secret: &str) -> Result<FleetSharedSecret> {
+	pub fn shared_secret(&self, secret: &str) -> Result<Option<FleetSharedSecret>> {
 		let data = self.data();
-		let Some(secret) = data.shared_secrets.get(secret) else {
-			bail!("no shared secret {secret}");
-		};
-		Ok(secret.clone())
+		Ok(data.shared_secrets.get(secret).cloned())
 	}
-	pub async fn shared_secret_expected_owners(&self, secret: &str) -> Result<Vec<String>> {
+	pub fn shared_secret_definition(&self, secret: &str) -> Result<SharedSecretDefinition> {
 		let config_field = &self.config_field;
-		Ok(nix_go_json!(
-			config_field.sharedSecrets[{ secret }].expectedOwners
-		))
+		Ok(SharedSecretDefinition(nix_go!(
+			config_field.sharedSecrets[{ secret }]
+		)))
 	}
 
 	// TODO: Should this be something modifiable from other processes?
modifiedcrates/fleet-base/src/keys.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/keys.rs
+++ b/crates/fleet-base/src/keys.rs
@@ -39,12 +39,14 @@
 		}
 	}
 	/// Insecure, requires root
-	pub async fn recipient(&self, host: &str) -> anyhow::Result<impl Recipient + use<>> {
+	pub async fn recipient(&self, host: &str) -> anyhow::Result<Box<dyn Recipient>> {
 		let key = self.key(host).await?;
-		age::ssh::Recipient::from_str(&key).map_err(|e| anyhow!("parse recipient error: {:?}", e))
+		age::ssh::Recipient::from_str(&key)
+			.map_err(|e| anyhow!("parse recipient error: {e:?}"))
+			.map(|v| Box::new(v) as Box<dyn Recipient>)
 	}
 
-	pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<impl Recipient + use<>>> {
+	pub async fn recipients(&self, hosts: Vec<String>) -> Result<Vec<Box<dyn Recipient>>> {
 		let hosts = self.expand_owner_set(hosts).await?;
 		futures::stream::iter(hosts.iter())
 			.then(|m| self.recipient(m.as_ref()))
modifiedcrates/fleet-base/src/lib.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/lib.rs
+++ b/crates/fleet-base/src/lib.rs
@@ -4,3 +4,4 @@
 pub mod host;
 mod keys;
 pub mod opts;
+pub mod secret;
addedcrates/fleet-base/src/secret.rsdiffbeforeafterboth
--- /dev/null
+++ b/crates/fleet-base/src/secret.rs
@@ -0,0 +1,136 @@
+use std::collections::BTreeSet;
+
+use anyhow::Result;
+use chrono::{DateTime, Utc};
+use nix_eval::{Value, nix_go, nix_go_json};
+
+use crate::fleetdata::FleetSecretData;
+
+#[derive(Debug)]
+pub struct Expectations {
+	pub owners: BTreeSet<String>,
+	pub generation_data: serde_json::Value,
+	pub public_parts: BTreeSet<String>,
+	pub private_parts: BTreeSet<String>,
+}
+
+pub struct HostSecretDefinition(pub(crate) String, pub(crate) Value);
+impl HostSecretDefinition {
+	pub fn is_managed(&self) -> Result<bool> {
+		let value = &self.1;
+		Ok(!nix_go!(value.generator).is_null())
+	}
+	pub fn expectations(&self) -> Result<Expectations> {
+		let value = &self.1;
+		Ok(Expectations {
+			owners: BTreeSet::from([self.0.clone()]),
+			generation_data: nix_go_json!(value.expectedGenerationData),
+			public_parts: nix_go_json!(value.expectedPublicParts),
+			private_parts: nix_go_json!(value.expectedPrivateParts),
+		})
+	}
+	pub fn inner(&self) -> Value {
+		self.1.clone()
+	}
+}
+
+pub struct SharedSecretDefinition(pub(crate) Value);
+impl SharedSecretDefinition {
+	pub fn is_managed(&self) -> Result<bool> {
+		let value = &self.0;
+		Ok(!nix_go!(value.generator).is_null())
+	}
+	pub fn expectations(&self) -> Result<Expectations> {
+		let value = &self.0;
+		Ok(Expectations {
+			owners: nix_go_json!(value.expectedOwners),
+			generation_data: nix_go_json!(value.expectedGenerationData),
+			public_parts: nix_go_json!(value.expectedPublicParts),
+			private_parts: nix_go_json!(value.expectedPrivateParts),
+		})
+	}
+	pub fn inner(&self) -> Value {
+		self.0.clone()
+	}
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum RegenerationReason {
+	#[error("owners added: {0:?}")]
+	OwnersAdded(BTreeSet<String>),
+	#[error("owners added: {0:?}")]
+	OwnersRemoved(BTreeSet<String>),
+	#[error("unexpected generation data, expected: {expected:?}, found: {found:?}")]
+	GenerationData {
+		expected: serde_json::Value,
+		found: serde_json::Value,
+	},
+	#[error("unexpected part list, expected: {expected:?}, found: {found:?}")]
+	PartList {
+		expected: BTreeSet<String>,
+		found: BTreeSet<String>,
+	},
+	#[error("part {0} is expected to be encrypted")]
+	ExpectedPrivate(String),
+	#[error("part {0} is not expected to be encrypted")]
+	ExpectedPublic(String),
+	#[error("secret is expired at {0}")]
+	Expired(DateTime<Utc>),
+}
+
+pub fn secret_needs_regeneration(
+	secret: &FleetSecretData,
+	owners: &BTreeSet<String>,
+	expectations: &Expectations,
+) -> Option<RegenerationReason> {
+	if !owners.is_empty() {
+		let added: BTreeSet<String> = expectations.owners.difference(owners).cloned().collect();
+		if !added.is_empty() {
+			return Some(RegenerationReason::OwnersAdded(added));
+		}
+
+		let removed: BTreeSet<String> = owners.difference(&expectations.owners).cloned().collect();
+		if !removed.is_empty() {
+			return Some(RegenerationReason::OwnersRemoved(removed));
+		}
+	}
+
+	if secret.generation_data != expectations.generation_data {
+		return Some(RegenerationReason::GenerationData {
+			expected: expectations.generation_data.clone(),
+			found: secret.generation_data.clone(),
+		});
+	}
+
+	if !expectations.public_parts.is_empty() || !expectations.private_parts.is_empty() {
+		let expected: BTreeSet<String> = expectations
+			.public_parts
+			.union(&expectations.private_parts)
+			.cloned()
+			.collect();
+		let found: BTreeSet<String> = secret.parts.keys().cloned().collect();
+
+		if found != expected {
+			return Some(RegenerationReason::PartList { expected, found });
+		}
+
+		for (name, value) in secret.parts.iter() {
+			if value.raw.encrypted {
+				if !expectations.private_parts.contains(name) {
+					return Some(RegenerationReason::ExpectedPrivate(name.clone()));
+				}
+			} else if !expectations.public_parts.contains(name) {
+				return Some(RegenerationReason::ExpectedPublic(name.clone()));
+			}
+		}
+	}
+
+	if let Some(expiration) = secret.expires_at {
+		// TODO: Leeway?
+		if expiration < Utc::now() {
+			return Some(RegenerationReason::Expired(expiration));
+		}
+	}
+
+	None
+}
modifiedcrates/nix-eval/src/lib.rsdiffbeforeafterboth
--- a/crates/nix-eval/src/lib.rs
+++ b/crates/nix-eval/src/lib.rs
@@ -729,10 +729,13 @@
 
 		with_default_context(|c, es| unsafe { get_list_byidx(c, self.0, es, v as u32) }).map(Self)
 	}
-	pub fn attrs_update(self, other: Value/*, ignore_errors: bool*/) -> Result<Self> {
+	pub fn attrs_update(self, other: Value /*, ignore_errors: bool*/) -> Result<Self> {
 		let attrs_update_fn = Self::eval("a: b: a // b")?;
 
-		attrs_update_fn.call(self)?.call(other).context("attrs update")
+		attrs_update_fn
+			.call(self)?
+			.call(other)
+			.context("attrs update")
 	}
 	pub fn get_field(&self, name: impl AsFieldName) -> Result<Self> {
 		if !matches!(self.type_of(), NixType::Attrs) {
@@ -840,6 +843,9 @@
 	pub fn is_function(&self) -> bool {
 		self.functor_kind().is_some()
 	}
+	pub fn is_null(&self) -> bool {
+		matches!(self.type_of(), NixType::Null)
+	}
 }
 
 impl From<String> for Value {
modifiedflake.nixdiffbeforeafterboth
--- a/flake.nix
+++ b/flake.nix
@@ -181,7 +181,7 @@
                 inputs'.nix.packages.nix-fetchers-c
                 inputs'.nix.packages.nix-store-c
 
-                (rage.overrideAttrs {cargoFeatures = ["plugin"];})
+                (rage.overrideAttrs { cargoFeatures = [ "plugin" ]; })
               ];
               environment.PROTOC = "${pkgs.protobuf}/bin/protoc";
             };
modifiedmodules/extras/tf.nixdiffbeforeafterboth
--- a/modules/extras/tf.nix
+++ b/modules/extras/tf.nix
@@ -38,17 +38,19 @@
       # will be somehow processed by fleet tf.
       sensitive = true;
     };
-    fleetConfigurations.default = {config, ...}: {
-      options.data = mkDataOption {
-        # host => hostData
-        options.extra.terraformHosts = mkOption {
-          default = { };
-          type = attrsOf (attrsOf unspecified);
-          description = "Hosts data provided by fleet tf";
+    fleetConfigurations.default =
+      { config, ... }:
+      {
+        options.data = mkDataOption {
+          # host => hostData
+          options.extra.terraformHosts = mkOption {
+            default = { };
+            type = attrsOf (attrsOf unspecified);
+            description = "Hosts data provided by fleet tf";
+          };
         };
+        config.hosts = config.data.extra.terraformHosts;
       };
-      config.hosts = config.data.extra.terraformHosts;
-    };
 
     perSystem.imports = [ ./tf-bootstrap.nix ];
   };
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -6,11 +6,11 @@
   ...
 }:
 let
-  inherit (builtins) hashString;
+  inherit (builtins) hashString elemAt length toJSON filter;
   inherit (lib.stringsWithDeps) stringAfter;
   inherit (lib.options) mkOption literalExpression;
   inherit (lib.lists) optional;
-  inherit (lib.attrsets) mapAttrs;
+  inherit (lib.attrsets) mapAttrs mapAttrsToList;
   inherit (lib.modules) mkIf;
   inherit (lib.types)
     submodule
@@ -22,10 +22,29 @@
     uniq
     functionTo
     package
+    listOf
     ;
   inherit (fleetLib.strings) decodeRawSecret;
 
   sysConfig = config;
+  secretPartDataType = submodule {
+    options = {
+      raw = mkOption {
+        type = str;
+        internal = true;
+        description = "Encoded & Encrypted secret part data, passed from fleet.nix";
+      };
+    };
+  };
+  secretDataType = submodule {
+    freeformType = lazyAttrsOf secretPartDataType;
+    options = {
+      shared = mkOption {
+        description = "Is this secret owned by this machine, or propagated from shared secrets";
+        default = false;
+      };
+    };
+  };
   secretPartType =
     secretName:
     submodule (
@@ -35,11 +54,6 @@
       in
       {
         options = {
-          raw = mkOption {
-            type = str;
-            internal = true;
-            description = "Encoded & Encrypted secret part data, passed from fleet.nix";
-          };
           hash = mkOption {
             type = str;
             description = "Hash of secret in encoded format";
@@ -50,34 +64,50 @@
           };
           stablePath = mkOption {
             type = str;
-            description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";
+            description = "Path to secret part, stable path (users are expected to watch for file changes/re-read secret on demand)";
           };
           data = mkOption {
             type = str;
             description = "Secret public data (only available for plaintext)";
           };
         };
-        config = {
-          hash = hashString "sha1" config.raw;
-          data = decodeRawSecret config.raw;
-          path = "/run/secrets/${secretName}/${config.hash}-${partName}";
-          stablePath = "/run/secrets/${secretName}/${partName}";
-        };
+        config =
+          let
+            raw = sysConfig.data.secrets.${secretName}.${partName}.raw;
+          in
+          {
+            hash = hashString "sha1" raw;
+            data = decodeRawSecret raw;
+            path = "/run/secrets/${secretName}/${config.hash}-${partName}";
+            stablePath = "/run/secrets/${secretName}/${partName}";
+          };
       }
     );
   secretType = submodule (
-    { config, ... }:
+    {
+      config,
+      loc,
+      options,
+      ...
+    }:
     let
-      secretName = config._module.args.name;
+      secretName =
+        # Due to config definition for freeformType, we can't just use _module.args due to infinite recursion, instead
+        # extract the secret name the ugly way...
+        let
+          saLoc = options._module.specialArgs.loc;
+          comp = elemAt saLoc;
+        in
+        assert
+          (length saLoc == 2 ||
+          length saLoc == 4 &&
+          comp 0 == "secrets" && comp 2 == "_module" && comp 3 == "specialArgs") ||
+          throw "Unexpected module structure ${toJSON saLoc}";
+        if length saLoc == 2 then "documentation generator stub" else comp 1;
     in
     {
       freeformType = lazyAttrsOf (secretPartType secretName);
       options = {
-        shared = mkOption {
-          description = "Is this secret owned by this machine, or propagated from shared secrets";
-          default = false;
-        };
-
         generator = mkOption {
           type = uniq (nullOr (functionTo package));
           description = "Derivation to evaluate for secret generation";
@@ -104,18 +134,30 @@
           description = "Data that gets embedded into secret part";
           default = null;
         };
+        expectedPrivateParts = mkOption {
+          type = listOf str;
+          default = [ ];
+          description = "List of parts that are expected to be encrypted";
+        };
+        expectedPublicParts = mkOption {
+          type = listOf str;
+          default = [ ];
+          description = "List of parts that are expected to be public";
+        };
       };
+      config = mapAttrs (_: _: { }) (removeAttrs (sysConfig.data.secrets.${secretName} or {}) [ "shared" ]);
     }
   );
-  processPart = part: {
-    inherit (part) raw path stablePath;
+  processPart = secretName: partName: part: {
+    inherit (part) path stablePath;
+    raw = config.data.secrets.${secretName}.${partName}.raw;
   };
   processSecret =
-    secret:
+    secretName: secret:
     {
       inherit (secret) group mode owner;
     }
-    // (mapAttrs (_: processPart) (
+    // (mapAttrs (processPart secretName) (
       removeAttrs secret [
         "shared"
         "generator"
@@ -123,11 +165,14 @@
         "group"
         "owner"
         "expectedGenerationData"
+        "expectedPrivateParts"
+        "expectedPublicParts"
       ]
     ));
+  secretsData = (mapAttrs (processSecret) config.secrets);
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
-    text = builtins.toJSON (mapAttrs (_: processSecret) config.secrets);
+    text = toJSON secretsData;
   };
   useSysusers =
     (config.systemd ? sysusers && config.systemd.sysusers.enable)
@@ -135,15 +180,38 @@
 in
 {
   options = {
+    data.secrets = mkOption {
+      type = attrsOf secretDataType;
+      default = { };
+      description = "Host-local secret data";
+    };
     secrets = mkOption {
       type = attrsOf secretType;
       default = { };
       description = "Host-local secrets";
     };
+    system.secretsData = mkOption {
+      type = unspecified;
+      default = {};
+      description = "secrets.json contents";
+    };
   };
   config = {
+    system = {inherit secretsData;};
     environment.systemPackages = [ pkgs.fleet-install-secrets ];
 
+    warnings = filter (v: v!=null) (mapAttrsToList (
+      name: secret:
+      if
+        secret.expectedPrivateParts == [ ]
+        && secret.expectedPublicParts == [ ]
+        && !(config.data.secrets.${name} or { shared = false; }).shared
+      then
+        "Secret ${name} has no expected parts defined, this is deprecated for better visibility"
+      else
+        null
+    ) config.secrets);
+
     systemd.services.fleet-install-secrets = mkIf useSysusers {
       wantedBy = [ "sysinit.target" ];
       after = [ "systemd-sysusers.service" ];
modifiedmodules/secrets-data.nixdiffbeforeafterboth
--- a/modules/secrets-data.nix
+++ b/modules/secrets-data.nix
@@ -151,8 +151,9 @@
           toJSON (config.data.sharedSecrets.${name} or { owners = [ ]; }).owners
         }. Run fleet secrets regenerate to fix";
       }) config.sharedSecrets)
+
       ++ (mapAttrsToList (name: secret: {
-        # TODO: Same aassertion should be in host secrets
+        # TODO: Same assertion should be in host secrets
         assertion =
           (config.data.sharedSecrets.${name} or { generationData = null; }).generationData
           == secret.expectedGenerationData;
@@ -160,6 +161,5 @@
           toJSON (config.data.sharedSecrets.${name} or { generationData = null; }).generationData
         }. Run fleet secrets regenerate to fix";
       }) config.sharedSecrets);
-    sharedSecrets = mapAttrs (_: _: { }) config.data.sharedSecrets;
   };
 }
modifiedmodules/secrets.nixdiffbeforeafterboth
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -69,6 +69,16 @@
           description = "Contextual metadata embedded within the secret part value";
           default = null;
         };
+        expectedPrivateParts = mkOption {
+          type = listOf str;
+          default = [ ];
+          description = "List of parts that are expected to be encrypted";
+        };
+        expectedPublicParts = mkOption {
+          type = listOf str;
+          default = [ ];
+          description = "List of parts that are expected to be public";
+        };
       };
     };
 in
@@ -81,16 +91,25 @@
     };
   };
   config = {
-    hosts = mapAttrs (_: secretMap: {
-      nixos.secrets = mapAttrs (
-        _: s:
-        removeAttrs s [
-          "createdAt"
-          "expiresAt"
-          "generationData"
-        ]
-      ) secretMap;
-    }) config.data.hostSecrets;
+    hosts = mapAttrs (
+      _: secretMap:
+      let
+        partsOf =
+          s:
+          removeAttrs s [
+            "createdAt"
+            "expiresAt"
+            "generationData"
+          ];
+
+      in
+      {
+        nixos.data.secrets = mapAttrs (_: s: partsOf s) secretMap;
+        # nixos.secrets = mapAttrs (
+        #   _: s: mapAttrs (_: _: {}) (partsOf s)
+        # ) secretMap;
+      }
+    ) config.data.hostSecrets;
     nixpkgs.overlays = [
       (final: prev: {
         mkSecretGenerators =