git.delta.rocks / jrsonnet / refs/commits / ffbc7e982cb4

difftreelog

fix do not require wildcard with callPackage

Yaroslav Bolyukin2024-12-08parent: #3b8059d.patch.diff
in: trunk

6 files changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	/// Read secret from remote host, requires sudo on said host98	ReadShared {99		name: String,100		/// Which private secret part to read101		#[clap(short = 'p', long, default_value = "secret")]102		part: String,103		/// Which host should we use to decrypt, in case if reencryption is required, without104		/// regeneration105		#[clap(long)]106		prefer_identities: Vec<String>,107	},108	UpdateShared {109		name: String,110111		#[clap(short = 'm', long)]112		machine: Option<Vec<String>>,113114		#[clap(long)]115		add_machine: Vec<String>,116		#[clap(long)]117		remove_machine: Vec<String>,118119		/// Which host should we use to decrypt120		#[clap(long)]121		prefer_identities: Vec<String>,122	},123	Regenerate {124		/// Which host should we use to decrypt, in case if reencryption is required, without125		/// regeneration126		#[clap(long)]127		prefer_identities: Vec<String>,128		/// Only regenerate shared secrets129		#[clap(long)]130		skip_hosts: bool,131	},132	List {},133	Edit {134		name: String,135		#[clap(short = 'm', long)]136		machine: String,137138		#[clap(long)]139		add: bool,140141		/// Which private secret part to read142		#[clap(short = 'p', long, default_value = "secret")]143		part: String,144	},145}146147fn secret_needs_regeneration(148	secret: &FleetSecret,149	expected_generation_data: &serde_json::Value,150) -> bool {151	let data_is_expected = secret.generation_data == *expected_generation_data;152	// TODO: Leeway?153	let expired = secret154		.expires_at155		.map(|expiration| expiration < Utc::now())156		.unwrap_or(false);157	expired || !data_is_expected158}159160#[allow(clippy::too_many_arguments)]161#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]162async fn maybe_regenerate_shared_secret(163	secret_name: &str,164	config: &Config,165	mut secret: FleetSharedSecret,166	field: Value,167	expected_owners: &[String],168	expected_generation_data: serde_json::Value,169	prefer_identities: &[String],170	batch: Option<NixBuildBatch>,171) -> Result<FleetSharedSecret> {172	let original_set = secret.owners.clone();173174	let set = original_set.iter().collect::<BTreeSet<_>>();175	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();176177	let regeneration_required =178		secret_needs_regeneration(&secret.secret, &expected_generation_data);179180	if set == expected_set && !regeneration_required {181		info!("no need to update owner list, it is already correct");182		return Ok(secret);183	}184185	let should_regenerate = if regeneration_required {186		info!("secret has its generation data changed, regeneration is required");187		true188	} else if set.difference(&expected_set).next().is_some() {189		// TODO: Remove this warning for revokable secrets.190		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");191		nix_go_json!(field.regenerateOnOwnerRemoved)192	} else if expected_set.difference(&set).next().is_some() {193		nix_go_json!(field.regenerateOnOwnerAdded)194	} else {195		false196	};197198	if should_regenerate {199		info!("secret needs to be regenerated");200		let generated = generate_shared(201			config,202			secret_name,203			field,204			expected_owners.to_vec(),205			expected_generation_data,206			batch,207		)208		.await?;209		Ok(generated)210	} else {211		drop(batch);212		let identity_holder = if !prefer_identities.is_empty() {213			prefer_identities214				.iter()215				.find(|i| original_set.iter().any(|s| s == *i))216		} else {217			secret.owners.first()218		};219		let Some(identity_holder) = identity_holder else {220			bail!("no available holder found");221		};222223		for (part_name, part) in secret.secret.parts.iter_mut() {224			let _span = info_span!("part reencryption", part_name);225			if !part.raw.encrypted {226				continue;227			}228			let host = config.host(identity_holder).await?;229			let encrypted = host230				.reencrypt(part.raw.clone(), expected_owners.to_vec())231				.await?;232			part.raw = encrypted;233		}234235		secret.owners = expected_owners.to_vec();236		Ok(secret)237	}238}239240#[derive(Deserialize)]241#[serde(rename_all = "camelCase")]242enum GeneratorKind {243	Impure,244	Pure,245}246247async fn generate_pure(248	_config: &Config,249	_display_name: &str,250	_secret: Value,251	_default_generator: Value,252	_owners: &[String],253) -> Result<FleetSecret> {254	bail!("pure generators are broken for now")255}256async fn generate_impure(257	config: &Config,258	_display_name: &str,259	secret: Value,260	default_generator: Value,261	expected_owners: &[String],262	expected_generation_data: serde_json::Value,263	batch: Option<NixBuildBatch>,264) -> Result<FleetSecret> {265	let generator = nix_go!(secret.generator);266	let on: Option<String> = nix_go_json!(default_generator.impureOn);267268	let host = if let Some(on) = &on {269		config.host(on).await?270	} else {271		config.local_host()272	};273	let on_pkgs = host.pkgs().await?;274	let call_package = nix_go!(on_pkgs.callPackage);275	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);276277	let mut recipients = Vec::new();278	for owner in expected_owners {279		let key = config.key(owner).await?;280		recipients.push(key);281	}282	let generators = nix_go!(mk_secret_generators(Obj { recipients }));283284	let generator = nix_go!(call_package(generator)(generators));285286	let generator = generator.build_maybe_batch(batch).await?;287	let generator = generator288		.get("out")289		.ok_or_else(|| anyhow!("missing generateImpure out"))?;290	let generator = host.remote_derivation(generator).await?;291292	let out_parent = host.mktemp_dir().await?;293	let out = format!("{out_parent}/out");294295	let mut gen = host.cmd(generator).await?;296	gen.env("out", &out);297	if on.is_none() {298		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.299		let project_path: String = config300			.directory301			.clone()302			.into_os_string()303			.into_string()304			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;305		gen.env("FLEET_PROJECT", project_path);306	}307	gen.run().await.context("impure generator")?;308309	{310		let marker = host.read_file_text(format!("{out}/marker")).await?;311		ensure!(marker == "SUCCESS", "generation not succeeded");312	}313314	let mut parts = BTreeMap::new();315	for part in host.read_dir(&out).await? {316		if part == "created_at" || part == "expired_at" || part == "marker" {317			continue;318		}319		let contents: SecretData = host320			.read_file_text(format!("{out}/{part}"))321			.await?322			.parse()323			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;324		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });325	}326327	let created_at = host.read_file_value(format!("{out}/created_at")).await?;328	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();329330	Ok(FleetSecret {331		created_at,332		expires_at,333		parts,334		generation_data: expected_generation_data,335	})336}337async fn generate(338	config: &Config,339	display_name: &str,340	secret: Value,341	expected_owners: &[String],342	expected_generation_data: serde_json::Value,343	batch: Option<NixBuildBatch>,344) -> Result<FleetSecret> {345	let generator = nix_go!(secret.generator);346	// Can't properly check on nix module system level347	{348		let gen_ty = generator.type_of().await?;349		if gen_ty == "null" {350			bail!("secret has no generator defined, can't automatically generate it.");351		}352		if gen_ty != "lambda" {353			bail!("generator should be lambda, got {gen_ty}");354		}355	}356	let default_pkgs = &config.default_pkgs;357	let default_call_package = nix_go!(default_pkgs.callPackage);358	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);359	// Generators provide additional information in passthru, to access360	// passthru we should call generator, but information about where this generator is supposed to build361	// is located in passthru... Thus evaluating generator on host.362	//363	// Maybe it is also possible to do some magic with __functor?364	//365	// I don't want to make modules always responsible for additional secret data anyway,366	// so it should be in derivation, and not in the secret data itself.367	let generators = nix_go!(default_mk_secret_generators(Obj {368		recipients: <Vec<String>>::new(),369	}));370	let default_generator = nix_go!(default_call_package(generator)(generators));371372	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);373374	match kind {375		GeneratorKind::Impure => {376			generate_impure(377				config,378				display_name,379				secret,380				default_generator,381				expected_owners,382				expected_generation_data,383				batch,384			)385			.await386		}387		GeneratorKind::Pure => {388			generate_pure(389				config,390				display_name,391				secret,392				default_generator,393				expected_owners,394			)395			.await396		}397	}398}399async fn generate_shared(400	config: &Config,401	display_name: &str,402	secret: Value,403	expected_owners: Vec<String>,404	expected_generation_data: serde_json::Value,405	batch: Option<NixBuildBatch>,406) -> Result<FleetSharedSecret> {407	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);408	Ok(FleetSharedSecret {409		secret: generate(410			config,411			display_name,412			secret,413			&expected_owners,414			expected_generation_data,415			batch,416		)417		.await?,418		owners: expected_owners,419	})420}421422async fn parse_public(423	public: Option<String>,424	public_file: Option<PathBuf>,425) -> Result<Option<SecretData>> {426	Ok(match (public, public_file) {427		(Some(v), None) => Some(SecretData {428			data: v.into(),429			encrypted: false,430		}),431		(None, Some(v)) => Some(SecretData {432			data: read(v).await?,433			encrypted: false,434		}),435		(Some(_), Some(_)) => {436			bail!("only public or public_file should be set")437		}438		(None, None) => None,439	})440}441442async fn parse_secret() -> Result<Option<Vec<u8>>> {443	let mut input = vec![];444	stdin().read_to_end(&mut input)?;445	if input.is_empty() {446		Ok(None)447	} else {448		Ok(Some(input))449	}450}451452fn parse_machines(453	initial: Vec<String>,454	machines: Option<Vec<String>>,455	mut add_machines: Vec<String>,456	mut remove_machines: Vec<String>,457) -> Result<Vec<String>> {458	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {459		bail!("no operation");460	}461462	let initial_machines = initial.clone();463	let mut target_machines = initial;464	info!("Currently encrypted for {initial_machines:?}");465466	// ensure!(machines.is_some() || !add_machines.is_empty() || )467	if let Some(machines) = machines {468		ensure!(469			add_machines.is_empty() && remove_machines.is_empty(),470			"can't combine --machines and --add-machines/--remove-machines"471		);472		let target = initial_machines.iter().collect::<HashSet<_>>();473		let source = machines.iter().collect::<HashSet<_>>();474		for removed in target.difference(&source) {475			remove_machines.push((*removed).clone());476		}477		for added in source.difference(&target) {478			add_machines.push((*added).clone());479		}480	}481482	for machine in &remove_machines {483		let mut removed = false;484		while let Some(pos) = target_machines.iter().position(|m| m == machine) {485			target_machines.swap_remove(pos);486			removed = true;487		}488		if !removed {489			warn!("secret is not enabled for {machine}");490		}491	}492	for machine in &add_machines {493		if target_machines.iter().any(|m| m == machine) {494			warn!("secret is already added to {machine}");495		} else {496			target_machines.push(machine.to_owned());497		}498	}499	if !remove_machines.is_empty() {500		// TODO: maybe force secret regeneration?501		// Not that useful without revokation.502		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");503	}504	Ok(target_machines)505}506impl Secret {507	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {508		match self {509			Secret::ForceKeys => {510				for host in config.list_hosts().await? {511					if opts.should_skip(&host).await? {512						continue;513					}514					config.key(&host.name).await?;515				}516			}517			Secret::AddShared {518				mut machines,519				name,520				force,521				public,522				public_part: public_name,523				public_file,524				expires_at,525				re_add,526				part: part_name,527			} => {528				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).529530				let exists = config.has_shared(&name);531				if exists && !force && !re_add {532					bail!("secret already defined");533				}534				if re_add {535					// Fixme: use clap to limit this usage536					ensure!(!force, "--force and --readd are not compatible");537					ensure!(exists, "secret doesn't exists");538					ensure!(539						machines.is_empty(),540						"you can't use machines argument for --readd"541					);542					let shared = config.shared_secret(&name)?;543					machines = shared.owners;544				}545546				let recipients = config.recipients(machines.clone()).await?;547548				let mut parts = BTreeMap::new();549550				let mut input = vec![];551				io::stdin().read_to_end(&mut input)?;552553				if !input.is_empty() {554					let encrypted =555						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)556							.ok_or_else(|| anyhow!("no recipients provided"))?;557					parts.insert(part_name, FleetSecretPart { raw: encrypted });558				}559560				if let Some(public) = parse_public(public, public_file).await? {561					parts.insert(public_name, FleetSecretPart { raw: public });562				}563564				config.replace_shared(565					name,566					FleetSharedSecret {567						owners: machines,568						secret: FleetSecret {569							created_at: Utc::now(),570							expires_at,571							parts,572							generation_data: serde_json::Value::Null,573						},574					},575				);576			}577			Secret::Add {578				machine,579				name,580				replace,581				merge,582				public,583				public_part: public_name,584				public_file,585				part: part_name,586			} => {587				if config.has_secret(&machine, &name) && !replace && !merge {588					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");589				}590591				let mut out = if merge && !replace {592					config593						.host_secret(&machine, &name)594						.context("failed to read existing secret for --merge")?595				} else {596					FleetSecret {597						created_at: Utc::now(),598						expires_at: None,599						parts: BTreeMap::new(),600						generation_data: serde_json::Value::Null,601					}602				};603604				if let Some(secret) = parse_secret().await? {605					let recipient = config.recipient(&machine).await?;606					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)607						.expect("recipient provided");608					if out609						.parts610						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })611						.is_some() && !replace612					{613						bail!("part {part_name:?} is already defined");614					}615				}616617				if let Some(public) = parse_public(public, public_file).await? {618					if out619						.parts620						.insert(public_name.clone(), FleetSecretPart { raw: public })621						.is_some() && !replace622					{623						bail!("part {public_name:?} is already defined");624					}625				};626627				config.insert_secret(&machine, name, out);628			}629			#[allow(clippy::await_holding_refcell_ref)]630			Secret::Read {631				name,632				machine,633				part: part_name,634			} => {635				let secret = config.host_secret(&machine, &name)?;636				let Some(secret) = secret.parts.get(&part_name) else {637					bail!("no part {part_name} in secret {name}");638				};639				let data = if secret.raw.encrypted {640					let host = config.host(&machine).await?;641					host.decrypt(secret.raw.clone()).await?642				} else {643					secret.raw.data.clone()644				};645646				stdout().write_all(&data)?;647			}648			Secret::ReadShared {649				name,650				part: part_name,651				prefer_identities,652			} => {653				let secret = config.shared_secret(&name)?;654				let Some(part) = secret.secret.parts.get(&part_name) else {655					bail!("no part {part_name} in secret {name}");656				};657				let data = if part.raw.encrypted {658					let identity_holder = if !prefer_identities.is_empty() {659						prefer_identities660							.iter()661							.find(|i| secret.owners.iter().any(|s| s == *i))662					} else {663						secret.owners.first()664					};665					let Some(identity_holder) = identity_holder else {666						bail!("no available holder found");667					};668					let host = config.host(identity_holder).await?;669					host.decrypt(part.raw.clone()).await?670				} else {671					part.raw.data.clone()672				};673				stdout().write_all(&data)?;674			}675			Secret::UpdateShared {676				name,677				machine,678				add_machine,679				remove_machine,680				prefer_identities,681			} => {682				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).683684				let secret = config.shared_secret(&name)?;685				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {686					bail!("no secret");687				}688689				let initial_machines = secret.owners.clone();690				let target_machines = parse_machines(691					initial_machines.clone(),692					machine,693					add_machine,694					remove_machine,695				)?;696697				if target_machines.is_empty() {698					info!("no machines left for secret, removing it");699					config.remove_shared(&name);700					return Ok(());701				}702703				let config_field = &config.config_field;704				let field = nix_go!(config_field.sharedSecrets[{ name }]);705				let expected_generation_data = nix_go_json!(field.expectedGenerationData);706707				let updated = maybe_regenerate_shared_secret(708					&name,709					config,710					secret,711					field,712					&target_machines,713					expected_generation_data,714					&prefer_identities,715					None,716				)717				.await?;718				config.replace_shared(name, updated);719			}720			Secret::Regenerate {721				prefer_identities,722				skip_hosts,723			} => {724				info!("checking for secrets to regenerate");725				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();726				{727					// Generate missing shared728					let shared_batch = None;729					let _span = info_span!("shared").entered();730					let expected_shared_set = config731						.list_configured_shared()732						.await?733						.into_iter()734						.collect::<HashSet<_>>();735					for missing in expected_shared_set.difference(&stored_shared_set) {736						let config_field = &config.config_field;737						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);738						let expected_generation_data: serde_json::Value =739							nix_go_json!(secret.expectedGenerationData);740						let expected_owners: Option<Vec<String>> =741							nix_go_json!(secret.expectedOwners);742						let Some(expected_owners) = expected_owners else {743							// Can't generate this missing secret, as it has no defined owners.744							continue;745						};746						info!("generating secret: {missing}");747						let shared = generate_shared(748							config,749							missing,750							secret,751							expected_owners,752							expected_generation_data,753							shared_batch.clone(),754						)755						.in_current_span()756						.await?;757						config.replace_shared(missing.to_string(), shared)758					}759				}760				if !skip_hosts {761					let hosts_batch = None;762					for host in config.list_hosts().await? {763						if opts.should_skip(&host).await? {764							continue;765						}766767						let _span = info_span!("host", host = host.name).entered();768						let expected_set = host769							.list_configured_secrets()770							.in_current_span()771							.await?772							.into_iter()773							.collect::<HashSet<_>>();774						let stored_set = config775							.list_secrets(&host.name)776							.into_iter()777							.collect::<HashSet<_>>();778						for missing in expected_set.difference(&stored_set) {779							info!("generating secret: {missing}");780							let secret = host.secret_field(missing).in_current_span().await?;781							let expected_generation_data =782								nix_go_json!(secret.expectedGenerationData);783							let generated = match generate(784								config,785								missing,786								secret,787								&[host.name.clone()],788								expected_generation_data,789								hosts_batch.clone(),790							)791							.in_current_span()792							.await793							{794								Ok(v) => v,795								Err(e) => {796									error!("{e:?}");797									continue;798								}799							};800							config.insert_secret(&host.name, missing.to_string(), generated)801						}802						for name in stored_set {803							info!("updating secret: {name}");804							let data = config.host_secret(&host.name, &name)?;805							let secret = host.secret_field(&name).in_current_span().await?;806							let expected_generation_data =807								nix_go_json!(secret.expectedGenerationData);808							if secret_needs_regeneration(&data, &expected_generation_data) {809								let generated = match generate(810									config,811									&name,812									secret,813									&[host.name.clone()],814									expected_generation_data,815									hosts_batch.clone(),816								)817								.in_current_span()818								.await819								{820									Ok(v) => v,821									Err(e) => {822										error!("{e:?}");823										continue;824									}825								};826								config.insert_secret(&host.name, name.to_string(), generated)827							}828						}829					}830				}831				let mut to_remove = Vec::new();832				for name in &stored_shared_set {833					info!("updating secret: {name}");834					let data = config.shared_secret(name)?;835					let config_field = &config.config_field;836					let expected_owners: Vec<String> =837						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);838					if expected_owners.is_empty() {839						warn!("secret was removed from fleet config: {name}, removing from data");840						to_remove.push(name.to_string());841						continue;842					}843844					let secret = nix_go!(config_field.sharedSecrets[{ name }]);845					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);846					config.replace_shared(847						name.to_owned(),848						maybe_regenerate_shared_secret(849							name,850							config,851							data,852							secret,853							&expected_owners,854							expected_generation_data,855							&prefer_identities,856							None,857						)858						.await?,859					);860				}861				for k in to_remove {862					config.remove_shared(&k);863				}864			}865			Secret::List {} => {866				let _span = info_span!("loading secrets").entered();867				let configured = config.list_configured_shared().await?;868				#[derive(Tabled)]869				struct SecretDisplay {870					#[tabled(rename = "Name")]871					name: String,872					#[tabled(rename = "Owners")]873					owners: String,874				}875				let mut table = vec![];876				for name in configured.iter().cloned() {877					let config = config.clone();878					let expected_owners = config.shared_secret_expected_owners(&name).await?;879					let data = config.shared_secret(&name)?;880					let owners = data881						.owners882						.iter()883						.map(|o| {884							if expected_owners.contains(o) {885								o.green().to_string()886							} else {887								o.red().to_string()888							}889						})890						.collect::<Vec<_>>();891					table.push(SecretDisplay {892						owners: owners.join(", "),893						name,894					})895				}896				info!("loaded\n{}", Table::new(table).to_string())897			}898			Secret::Edit {899				name,900				machine,901				part,902				add,903			} => {904				let secret = config.host_secret(&machine, &name)?;905				if let Some(data) = secret.parts.get(&part) {906					let host = config.host(&machine).await?;907					let secret = host.decrypt(data.raw.clone()).await?;908					String::from_utf8(secret).context("secret is not utf8")?909				} else if add {910					String::new()911				} else {912					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");913				};914			}915		}916		Ok(())917	}918}919920/*921async fn edit_temp_file(922	builder: tempfile::Builder<'_, '_>,923	r: Vec<u8>,924	header: &str,925	comment: &str,926) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {927	if !stdin().is_tty() {928		// TODO: Also try to open /dev/tty directly?929		bail!("stdin is not tty, can't open editor");930	}931932	use std::fmt::Write;933	let mut file = builder.tempfile()?;934935	let mut full_header = String::new();936	let mut had = false;937	for line in header.trim_end().lines() {938		had = true;939		writeln!(&mut full_header, "{comment}{line}")?;940	}941	if had {942		writeln!(&mut full_header, "{}", comment.trim_end())?;943	}944	writeln!(945		&mut full_header,946		"{comment}Do not touch this header! It will be removed automatically"947	)?;948949	file.write_all(full_header.as_bytes())?;950	file.write_all(&r)?;951952	let abs_path = file.into_temp_path();953	let editor = std::env::var_os("VISUAL")954		.or_else(|| std::env::var_os("EDITOR"))955		.unwrap_or_else(|| "vi".into());956	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())957		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;958	let editor_args = editor_args959		.into_iter()960		.map(|v| {961			// Only ASCII subsequences are replaced962			unsafe { OsString::from_encoded_bytes_unchecked(v) }963		})964		.collect_vec();965	let Some((editor, args)) = editor_args.split_first() else {966		bail!("EDITOR env var has no command");967	};968	let mut command = Command::new(editor);969	command.args(args);970971	let path_arg = abs_path.canonicalize()?;972973	// TODO: Save full state, using tcget/_getmode/_setmode974	let was_raw = terminal::is_raw_mode_enabled()?;975	terminal::enable_raw_mode()?;976977	let status = command.arg(path_arg).status().await;978979	if !was_raw {980		terminal::disable_raw_mode()?;981	}982983	let success = match status {984		Ok(s) => s.success(),985		Err(e) if e.kind() == io::ErrorKind::NotFound => {986			bail!("editor not found")987		}988		Err(e) => bail!("editor spawn error: {e}"),989	};990991	let mut file = std::fs::read(&abs_path).context("read editor output")?;992	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {993		todo!();994	};995	todo!();996997	// Ok((success, abs_path))998}999*/
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	/// Read secret from remote host, requires sudo on said host98	ReadShared {99		name: String,100		/// Which private secret part to read101		#[clap(short = 'p', long, default_value = "secret")]102		part: String,103		/// Which host should we use to decrypt, in case if reencryption is required, without104		/// regeneration105		#[clap(long)]106		prefer_identities: Vec<String>,107	},108	UpdateShared {109		name: String,110111		#[clap(short = 'm', long)]112		machine: Option<Vec<String>>,113114		#[clap(long)]115		add_machine: Vec<String>,116		#[clap(long)]117		remove_machine: Vec<String>,118119		/// Which host should we use to decrypt120		#[clap(long)]121		prefer_identities: Vec<String>,122	},123	Regenerate {124		/// Which host should we use to decrypt, in case if reencryption is required, without125		/// regeneration126		#[clap(long)]127		prefer_identities: Vec<String>,128		/// Only regenerate shared secrets129		#[clap(long)]130		skip_hosts: bool,131	},132	List {},133	Edit {134		name: String,135		#[clap(short = 'm', long)]136		machine: String,137138		#[clap(long)]139		add: bool,140141		/// Which private secret part to read142		#[clap(short = 'p', long, default_value = "secret")]143		part: String,144	},145}146147fn secret_needs_regeneration(148	secret: &FleetSecret,149	expected_generation_data: &serde_json::Value,150) -> bool {151	let data_is_expected = secret.generation_data == *expected_generation_data;152	// TODO: Leeway?153	let expired = secret154		.expires_at155		.map(|expiration| expiration < Utc::now())156		.unwrap_or(false);157	expired || !data_is_expected158}159160#[allow(clippy::too_many_arguments)]161#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]162async fn maybe_regenerate_shared_secret(163	secret_name: &str,164	config: &Config,165	mut secret: FleetSharedSecret,166	field: Value,167	expected_owners: &[String],168	expected_generation_data: serde_json::Value,169	prefer_identities: &[String],170	batch: Option<NixBuildBatch>,171) -> Result<FleetSharedSecret> {172	let original_set = secret.owners.clone();173174	let set = original_set.iter().collect::<BTreeSet<_>>();175	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();176177	let regeneration_required =178		secret_needs_regeneration(&secret.secret, &expected_generation_data);179180	if set == expected_set && !regeneration_required {181		info!("no need to update owner list, it is already correct");182		return Ok(secret);183	}184185	let should_regenerate = if regeneration_required {186		info!("secret has its generation data changed, regeneration is required");187		true188	} else if set.difference(&expected_set).next().is_some() {189		// TODO: Remove this warning for revokable secrets.190		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");191		nix_go_json!(field.regenerateOnOwnerRemoved)192	} else if expected_set.difference(&set).next().is_some() {193		nix_go_json!(field.regenerateOnOwnerAdded)194	} else {195		false196	};197198	if should_regenerate {199		info!("secret needs to be regenerated");200		let generated = generate_shared(201			config,202			secret_name,203			field,204			expected_owners.to_vec(),205			expected_generation_data,206			batch,207		)208		.await?;209		Ok(generated)210	} else {211		drop(batch);212		let identity_holder = if !prefer_identities.is_empty() {213			prefer_identities214				.iter()215				.find(|i| original_set.iter().any(|s| s == *i))216		} else {217			secret.owners.first()218		};219		let Some(identity_holder) = identity_holder else {220			bail!("no available holder found");221		};222223		for (part_name, part) in secret.secret.parts.iter_mut() {224			let _span = info_span!("part reencryption", part_name);225			if !part.raw.encrypted {226				continue;227			}228			let host = config.host(identity_holder).await?;229			let encrypted = host230				.reencrypt(part.raw.clone(), expected_owners.to_vec())231				.await?;232			part.raw = encrypted;233		}234235		secret.owners = expected_owners.to_vec();236		Ok(secret)237	}238}239240#[derive(Deserialize)]241#[serde(rename_all = "camelCase")]242enum GeneratorKind {243	Impure,244	Pure,245}246247async fn generate_pure(248	_config: &Config,249	_display_name: &str,250	_secret: Value,251	_default_generator: Value,252	_owners: &[String],253) -> Result<FleetSecret> {254	bail!("pure generators are broken for now")255}256async fn generate_impure(257	config: &Config,258	_display_name: &str,259	secret: Value,260	default_generator: Value,261	expected_owners: &[String],262	expected_generation_data: serde_json::Value,263	batch: Option<NixBuildBatch>,264) -> Result<FleetSecret> {265	let generator = nix_go!(secret.generator);266	let on: Option<String> = nix_go_json!(default_generator.impureOn);267268	let nixpkgs = &config.nixpkgs;269270	let host = if let Some(on) = &on {271		config.host(on).await?272	} else {273		config.local_host()274	};275	let on_pkgs = host.pkgs().await?;276	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);277278	let mut recipients = Vec::new();279	for owner in expected_owners {280		let key = config.key(owner).await?;281		recipients.push(key);282	}283	let generators = nix_go!(mk_secret_generators(Obj { recipients }));284	let pkgs_and_generators = nix_go!(on_pkgs + generators);285286	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));287288	let generator = nix_go!(call_package(generator)(Obj {}));289290	let generator = generator.build_maybe_batch(batch).await?;291	let generator = generator292		.get("out")293		.ok_or_else(|| anyhow!("missing generateImpure out"))?;294	let generator = host.remote_derivation(generator).await?;295296	let out_parent = host.mktemp_dir().await?;297	let out = format!("{out_parent}/out");298299	let mut gen = host.cmd(generator).await?;300	gen.env("out", &out);301	if on.is_none() {302		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.303		let project_path: String = config304			.directory305			.clone()306			.into_os_string()307			.into_string()308			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;309		gen.env("FLEET_PROJECT", project_path);310	}311	gen.run().await.context("impure generator")?;312313	{314		let marker = host.read_file_text(format!("{out}/marker")).await?;315		ensure!(marker == "SUCCESS", "generation not succeeded");316	}317318	let mut parts = BTreeMap::new();319	for part in host.read_dir(&out).await? {320		if part == "created_at" || part == "expired_at" || part == "marker" {321			continue;322		}323		let contents: SecretData = host324			.read_file_text(format!("{out}/{part}"))325			.await?326			.parse()327			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;328		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });329	}330331	let created_at = host.read_file_value(format!("{out}/created_at")).await?;332	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();333334	Ok(FleetSecret {335		created_at,336		expires_at,337		parts,338		generation_data: expected_generation_data,339	})340}341async fn generate(342	config: &Config,343	display_name: &str,344	secret: Value,345	expected_owners: &[String],346	expected_generation_data: serde_json::Value,347	batch: Option<NixBuildBatch>,348) -> Result<FleetSecret> {349	let generator = nix_go!(secret.generator);350	// Can't properly check on nix module system level351	{352		let gen_ty = generator.type_of().await?;353		if gen_ty == "null" {354			bail!("secret has no generator defined, can't automatically generate it.");355		}356		if gen_ty != "lambda" {357			bail!("generator should be lambda, got {gen_ty}");358		}359	}360	let nixpkgs = &config.nixpkgs;361	let default_pkgs = &config.default_pkgs;362	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);363	// Generators provide additional information in passthru, to access364	// passthru we should call generator, but information about where this generator is supposed to build365	// is located in passthru... Thus evaluating generator on host.366	//367	// Maybe it is also possible to do some magic with __functor?368	//369	// I don't want to make modules always responsible for additional secret data anyway,370	// so it should be in derivation, and not in the secret data itself.371	let generators = nix_go!(default_mk_secret_generators(Obj {372		recipients: <Vec<String>>::new(),373	}));374	let pkgs_and_generators = nix_go!(default_pkgs + generators);375376	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));377	let default_generator = nix_go!(call_package(generator)(Obj {}));378379	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);380381	match kind {382		GeneratorKind::Impure => {383			generate_impure(384				config,385				display_name,386				secret,387				default_generator,388				expected_owners,389				expected_generation_data,390				batch,391			)392			.await393		}394		GeneratorKind::Pure => {395			generate_pure(396				config,397				display_name,398				secret,399				default_generator,400				expected_owners,401			)402			.await403		}404	}405}406async fn generate_shared(407	config: &Config,408	display_name: &str,409	secret: Value,410	expected_owners: Vec<String>,411	expected_generation_data: serde_json::Value,412	batch: Option<NixBuildBatch>,413) -> Result<FleetSharedSecret> {414	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);415	Ok(FleetSharedSecret {416		secret: generate(417			config,418			display_name,419			secret,420			&expected_owners,421			expected_generation_data,422			batch,423		)424		.await?,425		owners: expected_owners,426	})427}428429async fn parse_public(430	public: Option<String>,431	public_file: Option<PathBuf>,432) -> Result<Option<SecretData>> {433	Ok(match (public, public_file) {434		(Some(v), None) => Some(SecretData {435			data: v.into(),436			encrypted: false,437		}),438		(None, Some(v)) => Some(SecretData {439			data: read(v).await?,440			encrypted: false,441		}),442		(Some(_), Some(_)) => {443			bail!("only public or public_file should be set")444		}445		(None, None) => None,446	})447}448449async fn parse_secret() -> Result<Option<Vec<u8>>> {450	let mut input = vec![];451	stdin().read_to_end(&mut input)?;452	if input.is_empty() {453		Ok(None)454	} else {455		Ok(Some(input))456	}457}458459fn parse_machines(460	initial: Vec<String>,461	machines: Option<Vec<String>>,462	mut add_machines: Vec<String>,463	mut remove_machines: Vec<String>,464) -> Result<Vec<String>> {465	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {466		bail!("no operation");467	}468469	let initial_machines = initial.clone();470	let mut target_machines = initial;471	info!("Currently encrypted for {initial_machines:?}");472473	// ensure!(machines.is_some() || !add_machines.is_empty() || )474	if let Some(machines) = machines {475		ensure!(476			add_machines.is_empty() && remove_machines.is_empty(),477			"can't combine --machines and --add-machines/--remove-machines"478		);479		let target = initial_machines.iter().collect::<HashSet<_>>();480		let source = machines.iter().collect::<HashSet<_>>();481		for removed in target.difference(&source) {482			remove_machines.push((*removed).clone());483		}484		for added in source.difference(&target) {485			add_machines.push((*added).clone());486		}487	}488489	for machine in &remove_machines {490		let mut removed = false;491		while let Some(pos) = target_machines.iter().position(|m| m == machine) {492			target_machines.swap_remove(pos);493			removed = true;494		}495		if !removed {496			warn!("secret is not enabled for {machine}");497		}498	}499	for machine in &add_machines {500		if target_machines.iter().any(|m| m == machine) {501			warn!("secret is already added to {machine}");502		} else {503			target_machines.push(machine.to_owned());504		}505	}506	if !remove_machines.is_empty() {507		// TODO: maybe force secret regeneration?508		// Not that useful without revokation.509		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");510	}511	Ok(target_machines)512}513impl Secret {514	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {515		match self {516			Secret::ForceKeys => {517				for host in config.list_hosts().await? {518					if opts.should_skip(&host).await? {519						continue;520					}521					config.key(&host.name).await?;522				}523			}524			Secret::AddShared {525				mut machines,526				name,527				force,528				public,529				public_part: public_name,530				public_file,531				expires_at,532				re_add,533				part: part_name,534			} => {535				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).536537				let exists = config.has_shared(&name);538				if exists && !force && !re_add {539					bail!("secret already defined");540				}541				if re_add {542					// Fixme: use clap to limit this usage543					ensure!(!force, "--force and --readd are not compatible");544					ensure!(exists, "secret doesn't exists");545					ensure!(546						machines.is_empty(),547						"you can't use machines argument for --readd"548					);549					let shared = config.shared_secret(&name)?;550					machines = shared.owners;551				}552553				let recipients = config.recipients(machines.clone()).await?;554555				let mut parts = BTreeMap::new();556557				let mut input = vec![];558				io::stdin().read_to_end(&mut input)?;559560				if !input.is_empty() {561					let encrypted =562						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)563							.ok_or_else(|| anyhow!("no recipients provided"))?;564					parts.insert(part_name, FleetSecretPart { raw: encrypted });565				}566567				if let Some(public) = parse_public(public, public_file).await? {568					parts.insert(public_name, FleetSecretPart { raw: public });569				}570571				config.replace_shared(572					name,573					FleetSharedSecret {574						owners: machines,575						secret: FleetSecret {576							created_at: Utc::now(),577							expires_at,578							parts,579							generation_data: serde_json::Value::Null,580						},581					},582				);583			}584			Secret::Add {585				machine,586				name,587				replace,588				merge,589				public,590				public_part: public_name,591				public_file,592				part: part_name,593			} => {594				if config.has_secret(&machine, &name) && !replace && !merge {595					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");596				}597598				let mut out = if merge && !replace {599					config600						.host_secret(&machine, &name)601						.context("failed to read existing secret for --merge")?602				} else {603					FleetSecret {604						created_at: Utc::now(),605						expires_at: None,606						parts: BTreeMap::new(),607						generation_data: serde_json::Value::Null,608					}609				};610611				if let Some(secret) = parse_secret().await? {612					let recipient = config.recipient(&machine).await?;613					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)614						.expect("recipient provided");615					if out616						.parts617						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })618						.is_some() && !replace619					{620						bail!("part {part_name:?} is already defined");621					}622				}623624				if let Some(public) = parse_public(public, public_file).await? {625					if out626						.parts627						.insert(public_name.clone(), FleetSecretPart { raw: public })628						.is_some() && !replace629					{630						bail!("part {public_name:?} is already defined");631					}632				};633634				config.insert_secret(&machine, name, out);635			}636			#[allow(clippy::await_holding_refcell_ref)]637			Secret::Read {638				name,639				machine,640				part: part_name,641			} => {642				let secret = config.host_secret(&machine, &name)?;643				let Some(secret) = secret.parts.get(&part_name) else {644					bail!("no part {part_name} in secret {name}");645				};646				let data = if secret.raw.encrypted {647					let host = config.host(&machine).await?;648					host.decrypt(secret.raw.clone()).await?649				} else {650					secret.raw.data.clone()651				};652653				stdout().write_all(&data)?;654			}655			Secret::ReadShared {656				name,657				part: part_name,658				prefer_identities,659			} => {660				let secret = config.shared_secret(&name)?;661				let Some(part) = secret.secret.parts.get(&part_name) else {662					bail!("no part {part_name} in secret {name}");663				};664				let data = if part.raw.encrypted {665					let identity_holder = if !prefer_identities.is_empty() {666						prefer_identities667							.iter()668							.find(|i| secret.owners.iter().any(|s| s == *i))669					} else {670						secret.owners.first()671					};672					let Some(identity_holder) = identity_holder else {673						bail!("no available holder found");674					};675					let host = config.host(identity_holder).await?;676					host.decrypt(part.raw.clone()).await?677				} else {678					part.raw.data.clone()679				};680				stdout().write_all(&data)?;681			}682			Secret::UpdateShared {683				name,684				machine,685				add_machine,686				remove_machine,687				prefer_identities,688			} => {689				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).690691				let secret = config.shared_secret(&name)?;692				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {693					bail!("no secret");694				}695696				let initial_machines = secret.owners.clone();697				let target_machines = parse_machines(698					initial_machines.clone(),699					machine,700					add_machine,701					remove_machine,702				)?;703704				if target_machines.is_empty() {705					info!("no machines left for secret, removing it");706					config.remove_shared(&name);707					return Ok(());708				}709710				let config_field = &config.config_field;711				let field = nix_go!(config_field.sharedSecrets[{ name }]);712				let expected_generation_data = nix_go_json!(field.expectedGenerationData);713714				let updated = maybe_regenerate_shared_secret(715					&name,716					config,717					secret,718					field,719					&target_machines,720					expected_generation_data,721					&prefer_identities,722					None,723				)724				.await?;725				config.replace_shared(name, updated);726			}727			Secret::Regenerate {728				prefer_identities,729				skip_hosts,730			} => {731				info!("checking for secrets to regenerate");732				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();733				{734					// Generate missing shared735					let shared_batch = None;736					let _span = info_span!("shared").entered();737					let expected_shared_set = config738						.list_configured_shared()739						.await?740						.into_iter()741						.collect::<HashSet<_>>();742					for missing in expected_shared_set.difference(&stored_shared_set) {743						let config_field = &config.config_field;744						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);745						let expected_generation_data: serde_json::Value =746							nix_go_json!(secret.expectedGenerationData);747						let expected_owners: Option<Vec<String>> =748							nix_go_json!(secret.expectedOwners);749						let Some(expected_owners) = expected_owners else {750							// Can't generate this missing secret, as it has no defined owners.751							continue;752						};753						info!("generating secret: {missing}");754						let shared = generate_shared(755							config,756							missing,757							secret,758							expected_owners,759							expected_generation_data,760							shared_batch.clone(),761						)762						.in_current_span()763						.await?;764						config.replace_shared(missing.to_string(), shared)765					}766				}767				if !skip_hosts {768					let hosts_batch = None;769					for host in config.list_hosts().await? {770						if opts.should_skip(&host).await? {771							continue;772						}773774						let _span = info_span!("host", host = host.name).entered();775						let expected_set = host776							.list_configured_secrets()777							.in_current_span()778							.await?779							.into_iter()780							.collect::<HashSet<_>>();781						let stored_set = config782							.list_secrets(&host.name)783							.into_iter()784							.collect::<HashSet<_>>();785						for missing in expected_set.difference(&stored_set) {786							info!("generating secret: {missing}");787							let secret = host.secret_field(missing).in_current_span().await?;788							let expected_generation_data =789								nix_go_json!(secret.expectedGenerationData);790							let generated = match generate(791								config,792								missing,793								secret,794								&[host.name.clone()],795								expected_generation_data,796								hosts_batch.clone(),797							)798							.in_current_span()799							.await800							{801								Ok(v) => v,802								Err(e) => {803									error!("{e:?}");804									continue;805								}806							};807							config.insert_secret(&host.name, missing.to_string(), generated)808						}809						for name in stored_set {810							info!("updating secret: {name}");811							let data = config.host_secret(&host.name, &name)?;812							let secret = host.secret_field(&name).in_current_span().await?;813							let expected_generation_data =814								nix_go_json!(secret.expectedGenerationData);815							if secret_needs_regeneration(&data, &expected_generation_data) {816								let generated = match generate(817									config,818									&name,819									secret,820									&[host.name.clone()],821									expected_generation_data,822									hosts_batch.clone(),823								)824								.in_current_span()825								.await826								{827									Ok(v) => v,828									Err(e) => {829										error!("{e:?}");830										continue;831									}832								};833								config.insert_secret(&host.name, name.to_string(), generated)834							}835						}836					}837				}838				let mut to_remove = Vec::new();839				for name in &stored_shared_set {840					info!("updating secret: {name}");841					let data = config.shared_secret(name)?;842					let config_field = &config.config_field;843					let expected_owners: Vec<String> =844						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);845					if expected_owners.is_empty() {846						warn!("secret was removed from fleet config: {name}, removing from data");847						to_remove.push(name.to_string());848						continue;849					}850851					let secret = nix_go!(config_field.sharedSecrets[{ name }]);852					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);853					config.replace_shared(854						name.to_owned(),855						maybe_regenerate_shared_secret(856							name,857							config,858							data,859							secret,860							&expected_owners,861							expected_generation_data,862							&prefer_identities,863							None,864						)865						.await?,866					);867				}868				for k in to_remove {869					config.remove_shared(&k);870				}871			}872			Secret::List {} => {873				let _span = info_span!("loading secrets").entered();874				let configured = config.list_configured_shared().await?;875				#[derive(Tabled)]876				struct SecretDisplay {877					#[tabled(rename = "Name")]878					name: String,879					#[tabled(rename = "Owners")]880					owners: String,881				}882				let mut table = vec![];883				for name in configured.iter().cloned() {884					let config = config.clone();885					let expected_owners = config.shared_secret_expected_owners(&name).await?;886					let data = config.shared_secret(&name)?;887					let owners = data888						.owners889						.iter()890						.map(|o| {891							if expected_owners.contains(o) {892								o.green().to_string()893							} else {894								o.red().to_string()895							}896						})897						.collect::<Vec<_>>();898					table.push(SecretDisplay {899						owners: owners.join(", "),900						name,901					})902				}903				info!("loaded\n{}", Table::new(table).to_string())904			}905			Secret::Edit {906				name,907				machine,908				part,909				add,910			} => {911				let secret = config.host_secret(&machine, &name)?;912				if let Some(data) = secret.parts.get(&part) {913					let host = config.host(&machine).await?;914					let secret = host.decrypt(data.raw.clone()).await?;915					String::from_utf8(secret).context("secret is not utf8")?916				} else if add {917					String::new()918				} else {919					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");920				};921			}922		}923		Ok(())924	}925}926927/*928async fn edit_temp_file(929	builder: tempfile::Builder<'_, '_>,930	r: Vec<u8>,931	header: &str,932	comment: &str,933) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {934	if !stdin().is_tty() {935		// TODO: Also try to open /dev/tty directly?936		bail!("stdin is not tty, can't open editor");937	}938939	use std::fmt::Write;940	let mut file = builder.tempfile()?;941942	let mut full_header = String::new();943	let mut had = false;944	for line in header.trim_end().lines() {945		had = true;946		writeln!(&mut full_header, "{comment}{line}")?;947	}948	if had {949		writeln!(&mut full_header, "{}", comment.trim_end())?;950	}951	writeln!(952		&mut full_header,953		"{comment}Do not touch this header! It will be removed automatically"954	)?;955956	file.write_all(full_header.as_bytes())?;957	file.write_all(&r)?;958959	let abs_path = file.into_temp_path();960	let editor = std::env::var_os("VISUAL")961		.or_else(|| std::env::var_os("EDITOR"))962		.unwrap_or_else(|| "vi".into());963	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())964		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;965	let editor_args = editor_args966		.into_iter()967		.map(|v| {968			// Only ASCII subsequences are replaced969			unsafe { OsString::from_encoded_bytes_unchecked(v) }970		})971		.collect_vec();972	let Some((editor, args)) = editor_args.split_first() else {973		bail!("EDITOR env var has no command");974	};975	let mut command = Command::new(editor);976	command.args(args);977978	let path_arg = abs_path.canonicalize()?;979980	// TODO: Save full state, using tcget/_getmode/_setmode981	let was_raw = terminal::is_raw_mode_enabled()?;982	terminal::enable_raw_mode()?;983984	let status = command.arg(path_arg).status().await;985986	if !was_raw {987		terminal::disable_raw_mode()?;988	}989990	let success = match status {991		Ok(s) => s.success(),992		Err(e) if e.kind() == io::ErrorKind::NotFound => {993			bail!("editor not found")994		}995		Err(e) => bail!("editor spawn error: {e}"),996	};997998	let mut file = std::fs::read(&abs_path).context("read editor output")?;999	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {1000		todo!();1001	};1002	todo!();10031004	// Ok((success, abs_path))1005}1006*/
modifiedcrates/fleet-base/src/host.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -34,6 +34,7 @@
 
 	/// import nixpkgs {system = local};
 	pub default_pkgs: Value,
+	pub nixpkgs: Value,
 
 	pub nix_session: NixSession,
 }
modifiedcrates/fleet-base/src/opts.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -225,6 +225,7 @@
 			nix_args,
 			config_field,
 			default_pkgs,
+			nixpkgs,
 			localhost: self.localhost.to_owned(),
 		})))
 	}
modifiedcrates/nix-eval/src/macros.rsdiffbeforeafterboth
--- a/crates/nix-eval/src/macros.rs
+++ b/crates/nix-eval/src/macros.rs
@@ -231,6 +231,9 @@
 	(@o($o:ident) | $($var:tt)*) => {
 		$o.push(Index::Pipe($crate::nix_expr_inner!($($var)+)));
 	};
+	(@o($o:ident) + $($var:tt)*) => {
+		$o.push(Index::Merge($crate::nix_expr_inner!($($var)+)));
+	};
 	(@o($o:ident)) => {};
 	($field:ident $($tt:tt)+) => {{
 		use $crate::{nix_go, Index};
modifiedcrates/nix-eval/src/value.rsdiffbeforeafterboth
--- a/crates/nix-eval/src/value.rs
+++ b/crates/nix-eval/src/value.rs
@@ -15,6 +15,7 @@
 	Expr(NixExprBuilder),
 	ExprApply(NixExprBuilder),
 	Pipe(NixExprBuilder),
+	Merge(NixExprBuilder),
 }
 impl Index {
 	pub fn var(v: impl AsRef<str>) -> Self {
@@ -56,6 +57,9 @@
 			Index::Pipe(e) => {
 				write!(f, "<map>({})", e.out)
 			}
+			Index::Merge(e) => {
+				write!(f, "//({})", e.out)
+			}
 		}
 	}
 }
@@ -157,6 +161,12 @@
 					let index = format!("sess_field_{}", index.0.value.expect("value"));
 					query = format!("({index} {query})");
 				}
+				Index::Merge(v) => {
+					let index = Value::new(self.0.session.clone(), &v.out).await?;
+					used_fields.push(index.clone());
+					let index = format!("sess_field_{}", index.0.value.expect("value"));
+					query = format!("({query} // {index})");
+				}
 			}
 		}
modifiedlib/default.nixdiffbeforeafterboth
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -46,7 +46,6 @@
     mkPassword = {size ? 32}: {
       coreutils,
       mkSecretGenerator,
-      ...
     }:
       mkSecretGenerator {
         script = ''
@@ -58,7 +57,7 @@
     mkEd25519 = {
       noEmbedPublic ? false,
       encoding ? null,
-    }: {mkSecretGenerator, ...}:
+    }: {mkSecretGenerator}:
       mkSecretGenerator {
         script = ''
           mkdir $out
@@ -68,7 +67,7 @@
         '';
       };
 
-    mkX25519 = {encoding ? null}: {mkSecretGenerator, ...}:
+    mkX25519 = {encoding ? null}: {mkSecretGenerator}:
       mkSecretGenerator {
         script = ''
           mkdir $out
@@ -80,7 +79,6 @@
     mkRsa = {size ? 4096}: {
       openssl,
       mkSecretGenerator,
-      ...
     }:
       mkSecretGenerator {
         script = ''
@@ -98,7 +96,7 @@
       count ? 32,
       encoding,
       noNuls ? false,
-    }: {mkSecretGenerator, ...}:
+    }: {mkSecretGenerator}:
       mkSecretGenerator {
         script = ''
           mkdir $out