git.delta.rocks / jrsonnet / refs/heads / trunk
MIGRATION.adoc
== fleet.nix <unset> => 0.1.0

Add version field::
Set it to 0.1.0. This field specifies which version of fleet you use for cluster management; breaking changes will also invalidate this value, to make sure you read MIGRATION.adoc.

Move every secret part::
Before, there were only a public and a private part; now a secret can have any number of parts.

In your fleet.nix file, look at every record like this:
[source,nix]
----
gitlab-initial-root = {
	createdAt = "2024-03-01T15:54:32.983358495Z";
	public = "example";
	secret = "vp%d6wO#0#D2.../dgCA+v4Gf:YG";
};
----

And modify it as follows:
[source,nix]
----
gitlab-initial-root = {
	createdAt = "2024-03-01T15:54:32.983358495Z";
	public.raw = "<PLAINTEXT>example";
	secret.raw = ''
		<ENCRYPTED><Z85-ENCODED>
		vp%d6wO#0#D2.../dgCA+v4Gf:YG
	'';
};
----

That is, move all the data under the `raw` attr, then prefix it with `<PLAINTEXT>` for `public` and with `<ENCRYPTED><Z85-ENCODED>\n` for `private` (the `secret` attribute above).
The reason for this change is that public parts are not always plaintext, and sometimes there are more than two parts.
Of course, it is also possible to process all of this data on demand (i.e. re-encoding the secret in the service's `PreStart=`), but I decided to provide a better user experience out of the box.

The default encoding was also changed from `Z85` to `base64`, because `Z85` was chosen a long time ago for different reasons and there is no need to keep it any further.
This conversion will be done by fleet itself.

Update references to secrets in fleet/nixos configurations::
* Instead of `config.secrets.secret-name.secretPath` use `config.secrets.secret-name.secret.path`.
* Instead of `config.secrets.secret-name.stableSecretPath` use `config.secrets.secret-name.secret.stablePath`.
* Instead of `config.secrets.secret-name.public` use `config.secrets.secret-name.public.data` (note that this attribute also works for parts with names other than `public`, but it throws an error if the target secret part is encrypted or not `<PLAINTEXT>`-based).

Do not expect the directory structure used to be stable; it will be reworked a bit later. For now, always reference secrets directly by attribute paths.

Update scripts using fleet::
The `fleet secrets` subcommand no longer has `--plaintext` arguments where it used to have them, because the non-plaintext mode was basically unusable.

`fleet secrets read-public` can now be replaced with `fleet secrets read ... public` (i.e. reading the `public` part of the secret).
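The `raw` layout above is simple enough to check mechanically. The following Python, added here as an example (not fleet's own code), migrates an old-style record to the new layout and mirrors the `.data` rule that only `<PLAINTEXT>` parts are readable; the generic `<TAG>` grammar beyond the two prefixes shown and the Z85 well-formedness check are assumptions of this example.

```python
import re

# Z85 alphabet from the ZeroMQ Z85 spec (RFC 32); used only as a sanity check.
Z85_ALPHABET = set("0123456789abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")
TAG_RE = re.compile(r"<([A-Z0-9-]+)>")

def parse_raw(raw: str):
    """Split a `raw` value into its leading tag list and the remaining payload.
    Assumption: tags are `<UPPER-CASE>` tokens packed at the start of the string."""
    tags, pos = [], 0
    while (m := TAG_RE.match(raw, pos)):
        tags.append(m.group(1))
        pos = m.end()
    if not tags:
        raise ValueError("raw value carries no tag prefix")
    return tags, raw[pos:]

def part_data(raw: str) -> str:
    """Mirror `config.secrets.<name>.<part>.data`: plaintext payload or an error."""
    tags, payload = parse_raw(raw)
    if tags != ["PLAINTEXT"]:
        raise ValueError(f"part is not <PLAINTEXT>-based (tags: {tags})")
    return payload

def encrypted_payload(raw: str) -> str:
    """Z85 text of an `<ENCRYPTED><Z85-ENCODED>` part, surrounding whitespace
    (the `\\n` after the tags, Nix indentation) stripped and shape-checked."""
    tags, payload = parse_raw(raw)
    if tags != ["ENCRYPTED", "Z85-ENCODED"]:
        raise ValueError(f"unexpected tags {tags}")
    text = payload.strip()
    if len(text) % 5 or not set(text) <= Z85_ALPHABET:  # Z85: 5 chars per 4 bytes
        raise ValueError("payload is not well-formed Z85")
    return text

def migrate_part(value: str, encrypted: bool) -> dict:
    """Wrap an old-style part value as `{ raw = ...; }` with the right prefix."""
    prefix = "<ENCRYPTED><Z85-ENCODED>\n" if encrypted else "<PLAINTEXT>"
    return {"raw": prefix + value}

def migrate_record(old: dict) -> dict:
    """Old records had exactly `public` (plaintext) and `secret` (encrypted);
    every other attribute, such as `createdAt`, is copied unchanged."""
    new = dict(old)
    new["public"] = migrate_part(old["public"], encrypted=False)
    new["secret"] = migrate_part(old["secret"], encrypted=True)
    return new

# Constructed sample in the old layout; the Z85 text is made up, not a real ciphertext.
OLD_RECORD = {"createdAt": "2024-03-01T15:54:32.983358495Z",
              "public": "example", "secret": "vp%d6wO#0#"}
```

Running `migrate_record(OLD_RECORD)` yields the new layout, after which `part_data` succeeds on `public` and raises on `secret`, exactly as `.data` is described to behave.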