On-demand, declarative-first secret management by CertainLach · Pull Request #14 · deltarocks/fleet

CertainLach · 2026-01-22T21:58:40Z

Secret management commands replaced with interactive generators, secret generation is now nix-driven

CertainLach · 2026-02-02T17:06:15Z

cmds/pusher/src/main.rs

+}
+
+#[tokio::main]
+async fn main() -> Result<()> {


FIXME: Split, I would think about splitting my own deno implementation from things intended for my infra instead

rust-toolchain.toml

JarvisCraft · 2026-02-02T17:19:16Z

Cargo.toml

 package.version = "0.1.0"
 package.edition = "2024"
-package.rust-version = "1.86.0"
+package.rust-version = "1.89.0"


Is there a reason not to use the same version as in rust-toolchain.toml?

Even release-25.11 is currently at 1.91.1

It was pinned for 25.05

JarvisCraft · 2026-02-02T17:25:00Z

crates/nixlike/src/lib.rs

+	import: String,
+	// Magic values should have exactly two values to avoid pretty-printing
+	// as nix inline object value
+	__magic_marker: PhantomData<()>,


Suggested change

__magic_marker: PhantomData<()>,

#[serde(rename = "__magic_import")]

_marker: PhantomData<()>,

If I understand the intent correctly, there is no need to use weird field names if it' just part of ser-de

Please elaborate

Yes, __magic_import name is to properly identify this name in nixlike serialization implementation

JarvisCraft · 2026-02-02T17:26:18Z

cmds/pusher/src/main.rs

This file is still full of todo!s

cmds/repl-plugin-unstable/src/lib.rs

JarvisCraft · 2026-02-08T11:26:41Z

crates/fleet-base/src/opts.rs

 			gc_now();
 		}
+		let config = Config(Arc::new(FleetConfigInternals {
+			// TODO: Load from somewhere


Is this to be addressed in this or the following PRs?

It is not addressed anywhere. Feel free to add a CLI argument/ENV var for this, either way it should be handled using clap

JarvisCraft · 2026-02-08T11:26:58Z

crates/fleet-base/src/primops.rs

+				.await
+				.context("failed to copy generator to target host")?;
+
+			// TODO: Remove destdir after everything is done


JarvisCraft · 2026-02-08T11:27:33Z

crates/fleet-base/src/secret_storage.rs

+	})
+	.unwrap();
+	dbg!(&data);
+	// for v in 0..1000 {


Guess this can be dropped

crates/nix-eval/src/macros.rs

JarvisCraft · 2026-02-08T11:33:16Z

lib/default.nix

+          mkImpureSecretGenerator,
+        }:
+        mkImpureSecretGenerator {
+          # TODO: Escape prompt/part (preferrably just use env) to prevent shell injection


Too hard/idk if worth it considering that the only attack vector is the rogue fleet module which can do anything it wants anyway

CertainLach added 24 commits January 22, 2026 22:54

secret management

b00d46d

build: update dependencies

b10bfb8

feat: reference pusher server

8228548

feat: use systemd-run for activation

3bdc221

feat: (de)serialize nix imports

9b70922

ci: drop libsecret to reduce closure 7x

20a41a3

Ref: oxalica/rust-overlay#211

feat: unify shared and host secret handling

5a5b360

chore: update nix

c810e3a

feat: use builtin for getting secret

f31248f

refactor: drop nix config compat

98314cf

fix: primop registration

d706686

feat: mkAskPass generator

e89ca39

feat: ensure shared generators

d97c9fe

feat: downgrade tracing-subscriber for log formatting for now

ad5819a

Ref: tokio-rs/tracing#3369

feat: use nixos module-list directly

5973a7a

feat: set modulesPath specialArg

f8886e1

feat: set nixpkgs.hostPlatform

fca1ee1

refactor: drop long deprecated configs

c653e89

feat: introduce toplevel-fleet build attribute

45c49ea

fix: shared generator condition

33f3601

refactor: drop unnecessary async/await

faec707

feat: on-demand secret generation

69498f5

feat: sign in remote_derivation

fcbbd81

fix: do not exit after first built system

1e20ff1

CertainLach marked this pull request as ready for review February 2, 2026 17:02

CertainLach commented Feb 2, 2026

View reviewed changes

CertainLach added 3 commits February 4, 2026 00:22

refactor: pending new secret commands

43c1403

fix: mkAskPass should create out

d0ea8ea

fix: baseModules arg

6fa49bc

CertainLach force-pushed the push-xzkurnmtrspn branch from 89f2152 to e987c6c Compare February 4, 2026 21:12

fix: unbiased stdout/process join race condition

f7d7283

CertainLach force-pushed the push-xzkurnmtrspn branch from e987c6c to f7d7283 Compare February 4, 2026 21:13

JarvisCraft requested changes Feb 8, 2026

View reviewed changes

CertainLach added 4 commits March 12, 2026 06:10

build: update flake

cb030ab

refactor: make all dependencies defined in workspace

493bea4

refactor: nix-eval macro-support

d5b0f6a

feat: derivation graph to spans

f0286d7

	__magic_marker: PhantomData<()>,
	#[serde(rename = "__magic_import")]
	_marker: PhantomData<()>,

Conversation

CertainLach commented Jan 22, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants