Fleet Secrets Management System

Overview

The secret management system is a built-in way to deploy secrets to remote hosts, similar to agenix and other systems.

Secrets are encrypted to the host's SSH key (/etc/ssh/ssh_host_ed25519_key). The private half of that key is not required to build the remote system or to add a secret to the fleet configuration: fleet users encrypt secrets with the host's public key, which they can receive without root access on the host.
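Before encrypting a secret to a public key received this way, a practitioner will want to confirm it is a well-formed ssh-ed25519 key and that its fingerprint matches what the host itself reports. The following is an added Python example, not part of fleet: it parses the OpenSSH public key line format (the public half of /etc/ssh/ssh_host_ed25519_key), rejects wrong-type, truncated or padded blobs, and computes the SHA256 fingerprint in the form ssh-keygen -lf prints it. SAMPLE_RAW_KEY is a constructed value, not a real host key.

```python
import base64
import hashlib
SAMPLE_RAW_KEY = bytes(range(32))  # constructed stand-in, not a real host key


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def encode_openssh_pubkey(raw_key: bytes) -> str:
    """Build a line in the format of /etc/ssh/ssh_host_ed25519_key.pub."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def parse_openssh_pubkey(line: str) -> bytes:
    """Return the 32 raw key bytes, rejecting wrong key types, truncated
    blobs and trailing data instead of silently encrypting to junk."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("expected an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    pos, parts = 0, []
    for _ in range(2):  # the blob holds exactly two strings: type, key
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        parts.append(blob[pos:pos + n])
        pos += n
    if pos != len(blob) or parts[0] != b"ssh-ed25519" or len(parts[1]) != 32:
        raise ValueError("blob is not a well-formed ed25519 key")
    return parts[1]


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it, for comparison with the host."""
    parse_openssh_pubkey(line)  # validate before hashing
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_ed25519_pubkey(line: str) -> bool:
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False
```

Compare the returned fingerprint with the one the host prints for its own key (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before adding the key to the fleet configuration.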

Example

{
  secrets = {
    "my-secret" = {
      # Hosts that should receive this secret.
      expectedOwners = [ "host1" "host2" ];
      # Regenerate the secret whenever a new owner host is added.
      regenerateOnOwnerAdded = true;
      # Generator script that writes the secret contents under $out.
      generator = {mkImpureSecretGenerator}:
        mkImpureSecretGenerator {
          script = ''
            echo "secret content" | gh private -o $out/secret
          '';
        };
    };
  };
}