Room: agenix (!XLCFfvFhUkYwOMLbVx:nixos.org)
326 Members, 96 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix

26 Apr 2025
K900 (@k900:0upti.me) [07:13:12]: You don't
K900 (@k900:0upti.me) [07:13:20]: You need the application to read that file at runtime
K900 (@k900:0upti.me) [07:13:26]: Somehow
K900 (@k900:0upti.me) [07:13:34]: How exactly depends on the application
mmkaram (@mmkaram:matrix.org) [07:14:31]: interesting
ruby (@ruby:isincredibly.gay) joined the room. [14:41:13]
@r522:matrix.org [20:21:58]:

generally speaking, services that handle secrets will let you pass them as a file (as in, you enter the filename)
like my listenbrainz-mpd config

services.listenbrainz-mpd = {
  enable = true;
  settings = {
    submission = {
      token_file = config.age.secrets.listenbrainz-mpd-token.path;
    };
  };
};
tebriel (@tebriel:frodux.net) [20:41:54]:

and sometimes they don't and you have to bend over backwards to find a way to inject them in another manner! (I feel icky about this script I wrote)

    xdg.configFile."mcphub/servers.json" = {
      source = jsonFormat.generate "servers.json" {
        mcpServers = {
          github-mcp = {
            command = lib.getExe (
              pkgs.writeShellApplication {
                name = "github-mcp-server";
                runtimeInputs = [pkgs-unstable.github-mcp-server];
                text = ''
                  GITHUB_PERSONAL_ACCESS_TOKEN=$(cat ${osConfig.age.secrets."github-mcp-token".path})
                  export GITHUB_PERSONAL_ACCESS_TOKEN
                  ${lib.getExe pkgs-unstable.github-mcp-server} "$@"
                '';
              }
            );
            args = ["stdio"];
            env = {};
          };
        };
      };
    };
27 Apr 2025
bitfoo (@luzifer2222:matrix.org) changed their display name from luzifer2222 to bitfoo. [17:17:52]
30 Apr 2025
Edward Hesketh (@headb:edwardh.dev) joined the room. [20:05:01]
1 May 2025
Rosuavio (@rosariopulella:matrix.org) changed their display name from Rosario Pulella to Rosuavio. [20:08:35]
3 May 2025
harm94 (@harm94:matrix.org) joined the room. [09:34:17]
harm94 (@harm94:matrix.org) [09:37:41]:

I have this error and I don't understand it.
Is there anybody who can help me?

[harm@aio:~/projects/nixos/secrets]$ cat secrets.nix 
let
  aio = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0/2T/L1gv2z0pNG7qZqmYxkHN8vMI77NVjvXUM/jFk";
  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBEV2FKHC4sP0brw8xqSHY5A6HXrwYGysYjCX4A9y2/";
  systems = [ aio laptop ];
in
{
  "openai_api_key.age".publicKeys = systems;
}

[harm@aio:~/projects/nixos/secrets]$ agenix -v -e openai_api_key.age
Error: 
   0: Failed to find config root

Location:
   src/cli.rs:216
harm94 (@harm94:matrix.org) [09:56:59]:

It was because I had installed agenix from unstable.
Now it works.

# unstable.agenix-cli
    (pkgs.callPackage <agenix/pkgs/agenix.nix> {})
4 May 2025
fwam (@fwam:femdom.solutions) changed their profile picture. [14:16:16]
Sam (@oneeyed:matrix.org) changed their display name from Sam (away → 5/5) to Sam. [15:42:04]
5 May 2025
titaniumtown (@titaniumtown:envs.net) changed their display name from titaniumtown (they/them) to titaniumtown. [20:42:47]
6 May 2025
birdadmirer (@birdadmirer:matrix.org) joined the room. [18:48:44]
pinkybrain (@pinkybrain:matrix.org) joined the room. [22:55:21]
7 May 2025
@nemnix:matrix.org joined the room. [14:51:41]
@nemnix:matrix.org [14:53:19]: Redacted or Malformed Event
@nemnix:matrix.org [15:22:29]: Redacted or Malformed Event
@nemnix:matrix.org [15:25:23]:

I have been working on a setup where I can see the secrets in the containers located in /run/agenix. The issue now is that these files are only readable by root, but I need them to be readable by the authelia-main user. I have attempted to configure this in the agenix module, but I keep encountering an error.

Here is my configuration:

authelia.nix

containers.authelia = {
  autoStart = true;
  privateNetwork = false;

  bindMounts."${config.age.secrets.authelia_jwtSecret.path}".isReadOnly = true;
  bindMounts."${config.age.secrets.authelia_sessionSecret.path}".isReadOnly = true;
  bindMounts."${config.age.secrets.authelia_storageEncryptionKey.path}".isReadOnly = true;

  secrets = {
    jwtSecretFile = "/run/agenix/authelia_jwtSecret";
    sessionSecretFile = "/run/agenix/authelia_sessionSecret";
    storageEncryptionKeyFile = "/run/agenix/authelia_storageEncryptionKey";
  };
};

agenix.nix

authelia_jwtSecret = {
  file = ../secrets/authelia_jwtSecretFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

authelia_sessionSecret = {
  file = ../secrets/authelia_sessionSecretFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

authelia_storageEncryptionKey = {
  file = ../secrets/authelia_storageEncryptionKeyFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

However, when I try to apply this configuration, I receive the following error:

[agenix] chowning...
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
8 May 2025
isabel (@isabel:isabelroses.com) changed their profile picture. [08:58:24]
98765abc (@98765abc:mozilla.org) changed their profile picture. [11:35:15]
10 May 2025
@r522:matrix.org changed their display name from 522 to 522 [it/its][ΘΔ]. [18:07:13]
Edward Hesketh (@headb:edwardh.dev) changed their display name from Edward Hesketh to headb. [19:44:59]
@strutztm:strutztm.de left the room. [19:53:44]
Edward Hesketh (@headb:edwardh.dev) changed their display name from headb to Edward Hesketh. [23:32:18]