agenix

age-encrypted secrets for NixOS https://github.com/ryantm/agenix/

7 May 2025
@nemnix:matrix.org

I have been working on a setup where I can see the secrets in the containers located in /run/agenix. The issue now is that these files are only readable by root, but I need them to be readable by the authelia-main user. I have attempted to configure this in the agenix module, but I keep encountering an error.

Here is my configuration:

authelia.nix


containers.authelia = {
  autoStart = true;
  privateNetwork = false;

  bindMounts."${config.age.secrets.authelia_jwtSecret.path}".isReadOnly = true;
  bindMounts."${config.age.secrets.authelia_sessionSecret.path}".isReadOnly = true;
  bindMounts."${config.age.secrets.authelia_storageEncryptionKey.path}".isReadOnly = true;

  secrets = {
    jwtSecretFile = "/run/agenix/authelia_jwtSecret";
    sessionSecretFile = "/run/agenix/authelia_sessionSecret";
    storageEncryptionKeyFile = "/run/agenix/authelia_storageEncryptionKey";
  };
};

agenix.nix


authelia_jwtSecret = {
  file = ../secrets/authelia_jwtSecretFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

authelia_sessionSecret = {
  file = ../secrets/authelia_sessionSecretFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

authelia_storageEncryptionKey = {
  file = ../secrets/authelia_storageEncryptionKeyFile.age;
  owner = "authelia-main";
  group = "authelia-main";
};

However, when I try to apply this configuration, I receive the following error:

[agenix] chowning...
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’

15:25:23
18 May 2025
xored (@xoredg:matrix.org)
I have a container that doesn't allow env vars or anything like that. Is there an external tool I can run within Nix that would interpolate a secret into a YAML file?
22:31:51
xored (@xoredg:matrix.org)
I could also write the YAML in Nix, so if there are any helpers other than builtin.readFile or similar (not recommended), please let me know.
22:32:30
xored (@xoredg:matrix.org)
Or I could do a sed on container startup.
22:33:01
xored (@xoredg:matrix.org)
Let me know what you guys usually do.
22:33:08
25 May 2025
tebriel (@tebriel:frodux.net)
In reply to @xoredg:matrix.org
let me know what you guys usually do
In these cases I use pkgs.replace-secret to put a hash in the YAML file and pre-process it. Since I use virtualisation.oci-containers, which creates a systemd job, I can do an ExecStartPre on the container start to replace the secrets in the file.
02:25:21
27 May 2025
Andrew Selvia (@andrew-selvia:matrix.org)
I have successfully encrypted a secret with agenix (i.e., I see the generated mysecret.age file). Now, I'm trying to integrate it into my flake.nix file. I've been struggling for a week. Is anyone able to educate me?
02:45:04
Andrew Selvia (@andrew-selvia:matrix.org)
My flake.nix file is just the stock one produced by nix-darwin.
02:46:31
Andrew Selvia (@andrew-selvia:matrix.org)

When I try to apply configuration like this:

let 
  configuration = { pkgs, config, lib, agenix, ... }: {
    ...
    age.secrets.mysecret = {
      file = ./mysecret.age;
      path = "~/demo";
    };
  };
in ...

the following error is produced:

The option `age' does not exist.
02:53:01
Andrew Selvia (@andrew-selvia:matrix.org)

Aha! I needed to add this within the configuration:

imports = [ agenix.darwinModules.default ];
04:57:04
Andrew Selvia (@andrew-selvia:matrix.org)

I'm trying to produce a minimal flake.nix file that integrates:

  1. agenix
  2. nix-darwin
  3. home-manager

I'm stuck on the last piece. I have successfully threaded an agenix-encrypted secret through an environment variable in the nix-darwin configuration; however, I have yet to discover how to get that same exact secret stored in a file via home-manager. My flake.nix is as follows:

{
  description = "nix-darwin+home-manager+agenix";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/master";
    nix-darwin.url = "github:nix-darwin/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
  };
  outputs = inputs@{ self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
  let
    homeconfig = { pkgs, config, lib, ... }: {
      #home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
      home.stateVersion = "25.05";
      programs.home-manager.enable = true;
    };
    configuration = { pkgs, config, lib, ... }: {
      age.secrets.mysecret.file = ./mysecret.age;
      environment = {
        systemPackages = [
          agenix.packages.aarch64-darwin.default
        ];
        variables = {
          MYSECRET = config.age.secrets.mysecret.path;
        };
      };
      nix.settings.experimental-features = "nix-command flakes";
      nixpkgs.hostPlatform = "aarch64-darwin";
      system = {
        configurationRevision = self.rev or self.dirtyRev or null;
        stateVersion = 5;
      };
    };
  in
  {
    darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
      modules = [
        agenix.darwinModules.default
        configuration
        home-manager.darwinModules.home-manager
        {
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
          home-manager.users.andrew = homeconfig;
        }
      ];
    };
  };
}

When I try to uncomment this line in the homeconfig:

home.file."mysecret.txt".source = config.age.secrets.mysecret.path;

I encounter this error message:

error: attribute 'age' missing

Please point out anything I should be doing better.

09:41:46
