| 7 May 2025 |
 @nemnix:matrix.org | Redacted or Malformed Event | 15:22:29 |
| @nemnix:matrix.org | I have been working on a setup where I can see the secrets in the containers located in /run/agenix. The issue now is that these files are only readable by root, but I need them to be readable by the authelia-main user. I have attempted to configure this in the agenix module, but I keep encountering an error.
Here is my configuration:
authelia.nix
containers.authelia = {
autoStart = true;
privateNetwork = false;
bindMounts."${config.age.secrets.authelia_jwtSecret.path}".isReadOnly = true;
bindMounts."${config.age.secrets.authelia_sessionSecret.path}".isReadOnly = true;
bindMounts."${config.age.secrets.authelia_storageEncryptionKey.path}".isReadOnly = true;
secrets = {
jwtSecretFile = "/run/agenix/authelia_jwtSecret";
sessionSecretFile = "/run/agenix/authelia_sessionSecret";
storageEncryptionKeyFile = "/run/agenix/authelia_storageEncryptionKey";
};
};
agenix.nix
authelia_jwtSecret = {
file = ../secrets/authelia_jwtSecretFile.age;
owner = "authelia-main";
group = "authelia-main";
};
authelia_sessionSecret = {
file = ../secrets/authelia_sessionSecretFile.age;
owner = "authelia-main";
group = "authelia-main";
};
authelia_storageEncryptionKey = {
file = ../secrets/authelia_storageEncryptionKeyFile.age;
owner = "authelia-main";
group = "authelia-main";
};
However, when I try to apply this configuration, I receive the following error:
[agenix] chowning...
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
| 15:25:23 |
| @nemnix:matrix.org | I have been working on a setup where I can see the secrets in the containers located in /run/agenix. The issue now is that these files are only readable by root, but I need them to be readable by the authelia-main user. I have attempted to configure this in the agenix module, but I keep encountering an error.
Here is my configuration:
authelia.nix
containers.authelia = {
autoStart = true;
privateNetwork = false;
bindMounts."${config.age.secrets.authelia_jwtSecret.path}".isReadOnly = true;
bindMounts."${config.age.secrets.authelia_sessionSecret.path}".isReadOnly = true;
bindMounts."${config.age.secrets.authelia_storageEncryptionKey.path}".isReadOnly = true;
...
secrets = {
jwtSecretFile = "/run/agenix/authelia_jwtSecret";
sessionSecretFile = "/run/agenix/authelia_sessionSecret";
storageEncryptionKeyFile = "/run/agenix/authelia_storageEncryptionKey";
};
};
agenix.nix
authelia_jwtSecret = {
file = ../secrets/authelia_jwtSecretFile.age;
owner = "authelia-main";
group = "authelia-main";
};
authelia_sessionSecret = {
file = ../secrets/authelia_sessionSecretFile.age;
owner = "authelia-main";
group = "authelia-main";
};
authelia_storageEncryptionKey = {
file = ../secrets/authelia_storageEncryptionKeyFile.age;
owner = "authelia-main";
group = "authelia-main";
};
However, when I try to apply this configuration, I receive the following error:
[agenix] chowning...
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
chown: invalid user: ‘authelia-main:authelia-main’
| 15:25:50 |
| 8 May 2025 |
|  isabel changed their profile picture. | 08:58:24 |
|  98765abc changed their profile picture. | 11:35:15 |
| 10 May 2025 |
|  @r522:matrix.org changed their display name from 522 to 522 [it/its][ΘΔ]. | 18:07:13 |
|  Edward Hesketh changed their display name from Edward Hesketh to headb. | 19:44:59 |
|  @strutztm:strutztm.de left the room. | 19:53:44 |
| Edward Hesketh changed their display name from headb to Edward Hesketh. | 23:32:18 |
| 11 May 2025 |
| @nemnix:matrix.org removed their profile picture. | 01:27:19 |
|  dgrig joined the room. | 20:34:05 |
| 13 May 2025 |
|  kraem changed their profile picture. | 13:54:57 |
| 17 May 2025 |
|  oddlama changed their display name from oddlama to Malte. | 20:12:11 |
| 18 May 2025 |
 xored | i have a container that doesn't allow env vars or anything like that, is there an external tool i can run within nix that would interpolate a secret in a yaml file? | 22:31:51 |
| xored | i could also write the yaml in nix so if there are any helps other than builtin.readFile or similar (not recommended) plz let me know | 22:32:30 |
| xored | or i could do a sed on container startup | 22:33:01 |
| xored | let me know what you guys usually do | 22:33:08 |
| 19 May 2025 |
|  Andrew Selvia joined the room. | 08:25:55 |
| 21 May 2025 |
| oddlama changed their display name from Malte to oddlama. | 17:42:11 |
| 22 May 2025 |
|  @mynacol:mynacol.xyz left the room. | 20:46:14 |
| 24 May 2025 |
|  row joined the room. | 14:51:21 |
| 25 May 2025 |
|  @raijin_:matrix.org left the room. | 02:00:05 |
 tebriel | In reply to @xoredg:matrix.org
let me know what you guys usually do in these cases I use pkgs.replace-secret to put a hash in the yaml file and pre-process it. Since I use virutalisation.oci-containers which creates a systemd job I can do an execstartpre on the container start to replace the secrets in the file | 02:25:21 |
| @nemnix:matrix.org left the room. | 22:40:13 |
| 26 May 2025 |
|  Zexin Yuan joined the room. | 07:59:49 |
| 27 May 2025 |
| Andrew Selvia | I have successfully encrypted a secret with agenix (i.e., I see the generated mysecret.age file). Now, I'm trying to integrate it into my flake.nix file. I've been struggling for a week. Is anyone able to educate me? | 02:45:04 |
| Andrew Selvia | My flake.nix file is just the stock one produced by nix-darwin. | 02:46:31 |
| Andrew Selvia | When I try to apply configuration like this:
let
configuration = { pkgs, config, lib, agenix, ... }: {
...
age.secrets.mysecret = {
file =./mysecret.age;
path = "~/demo";
};
};
in ...
the following error is produced:
The option `age' does not exist.
| 02:53:01 |
| Andrew Selvia | Aha! I needed to add this within the configuration:
imports = [ agenix.darwinModules.default ];
| 04:57:04 |
| Andrew Selvia | I'm trying to produce a minimal flake.nix file that integrates:
- agenix
- nix-darwin
- home-manager
I'm stuck on the last piece. I have successfully threaded an agenix-encrypted secret through an environment variable in the nix-darwin configuration; however, I have yet to discover how to get that same exact secret stored in a file via home-manager. My flake.nix is as follows:
{
description = "nix-darwin+home-manager+agenix";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/master";
nix-darwin.url = "github:nix-darwin/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
};
outputs = inputs@{ self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
let
homeconfig = { pkgs, config, lib, ... }: {
#home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
home.stateVersion = "25.05";
programs.home-manager.enable = true;
};
configuration = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
environment = {
systemPackages = [
agenix.packages.aarch64-darwin.default
];
variables = {
MYSECRET = config.age.secrets.mysecret.path;
};
};
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.hostPlatform = "aarch64-darwin";
system = {
configurationRevision = self.rev or self.dirtyRev or null;
stateVersion = 5;
};
};
in
{
darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
modules = [
agenix.darwinModules.default
configuration
home-manager.darwinModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.andrew = homeconfig;
}
];
};
};
}
When I try to uncomment this line in the homeconfig:
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
I encounter this error message:
error: attribute 'age' missing
Please point out anything I should be doing better.
| 09:41:46 |
