10 May 2025 |
| Edward Hesketh changed their display name from Edward Hesketh to headb. | 19:44:59 |
| @strutztm:strutztm.de left the room. | 19:53:44 |
| Edward Hesketh changed their display name from headb to Edward Hesketh. | 23:32:18 |
11 May 2025 |
| @nemnix:matrix.org removed their profile picture. | 01:27:19 |
| dgrig joined the room. | 20:34:05 |
13 May 2025 |
| kraem changed their profile picture. | 13:54:57 |
17 May 2025 |
| oddlama changed their display name from oddlama to Malte. | 20:12:11 |
18 May 2025 |
xored | I have a container that doesn't allow env vars or anything like that; is there an external tool I can run within Nix that would interpolate a secret into a YAML file? | 22:31:51 |
xored | I could also write the YAML in Nix, so if there are any helpers other than builtins.readFile or similar (not recommended), please let me know. | 22:32:30 |
xored | Or I could do a sed on container startup. | 22:33:01 |
xored | Let me know what you guys usually do. | 22:33:08 |
19 May 2025 |
| Andrew Selvia joined the room. | 08:25:55 |
21 May 2025 |
| oddlama changed their display name from Malte to oddlama. | 17:42:11 |
22 May 2025 |
| @mynacol:mynacol.xyz left the room. | 20:46:14 |
24 May 2025 |
| row joined the room. | 14:51:21 |
25 May 2025 |
| @raijin_:matrix.org left the room. | 02:00:05 |
tebriel | In reply to @xoredg:matrix.org "let me know what you guys usually do in these cases": I use pkgs.replace-secret to put a hash in the YAML file and pre-process it. Since I use virtualisation.oci-containers, which creates a systemd job, I can add an ExecStartPre to the container start that replaces the secrets in the file. | 02:25:21 |
| @nemnix:matrix.org left the room. | 22:40:13 |
26 May 2025 |
| Zexin Yuan joined the room. | 07:59:49 |
27 May 2025 |
Andrew Selvia | I have successfully encrypted a secret with agenix (i.e., I see the generated mysecret.age file). Now, I'm trying to integrate it into my flake.nix file. I've been struggling for a week. Is anyone able to educate me? | 02:45:04 |
Andrew Selvia | My flake.nix file is just the stock one produced by nix-darwin. | 02:46:31 |
Andrew Selvia | When I try to apply configuration like this:
  let
    configuration = { pkgs, config, lib, agenix, ... }: {
      ...
      age.secrets.mysecret = {
        file = ./mysecret.age;
        path = "~/demo";
      };
    };
  in ...
the following error is produced:
  The option `age' does not exist.
 | 02:53:01 |
Andrew Selvia | Aha! I needed to add this within the configuration:
  imports = [ agenix.darwinModules.default ];
 | 04:57:04 |
Andrew Selvia | I'm trying to produce a minimal flake.nix file that integrates:
- agenix
- nix-darwin
- home-manager
I'm stuck on the last piece. I have successfully threaded an agenix-encrypted secret through an environment variable in the nix-darwin configuration; however, I have yet to discover how to get that same exact secret stored in a file via home-manager. My flake.nix is as follows:
  {
    description = "nix-darwin+home-manager+agenix";

    inputs = {
      nixpkgs.url = "github:NixOS/nixpkgs/master";
      nix-darwin.url = "github:nix-darwin/nix-darwin/master";
      nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
      home-manager.url = "github:nix-community/home-manager";
      home-manager.inputs.nixpkgs.follows = "nixpkgs";
      agenix.url = "github:ryantm/agenix";
    };

    outputs = inputs@{ self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
      let
        # home-manager module: `config` here is the home-manager fixpoint,
        # not the nix-darwin one
        homeconfig = { pkgs, config, lib, ... }: {
          # uncommenting this line produces: error: attribute 'age' missing
          #home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
          home.stateVersion = "25.05";
          programs.home-manager.enable = true;
        };

        # nix-darwin module: the agenix secret is declared here
        configuration = { pkgs, config, lib, ... }: {
          age.secrets.mysecret.file = ./mysecret.age;
          environment = {
            systemPackages = [
              agenix.packages.aarch64-darwin.default
            ];
            variables = {
              MYSECRET = config.age.secrets.mysecret.path;
            };
          };
          nix.settings.experimental-features = "nix-command flakes";
          nixpkgs.hostPlatform = "aarch64-darwin";
          system = {
            configurationRevision = self.rev or self.dirtyRev or null;
            stateVersion = 5;
          };
        };
      in
      {
        darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
          modules = [
            agenix.darwinModules.default
            configuration
            home-manager.darwinModules.home-manager
            {
              home-manager.useGlobalPkgs = true;
              home-manager.useUserPackages = true;
              home-manager.users.andrew = homeconfig;
            }
          ];
        };
      };
  }
When I try to uncomment this line in the homeconfig:
  home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
I encounter this error message:
  error: attribute 'age' missing
Please point out anything I should be doing better.
 | 09:41:46 |
K900 | The home-manager config and the nix-darwin config are different things | 09:44:28 |
K900 | You need to define your secrets in the same config you consume them in | 09:44:44 |
K900 | Or possibly use osConfig to refer to the nix-darwin fixpoint from home-manager | 09:44:58 |
Andrew Selvia | K900: If I add the secret to homeconfig:
  homeconfig = { pkgs, config, lib, ... }: {
    age.secrets.mysecret.file = ./mysecret.age;
    ...
  };
I end up with a different error:
  error: The option `home-manager.users.andrew.age' does not exist.
 | 09:50:14 |
K900 | You also need to add the HM module for agenix | 09:50:30 |
K900 | As the modules are also completely separate | 09:50:39 |