| 21 May 2025 |
|  oddlama changed their display name from Malte to oddlama. | 17:42:11 |
| 22 May 2025 |
|  @mynacol:mynacol.xyz left the room. | 20:46:14 |
| 24 May 2025 |
|  row joined the room. | 14:51:21 |
| 25 May 2025 |
|  @raijin_:matrix.org left the room. | 02:00:05 |
 tebriel | In reply to @xoredg:matrix.org
let me know what you guys usually do in these cases I use pkgs.replace-secret to put a hash in the yaml file and pre-process it. Since I use virutalisation.oci-containers which creates a systemd job I can do an execstartpre on the container start to replace the secrets in the file | 02:25:21 |
|  @nemnix:matrix.org left the room. | 22:40:13 |
| 26 May 2025 |
|  Zexin Yuan joined the room. | 07:59:49 |
| 27 May 2025 |
 Andrew Selvia | I have successfully encrypted a secret with agenix (i.e., I see the generated mysecret.age file). Now, I'm trying to integrate it into my flake.nix file. I've been struggling for a week. Is anyone able to educate me? | 02:45:04 |
| Andrew Selvia | My flake.nix file is just the stock one produced by nix-darwin. | 02:46:31 |
| Andrew Selvia | When I try to apply configuration like this:
let
configuration = { pkgs, config, lib, agenix, ... }: {
...
age.secrets.mysecret = {
file =./mysecret.age;
path = "~/demo";
};
};
in ...
the following error is produced:
The option `age' does not exist.
| 02:53:01 |
| Andrew Selvia | Aha! I needed to add this within the configuration:
imports = [ agenix.darwinModules.default ];
| 04:57:04 |
| Andrew Selvia | I'm trying to produce a minimal flake.nix file that integrates:
- agenix
- nix-darwin
- home-manager
I'm stuck on the last piece. I have successfully threaded an agenix-encrypted secret through an environment variable in the nix-darwin configuration; however, I have yet to discover how to get that same exact secret stored in a file via home-manager. My flake.nix is as follows:
{
description = "nix-darwin+home-manager+agenix";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/master";
nix-darwin.url = "github:nix-darwin/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
};
outputs = inputs@{ self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
let
homeconfig = { pkgs, config, lib, ... }: {
#home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
home.stateVersion = "25.05";
programs.home-manager.enable = true;
};
configuration = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
environment = {
systemPackages = [
agenix.packages.aarch64-darwin.default
];
variables = {
MYSECRET = config.age.secrets.mysecret.path;
};
};
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.hostPlatform = "aarch64-darwin";
system = {
configurationRevision = self.rev or self.dirtyRev or null;
stateVersion = 5;
};
};
in
{
darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
modules = [
agenix.darwinModules.default
configuration
home-manager.darwinModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.andrew = homeconfig;
}
];
};
};
}
When I try to uncomment this line in the homeconfig:
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
I encounter this error message:
error: attribute 'age' missing
Please point out anything I should be doing better.
| 09:41:46 |
 K900 | The home-manager config and the nix-darwin config are different things | 09:44:28 |
| K900 | You need to define your secrets in the same config you consume them in | 09:44:44 |
| K900 | Or possibly use osConfig to refer to the nix-darwin fixpoint from home-manager | 09:44:58 |
| Andrew Selvia | K900: If I add the secret to homeconfig:
homeconfig = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
...
};
I end up with a different error:
error: The option `home-manager.users.andrew.age' does not exist.
| 09:50:14 |
| K900 | You also need to add the HM module for agenix | 09:50:30 |
| K900 | As the modules are also completely separate | 09:50:39 |
| Andrew Selvia | * K900: If I add the secret to homeconfig:
homeconfig = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
...
};
I end up with a different error:
error: The option `home-manager.users.andrew.age' does not exist.
| 09:50:47 |
| Andrew Selvia | K900: When I add the HM module:
modules = [
agenix.darwinModules.default
agenix.homeManagerModules.default
...
];
I end up with this error:
error: The option `age.identityPaths' in `/nix/store/foo.../age.nix' is already declared in `/nix/store/bar.../age.nix'.
| 09:56:51 |
| K900 | It needs to be added to the HM imports | 09:57:31 |
| K900 | Not the nix-darwin imports | 09:57:36 |
| K900 | Because those are, yet again, separate | 09:57:41 |
| Andrew Selvia | My apologies, how would I express that? | 09:58:10 |
| K900 | home-manager.users.foo.imports = [ agenix.homeManagerModules.default ] | 09:59:49 |
| Andrew Selvia | K900 You've pointed me in the right direction:
homeconfig = { pkgs, config, lib, ... }: {
imports = [agenix.homeManagerModules.default];
age.secrets.mysecret.file = ./mysecret.age;
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
...
};
By any chance, do you have a recommendation for how to handle this?
error: A definition for option `home-manager.users.andrew.home.file."mysecret.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/mysecret"
| 10:19:09 |
| K900 | I don't think it works like that | 10:20:26 |
| Andrew Selvia | https://github.com/ryantm/agenix/issues/329? | 10:21:15 |
| Andrew Selvia | Is there a preferred way of storing an agenix secret via HM? | 10:25:41 |
| Andrew Selvia | Seemingly related | 10:35:56 |
