| 27 May 2025 |
 K900 | The home-manager config and the nix-darwin config are different things | 09:44:28 |
| K900 | You need to define your secrets in the same config you consume them in | 09:44:44 |
| K900 | Or possibly use osConfig to refer to the nix-darwin fixpoint from home-manager | 09:44:58 |
 Andrew Selvia | K900: If I add the secret to homeconfig:
homeconfig = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
...
};
I end up with a different error:
error: The option `home-manager.users.andrew.age' does not exist.
| 09:50:14 |
| K900 | You also need to add the HM module for agenix | 09:50:30 |
| K900 | As the modules are also completely separate | 09:50:39 |
| Andrew Selvia | * K900: If I add the secret to homeconfig:
homeconfig = { pkgs, config, lib, ... }: {
age.secrets.mysecret.file = ./mysecret.age;
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
...
};
I end up with a different error:
error: The option `home-manager.users.andrew.age' does not exist.
| 09:50:47 |
| Andrew Selvia | K900: When I add the HM module:
modules = [
agenix.darwinModules.default
agenix.homeManagerModules.default
...
];
I end up with this error:
error: The option `age.identityPaths' in `/nix/store/foo.../age.nix' is already declared in `/nix/store/bar.../age.nix'.
| 09:56:51 |
| K900 | It needs to be added to the HM imports | 09:57:31 |
| K900 | Not the nix-darwin imports | 09:57:36 |
| K900 | Because those are, yet again, separate | 09:57:41 |
| Andrew Selvia | My apologies, how would I express that? | 09:58:10 |
| K900 | home-manager.users.foo.imports = [ agenix.homeManagerModules.default ] | 09:59:49 |
| Andrew Selvia | K900 You've pointed me in the right direction:
homeconfig = { pkgs, config, lib, ... }: {
imports = [agenix.homeManagerModules.default];
age.secrets.mysecret.file = ./mysecret.age;
home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
...
};
By any chance, do you have a recommendation for how to handle this?
error: A definition for option `home-manager.users.andrew.home.file."mysecret.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/mysecret"
| 10:19:09 |
| K900 | I don't think it works like that | 10:20:26 |
| Andrew Selvia | https://github.com/ryantm/agenix/issues/329? | 10:21:15 |
| Andrew Selvia | Is there a preferred way of storing an agenix secret via HM? | 10:25:41 |
| Andrew Selvia | Seemingly related | 10:35:56 |
| Andrew Selvia | https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net | 10:41:37 |
| Andrew Selvia | * Looks like I stumbled upon an anti-pattern: https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net | 10:42:10 |
| Andrew Selvia | Not sure exactly how to do things properly though :( | 10:42:31 |
| Andrew Selvia | ChatGPT is recommending an alternative approach:
home.activation.copyMySecret = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
cp /run${config.age.secrets.mysecret.path} ${config.home.homeDirectory}/mysecret.txt
'';
It works, though I suspect it compromises reproducibility...
Signing off for the evening. If there's a better way, I'd be keen to learn!
| 11:03:22 |
|  Lorenz joined the room. | 11:15:30 |
| 28 May 2025 |
| Andrew Selvia | Claude eventually helped me find a more pleasant solution based on extraSpecialArgs. I've tried to minimize it for clarity.
The initial goal was to create a self-contained, minimal flake.nix that integrated nix-darwin, home-manager, and agenix. The desired end state is a macOS system with an agenix-encrypted secret decrypted and stored at ~/secret1.txt (by home-manager).
The following flake.nix breaks the configuration into 2 sections:
homeconfig: to configure home-managerconfiguration: to configure nix-darwin
The secrets are defined in configuration then shuttled to homeconfig via extraSpecialArgs.darwinSecrets. The path to the secret is then leveraged by homeconfig to populate ~/secret1.txt (i.e., home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;). Importantly, this circumvents the following error that would arise if the secret path was accessed directly (i.e., home.file."secret1.txt".source = config.age.secrets.secret1.path;):
error: A definition for option `home-manager.users.andrew.home.file."secret1.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1"
If any Nix experts observe any flaws in this approach, please raise them now. Otherwise, I hope it helps:
{
description = "nix-darwin & home-manager & agenix";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/master";
nix-darwin.url = "github:nix-darwin/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
};
outputs = inputs @ { self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
let
homeconfig = { pkgs, config, lib, darwinSecrets, ... }: {
imports = [agenix.homeManagerModules.default];
home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;
home.stateVersion = "25.05";
home.packages = with pkgs; [agenix.packages.aarch64-darwin.default];
programs.home-manager.enable = true;
};
configuration = { pkgs, config, lib, ... }: {
age = {
secrets = {
secret1 = {
symlink = true;
file = ./secret1.age;
mode = "777";
};
};
};
environment.systemPackages = [agenix.packages.aarch64-darwin.default];
home-manager = {
useGlobalPkgs = true;
users.andrew = homeconfig;
useUserPackages = true;
extraSpecialArgs = {
darwinSecrets = {
secret1 = config.age.secrets.secret1.path;
};
};
};
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.hostPlatform = "aarch64-darwin";
system = {
configurationRevision = self.rev or self.dirtyRev or null;
stateVersion = 5;
};
};
in
{
darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
modules = [
agenix.darwinModules.default
configuration
home-manager.darwinModules.home-manager
];
};
};
}
| 03:49:26 |
|  crgre joined the room. | 15:17:31 |
| 31 May 2025 |
|  tiferrei joined the room. | 20:52:37 |
| 1 Jun 2025 |
|  Sean Thawe joined the room. | 23:38:45 |
| 7 Jun 2025 |
|  matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) joined the room. | 17:45:05 |
| matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) left the room. | 22:57:38 |
| matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) joined the room. | 23:48:03 |
