!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

age-encrypted secrets for NixOS https://github.com/ryantm/agenix/



27 May 2025
@andrew-selvia:matrix.org (Andrew Selvia) *

K900: If I add the secret to homeconfig:

homeconfig = { pkgs, config, lib, ... }: {
  age.secrets.mysecret.file = ./mysecret.age;
  home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
  ...
};

I end up with a different error:

error: The option `home-manager.users.andrew.age' does not exist.
09:50:47
@andrew-selvia:matrix.org (Andrew Selvia)

K900: When I add the HM module:

modules = [
  agenix.darwinModules.default
  agenix.homeManagerModules.default
  ...
];

I end up with this error:

error: The option `age.identityPaths' in `/nix/store/foo.../age.nix' is already declared in `/nix/store/bar.../age.nix'.
09:56:51
@k900:0upti.me (K900): It needs to be added to the HM imports 09:57:31
@k900:0upti.me (K900): Not the nix-darwin imports 09:57:36
@k900:0upti.me (K900): Because those are, yet again, separate 09:57:41
@andrew-selvia:matrix.org (Andrew Selvia): My apologies, how would I express that? 09:58:10
@k900:0upti.me (K900): home-manager.users.foo.imports = [ agenix.homeManagerModules.default ] 09:59:49
@andrew-selvia:matrix.org (Andrew Selvia)

K900 You've pointed me in the right direction:

homeconfig = { pkgs, config, lib, ... }: {
  imports = [agenix.homeManagerModules.default];
  age.secrets.mysecret.file = ./mysecret.age;
  home.file."mysecret.txt".source = config.age.secrets.mysecret.path;
  ...
};

By any chance, do you have a recommendation for how to handle this?

error: A definition for option `home-manager.users.andrew.home.file."mysecret.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/mysecret"
10:19:09
@k900:0upti.me (K900): I don't think it works like that 10:20:26
@andrew-selvia:matrix.org (Andrew Selvia): https://github.com/ryantm/agenix/issues/329? 10:21:15
@andrew-selvia:matrix.org (Andrew Selvia): Is there a preferred way of storing an agenix secret via HM? 10:25:41
@andrew-selvia:matrix.org (Andrew Selvia): Seemingly related 10:35:56
@andrew-selvia:matrix.org (Andrew Selvia) *: Looks like I stumbled upon an anti-pattern: https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net 10:42:10
@andrew-selvia:matrix.org (Andrew Selvia): Not sure exactly how to do things properly though :( 10:42:31
@andrew-selvia:matrix.org (Andrew Selvia)

ChatGPT is recommending an alternative approach:

home.activation.copyMySecret = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
  cp /run${config.age.secrets.mysecret.path} ${config.home.homeDirectory}/mysecret.txt
'';

It works, though I suspect it compromises reproducibility...

Signing off for the evening. If there's a better way, I'd be keen to learn!

11:03:22
28 May 2025
@andrew-selvia:matrix.org (Andrew Selvia)

Claude eventually helped me find a more pleasant solution based on extraSpecialArgs. I've tried to minimize it for clarity.

The initial goal was to create a self-contained, minimal flake.nix that integrated nix-darwin, home-manager, and agenix. The desired end state is a macOS system with an agenix-encrypted secret decrypted and stored at ~/secret1.txt (by home-manager).

The following flake.nix breaks the configuration into 2 sections:

  1. homeconfig: to configure home-manager
  2. configuration: to configure nix-darwin

The secrets are defined in configuration then shuttled to homeconfig via extraSpecialArgs.darwinSecrets. The path to the secret is then leveraged by homeconfig to populate ~/secret1.txt (i.e., home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;). Importantly, this circumvents the following error that would arise if the secret path was accessed directly (i.e., home.file."secret1.txt".source = config.age.secrets.secret1.path;):

error: A definition for option `home-manager.users.andrew.home.file."secret1.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1"

If any Nix experts observe any flaws in this approach, please raise them now. Otherwise, I hope it helps:

{
  description = "nix-darwin & home-manager & agenix";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/master";
    nix-darwin.url = "github:nix-darwin/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
  };
  outputs = inputs @ { self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
  let
    # home-manager side. The decrypted secret's path arrives through the
    # `darwinSecrets` special arg instead of being read from
    # `config.age.secrets`, because on nix-darwin that path is the shell
    # expression "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1", which
    # `home.file.<name>.source` rejects as "not of type `absolute path'".
    homeconfig = { pkgs, config, lib, darwinSecrets, ... }: {
      imports = [agenix.homeManagerModules.default];
      # mkOutOfStoreSymlink links ~/secret1.txt to the runtime location
      # rather than copying the plaintext into the Nix store.
      home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;
      home.stateVersion = "25.05";
      home.packages = [agenix.packages.aarch64-darwin.default];
      programs.home-manager.enable = true;
    };
    # nix-darwin side: declares the secret and passes its path to home-manager.
    configuration = { pkgs, config, lib, ... }: {
      age = {
        secrets = {
          secret1 = {
            symlink = true;
            file = ./secret1.age;
            # "777" makes the decrypted secret readable and writable by every
            # local user. agenix also accepts `owner`, `group` and a narrower
            # `mode` (e.g. owner = "andrew"; mode = "400";) when one user needs it.
            mode = "777";
          };
        };
      };
      environment.systemPackages = [agenix.packages.aarch64-darwin.default];
      home-manager = {
        useGlobalPkgs = true;
        users.andrew = homeconfig;
        useUserPackages = true;
        # Shuttle the agenix path into the home-manager module as a special arg.
        extraSpecialArgs = {
          darwinSecrets = {
            secret1 = config.age.secrets.secret1.path;
          };
        };
      };
      nix.settings.experimental-features = "nix-command flakes";
      nixpkgs.hostPlatform = "aarch64-darwin";
      system = {
        configurationRevision = self.rev or self.dirtyRev or null;
        stateVersion = 5;
      };
    };
  in
  {
    darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
      modules = [
        agenix.darwinModules.default
        configuration
        home-manager.darwinModules.home-manager
      ];
    };
  };
}
03:49:26
