!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

328 Members, 95 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/

27 May 2025
@andrew-selvia:matrix.org (Andrew Selvia)

ChatGPT is recommending an alternative approach:

home.activation.copyMySecret = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
  cp /run${config.age.secrets.mysecret.path} ${config.home.homeDirectory}/mysecret.txt
'';

It works, though I suspect it compromises reproducibility...

Signing off for the evening. If there's a better way, I'd be keen to learn!

11:03:22
@apeioo:matrix.org (Lorenz) joined the room. 11:15:30
28 May 2025
@andrew-selvia:matrix.org (Andrew Selvia)

Claude eventually helped me find a more pleasant solution based on extraSpecialArgs. I've tried to minimize it for clarity.

The initial goal was to create a self-contained, minimal flake.nix that integrated nix-darwin, home-manager, and agenix. The desired end state is a macOS system with an agenix-encrypted secret decrypted and stored at ~/secret1.txt (by home-manager).

The following flake.nix breaks the configuration into 2 sections:

  1. homeconfig: to configure home-manager
  2. configuration: to configure nix-darwin

The secrets are defined in configuration then shuttled to homeconfig via extraSpecialArgs.darwinSecrets. The path to the secret is then leveraged by homeconfig to populate ~/secret1.txt (i.e., home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;). Importantly, this circumvents the following error that would arise if the secret path was accessed directly (i.e., home.file."secret1.txt".source = config.age.secrets.secret1.path;):

error: A definition for option `home-manager.users.andrew.home.file."secret1.txt".source' is not of type `absolute path'. Definition values:
- In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1"

If any Nix experts observe any flaws in this approach, please raise them now. Otherwise, I hope it helps:

{
  description = "nix-darwin & home-manager & agenix";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/master";
    nix-darwin.url = "github:nix-darwin/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
  };
  outputs = inputs @ { self, nix-darwin, nixpkgs, home-manager, agenix, ... }:
  let
    homeconfig = { pkgs, config, lib, darwinSecrets, ... }: {
      imports = [agenix.homeManagerModules.default];
      home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;
      home.stateVersion = "25.05";
      home.packages = with pkgs; [agenix.packages.aarch64-darwin.default];
      programs.home-manager.enable = true;
    };
    configuration = { pkgs, config, lib, ... }: {
      age = {
        secrets = {
          secret1 = {
            symlink = true;
            file = ./secret1.age;
            # "777" makes the decrypted secret readable and writable by every
            # user on the machine; for a real secret restrict this to the owner.
            mode = "777";
          };
        };
      };
      environment.systemPackages = [agenix.packages.aarch64-darwin.default];
      home-manager = {
        useGlobalPkgs = true;
        users.andrew = homeconfig;
        useUserPackages = true;
        extraSpecialArgs = {
          darwinSecrets = {
            secret1 = config.age.secrets.secret1.path;
          };
        };
      };
      nix.settings.experimental-features = "nix-command flakes";
      nixpkgs.hostPlatform = "aarch64-darwin";
      system = {
        configurationRevision = self.rev or self.dirtyRev or null;
        stateVersion = 5;
      };
    };
  in
  {
    darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem {
      modules = [
        agenix.darwinModules.default
        configuration
        home-manager.darwinModules.home-manager
      ];
    };
  };
}
03:49:26
@crgre:matrix.org (crgre) joined the room. 15:17:31
31 May 2025
@tiferrei:matrix.org (tiferrei) joined the room. 20:52:37
1 Jun 2025
@seanthw:matrix.org (Sean Thawe) joined the room. 23:38:45
7 Jun 2025
@deeok:matrix.org (matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms)) joined the room. 17:45:05
@deeok:matrix.org (matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms)) left the room. 22:57:38
@deeok:matrix.org (matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms)) joined the room. 23:48:03
9 Jun 2025
@sigmasquadron:matrix.org (SigmaSquadron) joined the room. 13:05:05
@yurigba:matrix.org (Magus) joined the room. 20:55:03
11 Jun 2025
@stackptr:matrix.org (stackptr) set a profile picture. 02:02:44
12 Jun 2025
@lorev:matrix.org (lorev) joined the room. 11:58:20
15 Jun 2025
@andrew-selvia:matrix.org (Andrew Selvia) set a profile picture. 04:29:11
@t4ccer:matrix.org left the room. 19:07:07
16 Jun 2025
@ygt:matrix.org left the room. 21:51:48
17 Jun 2025
@r522:matrix.org changed their display name from 522 [it/its][ΘΔ] to 522 (moved to @522_:catgirl.cloud). 16:27:06
@522_:catgirl.cloud (522 [it/its][ΘΔ]) joined the room. 18:28:34
@r522:matrix.org left the room. 19:07:17
@522_:catgirl.cloud (522 [it/its][ΘΔ]) changed their display name from 522_ to 522 [it/its][ΘΔ]. 19:51:30
@522_:catgirl.cloud (522 [it/its][ΘΔ]) set a profile picture. 20:18:11
19 Jun 2025
@lgcl:lgcl.de (lgcl (she/they)) changed their display name from lgcl (they/them) to lgcl (she/they). 18:06:57
20 Jun 2025
@d:bugpara.de (debugloop) joined the room. 17:30:20
@genericnerdyusername:matrix.org left the room. 23:32:29
23 Jun 2025
@isabel:isabelroses.com (isabel) changed their profile picture. 15:36:53
24 Jun 2025
@sielicki:matrix.org (sielicki) joined the room. 22:10:22
27 Jun 2025
@redstone-menace:matrix.orgR̴̨͕͇͍̞̮̐̅͆̌̀̉̐͋̈́̃̀͒́̎̅̚̚̚͠͝Ĕ̵̡̛͖͖̟̙̫̱͈̘̞̭͍͍͑̌̄͑̓̋̓̀̈̏̈́͊̇͊͆̉͂̏̀̃̚͘͝͝ͅͅD̶̡̢͔̱̖̮͙͉̘̺͓͍̩̮͈͍͗̃̀̏͌͘͜ͅŚ̸̬̭̯̬͙͇͓̬̩̳̤͚͓̤̩̺͉͖̉͛̓̿̎͊̿̆́̐͂̇͌̄̇̓͘ͅͅT̴̞̫̘̝͇͔̟̪̪̦͂̔̎̀̎ͅŎ̷̡̬̹̪͈̭̣͈̭̭͉̦̖̝̘̪͖͔̥̦̘̻̳Ṋ̶̛̫͈̳̘͚̜̔̋͆̅̈́͊̑͊̉̌̈́̾͑̈́̚ͅË̸̡̨̨̛͇̜̖͔͖̻̟̗̠̙͓̘̗̥͉͇̜͑͆͊͑͑̀̓͒͜͝͝ changed their display name from Redstone to R̴̨͕͇͍̞̮̐̅͆̌̀̉̐͋̈́̃̀͒́̎̅̚̚̚͠͝Ĕ̵̡̛͖͖̟̙̫̱͈̘̞̭͍͍͑̌̄͑̓̋̓̀̈̏̈́͊̇͊͆̉͂̏̀̃̚͘͝͝ͅͅD̶̡̢͔̱̖̮͙͉̘̺͓͍̩̮͈͍͗̃̀̏͌͘͜ͅŚ̸̬̭̯̬͙͇͓̬̩̳̤͚͓̤̩̺͉͖̉͛̓̿̎͊̿̆́̐͂̇͌̄̇̓͘ͅͅT̴̞̫̘̝͇͔̟̪̪̦͂̔̎̀̎ͅŎ̷̡̬̹̪͈̭̣͈̭̭͉̦̖̝̘̪͖͔̥̦̘̻̳Ṋ̶̛̫͈̳̘͚̜̔̋͆̅̈́͊̑͊̉̌̈́̾͑̈́̚ͅË̸̡̨̨̛͇̜̖͔͖̻̟̗̠̙͓̘̗̥͉͇̜͑͆͊͑͑̀̓͒͜͝͝.00:56:03
30 Jun 2025
@atagen:imagisphe.re (atagen) joined the room. 03:04:10
1 Jul 2025
@zororg:matrix.org (zororg) joined the room. 14:52:48
@zororg:matrix.org (zororg)

hello. I was reading about getting gnupg set up declaratively and stumbled upon a plethora of information: sops-nix, agenix, the age tool, and I was reading more about it. But my conclusion is still that gpg might be widely adopted and work for most cases.

14:56:54
