Is agenix appropriate for storing something like a spotify token?

[codygman]

I'm pretty sure I misunderstand how this is supposed to be used. It's probably better to just post what I tried first:

  home-manager.users.cody.services.spotifyd={
    enable = true;
    settings = {
      global = {
        username = "Alex";
        password = builtins.readFile "${self}/secrets/mysecret.age}";
        device_name = "nix";
      };
    };
  };

This gave me the error:

error: getting status of '/nix/store/zwpqk6hnllif9z81yxi838q13adyhz4x-source/secrets/mysecret.age}': No such file or directory

My question is pretty similar to this one:

ryantm/agenix#29

There it seems the conclusion is to just use a file outside of your devos repo? That's not really the type of solution I'm looking for 😄

Revisiting the original thread about agenix I'm led to a solution which seems like it would do what I want in Encrypted Secrets with NixOS.

Note however, I cannot find how to actually use the secret there or I'm missing something.

EDIT: Ah, I think I understand that module from the block post now. In this example:

within.secrets.example = {
  source = ./secrets/example.env;
  dest = "/var/lib/example/.env";
  owner = "example";
  group = "nogroup";
  permissions = "0400";
};

I think from your nix code you would just do a readFile /var/lib/example/.env?

[blaggacao]

I'm not sure if there is a solution to this. The way you attempt to work around this won't be possible.

The target application needs a way to read your secrets at runtime from /run/secrets/mysecrets.

Maybe the best approach is to teach that application (spotifyd) to read a secret from a file. E.g. via a wrapper?

The way secrets are only decrypted at runtime is via a system.activationScript, see: https://www.github.com/ryantm/agenix/tree/master/modules%2Fage.nix

[Pacman99]

I ran into this myself and I've been too lazy to actually fix it and setup spotifyd. As @blaggacao mentioned the secrets have to be read on runtime with agenix. But luckily this is solveable with agenix and spotifyd.

If you look at spotifyd's configuration options theres a password_cmd setting and you could set that too cat /run/secrets/spotifyPassword.

To clarify, the reason readFile doesn't work is because readFile is a nix command that is called during your nix evaluation, but agenix only unencrypts secrets during activation which is a step after evaluation.

This does raise one concern of that fact that your agenix secret for spotify is set in your nixos configuration while spotify is in your home-manager configuration. It should work, but something about that feels wrong to me. Maybe agenix needs a home-manager module.

[blaggacao]

Maybe agenix needs a home-manager module.

Good idea, does hm have something equivalent to activationScript?

[codygman]

This does raise one concern of that fact that your agenix secret for spotify is set in your nixos configuration while spotify is in your home-manager configuration. It should work, but something about that feels wrong to me. Maybe agenix needs a home-manager module.

I didn't mean to raise this concern, but I'm certainly glad I did!

[codygman]

I think I might have run into a bug, but more likely I'm doing something wrong.

I have:

  age.secrets.mysecret.file = "${self}/secrets/mysecret.age" ;
  home-manager.users.cody.services.spotifyd={
    enable = true;
    settings = {
      global = {
        username = "myuser";
        password_cmd = "cat /run/secrets/myage";
        device_name = "nix-work";
      };
    };
  };

secrets.nix

let
  # set ssh public keys here for your system and user
  system = "snip root@nixos";
  user = "snip cody@tower";
  allKeys = [ system user ];
in
{
  "secret.age".publicKeys = allKeys;
}

The file is there:

devos2/secrets  try-upgrading-devos 「↪ 𝚫 📁 」  ⎔ 
❯ ls -larth
total 20K
-rw-r--r--  1 cody users  113 Jun 12 12:27 .gitattributes
-rw-r--r--  1 cody users  341 Jun 12 23:56 secrets.nix
-rw-r--r--  1 cody users  414 Jun 13 00:00 secret.age
drwxr-xr-x  2 cody users 4.0K Jun 13 00:00 .
drwxr-xr-x 16 cody users 4.0K Jun 13 17:31 ..

But when switching I get this error:

devos2  try-upgrading-devos 「↪ 𝚫 📁 」  ⎔ 
✖1 ❯ flk tower switch
[sudo] password for cody: 
warning: Git tree '/home/cody/devos2' is dirty
building the system configuration...
warning: Git tree '/home/cody/devos2' is dirty
trace: warning: The option `services.gnome3.gnome-keyring.enable' defined in `/nix/store/l7yfy4j4pgxvb27gjqm66fz1z1rpkmws-source/profiles/graphical' has been renamed to `services.gnome.gnome-keyring.enable'.
updating GRUB 2 menu...
It's output will be used to detect bootable binaries on them and create new boot entries.
lsblk: /dev/mapper/no*[0-9]: not a block device
lsblk: /dev/mapper/no*[0-9]: not a block device
lsblk: /dev/mapper/disks*[0-9]: not a block device
lsblk: /dev/mapper/disks*[0-9]: not a block device
Found Windows Boot Manager on /dev/sdb2@/efi/Microsoft/Boot/bootmgfw.efi
activating the configuration...
[agenix] decrypting root secrets...
decrypting /nix/store/l7yfy4j4pgxvb27gjqm66fz1z1rpkmws-source/secrets/mysecret.age to /run/secrets/mysecret...
Error: No such file or directory (os error 2)

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]
chmod: cannot access '/run/secrets/mysecret.tmp': No such file or directory
chown: cannot access '/run/secrets/mysecret.tmp': No such file or directory
mv: cannot stat '/run/secrets/mysecret.tmp': No such file or directory
Activation script snippet 'agenixRoot' failed (1)
[agenix] decrypting non-root secrets...
setting up /etc...
reloading user units for cody...
setting up tmpfiles
starting the following units: home-manager-cody.service
warning: error(s) occurred while switching to the new configuration

[codygman]

Ok I think I had a few things wrong above but the big one was that I did not do:

git add secret.age

[codygman]

Then I got around the permissions error with:

  age.secrets.secret = {
    file = "${self}/secrets/secret.age" ;
    owner = "1000";
    group = "100";
  };

Edit: In case I wasn't obvious enough, IT'S WORKING! 😄

[nrdxp]

I've been wanting to put together an HM module for agenix as well, but I've been backlogged 😢

[Xe]

Please use agenix.