using system agenix inside home-manager


if you’re already using home-manager as a NixOS module, you don’t need agenix’s home-manager module to manage user secrets. this might be obvious in retrospect but it took me a while to work out how to do it, so sharing it here :3

the basic premise is that, when home-manager runs as a NixOS module, it passes an osConfig argument that refers to the evaluated system configuration, which your home-manager modules can read from (standalone home-manager doesn’t get one, so this trick only works with the module setup). https://nix-community.github.io/home-manager/ mentions

Home Manager will pass osConfig as a module argument to any modules you create. This contains the system’s NixOS configuration.

inside system/agenix.nix (this is a NixOS module using agenix’s system-level age options)

{
  age = {
    # the host's private age key; keep it root-only, agenix decrypts as root
    identityPaths = [ "/etc/agenix-secrets/key.txt" ];
    secrets = {
      listenbrainz-mpd-token = {
        file = ../secrets/listenbrainz-mpd-token.age;
        # decrypted at activation to ${age.secretsDir}/listenbrainz-mpd-token
        # (/run/agenix by default); 400 + owner means only fivie can read it
        mode = "400";
        owner = "fivie";
        group = "users";
      };
    };
  };
}

be sure to set owner to your user, otherwise your user won’t be able to read it :) (with mode "400" only the owner can read the file, so group doesn’t affect access here; the decryption itself is done by root during system activation, nothing runs as your user)

inside user/listenbrainz-mpd.nix (this is a home-manager module)

{ osConfig, ... }:
{
  services.listenbrainz-mpd = {
    enable = true;
    settings = {
      submission = {
        # osConfig is the evaluated NixOS config, so this is a plain
        # absolute path string (no environment variables to expand)
        token_file = osConfig.age.secrets.listenbrainz-mpd-token.path;
      };
    };
  };
}
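to show how the two files above fit together, here’s a flake.nix that wires them up. this is an added example, not code from the original post: the hostname, the user definition and the input pins are assumptions, and the assertion at the end is extra (it fails evaluation if someone later changes the secret’s owner to a different user, which is the mistake that otherwise only shows up at runtime as a permission error).

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { nixpkgs, home-manager, agenix, ... }: {
    # "laptop" is an assumed hostname
    nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        # system-level agenix: provides the age.* options used in system/agenix.nix
        agenix.nixosModules.default
        # home-manager as a NixOS module: this is what makes osConfig available
        home-manager.nixosModules.home-manager
        ./system/agenix.nix
        ({ config, ... }: {
          users.users.fivie = {
            isNormalUser = true;
            group = "users";
          };

          home-manager.useGlobalPkgs = true;
          home-manager.users.fivie = {
            imports = [ ./user/listenbrainz-mpd.nix ];
            home.stateVersion = "24.05";
          };

          # extra guard (assumption): catch an owner mismatch at eval time
          # rather than as a permission error when listenbrainz-mpd starts
          assertions = [{
            assertion = config.age.secrets.listenbrainz-mpd-token.owner == "fivie";
            message = "listenbrainz-mpd-token must be owned by fivie so the home-manager service can read it";
          }];
        })
      ];
    };
  };
}
```

the only key on the machine is the one in identityPaths; the user module never touches age at all, it just consumes the path string that the system module already computed.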

doing this means you don’t need to fuck around with agenix’s home-manager module, whose default secret paths contain environment variables like $XDG_RUNTIME_DIR (which work approximately nowhere, since most programs don’t expand variables in the config files you paste them into), and you only need to manage one key per device, rather than having a distinction between user-level and system-level keys. osConfig.age.secrets.<name>.path evaluates to a plain absolute path, so it can go straight into any config file.