Can't run Peertube: secretsFile not ending up in config

Hey folks, has anyone gotten Peertube working using the NixOS module? I’d assume so, and that I’ve done something silly, because otherwise I don’t see how this could work. Here’s my config. I have this in secrets.nix for agenix:

"thewordnerd_peertube.age".publicKeys = [ hub ];

I’ve generated the key with openssl as per the docs. It is decrypted in /run/agenix/thewordnerd_peertube in production and appears fine. Here’s my Peertube config:

{ config, ... }:

{
  age.secrets.thewordnerd_peertube.file = ../../../secrets/thewordnerd_peertube.age;
  services = {
    peertube = {
      enable = true;
      localDomain = "peertube.example.com";
      redis.createLocally = true;
      database.createLocally = true;
      secrets.secretsFile = config.age.secrets.thewordnerd_peertube.path;
    };
    caddy.virtualHosts."peertube.example.com".extraConfig = ''
      reverse_proxy http://localhost:9000
    '';
  };
}

example.com is, of course, my own domain name. The problem is the secret, though. The config that gets generated looks like:

root@thewordnerd /v/l/p/config# cat local.yaml 
secrets:
  peertube: ''

I’m not being clever removing the string content; it’s just not there. Here’s the generated script retrieved from /etc/systemd/system/peertube.service:

root@thewordnerd /e/s/system# cat /nix/store/z8vbpmb592pwmcsjnxm0393s3fnga05f-unit-script-peertube-start/bin/peertube-start
#!/nix/store/mc4485g4apaqzjx59dsmqscls1zc3p2w-bash-5.2p37/bin/bash
set -e
umask 077
cat > /var/lib/peertube/config/local.yaml <<EOF
secrets:
  peertube: '$(cat /run/agenix/thewordnerd_peertube)'
EOF
umask 027
ln -sf /nix/store/85vdikz5z5kddryhq32qa57z938w84yc-production.json /var/lib/peertube/config/production.json
ln -sf /nix/store/n45h2p1gqa7wcrn34ccqc9lazgw6yfgx-peertube-6.3.3/config/default.yaml /var/lib/peertube/config/default.yaml
ln -sf /nix/store/n45h2p1gqa7wcrn34ccqc9lazgw6yfgx-peertube-6.3.3/client/dist -T /var/lib/peertube/www/client
ln -sf /var/lib/peertube/storage/client-overrides/ -T /var/lib/peertube/www/client-overrides
exec node dist/server

I won’t paste that output here, but if I run the escaped cat command above, I do get the correct secret I initially set. So that is doing what it should, but are there circumstances where that might fail?

In short, I’m a bit suspicious about shell escape handling at that level. Should that script work? If so, why might it be failing here?

I don’t think this should matter but I’ll add it just in case: my root user’s shell is set to fish. I’d assume packages specify their expected shell environments though, particularly since the shebang at the top of that script is rather explicit, so root’s login shell wouldn’t have an impact.

Thanks.

Yup, totally silly. There was a “permission denied” error higher up in the logs. I thought that’d have failed the script but it didn’t, and I stopped reading at the first error.

All good now.
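The resolution above hinges on a shell detail worth seeing in isolation: in the generated peertube-start script the secret is read by a command substitution inside a heredoc, and the exit status of that `$(cat ...)` is discarded, so `set -e` only sees the successful `cat > local.yaml` and the empty `peertube: ''` value is written silently. The following script is an added example, not part of the thread or of the NixOS module; it reproduces that pattern against constructed temporary files (standing in for /run/agenix) and contrasts it with a variant that reads the secret first and refuses to write the config when the read fails or yields nothing. The function names and the temporary paths are assumptions for this illustration.

```shell
# Added example, not from the original thread or the NixOS peertube module.
# Reproduces the generated unit's pattern: the secret is read by a command
# substitution inside a heredoc. If that read fails, only the substitution's
# subshell returns non-zero; `cat > "$config_file"` still exits 0, so `set -e`
# does not stop the script and an empty secret is written.
write_config_naive() {
    secret_file=$1
    config_file=$2
    (
        set -e
        umask 077
        cat > "$config_file" <<EOF
secrets:
  peertube: '$(cat "$secret_file")'
EOF
    )
}

# Hardened variant (assumed here, not the module's code): read the secret as
# its own command so a failure is visible, and refuse to write an empty value.
write_config_checked() {
    secret_file=$1
    config_file=$2
    if ! secret=$(cat "$secret_file"); then
        echo "refusing to write $config_file: cannot read $secret_file" >&2
        return 1
    fi
    if [ -z "$secret" ]; then
        echo "refusing to write $config_file: $secret_file is empty" >&2
        return 1
    fi
    (
        umask 077
        cat > "$config_file" <<EOF
secrets:
  peertube: '$secret'
EOF
    )
}

# Returns the value written on the `peertube:` line of a generated config.
config_secret_value() {
    sed -n "s/^  peertube: '\(.*\)'$/\1/p" "$1"
}

# Demo with constructed temporary files; the missing path stands in for the
# "permission denied" read from /run/agenix seen in the thread.
demo_dir=$(mktemp -d)
printf 'constructed-secret-value\n' > "$demo_dir/secret"

write_config_naive "$demo_dir/secret" "$demo_dir/good.yaml"
echo "naive, readable secret: $(config_secret_value "$demo_dir/good.yaml")"

write_config_naive "$demo_dir/missing" "$demo_dir/bad.yaml"
echo "naive, failed read still exited with status $? and wrote: '$(config_secret_value "$demo_dir/bad.yaml")'"

if ! write_config_checked "$demo_dir/missing" "$demo_dir/never.yaml"; then
    echo "checked variant refused; $demo_dir/never.yaml exists: $([ -e "$demo_dir/never.yaml" ] && echo yes || echo no)"
fi
```

Running it prints the correct value for the readable file, then shows the naive variant exiting 0 with `peertube: ''` after the failed read, and the checked variant refusing to create the file at all. The practical lesson for reading logs is the one the thread ends on: a `cat: ...: Permission denied` line followed by a service that keeps starting is exactly what this pattern produces, so the first error in the log is the one to chase even when the script appears to continue.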