Exportarr api key

I’m trying to set up grafana with exportarr for sonarr. Exportarr requires an api key for sonarr/radarr and the nix service provides this with systemd LoadCredential. I have set this up with agenix to provide it as a secret. However, I keep getting the error regex: api-key must be a 20-32 character alphanumeric string. When I read the secret file as the exportarr user I can read it just fine, but it seems like something is going wrong in the service itself(maybe the LoadCredential) part. I am providing the secret as such:

  age.secrets.sonarr = {
    file = ../../secrets/sonarrApiKey.age;
    owner = "exportarr";
    group = "exportarr";
    mode = "770";

And setting up exportarr for sonarr as follows:

  services.prometheus = {
    enable = true;
    package = pkgs.unstable.prometheus;
    exporters = {
      exportarr-sonarr = {
        enable = true;
        package = pkgs.unstable.exportarr;
        user = "exportarr";
        group = "exportarr";
        apiKeyFile = "/run/agenix/sonarr";

I have tried making a plain text file with the secret in it and setting apiKeyFile to this path, but this gave the exact same error.

Are you sure the API key in question actually conforms to that regex? Also, just an idea (Exportatr could trim it), but did you make sure that you’re saving the age secret with no newline?

I have tested it on regex 101 and it matches just fine, the file doesn’t seem to have newlines

I can’t find anything obvious at a glance. Try stracing to see if it successfully reads the file?

An aside: I wonder if this is just due to the service racing the creation of the file, coupled with a horrible error message… could you try making sure the file is in place, and readable by the exportarr user, then restarting the service?

This is what I was wondering as well, but even making a regular file that is readable by the exportarr user and setting apiKeyFile to this gives the exact same error. When the file doesn’t exist it gives a different error, about the path for the credential not existing within the services run/credentials folder. I’ll try stracing it tonight.