That doesn’t work, since it doesn’t apply the cat command, but just points to the binary in the nix store for cat. How can I get the content of the file that the agenix secret points to in this context? And would doing this be secure?
If you absolutely want to use the standard environment approach, you could pass config.age.secrets.secret.path as EnvironmentFile, provided the secret material is formatted as an environment file (FOO=bar).
The EnvironmentFile is probably among the better options, but best would be seeing if the binary can be made to read from the file directly upstream. If you control the source (as it looks like…) that should be pretty easy; you can even throw in clever memory management that discards the password when it’s no longer used.
According to man systemd.exec, whatever is inside your EnvironmentFile should override whatever is defined in Environment directives:
Settings from these files override settings made with Environment=.
If the same variable is set twice from these files, the files will
be read in the order they are specified and the later setting will
override the earlier setting.
So it should not be an issue that the service still generates the default.
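Putting the two replies above together, here is an added NixOS module example (not from any poster in this thread) that feeds an agenix secret to a systemd service through EnvironmentFile and keeps a default value in Environment that the file overrides. The service name "myservice", the secret name "myservice-env", the package pkgs.myservice and the variable PASSWORD are assumed placeholders.

```nix
# Added example, not from the thread. Assumed names: myservice, myservice-env,
# ./secrets/myservice-env.age, pkgs.myservice, PASSWORD.
{ config, pkgs, ... }:
{
  # agenix decrypts this at activation time into /run/agenix (outside the
  # world-readable nix store) and exposes the runtime location as .path.
  age.secrets.myservice-env = {
    file = ./secrets/myservice-env.age;  # plaintext must be KEY=value lines
    # Defaults (owner root, mode 0400) are fine here: systemd reads
    # EnvironmentFile= before dropping to User=, so the service user
    # never needs read access to the secret file itself.
  };

  users.users.myservice = {
    isSystemUser = true;
    group = "myservice";
  };
  users.groups.myservice = { };

  systemd.services.myservice = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "myservice";
      Group = "myservice";
      # Per systemd.exec(5), values from EnvironmentFile= override
      # Environment=, so this default is replaced when the file sets PASSWORD.
      Environment = [ "PASSWORD=changeme" ];
      EnvironmentFile = config.age.secrets.myservice-env.path;
      ExecStart = "${pkgs.myservice}/bin/myservice";
      # Environment is visible to anything that can inspect the process;
      # limiting who can do that is part of what makes this approach acceptable.
      ProtectProc = "invisible";
      PrivateTmp = true;
      NoNewPrivileges = true;
    };
  };
}
```

Check the result with `systemctl show myservice -p Environment -p EnvironmentFiles`, and confirm the decrypted path under /run/agenix is not readable by unprivileged users.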