Secrets inside nixos-containers

Is there a way to access secrets from tools like sops-nix or agenix inside nixos-containers, considering these tools expose secrets in the host filesystem which isn’t available after the container chroot? Or, what is the recommended way of storing secrets for nixos-containers?

what are you trying to achieve and your use case, if you give me the why, i’ll give you the the

I define my secrets on the host and then bind mount them inside the container like so:"${config.sops.secrets.fooSecret.path}".isReadOnly = true;

This works just fine, thanks a lot. Am i missing some obvious security implications when mounting the path not read-only in the container for allow changing ownership with tmpfiles.d from within the container to make the secrets accessible to other users?

In my case I didn’t need any special access because I had uid values lined up inside and out of the container so it was all good. But yeah, if you want to do that it is fine too.

1 Like

I found a solution to the user-id problem. The key is to import agenix into the container. Here is a explaining example with radicale in a container:

{ agenix, ... }: {

  containers."calendar" = {
    autoStart = true;

    # pass the private key to the container for agenix to decrypt the secret
    bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;

    config = { config, lib, pkgs, ... }: {

      imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container

      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically for some reason
      # import the secret
      age.secrets."calendar-users" = {
        file = ../secrets/calendar-users.age;
        owner = "radicale";

      services.radicale = {
        enable = true;
        settings = {
          auth = {
            type = "htpasswd";
            htpasswd_filename = config.age.secrets."calendar-users".path; # use the secret
            htpasswd_encryption = "plain";

       # ...