Using `home.file.<name>.source` in pure evaluation mode

mvb · June 17, 2025, 9:23pm

I’m trying to set up agenix’ home-manager module for use with home.file.<name>.<whatever>, so that I can place my ~/.gradle/gradle.properties which contains secrets with it. This home-manager module is a bit iffy in that by default its ...path properties evaluate to $XDG_RUNTIME_DIR/agenix/<name> by default (see this), which isn’t usable with home.file.<name>.target because that path isn’t relative to the $HOME dir, and it’s also not working with home.file.<name>.source because it’s not an absolute paths.

So, I’ve tried overriding it with absolute paths. I tried ${config.home.homeDirectory}/something and /run/agenix/${config.home.username}/something. But in both cases I get something akin to

error: access to absolute path '/run' is forbidden in pure evaluation mode (use '--impure' to override)

That makes me wonder: Are there any absolute paths I am allowed to access in pure evaluation mode? Or is home.file.<name>.source simply completely unusable with flakes (without downgrading to impure eval mode)?

NobbZ · June 18, 2025, 5:32am

It’s fully usable, for things you get through nix or are part of your flake.

For agneix and sopsnix you have to use the secrets options to manipulate the secrets location if you need it at certain locations.

TLATER · June 18, 2025, 8:20am

To be clear, yes, anything in /nix/store or the directory your flake.nix is in, as well as their subdirectories.

If you want to make agenix put your gradle.properties in the path you expect, your config should say something like:

{ config, ... }: {
  age.secrets.<name>.path = "${config.home}/.gradle/gradle.properties";
}

mvb · June 19, 2025, 8:56am

Thanks @TLATER , though it should be

{ config, ... }: {
  age.secrets.<name>.path = "${config.home.homeDirectory}/.gradle/gradle.properties";
}