VictoriaMetrics Secrets

Hi!

I’m new to NixOS and I’m loving it. I set up a bunch of software in NixOS (forgejo, forgejo runner, caddy as a reverse proxy and webserver, custom applications as podman containers) and it’s working great! I’ve been using agenix to manage secrets and that worked great, but I’ve run into my first problem that I’ve not been able to figure out.

I want to run VictoriaMetrics to scrape Prometheus metrics. The metrics are protected with an HTTP Basic Auth username/password. I want to store the password encrypted with agenix and pass it to VictoriaMetrics.
Things I’ve tried:

  • In a job in services.victoriametrics.prometheusConfig.scrape_configs one can set basic_auth.password_file. But VictoriaMetrics is running as a systemd DynamicUser, so I cannot set the permissions on the agenix file to allow VictoriaMetrics to read it.
  • I think VictoriaMetrics supports using env vars in the config, but I did not find a way to set an env var for VictoriaMetrics; there does not appear to be an EnvironmentFile option for victoriametrics in NixOS. For other services I was able to use that before.

So my questions would be:

  • How do I set the ownership of an agenix secret so a DynamicUser service can access it?
  • How do I pass environment variables to a service as a file when it does not have an EnvironmentFile option?
  • Is there a better/different way to do what I want?

Thanks for any hints!

You create a group, make the file readable by that group, and then set:

systemd.services.victoriametrics.serviceConfig.SupplementaryGroups = [ "<somegroup>" ];

This works even with DynamicUser; though in addition you may need to add your secrets dir to ReadOnlyPaths.

Another alternative would be to use Credentials.

  1. Add systemd.services.victoriametrics.serviceConfig.LoadCredential = [ "BASICAUTH:${config.age.secrets.basic-auth.path}" ].
  2. Then set basic_auth.password_file = "/run/credentials/BASICAUTH" (or, if the service supports env variables in the config, $CREDENTIALS_DIRECTORY/BASICAUTH).

systemd will set up the credential at runtime, granting access to the dynamic user, regardless of the original permissions.

2 Likes
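The LoadCredential approach from the reply above, written out as a complete NixOS module. This is an added example, not code from the thread; the secret name vm-basic-auth, the username and the scrape target are placeholders, and the password_file uses the full /run/credentials/<unit>/ path that systemd creates for the victoriametrics.service unit.

```nix
# Added example (not from the thread): hand an agenix secret to the
# DynamicUser VictoriaMetrics service via systemd LoadCredential, so the
# service never needs read permission on the agenix-managed file itself.
# Assumed/placeholder names: the agenix secret "vm-basic-auth", the
# username "metrics" and the target "app.internal:9100".
{ config, ... }:
{
  # The decrypted file is root-owned (mode 0400) by default; that is fine,
  # because systemd, not the service, reads it when loading the credential.
  age.secrets.vm-basic-auth.file = ./secrets/vm-basic-auth.age;

  services.victoriametrics = {
    enable = true;
    prometheusConfig.scrape_configs = [{
      job_name = "app";
      basic_auth = {
        username = "metrics";
        # systemd places credential BASICAUTH here at unit start, readable
        # only by the unit's (dynamic) user; the same path is also exposed
        # to the process as $CREDENTIALS_DIRECTORY/BASICAUTH.
        password_file = "/run/credentials/victoriametrics.service/BASICAUTH";
      };
      static_configs = [{ targets = [ "app.internal:9100" ]; }];
    }];
  };

  # Load the agenix file as credential "BASICAUTH". The ID before the colon
  # must match the last path component used in password_file above.
  systemd.services.victoriametrics.serviceConfig.LoadCredential = [
    "BASICAUTH:${config.age.secrets.vm-basic-auth.path}"
  ];
}
```

After `nixos-rebuild switch`, `systemctl show victoriametrics -p LoadCredential` confirms the credential is attached to the unit, and the journal for the unit will show a scrape error if the file could not be read.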