Providing Runtime Secrets to NixOS Services with Agenix

https://lgug2z.com/articles/providing-runtime-secrets-to-nixos-services/

In my last post, I shared how to get a working instance of Nitter deployed on NixOS, but requested advice on how to best automatically provision the guest_accounts.json runtime secret file on the target server. A number of folks reached out to me on Mastodon (thanks @vt52@ioc.exchange, @aynish@merveilles.town, @linus@schreibt.jetzt and @uep@octodon.social!) to suggest that I use agenix to copy encrypted files to the server and decrypt them in non-world readable directories, and then use systemd’s LoadCredentials option to make them available to the nitter service.
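The wiring those suggestions describe, as an added NixOS configuration example that is not from the original post or the agenix project: the secret file name, the age identity path and the NITTER_ACCOUNTS_FILE variable are assumptions, not stated on the page.

```nix
# Added example: an agenix-managed secret handed to the nitter service through
# systemd's LoadCredential=. Assumed names: secrets/nitter-guest-accounts.age,
# the host SSH key as the age identity, and that nitter reads the accounts
# file path from NITTER_ACCOUNTS_FILE.
{ config, ... }:

{
  # Private key(s) agenix uses to decrypt the secrets during activation.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # The encrypted file is committed to the repo; agenix decrypts it at
  # activation to /run/agenix/nitter-guest-accounts, readable only by root.
  age.secrets.nitter-guest-accounts = {
    file = ./secrets/nitter-guest-accounts.age;
    owner = "root";
    mode = "0400";
  };

  systemd.services.nitter = {
    serviceConfig = {
      # systemd (running as root) reads the decrypted file and exposes a
      # private copy as $CREDENTIALS_DIRECTORY/guest_accounts.json owned by
      # the service user, so the service never needs access to /run/agenix
      # and the secret stays out of world-readable locations and the Nix store.
      LoadCredential = [
        "guest_accounts.json:${config.age.secrets.nitter-guest-accounts.path}"
      ];
    };
    # %d is systemd's specifier for the credentials directory.
    # Assumption: nitter locates guest_accounts.json through this variable.
    environment.NITTER_ACCOUNTS_FILE = "%d/guest_accounts.json";
  };
}
```

After a rebuild, `ls -l /run/agenix/` should show the decrypted file as `-r-------- root root`, and `systemctl show nitter -p LoadCredential` should list the mapping; the plaintext should appear nowhere under /nix/store.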