monotux.tech

Systemd, agenix and dynamic users

systemd, secrets, nixos

Can we combine managing secrets with agenix, and systemd’s feature DynamicUser without much hassle?

Yes. Yes we can!

In this case I'm experimenting with vmauth and would like to keep the users file (which contains raw passwords…) a bit safer, while still being able to keep my system configuration in git.

{ config, pkgs, ... }:
{
  # agenix decrypts this at activation time into a root-owned file (mode 0400
  # by default) at config.age.secrets.vmauth-users.path. No owner needs to be
  # set on the secret, because the service never opens that file itself.
  age.secrets.vmauth-users.file = ./secrets/vmauth-users.age;

  systemd.services.vmauth = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Type = "simple";
      # A throwaway UID/GID is allocated for the service when it starts.
      DynamicUser = true;
      # systemd (running as root) reads the decrypted secret and exposes a copy
      # to the service as $CREDENTIALS_DIRECTORY/users.yaml, readable only by
      # the dynamic user.
      LoadCredential = "users.yaml:${config.age.secrets.vmauth-users.path}";
      # \${...} is a literal ${...} in a Nix string; systemd expands the
      # variable itself at exec time (no shell is involved in ExecStart).
      ExecStart = "${pkgs.victoriametrics}/bin/vmauth -envflag.enable -auth.config=\${CREDENTIALS_DIRECTORY}/users.yaml";

      # blah blah blah
    };
  };
}

The important bits are LoadCredential and referring to the right file in ExecStart, but it should be pretty straightforward to understand. LoadCredential= has systemd, as root, read the agenix-decrypted file and place a copy in a per-service credentials directory that only the service's user can read, so the secret on disk can stay root-only (agenix's default) and nothing in the configuration has to know which UID DynamicUser= will pick at start-up. The ${CREDENTIALS_DIRECTORY} in ExecStart is expanded by systemd, not by a shell, which is why the Nix string has to escape it so Nix does not try to interpolate it. Aside from agenix this is just standard systemd functionality, so you can use it with any distro running systemd v247 or later.
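To confirm on the host that the secret really ends up private to the dynamic user, here is an added example (my own script, not code from the post, systemd or agenix). It assumes Linux with GNU stat, and that a unit's credentials live under /run/credentials/<unit>, which is where $CREDENTIALS_DIRECTORY points according to systemd.exec(5); the function names (is_private_to, check_credentials_dir, live_check, smoke_test) are mine.

```shell
#!/bin/sh
# Added example, not from the original post and not part of systemd or agenix:
# checks that a LoadCredential= secret is private to the service's (dynamic)
# user. Assumes Linux with GNU stat and that the unit's credentials live under
# /run/credentials/<unit>, which is what $CREDENTIALS_DIRECTORY points at per
# systemd.exec(5).

# is_private_to FILE UID: succeed if FILE is owned by UID and has no group or
# other permission bits at all.
is_private_to() {
  out=$(stat -c '%a %u' "$1" 2>/dev/null) || return 1
  set -- "$2" $out          # $1 = wanted uid, $2 = octal mode, $3 = owner uid
  [ "$3" = "$1" ] || return 1
  case $2 in
    0|*00) return 0 ;;      # e.g. 400, 700: only the owner has any access
    *)     return 1 ;;
  esac
}

# check_credentials_dir DIR UID: the directory and every file in it must be
# private to UID (systemd creates them as 0700 / 0400 owned by the service).
check_credentials_dir() {
  dir=$1; uid=$2
  is_private_to "$dir" "$uid" || return 1
  for f in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$f" ] || continue
    is_private_to "$f" "$uid" || return 1
  done
  return 0
}

# live_check UNIT: run as root on the host. The service's uid is taken from its
# main process, so this works for DynamicUser= units where the uid is not
# known in advance.
live_check() {
  unit=$1
  pid=$(systemctl show -p MainPID --value "$unit")
  [ -n "$pid" ] && [ "$pid" != 0 ] || { echo "$unit is not running" >&2; return 1; }
  uid=$(stat -c '%u' "/proc/$pid") || return 1
  check_credentials_dir "/run/credentials/$unit" "$uid"
}

# smoke_test SECRETFILE: run as root. Starts a throwaway transient unit as a
# dynamic user that reads a root-only file through LoadCredential= and prints
# its uid plus the credential listing, without writing any unit file.
smoke_test() {
  systemd-run --wait --pipe -p DynamicUser=yes \
    -p "LoadCredential=users.yaml:$1" \
    sh -c 'id -u; ls -ln "$CREDENTIALS_DIRECTORY"'
}

# Usage on the host from the post (as root): live_check vmauth.service
```

live_check reads the UID from /proc/<pid> rather than from the unit file precisely because a DynamicUser= service has no UID you could write down in advance; smoke_test is the quick way to see the same mechanism work before committing a unit to your configuration.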

Thank you Bert for the inspiration; this blog entry is what got me started and I highly recommend reading it!