Why does a container failure prevent sops-nix from working?

[Nairou]

I’ve found a case which I don’t understand. I’ve got sops-nix setup and working with a minimal NixOS configuration. I do a nixos-rebuild switch, and the secrets are visible in /run/secrets/ as expected.

However, I then add some oci-containers to my configuration, using podman. Another nixos-rebuild switch, I get podman errors due to the containers not starting, which I fully expect as they’re not fully configured yet. I try a nixos-rebuild boot instead, it finishes without error.

But the weird part is, when the containers fail to start, there are no secrets visible in /run/secrets. It’s almost like sops-nix only gets activated on nixos-rebuild switch and not nixos-rebuild boot, and the container failure is cutting the rebuild short before it gets around to letting sops-nix run.

But, given that some of the containers specify environmentFiles values that reference sops-nix secrets, I would expect the secrets to already be processed and available before the containers try to start…

What is going on here? When does sops-nix actually get activated? Why would a container failure cause sops-nix to not run?

[caguiclajmg]

This is not a sops-nix issue but rather an understanding of how nixos-rebuild commands work, I hope this clears it up:

Build and switch to the new configuration, making it the boot default: sudo nixos-rebuild switch

Build the new configuration and make it the boot default without switching to it: sudo nixos-rebuild boot

from https://www.mankier.com/8/nixos-rebuild#Synopsis