The script that packs secrets into initrd is run as part of nixos-rebuild when the bootloader supports initrd secrets, but as part of the system build when it doesn't. This means that sandboxing affects the ability to set options like boot.initrd.ssh.hostKeys = [ "/root/..." ]; that aren't accessible from within the sandbox.
The handling should probably be split up so that it runs separately to the Nix build process regardless of bootloader support, since ideally the Nix builders won't have access to secrets.
I believe this is part of the cause for #84976.