using agenix to provide password hashes to userborn does not work

[marienz]

A configuration like

  users.users.marienz.hashedPasswordFile = config.age.secrets.marienz-password-hash.path;
  services.userborn.enable = true;

does not work: nixpkgs makes systemd-sysusers.service an alias for userborn.service, and agenix runs agenix-install-secrets.service after systemd-sysusers.service, but userborn tries to read the password hash from /run/agenix so it can create /etc/shadow. This results in boot logging:

Starting Manage Users and Groups...
...
Failed to update user marienz: Failed to read hashedPasswordFile "/run/agenix/marienz-password-hash": No such file or directory (os error 2)
...
Finished Manage Users and Groups.
...
Starting agenix-install-secrets.service...

If I change the ordering from "after" to "before" by doing

  systemd.services.agenix-install-secrets.before = ["userborn.service"];
  systemd.services.agenix-install-secrets.after = lib.mkForce [];

things seem to work (no errors logged)... but I see there's a chown to the "keys" group called by agenix-install-secrets that probably only works because the previous boot's /etc/groups is still there, and if I was using age.secrets.<name>.owner / .group that'd also be broken (so that's not the right fix).

If I understand how agenix integrates with system.activationScripts correctly, that had the chown broken out in a separate activation script to avoid this problem. Would it make sense to do something similar with two systemd services (moving the chown from agenix-install-secrets to a new agenix-chown.service, with the former before systemd-sysusers and the latter after)?

I can probably cook up a PR if that approach sounds reasonable.

[parnmatt]

I'm having the same issue, I was wondering if you made any progress with it?
#353 seemed to last be updated at the end of October.

[marienz]

#353 fixes it (I've been assuming it's just taking a while for anyone to get around to reviewing it).