I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows:

age.secrets."userSecret" = {
  file = ./. + "/../../secrets/userSecret.age";
  path = "${config.age.secretsDir}/.user-secrets/userSecret";
  mode = "0600";
  owner = "1000";
  group = "100";
};

Here is the home-manager configuration for symlinking the agenix-decrypted secret:

# Paths are relative to user's home directory
home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];

Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of /run/agenix not as a directory but as a symlink itself to /run/agenix/<agenix generation>. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of ${age.secretsDir}, everything now seems to work as expected.

In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?

I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows:

age.secrets."userSecret" = {
  file = ./. + "/../../secrets/userSecret.age";
  path = "${config.age.secretsDir}/.user-secrets/userSecret";
  mode = "0600";
  owner = "1000";
  group = "100";
};

Here is the home-manager configuration for symlinking the agenix-decrypted secret:

# Paths are relative to user's home directory
home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];

Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of /run/agenix not as a directory but as a symlink itself to /run/agenix/<agenix generation>. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.

In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?

By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.

...except that now the secret with the custom path exists both in /run/agenix (because it's just a symlink to /run/agenix.d/1) as well as at the custom path. It isn't a problem but potentially misleading.

hi, i can't seem to provision keys to a new system. getting this while switching to a new generation:

cp: cannot stat '/run/agenix/ssh_lb1_initrd_ed25519': No such file or directory
failed to create initrd secrets: No such file or directory

/run/agenix is empty as the generation hasn't been switched to, but it's needed to create the initrd secrets (if i understand correctly). is this a known issue? can't find it being discussed in the issues of the repo

sudo mkdir -p /run/agenix && sudo touch /run/agenix/ssh_lb1_initrd_ed25519 && switch_generation
# /run/agenix/1 and /run/agenix.d/1/ssh_lb1_initrd_ed25519 gets created
# but /run/agenix/ssh_lb1_initrd_ed25519 is still my empty file and i get the same error if switching generation after deleting it

note that i have no idea what i'm doing at this point 🙃