Agenix - no identity matched any of the recipients

I want to use agenix in my configuration.nix file. I followed the tutorial on the agenix repo, but when running nixos-rebuild switch I get the age error: no identity matched any of the recipients. I do use a public key in secrets.nix that is in /etc/ssh/ though. Do the actual values for user here have to correspond to system users?

  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILI6jSq53F/3hEmSs+oq9L4TwOo1PrDMAgcA1uo1CCV/";
  users = [ user1 user2 ];

  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
  system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1";
  systems = [ system1 system2 ];
  "secret1.age".publicKeys = [ user1 system1 ];
  "secret2.age".publicKeys = users ++ systems;

Does the secret1.age file need to have certain permissions?

What else could be going wrong here?

EDIT: when running nixos-rebuild switch I get the output setting up /etc... after the decryption attempt. Is it possible that the ssh keys aren’t yet available during the decryption? If so, how can I enforce that they are?

I had to set age.identityPaths (GitHub - ryantm/agenix: age-encrypted secrets for NixOS and Home manager).