Cannot decrypt agenix / sops-nix secrets with yubikey during nixos-install

When attempting to install a new system with secrets, I get the following error:

building the flake in git+file:///tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy/tmp7g8nmkt0/etc/nixos?ref=refs/heads/master&rev=3a45be2a63085b6b48dbaa8f51e0b6684359367e...
warning: unknown experimental feature 'recursive-nix'
installing the boot loader...
install: cannot create directory '/mnt/etc/static': File exists
/nix/store/ngn2v00axgbp0bj3ik88qhgy3a2l8qyl-nixos-enter/bin/nixos-enter: failed to set up resolv.conf
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/id not present!
[agenix] WARNING: config.age.identityPaths entry /root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_rsa not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_ed25519 not present!
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/hashedPassword.age' to '/run/agenix.d/1/hashedPassword'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/password.age' to '/run/agenix.d/1/password'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/sha256HashedPassword.age' to '/run/agenix.d/1/sha256HashedPassword'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy.age' to '/run/agenix.d/1/tailscaleCaddy'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy2.age' to '/run/agenix.d/1/tailscaleCaddy2'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/client.age' to '/run/agenix.d/1/tailscaleClient'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wallpaper.age' to '/run/agenix.d/1/wallpaper'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wallpaper.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wallpaper.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wireless.age' to '/run/agenix.d/1/wireless'...
age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wireless.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wireless.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 1)...
Activation script snippet 'agenixInstall' failed (1)
setting up secrets for users...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint b32a5c2a56b5285595862b7ef41e7a569db131c6
Cannot convert ssh key '/root/.ssh/id_rsa': got *rsa.PrivateKey key type but: only ed25519 keys are supported
Cannot read ssh key '/persist//root/.ssh/id_rsa': open /persist//root/.ssh/id_rsa: no such file or directory
sops-install-secrets: Imported /root/.ssh/id_ed25519 as age key with fingerprint age1nfrrxq2jgv97uaunm09rfrp78mj63u00c7twg5zpx3fwa4a3au9q4x4es6
Cannot read ssh key '/persist//root/.ssh/id_ed25519': open /persist//root/.ssh/id_ed25519: no such file or directory
/nix/store/5mwrawz7ka2wrl7d9drzhqac6ggs1mjj-sops-install-secrets-0.0.1/bin/sops-install-secrets: failed to decrypt '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/hashedPassword.sops': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/hashedPassword’ does not exist
warning: password file ‘/run/secrets-for-users/hashedPassword’ does not exist
warning: password file ‘/run/secrets-for-users/hashedPassword’ does not exist
[agenix] chowning...
chown: cannot access '/run/agenix.d/1/hashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/password': No such file or directory
chown: cannot access '/run/agenix.d/1/sha256HashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy2': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleClient': No such file or directory
chown: cannot access '/run/agenix.d/1/wallpaper': No such file or directory
chown: cannot access '/run/agenix.d/1/wireless': No such file or directory
Activation script snippet 'agenixChown' failed (1)
setting up /etc...
setting up secrets...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint b32a5c2a56b5285595862b7ef41e7a569db131c6
Cannot convert ssh key '/root/.ssh/id_rsa': got *rsa.PrivateKey key type but: only ed25519 keys are supported
Cannot read ssh key '/persist//root/.ssh/id_rsa': open /persist//root/.ssh/id_rsa: no such file or directory
sops-install-secrets: Imported /root/.ssh/id_ed25519 as age key with fingerprint age1nfrrxq2jgv97uaunm09rfrp78mj63u00c7twg5zpx3fwa4a3au9q4x4es6
Cannot read ssh key '/persist//root/.ssh/id_ed25519': open /persist//root/.ssh/id_ed25519: no such file or directory
/nix/store/5mwrawz7ka2wrl7d9drzhqac6ggs1mjj-sops-install-secrets-0.0.1/bin/sops-install-secrets: failed to decrypt '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/password.sops': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecrets' failed (1)
Not checking switch inhibitors (action = boot)
Running in a chroot, enabling --graceful.
Created directory "/boot/EFI".
Created directory "/boot/EFI/systemd".
Created directory "/boot/EFI/BOOT".
Created directory "/boot/loader".
Created directory "/boot/loader/keys".
Created directory "/boot/loader".
Created directory "/boot/loader/entries".
Created directory "/boot/EFI".
Created directory "/boot/EFI/Linux".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Updated EFI boot entry "Linux Boot Manager".
installation finished!

It seems something is going wrong with age-plugin-yubikey, as shown by the line "age: error: yubikey plugin: couldn't start plugin: chdir /tmp/nix-shell-05afz87yd7jynp6wqrq3rhq57k/build-top-2lgc78a1r8qar74gr0bl5kkscy: no such file or directory". Note that this is being installed from a nix-shell.

Ah. It would appear that bind mounting the host’s /tmp directory to the target’s solved the no such file or directory error, but now it can’t open my Yubikey.

Bind mounting /dev, /proc, /sys, and /run seems to have worked. However, my $PATH seems to be messed up after installing, including GNOME's application launcher and icons. Is there any way to prevent this?
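The thread ends up needing five bind mounts under the target root before nixos-install: /tmp (the nix-shell working directory age-plugin-yubikey tries to chdir into) and /dev, /proc, /sys, /run (so the plugin can reach the YubiKey). The pre-flight check below is an added example, not code from the thread; it assumes the target root is /mnt and reads a mount table in /proc/self/mountinfo format, with a constructed sample standing in for the live table.

```shell
#!/bin/sh
# Added example, not from the original thread: on the installer host, before
# nixos-install, list which of the directories the thread bind-mounts (/tmp for
# the age-plugin-yubikey working directory, /dev /proc /sys /run for the
# YubiKey itself) are still missing under the target root.
# Assumption: target root is /mnt; the mount table is in mountinfo format.

# missing_bind_mounts TARGET [MOUNTINFO]
# Prints each of /tmp /dev /proc /sys /run that has no mount point at
# TARGET/<dir> in MOUNTINFO (default: the live /proc/self/mountinfo).
# Returns 0 only when nothing is missing.
missing_bind_mounts() {
    target=${1%/}                       # "/mnt/" -> "/mnt", "/" -> ""
    mountinfo=${2:-/proc/self/mountinfo}
    missing=0
    for d in /tmp /dev /proc /sys /run; do
        # mountinfo field 5 is the mount point
        if ! awk -v mp="$target$d" '$5 == mp { found = 1 } END { exit !found }' "$mountinfo"; then
            echo "$d"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample mount table: the target is mounted at /mnt and only /tmp
# and /dev have been bound into it so far (the state after the second post).
sample_mountinfo() {
    cat <<'EOF'
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw
28 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 28 8:3 / /mnt rw,relatime shared:30 - ext4 /dev/sda3 rw
41 40 0:24 / /mnt/tmp rw,nosuid,nodev shared:31 - tmpfs tmpfs rw
42 40 0:6 / /mnt/dev rw,nosuid shared:32 - devtmpfs devtmpfs rw
EOF
}

# Stand-alone run against the sample (sh script.sh --demo): prints /proc, /sys
# and /run, the three mounts the third post had to add.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_mountinfo > "$tmp"
    missing_bind_mounts /mnt "$tmp" || echo "bind these into /mnt before nixos-install"
    rm -f "$tmp"
fi
```

Run it without arguments (or with a real target) to check the live /proc/self/mountinfo instead of the sample.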