Thanks. I did get both hashedPassword & passwordFile working earlier, without agenix, and it ended up looking similar to your approach.
I’ve pruned and sanitized my example config and posted it on GitHub. The main branch uses passwordFile without agenix and is a rough equivalent of your (much more polished) nixos-up, but with LUKS, and implemented in shell scripts instead of Python.
Now I’m working on adding agenix in another branch, step-by-step. I’ve started a post in “Learn” if anyone wants to follow along or offer advice. My goal is to get to a (fairly) minimal example on how to bootstrap a new system using agenix for secret management.