My use case and implementation is a bit niche, but it should work if sops-nix functioned as expected:
sops.defaultSopsFile = ./secrets/main.yaml;
#environment.etc."keys.txt.gpg".source = ./keys.txt.gpg;
sops.age.keyFile = "/run/keys.txt";
#sops.secrets.password.neededForUsers = true;
#fileSystems."/etc/ssh".neededForBoot = true;
sops.secrets.passwordHash.neededForUsers = true;
boot.initrd.extraFiles."/keys.txt.gpg".source = pkgs.runCommand "keys.txt.gpg" {} ''
cp ${./keys.txt.gpg} $out
'';
boot.initrd.postMountCommands = ''
echo -n "Enter decryption key: "
read -s DECRYPTION_KEY
echo ""
${pkgs.gnupg}/bin/gpg --batch --yes --passphrase "$DECRYPTION_KEY" --output /run/keys.txt --decrypt /keys.txt.gpg
'';
So for some reason, sops-nix is not using the keyfile to decrypt the secrets and use the secrets, DESPITE it being available. If you can make out that image, its looking for the host keys? why?? I specified my age key file, and the secrets file uses age, so maybe sops has a issue identifying preference? or maybe this is some fault due to the nicheness of my use case.
EDIT (solved):
Solved, I remembered that it does use ssh host keys to decrypt and age keys to encrypt.