Unlocking multiple luks devices with same passphrase

This is really not correct. First of all, in one file, multiple “sections” is just syntactic sugar for literally (I mean, actually, literally) the exact same thing as one “section”. It’s just attrset syntax. Across files, you’re relying on the NixOS module system to merge the definitions, which it very much does do. So what you had really should have worked. Based on the log you posted originally, it looks like it did reuse the passphrase for one disk, and then it didn’t for the third.

I think trying to manually set preLVM is actually what went wrong. I just looked at luksroot.nix, and it looks like the postCommands code unmounts the ramfs that the password to reuse gets saved in, and that gets run on both the preLVM devices and the regular devices, meaning passphrases are lost across the preLVM boundary. That should probably be considered a NixOS bug. We actually have an issue open about using the kernel keyring instead of a ramfs, which, yeah, would have avoided this.

@thoth This actually isn’t really a matter of derivations. Really, it comes down to the NixOS module system. This is just an eval-time thing, and doesn’t inherently involve derivations. Basically, the module system looks at all your modules (i.e. imports = [ /* ... */ ];) and merges the definitions in them into a final config value. This is the single source of truth of your configuration. So all your boot.initrd.luks.devices definitions get merged together into a single config.boot.initrd.luks.devices attribute set. Then the luksroot.nix module sets some different definitions based on that single source of truth.
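
The merging described above can be checked outside a full NixOS build. The following is an added example, not part of the original post and not code from luksroot.nix: the option declaration is a simplified stand-in, the device paths are constructed, and it assumes `<nixpkgs>` is on `NIX_PATH`.

```nix
# merge-demo.nix (added example; hypothetical file name)
# Evaluate with: nix-instantiate --eval --strict --json merge-demo.nix
let
  lib = import <nixpkgs/lib>;   # assumption: <nixpkgs> resolves on this machine

  # Simplified stand-in for the real option declaration (assumption:
  # only the two fields this example needs are declared here).
  declaration = {
    options.boot.initrd.luks.devices = lib.mkOption {
      default = { };
      type = lib.types.attrsOf (lib.types.submodule {
        options.device = lib.mkOption { type = lib.types.str; };
        options.preLVM = lib.mkOption { type = lib.types.bool; default = true; };
      });
    };
  };

  # First "file": one device, written as a single definition.
  moduleA = {
    boot.initrd.luks.devices.root.device = "/dev/disk/by-uuid/constructed-root";
  };

  # Second "file": two separate "sections". Within one attrset literal,
  # Nix itself folds these dotted paths into one attribute set before
  # the module system ever sees them.
  moduleB = {
    boot.initrd.luks.devices.data1.device = "/dev/disk/by-uuid/constructed-data1";
    boot.initrd.luks.devices.data2.device = "/dev/disk/by-uuid/constructed-data2";
    boot.initrd.luks.devices.data2.preLVM = false;
  };

  # The module system merges the definitions from all modules into one
  # config value, the single source of truth the post refers to.
  merged = (lib.evalModules {
    modules = [ declaration moduleA moduleB ];
  }).config.boot.initrd.luks.devices;
in
  # Project only the declared fields so the result serialises cleanly.
  lib.mapAttrs (_name: dev: { inherit (dev) device preLVM; }) merged
```

The result is a single attribute set containing `root`, `data1` and `data2`, regardless of which module or "section" each definition came from.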