Why does a container failure prevent sops-nix from working?

I’ve found a case which I don’t understand. I’ve got sops-nix set up and working with a minimal NixOS configuration. I do a nixos-rebuild switch, and the secrets are visible in /run/secrets/ as expected.

However, I then add some oci-containers to my configuration, using podman. Another nixos-rebuild switch, and I get podman errors, due to the containers not starting. I try a nixos-rebuild boot instead, it finishes without error.

There’s nothing wrong with the configuration, it’s just the containers that have issues, which I fully expect as they’re not fully configured yet. But the weird part is, when the containers fail to start, there are no secrets visible in /run/secrets. It’s almost like sops-nix only gets activated on nixos-rebuild switch and not nixos-rebuild boot, and the container failure is cutting the rebuild short before it gets around to letting sops-nix run.

But, given that some of the containers specify environmentFiles values that reference sops-nix secrets, I would expect the secrets to already be processed and available before the containers try to start…

What is going on here? When does sops-nix actually get activated? Why would a container failure cause sops-nix to not run?