ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal
1.34k stars 108 forks

.symlink = false fails to generate decrypted secrets #214

Open supermarin opened 8 months ago

supermarin commented 8 months ago

Having an existing age.secrets.secret1.file = ./foo, and adding age.secrets.secret1.symlink = false; in your configuration.nix causes the following error when running nixos-rebuild switch:

updating GRUB 2 menu...
activating the configuration...
[agenix] creating new generation in /run/agenix.d/9
[agenix] decrypting secrets...
decrypting '/nix/store/rfz17gds7i7lcbqla5s9giivlygg7vdj-nix.conf.age' to '/run/agenix/nixConf'...
[agenix] symlinking new secrets to /run/agenix (generation 9)...
[agenix] removing old secrets (generation 8)...
[agenix] chowning...
chown: cannot access '/run/agenix/nixConf': No such file or directory
Activation script snippet 'agenixChown' failed (1)

supermarin commented 8 months ago

Tried rebuilding without any references to age.secrets.secret1 and rebuilding with symlink = false; afterwards, got the same error.

I'm on nixos-unstable btw and using flakes. Tried with and without inputs.agenix.inputs.nixpkgs.follows = "nixpkgs"; in flake.nix so it seems broken both with my nixpkgs and the ones referenced in github:ryantm/agenix.

nessdoor commented 7 months ago

I am encountering the same error.

I was previously setting a custom decryption path for my non-symlinked secret through age.secrets.<name>.path, and everything worked fine. Then, I decided to keep the secret under the default agenix directory (still not symlinked, as I need direct access to the decrypted file), so I removed the path specification. After doing that, I encountered the same error that you did.

Looking at how agenix manages to keep stable references to changing generations, it seems like it is mandatory to specify a path outside of secretsDir for non-symlinked secrets (${secretsDir} is symlinked to ${secretsMountPoint}/<#generation>).
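The failure sequence visible in the activation log above (decrypt into the secretsDir symlink, repoint the symlink at the new generation, delete the old generation, then chown) can be reproduced outside of NixOS. The following shell script is an added illustration and is not agenix's own activation code: it models the generation layout that nessdoor describes (${secretsDir} as a symlink to ${secretsMountPoint}/<generation>) under a temporary directory, and compares a non-symlinked secret written under secretsDir with one written to an explicit path outside it. The directory names, the "nixConf" secret name and the plaintext are constructed for the example.

```shell
#!/bin/sh
# Added example, not agenix's script. Models the activation steps from the
# issue log: create generation 9, decrypt, repoint secretsDir, remove gen 8,
# chown. Layout assumed from the issue: $mount/<gen> and secretsDir -> $mount/<gen>.

# simulate_switch MODE
#   MODE=inside  : secret path defaults to ${secretsDir}/nixConf (symlink=false)
#   MODE=outside : secret path is an explicit location outside secretsDir
# Prints "present" if the decrypted file still exists at chown time, else "missing".
simulate_switch() {
  mode="$1"
  root=$(mktemp -d)
  mount="$root/agenix.d"      # stands in for /run/agenix.d
  secrets_dir="$root/agenix"  # stands in for /run/agenix

  # State before activation: generation 8 is live.
  mkdir -p "$mount/8"
  ln -sfn "$mount/8" "$secrets_dir"

  # "[agenix] creating new generation in .../9"
  mkdir -p "$mount/9"

  # "[agenix] decrypting secrets..." with symlink = false: the plaintext is
  # written straight to the configured path rather than into the new generation.
  if [ "$mode" = inside ]; then
    # Default path resolves through the symlink, i.e. into generation 8.
    target="$secrets_dir/nixConf"
  else
    mkdir -p "$root/etc"
    target="$root/etc/nixConf"
  fi
  printf 'constructed plaintext\n' > "$target"

  # "[agenix] symlinking new secrets to ... (generation 9)..."
  ln -sfn "$mount/9" "$secrets_dir"

  # "[agenix] removing old secrets (generation 8)..."
  rm -rf "$mount/8"

  # "[agenix] chowning..." : does the target still resolve to a file?
  if [ -e "$target" ]; then
    result=present
  else
    result=missing
  fi

  rm -rf "$root"
  echo "$result"
}

# Usage: the first call reproduces the chown failure from the issue,
# the second shows the workaround of a path outside secretsDir.
simulate_switch inside   # missing
simulate_switch outside  # present
```

In the "inside" case the file is written into generation 8 through the symlink and is deleted along with that generation before chown runs, which is exactly the "No such file or directory" seen in the issue; setting age.secrets.<name>.path to a location outside secretsDir avoids the problem because that file is never part of a generation directory.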