systemd.sysusers.enable breaks hashedPasswordFile #318365

@TheRealGramdalf

Describe the bug

After enabling `systemd.sysusers.enable` (ref) while enabling `hashedPasswordFile`, attempting to `nixos-rebuild boot --flake .#` fails with `cat: /persist/secrets/passwdfile.gramdalf: No such file or directory`

Steps To Reproduce

Steps to reproduce the behavior:

  1. Enable `systemd.sysusers.enable`
  2. Add a `normalUser` with a `hashedPasswordFile` (ref)
  3. Attempt to `nixos-rebuild boot --flake .#`

Expected behavior

The hashedPasswordFile is used, but not added to /nix/store

Additional context

The suggested `nix log` only gives a single error line, complaining that the file doesn't exist. Copy/pasting the `cat` command works; I assume this to be due to the nix build environment being sanitized, with limited access to the filesystem as a whole.
The source comes from this part of the file, which attempts to read the `hashedPasswordFile` at build time rather than activation (which was the previous behavior).
Semi-related to #307159

Notify maintainers

@nikstur @NickCao

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

nix on  main [$!?]nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.12, NixOS, 24.11 (Vicuña), 24.11.20240531.57610d2`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - nixpkgs: `/nix/store/5jgh89kgmrb687c254wxdac4cj5hqjw8-source`
