Fix activation script to always regenerate age keys

sw/secrets.nix

@@ -193,15 +193,16 @@ in
 
     # Generate age identity files from SSH host keys at boot
     # This is needed because age can't reliably use OpenSSH private keys directly
+    # Must run before agenix tries to decrypt secrets
     system.activationScripts.convertSshToAge = {
-      deps = [ ];
+      deps = [ "users" "groups" ];
       text = ''
         mkdir -p /etc/age
-        if [ -f /etc/ssh/ssh_host_ed25519_key ] && ! [ -f /etc/age/ssh_host_ed25519.age ]; then
+        if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
-          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age
+          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age || true
-          chmod 600 /etc/age/ssh_host_ed25519.age
+          chmod 600 /etc/age/ssh_host_ed25519.age 2>/dev/null || true
         fi
-        if [ -f /etc/ssh/ssh_host_rsa_key ] && ! [ -f /etc/age/ssh_host_rsa.age ]; then
+        if [ -f /etc/ssh/ssh_host_rsa_key ]; then
           ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true
           chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true
         fi