For headless Raspberry Pi bring-up on NixOS, image-time secret injection is often more reliable than first-boot decryption on the device. Here's the provisioning flow, the brittle design we tried first, and why bootstrap state belongs under /var/lib rather than /etc.
Private repos return a 404, not a 401, and you're debugging the wrong thing. Here's how to configure Nix access-tokens, manage them with sops-nix on NixOS and macOS, create properly-scoped GitHub tokens, and handle the edge cases — remote builders, the daemon, and fresh hosts.
When your NixOS host needs decrypted secrets to build its own configuration but can't decrypt them until after it's built, you have a chicken-and-egg problem. Here's how nixos-rebuild's --target-host and --build-host flags solve it elegantly.