
Nested keys are failing on some systems, working on others

Open typedrat opened this issue 8 months ago • 1 comment

I'm using a nested structure for my yaml secrets files like:

alloy:
    api_key: ...
    remotecfg_username: ...
    remotecfg_url: ...
    metrics_username: ...
    metrics_url: ...
    logs_username: ...
    logs_url: ...
# ...

It's my sops.defaultSopsFile, and I'm defining the sops.secrets like this:

    sops.secrets = {
      "alloy/api_key" = {};
      "alloy/remotecfg_url" = {};
      "alloy/remotecfg_username" = {};
      "alloy/metrics_username" = {};
      "alloy/metrics_url" = {};
      "alloy/logs_username" = {};
      "alloy/logs_url" = {};
    };

I'm getting the following error when the activation script tries to run:

sops-install-secrets: Imported /persist/etc/ssh/ssh_host_rsa_key as GPG key with fingerprint 589240582473b3bfc12d99c8303a2e3278e0371b
sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1dys2tpyg5p3jlqx9r0z9ast4athzkna8fdety3ml7xfgu47z9c3qmcymza
/nix/store/ahilpgqflssczm90dcsfvnc63wkpmlsm-sops-install-secrets-aarch64-unknown-linux-gnu-0.0.1/bin/sops-install-secrets: secret alloy/logs_username in /nix/store/jql3ksa5mkrl7dzn8x9q4chzyvq5a6ai-backend.sops.yaml is not valid: the value of key 'alloy' is not a string

I can't link the full configuration because this is a work project, but I'm doing essentially the same thing on my personal workstation and server: typedrat/nix-config/secrets/default.yaml and it's working fine. The only differences I can think of between the two are that it's working on my x86_64 machine and failing on a remote aarch64 server.

typedrat, May 06 '25 06:05

I'm doing nesting with alloy secrets as well; it works on x86/arm64.

Because it works on some but not others, it makes me wonder if the secrets have not been updated with the host keys with sops updatekeys, or if it's the permissions to read them.

sedlund, May 07 '25 06:05
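Both the "is not a string" error in the issue and the hypothesis in the comment above (the file was never re-encrypted for the host's key with sops updatekeys) can be checked without the host's private key. The script below is an added example, not code from sops-nix or from either poster. It walks each sops.secrets key path through the YAML the way a slash-separated lookup has to (every intermediate key a mapping, the leaf a string) and lists the age/PGP recipients recorded in the file's sops metadata block. Because sops keeps the key layout when encrypting and only replaces leaves with ENC[...] strings, both checks work on the still-encrypted file as well as on sops -d output. The sample document, the workstation recipient and the two planted defects (alloy/logs_username is a mapping, alloy/logs_url is missing) are constructed; PyYAML is assumed to be installed only when you point it at a real file.

```python
"""Pre-flight check for sops-nix nested secret keys (added example, not sops-nix code)."""
from __future__ import annotations

import sys

# Age recipient of the failing host, taken from the activation log in the issue.
HOST_AGE_RECIPIENT = "age1dys2tpyg5p3jlqx9r0z9ast4athzkna8fdety3ml7xfgu47z9c3qmcymza"
# Constructed recipient standing in for the workstation the file was encrypted on.
WORKSTATION_AGE_RECIPIENT = "age1workstationexampleconstructed00000000000000000000000000000"

# Constructed stand-in for the parsed backend.sops.yaml (what yaml.safe_load returns
# on the encrypted file). Leaf values are placeholder ENC[...] strings, not real
# ciphertext. Two defects are planted on purpose: alloy/logs_username is a mapping
# instead of a string, and alloy/logs_url is absent.
SAMPLE_DOC: dict = {
    "alloy": {
        "api_key": "ENC[AES256_GCM,data:...,type:str]",
        "remotecfg_username": "ENC[AES256_GCM,data:...,type:str]",
        "remotecfg_url": "ENC[AES256_GCM,data:...,type:str]",
        "metrics_username": "ENC[AES256_GCM,data:...,type:str]",
        "metrics_url": "ENC[AES256_GCM,data:...,type:str]",
        "logs_username": {"primary": "ENC[AES256_GCM,data:...,type:str]"},  # wrong: mapping
    },
    "db_password": "ENC[AES256_GCM,data:...,type:str]",
    "sops": {
        # Only the workstation key is listed: the host above cannot decrypt this file.
        "age": [{"recipient": WORKSTATION_AGE_RECIPIENT, "enc": "-----BEGIN AGE ENCRYPTED FILE-----..."}],
        "pgp": [],
    },
}

# The key paths declared under sops.secrets in the issue.
SECRET_KEYS = [
    "alloy/api_key",
    "alloy/remotecfg_url",
    "alloy/remotecfg_username",
    "alloy/metrics_username",
    "alloy/metrics_url",
    "alloy/logs_username",
    "alloy/logs_url",
]


def resolve_secret_path(doc: dict, path: str) -> tuple[str, str | None]:
    """Walk an "a/b/c" key path through nested mappings.

    Returns ("ok", leaf_value) or (reason, None) describing the first structural
    problem: a missing key, an intermediate value that is not a mapping, or a
    leaf that is not a string.
    """
    parts = path.split("/")
    node = doc
    for i, part in enumerate(parts):
        if not isinstance(node, dict):
            return f"key '{'/'.join(parts[:i])}' does not refer to a dictionary", None
        if part not in node:
            return f"the key '{'/'.join(parts[: i + 1])}' cannot be found", None
        node = node[part]
    if not isinstance(node, str):
        return f"the value of key '{path}' is not a string", None
    return "ok", node


def check_secrets(doc: dict, secret_keys: list[str]) -> dict[str, str]:
    """Map every declared secret key path to its resolution status."""
    return {key: resolve_secret_path(doc, key)[0] for key in secret_keys}


def recipients(doc: dict) -> dict[str, list[str]]:
    """Age recipients and PGP fingerprints from the file's sops metadata block."""
    meta = doc.get("sops") or {}
    return {
        "age": [e["recipient"] for e in (meta.get("age") or []) if "recipient" in e],
        "pgp": [e["fp"] for e in (meta.get("pgp") or []) if "fp" in e],
    }


def host_can_decrypt(doc: dict, age_recipient: str, pgp_fp: str | None = None) -> bool:
    """True if the file is encrypted to the given age recipient or PGP fingerprint."""
    r = recipients(doc)
    if age_recipient in r["age"]:
        return True
    return pgp_fp is not None and pgp_fp.lower() in {fp.lower() for fp in r["pgp"]}


def load_doc(path: str) -> dict:
    """Parse a real sops YAML file; PyYAML is assumed to be installed for this path."""
    import yaml  # only needed when running against a real file

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


if __name__ == "__main__":
    doc = load_doc(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DOC
    for key, status in check_secrets(doc, SECRET_KEYS).items():
        print(f"{key}: {status}")
    print("recipients:", recipients(doc))
    print("host key present:", host_can_decrypt(doc, HOST_AGE_RECIPIENT))
```

Run it as `python check_sops.py /path/to/backend.sops.yaml` on the file the activation script is using (the /nix/store path in the error names it). A structural complaint means the YAML on that host differs from the one that works elsewhere; a missing host recipient means sops updatekeys still has to be run with that host's age key in .sops.yaml.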