ryantm/agenix

Non-deterministic /run/agenix/secret generation

supermarin opened this issue · 0 comments

I'm trying to include nix-access-tokens in a file and source it in nix.conf with include.
Ran into a couple of problems, the first one:

If /run/agenix/secret1 already exists, setting age.secrets.secret1.[group|owner|mode|symlink] doesn't change owner, permissions, etc. rm -rf-ing /run/agenix doesn't help much either. I had to completely remove all references to age.secrets.secret1 in configuration.nix, run nixos-rebuild and re-run it with the secret reference back in to regenerate /run/agenix/secret1.
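The following is an added example, not part of the original issue and not agenix code: a check that compares a decrypted secret's on-disk owner, group and mode with the values declared under age.secrets, so drift like the one reported here shows up right after nixos-rebuild. The function name `check_secret` is hypothetical, the expected values are passed in by hand (the script does not read configuration.nix), and GNU `stat` is assumed.

```shell
#!/bin/sh
# check_secret PATH OWNER GROUP MODE   (hypothetical helper, added example)
# Returns 0 when the file matches, 1 on drift, 2 when the file is missing.
check_secret() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4

    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi

    # -L follows symlinks, so the check applies to the file that holds the
    # secret even when PATH is reached through a symlink.
    got_owner=$(stat -L -c '%U' "$path") || return 2
    got_group=$(stat -L -c '%G' "$path") || return 2
    got_mode=$(stat -L -c '%a' "$path") || return 2

    rc=0
    if [ "$got_owner" != "$want_owner" ]; then
        echo "DRIFT $path owner: declared $want_owner, on disk $got_owner"
        rc=1
    fi
    if [ "$got_group" != "$want_group" ]; then
        echo "DRIFT $path group: declared $want_group, on disk $got_group"
        rc=1
    fi
    # Compare modes as octal numbers so "0400" and "400" are treated as equal.
    if [ "$((0$got_mode))" -ne "$((0$want_mode))" ]; then
        echo "DRIFT $path mode: declared $want_mode, on disk $got_mode"
        rc=1
    fi
    return "$rc"
}

# Constructed usage (owner, group and mode here are sample values):
#   check_secret /run/agenix/secret1 nix-user users 0440
```
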