- agenix does not support SSH keys protected by a passphrase.
- agenix might need a reboot after the SSH key is set, to make sure the secrets are set up correctly.
- Some websites hosted on Cloudflare may not be reachable securely, because their root certificate (AAA certificate service, the root of the certificate chain) was removed in cacert v3.111, and rolling back to cacert v3.108 triggers an unbearable rebuild.
- `nixos-rebuild switch` generation not picked up on reboot on rpi 1
  The issue is that the new generation is not picked up on reboot; the system resets to the generation that was flushed to the SD card. This is possibly caused by the boot option: we switch to U-Boot instead of using the default bootloader. This should already be resolved in bf54024 by using nixos-raspberrypi instead of the default NixOS Raspberry Pi module.