Minimal example of how to pass a sops-nix secret (decrypted on the host) into a systemd-nspawn container via systemd's credential system, so the container never sees the age key or the sops file itself.
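# Minimal NixOS configuration: decrypt a sops-nix secret on the host and hand it
# to a systemd-nspawn container through systemd's credential mechanism.
# Intended for `nixos-rebuild build-vm` demos only -- see the security notes inline.
{ config, lib, pkgs, ... }:
{
  imports = [
    # NOTE(review): fetching master.tar.gz without a sha256 is unpinned and
    # non-reproducible; the module code you evaluate can change under you on
    # every build. Prefer a pinned rev plus `sha256 = "..."` (or a flake
    # input / niv / npins) before using this anywhere that matters.
    "${builtins.fetchTarball
      "https://github.com/Mic92/sops-nix/archive/master.tar.gz"
    }/modules/sops"
  ];

  users = {
    mutableUsers = true;
    users."nixos" = {
      isNormalUser = true;
      home = "/home/nixos";
      # Plaintext password plus wheel membership: acceptable for a throwaway
      # VM, never for a real host (use hashedPassword / a sops-managed one).
      password = "nixos";
      extraGroups = [ "wheel" ];
    };
  };

  sops.defaultSopsFile = ./secrets.yaml;
  # CAUTION: a path literal here is copied into the world-readable /nix/store,
  # so the *private* age key becomes readable by every user on the host (and
  # lands in any binary cache the closure is pushed to). Tolerable for this VM
  # demo; on a real system pass a string path to a file kept outside the
  # store, e.g. "/var/lib/sops-nix/key.txt".
  sops.age.keyFile = ./key.txt;
  sops.age.generateKey = false;
  # Decrypted on the host to config.sops.secrets.example_key.path
  # (presumably root-owned and mode 0400 under sops-nix defaults -- verify).
  sops.secrets.example_key = { };

  containers.test = {
    autoStart = true;
    # systemd-nspawn reads the decrypted file on the host and exposes it to the
    # container's PID 1 as the system credential "examplekey". Only the
    # plaintext value crosses into the container, not the age key or the
    # encrypted sops file.
    extraFlags = [
      "--load-credential=examplekey:${config.sops.secrets.example_key.path}"
    ];
    config = {
      system.stateVersion = "23.11";
      systemd.services.foobar = {
        enable = true;
        # Demo only: this prints the secret into the journal. A real service
        # should read the credential file and must never log it.
        script = ''
          echo $CREDENTIALS_DIRECTORY
          cat $CREDENTIALS_DIRECTORY/examplekeypropageted
          # Only the credential named in LoadCredential= is placed in this
          # unit's $CREDENTIALS_DIRECTORY; "examplekey" is not, so this cat
          # fails. NixOS service scripts run with errexit, so the unit fails
          # here -- intentional, it demonstrates the per-unit isolation.
          cat $CREDENTIALS_DIRECTORY/examplekey
        '';
        # Pull the system credential "examplekey" (supplied by nspawn) into this
        # unit under the name "examplekeypropageted".
        serviceConfig = { LoadCredential = "examplekeypropageted:examplekey"; };
        wantedBy = [ "multi-user.target" ];
      };
    };
  };

  system.stateVersion = "23.11";
}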
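# One-time setup for the demo; run in the directory holding configuration.nix.

# Generate an age identity. The private key is written to key.txt; the
# matching public key (age1...) is printed and is what goes into .sops.yaml.
age-keygen -o key.txt
# Belt and braces: the private key must stay readable by its owner only.
chmod 600 key.txt

# Tell sops which recipients may decrypt secrets.yaml. A minimal .sops.yaml:
#   creation_rules:
#     - path_regex: secrets\.yaml$
#       age: <public key printed by age-keygen above>

# Create/edit the encrypted file and add a line `example_key: mysecret`.
# SOPS_AGE_KEY_FILE points sops at the private key so it can (re-)encrypt.
SOPS_AGE_KEY_FILE=key.txt sops secrets.yaml

# Build a throwaway VM from configuration.nix. Because the config refers to
# key.txt as a Nix path literal, the private key is copied into the Nix store
# of the VM image -- fine for a demo, not for anything real.
nixos-rebuild -I nixos-config=configuration.nix build-vm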