···144144| `no matching keys` | Secret not encrypted for this key | Add key to `.sops.yaml`, run `sops updatekeys <file>` |
145145| `key not found` | Missing `~/.config/age/keys.txt` or host SSH key | Restore key or re-derive host key |
146146| `failed to decrypt` | Wrong key or corrupted file | Verify key with `age-keygen --to-public-key` |
147147-| Secret path is empty | sops-nix activation failed | Check `journalctl -b | grep sops` |
147147+| Secret path is empty | sops-nix activation failed | Check `journalctl -b \| grep sops` |
148148+| `attribute '<user>' missing` at eval time | Secret has `owner = "<user>"` but the service uses `DynamicUser` in its systemd unit, so no static entry exists in `config.users.users` | Declare the user/group explicitly (see below) |
149149+150150+### DynamicUser services and sops-nix
151151+152152+Some NixOS services (including `cloudflared`) use systemd's `DynamicUser = true`, which means they do **not** create a static entry in `config.users.users`. sops-nix tries to derive `group` from that attribute at evaluation time and fails with `attribute '<user>' missing`.
153153+154154+Fix: explicitly declare the user and group alongside the secret:
155155+156156+```nix
157157+users.users.cloudflared = {
158158+ isSystemUser = true;
159159+ group = "cloudflared";
160160+};
161161+users.groups.cloudflared = { };
162162+163163+sops.secrets."cf-tunnel.json" = {
164164+ sopsFile = ../secrets/cf-tunnel.json;
165165+ format = "binary";
166166+ owner = "cloudflared";
167167+ group = "cloudflared"; # must be set explicitly — cannot be derived from DynamicUser
168168+ mode = "0400";
169169+};
170170+```
171171+172172+This pattern is already applied in `modules/cloudflare-tunnel.nix`.