oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity


[Documentation] Specify that flake and user's app must follow the same nixpkgs

matthew-salerno opened this issue · comments

I just ran into some unexpected behavior by not specifying inputs.nixpkgs.follows in agenix-rekey and using nixos-23.05 for my packages. When trying to deploy to an aarch64-linux machine from an x86_64-linux machine I ended up with different derivations. The tricky bit was I was convinced I was just using forceRekeyOnSystem wrong. Turns out all I needed to do was make the app use pkgs-unstable:

apps."x86_64-linux" = agenix-rekey.defineApps self (import nixpkgs-unstable { system = "x86_64-linux"; }) self.nixosConfigurations;

This seems like an easy mistake to make. It should probably be specified in the docs that the flake's input packages need to match the app's input nixpkgs.

Thanks for pointing this out. If the nixpkgs don't match, the "used" and "saved" rekey derivations may differ, which will of course cause problems. I'll add this to the docs right now.
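
A flake layout that keeps the three nixpkgs references discussed in this issue aligned, as an added example that is not part of the original thread or the project's documentation. The host name `examplehost`, the `./configuration.nix` path and the `agenix` input are assumptions; `defineApps` is used exactly as in the snippet posted above.

```nix
{
  inputs = {
    # The single nixpkgs that every part of this flake evaluates against.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";

    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";

    agenix-rekey.url = "github:oddlama/agenix-rekey";
    # Without this line agenix-rekey evaluates against the nixpkgs pinned in
    # its own lock file, which need not match the one used for the hosts.
    agenix-rekey.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, agenix, agenix-rekey, ... }: {
    # Target host (assumed name), built from the same nixpkgs input.
    nixosConfigurations.examplehost = nixpkgs.lib.nixosSystem {
      system = "aarch64-linux";
      modules = [
        agenix.nixosModules.default
        agenix-rekey.nixosModules.default
        ./configuration.nix # assumed path
      ];
    };

    # The rekey app runs on the x86_64-linux deploying machine, but it imports
    # the same nixpkgs input as the host above, so the rekey derivation it
    # saves is the one the host configuration later refers to.
    apps."x86_64-linux" = agenix-rekey.defineApps self
      (import nixpkgs { system = "x86_64-linux"; })
      self.nixosConfigurations;
  };
}
```

If the hosts are built from a different input such as `nixpkgs-unstable`, point both the `follows` line and the `import` inside `defineApps` at that input instead.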