When darwin-rebuild switch runs from a context that can't reach the primary user's launchd domain — e.g. an SSH session as a non-primary deploy user, sudo'd up to root — the user-LaunchAgent reload in modules/system/launchd.nix can take down the whole activation:
launchctl asuser "$(id -u -- ${user})" sudo --user=${user} -- launchctl load -w ~${user}/Library/LaunchAgents/${target}
launchctl asuser <uid> needs to reach the target user's launchd domain via mach bootstrap, which isn't always possible from a sudo'd SSH session — even when the primary user is logged in to the console. When it fails, set -e in the activate script kills everything, so none of the steps after userLaunchd run (networking, nvram, homebrew, the final /run/current-system symlink). Downstream this looks like a SIGABRT / exit 134 with the activation log truncated right after reloading user service <name>.
Local activation as the primary user works fine — the activator is already inside that user's session.
The unload two lines up is already || true-guarded; the load should be too. The plist has already been cp -f'd into place, so the new agent gets picked up on next login regardless.
Repro: any darwin host with at least one user LaunchAgent, activate over SSH as a non-primary user, change something that bumps the agent plist hash so the diff check fires. Observed on macOS 26.3 / nix-darwin master.
Happy to send a PR.
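The failure mode described in this issue, reproduced with stand-ins (an added example, not part of the original report and not nix-darwin's activation code): a miniature activation script run under `set -e`, once with the load unguarded and once with `|| true`. `fake_launchctl_load`, the step names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; every command below is a constructed stand-in.
# Step names follow the issue text, not the real activation script.

# run_activation MODE   (MODE = unguarded | guarded)
# Runs a miniature "activate" script in a fresh sh process under `set -e`
# and prints each step that completed. Exit status is the child shell's.
run_activation() {
    sh -s -- "$1" <<'EOF'
set -e
mode=$1

# Stand-in for `launchctl asuser ... launchctl load -w ...` when the target
# user's launchd domain is unreachable. 134 mirrors the status in the issue.
fake_launchctl_load() { return 134; }

echo "userLaunchd: plist copied"
if [ "$mode" = guarded ]; then
    fake_launchctl_load || true   # failure tolerated, activation continues
else
    fake_launchctl_load           # set -e aborts the whole script here
fi
echo "userLaunchd: reload attempted"
echo "networking"
echo "nvram"
echo "homebrew"
echo "current-system symlink"
EOF
}

# completed_steps MODE: how many steps ran, whatever the exit status was.
completed_steps() {
    { run_activation "$1" || true; } | wc -l | tr -d ' '
}

for mode in unguarded guarded; do
    echo "$mode: $(completed_steps "$mode") of 6 steps ran"
done
```

In the unguarded run the output stops after the plist copy and the script exits with the failing command's status, which matches the truncated activation log described above.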