diff --git a/hosts/yarn/impermanence.nix b/hosts/yarn/impermanence.nix
index 557c05a..ebcd20f 100644
--- a/hosts/yarn/impermanence.nix
+++ b/hosts/yarn/impermanence.nix
@@ -12,14 +12,6 @@
 "/var/lib/systemd/coredump"
 "/var/lib/nixos"
 "/var/lib/systemd/timers"
- # agenix identity sealed by the TPM. Must survive the tmpfs root
- # wipe so decryption at activation finds the right handle.
- {
- directory = "/var/lib/agenix";
- mode = "0700";
- user = "root";
- group = "root";
- }
 ];
 files = [
@@ -45,6 +37,17 @@
 options = [ "bind" ];
 neededForBoot = true;
 };
+ # /var/lib/agenix holds the TPM-sealed age identity. agenix decrypts secrets
+ # from initrd-nixos-activation-start, which runs *before* impermanence's
+ # stage-2 bind mounts. Mount it explicitly with neededForBoot so the
+ # identity is in place when activation reads it. (NixOS auto-marks /var/log
+ # and /var/lib/nixos as neededForBoot; /var/lib/agenix is not in that set.)
+ fileSystems."/var/lib/agenix" = {
+ device = "/persistent/var/lib/agenix";
+ fsType = "none";
+ options = [ "bind" ];
+ neededForBoot = true;
+ };
 systemd.tmpfiles.rules = [
 "d /etc 755 root"
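Review bot: The new `fileSystems."/var/lib/agenix"` entry drops the `mode = "0700"; user = "root"; group = "root"` that the removed persistence entry pinned on the identity directory, and nothing in the hunk creates or re-permissions the bind source `/persistent/var/lib/agenix` — a plain bind mount only exposes what already exists on disk with whatever mode it has there, and with `neededForBoot = true` a missing source turns into a stage-1 mount failure rather than a skipped directory. Since `systemd.tmpfiles.rules` is opened on the very next context line, the cheap mitigation is a rule there, `"d /persistent/var/lib/agenix 0700 root root -"`, which enforces ownership and mode on every boot after the first (tmpfiles runs in stage 2, so it cannot help the initial mount), plus a sentence in the new comment stating that the directory must be pre-created on the persistent volume before this config is deployed. I am assuming `/persistent` itself is already mounted in stage 1, as the preceding `neededForBoot = true` entry suggests, but that is not visible here. The enclosing attribute set starts and ends outside the hunk.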