From 44a5d019603ad4e26b1f51990cfbb8db8f78a009 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Mon, 27 Apr 2026 17:42:40 -0400
Subject: [PATCH] yarn: mount /var/lib/agenix in initrd

agenix activation runs from initrd-nixos-activation-start, which fires right after /sysroot/persistent is mounted but before impermanence's stage-2 bind mounts. The TPM identity at /var/lib/agenix/tpm-identity was therefore unreadable at activation time, and every secret silently failed to decrypt: 'no readable identities found'.

Visible downstream fallout was pull-update-apply hitting HTTP 401 against the binary cache because nix-cache-netrc was never written to /run/agenix.

Mark /var/lib/agenix as neededForBoot via a bare fileSystems entry, mirroring the existing /home/${username} bind. Drop the now-redundant environment.persistence directory entry to avoid two competing units.
---
 hosts/yarn/impermanence.nix | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/hosts/yarn/impermanence.nix b/hosts/yarn/impermanence.nix
index 557c05a..ebcd20f 100644
--- a/hosts/yarn/impermanence.nix
+++ b/hosts/yarn/impermanence.nix
@@ -12,14 +12,6 @@
 "/var/lib/systemd/coredump"
 "/var/lib/nixos"
 "/var/lib/systemd/timers"
- # agenix identity sealed by the TPM. Must survive the tmpfs root
- # wipe so decryption at activation finds the right handle.
- {
- directory = "/var/lib/agenix";
- mode = "0700";
- user = "root";
- group = "root";
- }
 ];
 files = [
@@ -45,6 +37,17 @@
 options = [ "bind" ];
 neededForBoot = true;
 };
+ # /var/lib/agenix holds the TPM-sealed age identity. agenix decrypts secrets
+ # from initrd-nixos-activation-start, which runs *before* impermanence's
+ # stage-2 bind mounts. Mount it explicitly with neededForBoot so the
+ # identity is in place when activation reads it. (NixOS auto-marks /var/log
+ # and /var/lib/nixos as neededForBoot; /var/lib/agenix is not in that set.)
+ fileSystems."/var/lib/agenix" = {
+ device = "/persistent/var/lib/agenix";
+ fsType = "none";
+ options = [ "bind" ];
+ neededForBoot = true;
+ };
 systemd.tmpfiles.rules = [
 "d /etc 755 root"
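Review bot: The new `fileSystems."/var/lib/agenix"` bind mount drops the `mode = "0700"; user = "root"; group = "root";` guarantee that the removed environment.persistence entry in the first hunk gave the TPM-sealed identity directory, and a bare fileSystems entry neither creates `/persistent/var/lib/agenix` nor enforces its permissions. If the source directory is missing on a freshly provisioned persistent volume the neededForBoot bind mount presumably fails in initrd, and if it exists with a looser mode the sealed identity becomes readable by more than root. Since the file already maintains systemd.tmpfiles.rules, a rule such as `"d /persistent/var/lib/agenix 0700 root root -"` would reassert the mode on every boot (tmpfiles runs in stage 2, so it hardens later boots rather than rescuing the first), and the comment above the mount should state that the directory must be created on the persistent volume before first boot. The enclosing attribute set starts and ends outside the hunk.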