yarn: mount /var/lib/agenix in initrd

agenix activation runs from initrd-nixos-activation-start, which fires
right after /sysroot/persistent is mounted but before impermanence's
stage-2 bind mounts. The TPM identity at /var/lib/agenix/tpm-identity
was therefore unreadable at activation time, and every secret silently
failed to decrypt: 'no readable identities found'. Visible downstream
fallout was pull-update-apply hitting HTTP 401 against the binary cache
because nix-cache-netrc was never written to /run/agenix.

Mark /var/lib/agenix as neededForBoot via a bare fileSystems entry,
mirroring the existing /home/${username} bind. Drop the now-redundant
environment.persistence directory entry to avoid two competing units.

hosts/yarn/impermanence.nix

@@ -12,14 +12,6 @@
       "/var/lib/systemd/coredump"
       "/var/lib/nixos"
       "/var/lib/systemd/timers"
-      # agenix identity sealed by the TPM. Must survive the tmpfs root
-      # wipe so decryption at activation finds the right handle.
-      {
-        directory = "/var/lib/agenix";
-        mode = "0700";
-        user = "root";
-        group = "root";
-      }
     ];
 
     files = [
@@ -45,6 +37,17 @@
     options = [ "bind" ];
     neededForBoot = true;
   };
+  # /var/lib/agenix holds the TPM-sealed age identity. agenix decrypts secrets
+  # from initrd-nixos-activation-start, which runs *before* impermanence's
+  # stage-2 bind mounts. Mount it explicitly with neededForBoot so the
+  # identity is in place when activation reads it. (NixOS auto-marks /var/log
+  # and /var/lib/nixos as neededForBoot; /var/lib/agenix is not in that set.)
+  fileSystems."/var/lib/agenix" = {
+    device = "/persistent/var/lib/agenix";
+    fsType = "none";
+    options = [ "bind" ];
+    neededForBoot = true;
+  };
 
   systemd.tmpfiles.rules = [
     "d /etc 755 root"