secrets overhaul: use tpm for laptop (need to migrate desktop later)

2026-04-23 14:05:43 -04:00
parent 22282691e7
commit e019f2d4fb
17 changed files with 218 additions and 25 deletions
--- a/hosts/yarn/impermanence.nix
+++ b/hosts/yarn/impermanence.nix
@@ -12,6 +12,14 @@
      "/var/lib/systemd/coredump"
      "/var/lib/nixos"
      "/var/lib/systemd/timers"
+      # agenix identity sealed by the TPM. Must survive the tmpfs root
+      # wipe so decryption at activation finds the right handle.
+      {
+        directory = "/var/lib/agenix";
+        mode = "0700";
+        user = "root";
+        group = "root";
+      }
    ];

    files = [