diff --git a/nixos/common/global/age.nix b/nixos/common/global/age.nix
index 521ff70..0a4a7c0 100644
--- a/nixos/common/global/age.nix
+++ b/nixos/common/global/age.nix
@@ -1,3 +1,5 @@
+# Agenix secret management with YubiKey rekeying
+# Handles encrypted secrets for services requiring credentials
 {
 config,
 pkgs,
@@ -6,25 +8,34 @@
 }:
 let
 hostname = config.networking.hostName;
 in {
+ # Module imports
 imports = [
 inputs.agenix.nixosModules.default
 inputs.agenix-rekey.nixosModules.default
 ];
+ # Overlay provides agenix-rekey package and extensions
 nixpkgs.overlays = [ inputs.agenix-rekey.overlays.default ];
+ # CLI tool for manual secret rekeying operations
 environment.systemPackages = with pkgs; [ agenix-rekey ];
+ # Secret decryption configuration
+ # Use persistent paths to ensure SSH keys are available during early boot
+ # activation, before impermanence bind mounts /etc/ssh/
+ age.identityPaths = [
+ "/persist/etc/ssh/ssh_host_rsa_key"
+ "/persist/etc/ssh/ssh_host_ed25519_key"
+ ];
+
+ # YubiKey-based secret rekeying
 age.rekey = {
- # Pubkey for rekeying
 hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
- # Master identity used for decryption
 masterIdentities = [../users/sajenim/agenix-rekey.pub];
- # Where we store the rekeyed secrets
 storageMode = "local";
 localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
 };
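Review bot: The new `age.identityPaths` lists the RSA host key as a decryption identity even though `age.rekey.hostPubkey` only ever encrypts the rekeyed secrets to the ed25519 host key, so the RSA private key is a second secret-capable identity that nothing in this module needs; narrowing the list to `age.identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];` keeps the decryption identity set equal to what secrets are actually encrypted for. The comment justifies `/persist` by early-boot activation, but that only holds if the `/persist` filesystem itself is marked `neededForBoot = true` (not visible here) — otherwise agenix activation runs before the identities exist and every secret fails to decrypt, so it is worth stating that requirement in the comment or verifying it in the filesystem config. As a consistency point, `localStorageDir` re-reads `config.networking.hostName` while `hostPubkey` uses the `hostname` binding from the `let`; `localStorageDir = ./. + "/secrets/rekeyed/${hostname}";` keeps the two paths guaranteed to name the same host. The enclosing `in { … }` attribute set closes outside this hunk.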