From 9fb72e762b56b57bfc7a26d659aa3b7d03586901 Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sun, 12 Oct 2025 10:19:42 +0800
Subject: [PATCH] docs(age): improve readability with structured comments

Add section headers and explanatory comments to clarify the purpose of each configuration block, with emphasis on the critical persistent path requirement for early boot secret decryption.
---
 nixos/common/global/age.nix | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/nixos/common/global/age.nix b/nixos/common/global/age.nix
index 521ff70..0a4a7c0 100644
--- a/nixos/common/global/age.nix
+++ b/nixos/common/global/age.nix
@@ -1,3 +1,5 @@
+# Agenix secret management with YubiKey rekeying
+# Handles encrypted secrets for services requiring credentials
 {
   config,
   pkgs,
@@ -6,25 +8,34 @@
 }:
 let
   hostname = config.networking.hostName;
 in {
+  # Module imports
   imports = [
     inputs.agenix.nixosModules.default
     inputs.agenix-rekey.nixosModules.default
   ];
+  # Overlay provides agenix-rekey package and extensions
   nixpkgs.overlays = [ inputs.agenix-rekey.overlays.default ];
+  # CLI tool for manual secret rekeying operations
   environment.systemPackages = with pkgs; [ agenix-rekey ];
+  # Secret decryption configuration
+  # Use persistent paths to ensure SSH keys are available during early boot
+  # activation, before impermanence bind mounts /etc/ssh/
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_rsa_key"
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
+
+  # YubiKey-based secret rekeying
   age.rekey = {
-    # Pubkey for rekeying
     hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
-    # Master identity used for decryption
     masterIdentities = [../users/sajenim/agenix-rekey.pub];
-    # Where we store the rekeyed secrets
     storageMode = "local";
     localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
   };
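Review bot: The new file header `# Handles encrypted secrets for services requiring credentials` leaves out the one fact a maintainer needs before editing this module — what the decryption trust anchor is: the second hunk shows secrets being decrypted with this host's SSH private keys under `/persist/etc/ssh/` (`age.identityPaths`), so whoever can read those two files on the persistent volume can decrypt any secret encrypted to this host. I would replace that second header line with `# Secrets are decrypted at activation with this host's SSH private keys (age.identityPaths);` and `# the /persist copies of those keys are the root of trust here and must stay readable by root only.` so the permission requirement on the persisted keys is stated where it will be seen. The header also advertises "YubiKey rekeying", but nothing in the module itself shows a YubiKey — `masterIdentities` points at a plain `agenix-rekey.pub` file, so the hardware backing is presumably external and the comment should either hedge that or point to where the master identity is generated. The enclosing module attrset begins after this hunk and its closing brace lies beyond the patch as shown.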