docs(age): improve readability with structured comments

Add section headers and explanatory comments to clarify the purpose of each configuration block, with emphasis on the critical persistent path requirement for early boot secret decryption.

nixos/common/global/age.nix

@@ -1,3 +1,5 @@
+# Agenix secret management with YubiKey rekeying
+# Handles encrypted secrets for services requiring credentials
 {
   config,
   pkgs,
@@ -6,25 +8,34 @@
 }: let
   hostname = config.networking.hostName;
 in {
+  # Module imports
   imports = [
     inputs.agenix.nixosModules.default
     inputs.agenix-rekey.nixosModules.default
   ];
 
+  # Overlay provides agenix-rekey package and extensions
   nixpkgs.overlays = [
     inputs.agenix-rekey.overlays.default
   ];
 
+  # CLI tool for manual secret rekeying operations
   environment.systemPackages = with pkgs; [
     agenix-rekey
   ];
 
+  # Secret decryption configuration
+  # Use persistent paths to ensure SSH keys are available during early boot
+  # activation, before impermanence bind mounts /etc/ssh/
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_rsa_key"
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
+
+  # YubiKey-based secret rekeying
   age.rekey = {
-    # Pubkey for rekeying
     hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
-    # Master identity used for decryption
     masterIdentities = [../users/sajenim/agenix-rekey.pub];
-    # Where we store the rekeyed secrets
     storageMode = "local";
     localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
   };