impermanence: fix /etc permissions after re-deploy

2026-02-11 15:41:30 -05:00
parent 35f0c08ee2
commit 9cc63fcfb8
1 changed files with 7 additions and 1 deletions
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -58,7 +58,13 @@
    }
  ];

+  # Enforce root ownership on /persistent/etc. The impermanence activation
+  # script copies ownership from /persistent/etc to /etc via
+  # `chown --reference`. If /persistent/etc ever gets non-root ownership,
+  # sshd StrictModes rejects /etc/ssh/authorized_keys.d/root and root SSH
+  # breaks while non-root users still work.
+  # Use "z" (set ownership, non-recursive) not "d" (create only, no-op on existing).
  systemd.tmpfiles.rules = [
-    "d /etc 755 root"
+    "z /persistent/etc 0755 root root"
  ];
 }