impermanence: fix /etc permissions after re-deploy

modules/impermanence.nix

@@ -58,7 +58,13 @@
     }
   ];
 
+  # Enforce root ownership on /persistent/etc. The impermanence activation
+  # script copies ownership from /persistent/etc to /etc via
+  # `chown --reference`. If /persistent/etc ever gets non-root ownership,
+  # sshd StrictModes rejects /etc/ssh/authorized_keys.d/root and root SSH
+  # breaks while non-root users still work.
+  # Use "z" (set ownership, non-recursive) not "d" (create only, no-op on existing).
   systemd.tmpfiles.rules = [
-    "d /etc 755 root"
+    "z /persistent/etc 0755 root root"
   ];
 }