From 4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6 Mon Sep 17 00:00:00 2001 From: Nicolas Dumazet Date: Fri, 17 Jan 2025 08:51:10 +0100 Subject: [PATCH] docs: expand a bit on user secrets + impermanence. See also the discussion at https://github.com/Mic92/sops-nix/issues/149 --- README.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1efa34a8..31bfb932 100644 --- a/README.md +++ b/README.md @@ -571,9 +571,18 @@ $y$j9T$WFoiErKnEnMcGq0ruQK4K.$4nJAY3LBeBsZBTYSkdTOejKU6KlDmhnfUV3Ll1K/1b. } ``` -**Note:** If you are using Impermanence, you must set `sops.age.keyFile` to a keyfile inside your persist directory or it will not exist at boot time. -For example: `/nix/persist/var/lib/sops-nix/key.txt` -Similarly if ssh host keys are used instead, they also need to be placed inside the persisted storage. +**Note:** If you are using Impermanence, the key used for secret decryption (`sops.age.keyFile`, or the host SSH keys) must be in a persisted directory, +loaded early enough during boot. For example: + +```nix +sops.age.keyFile = "/nix/persist/var/lib/sops-nix/key.txt"; +``` + +or: + +```nix +fileSystems."/etc/ssh".neededForBoot = true; +``` ## Different file formats
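Review bot: the "or:" between the two `nix` snippets in this hunk reads as if they are interchangeable, but they address different setups: the first picks a persisted path for `sops.age.keyFile`, the second marks a separately mounted `/etc/ssh` as needed for boot so host SSH keys are present when secrets are decrypted. Suggest labelling each snippet with the case it covers (e.g. "With an age key:" and "With host SSH keys on a persisted `/etc/ssh` mount:") and, for the first case, stating that the directory holding `key.txt` (here under `/nix/persist`) must itself be mounted early, since "loaded early enough during boot" on its own does not tell the reader what to configure. The removed line's explanation of the failure mode ("or it will not exist at boot time") is also worth keeping, as it is the only hint of what goes wrong when the key is not persisted.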