Reliable Headless Raspberry Pi Provisioning on NixOS
For headless Raspberry Pi bring-up on NixOS, image-time secret injection is often more reliable than first-boot decryption on the device. Here's the provisioning flow, the brittle design we tried first, and why bootstrap state belongs under /var/lib rather than /etc.