Currently, secrets are copied into initrds for every generation on every rebuild. This means that if you rotate initrd SSH host keys or change the layout of your initrd secrets directory, rollbacks are effectively broken.
I think that secrets should be copied into /var/lib/initrd-secrets/<generation-id> (where <generation-id> is some stable identifier for the system; generation number might be good enough here) on the nixos-rebuild of that generation, and the bootloader modules would copy from the corresponding secrets generation. This would also let us handle remapping the paths to the initrd form, adjusting permissions, etc. in one place, reducing code duplication and making it easier to fix #85000.
cc @lopsided98; what do you think of this design? If people agree that this is a good direction to take then I might look into drafting an implementation.
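As an added illustration of the per-generation layout proposed in this issue (example code written here, not NixOS code and not a drafted implementation): a staging step that snapshots secrets into a generation-specific directory at rebuild time, and a bootloader-side lookup that resolves exactly that generation's directory, so a rollback boots with the keys it was built with. The function names, the `demo` scratch root and the sample key contents are assumptions for the example.

```shell
# Model of /var/lib/initrd-secrets/<generation-id>/ as proposed in the issue.
# Illustrative only (not NixOS code); runs under a scratch root so it is safe anywhere.
set -eu

ROOT="${INITRD_SECRETS_DEMO_ROOT:-$(mktemp -d)}"
STORE="$ROOT/var/lib/initrd-secrets"

# Rebuild-time step for generation $1: snapshot the secrets in source dir $2
# into a root-only directory that belongs to that generation alone.
stage_initrd_secrets() {
    gen="$1"; src="$2"
    dest="$STORE/$gen"
    mkdir -p "$dest"
    chmod 0700 "$STORE" "$dest"
    # Map host path -> initrd form (base name here) and fix permissions in one place.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/${f##*/}"
        chmod 0600 "$dest/${f##*/}"
    done
    printf '%s\n' "$dest"
}

# Bootloader-module step when (re)installing generation $1: resolve the
# secrets directory of that generation, never the newest one.
secrets_dir_for_generation() {
    gen="$1"
    dir="$STORE/$gen"
    [ -d "$dir" ] || { echo "no staged secrets for generation $gen" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Content of secret $2 as generation $1's initrd would receive it.
secret_for_generation() {
    cat "$(secrets_dir_for_generation "$1")/$2"
}

demo() {
    # Constructed sample: an initrd SSH host key rotated between two rebuilds.
    src="$ROOT/etc/secrets"; mkdir -p "$src"
    echo "hostkey-v1" > "$src/ssh_host_ed25519_key"
    stage_initrd_secrets 41 "$src" >/dev/null
    echo "hostkey-v2" > "$src/ssh_host_ed25519_key"   # rotation, then rebuild
    stage_initrd_secrets 42 "$src" >/dev/null
    # Rolling back to 41 still yields the key that generation was built with.
    secret_for_generation 41 ssh_host_ed25519_key
}
```

Run `demo` to see generation 41 resolve to `hostkey-v1` even after 42 was staged with the rotated key; a generation with no staged directory fails loudly instead of silently picking up the newest secrets.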