diff --git a/hosts/template2/bootstrap.nix b/hosts/template2/bootstrap.nix
index 8a7bcee..4cc4b83 100644
--- a/hosts/template2/bootstrap.nix
+++ b/hosts/template2/bootstrap.nix
@@ -109,8 +109,8 @@ in
 RemainAfterExit = true;
 ExecStart = "${bootstrap-script}/bin/nixos-bootstrap";
- # Read environment variables from /etc/environment (set by cloud-init)
- EnvironmentFile = "-/etc/environment";
+ # Read environment variables from /run/cloud-init-env (set by cloud-init)
+ EnvironmentFile = "-/run/cloud-init-env";
 # Logging to journald
 StandardOutput = "journal+console";
diff --git a/terraform/cloud-init.tf b/terraform/cloud-init.tf
index 8a26c99..22a74d1 100644
--- a/terraform/cloud-init.tf
+++ b/terraform/cloud-init.tf
@@ -17,7 +17,7 @@ resource "proxmox_cloud_init_disk" "ci" {
 - ${each.value.ssh_public_key}
 ${each.value.flake_branch != null || each.value.vault_wrapped_token != null ? <<-FILES
 write_files:
- - path: /etc/environment
+ - path: /run/cloud-init-env
 content: |
 %{~ if each.value.flake_branch != null ~}
 NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
@@ -27,7 +27,7 @@ resource "proxmox_cloud_init_disk" "ci" {
 VAULT_WRAPPED_TOKEN=${each.value.vault_wrapped_token}
 VAULT_SKIP_VERIFY=1
 %{~ endif ~}
- append: true
+ permissions: '0600'
 FILES
 : ""}
 EOT
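Review bot: With the file now under /run, the leading `-` in `EnvironmentFile = "-/run/cloud-init-env";` means that a start before cloud-init has written the file, or any start after a reboot, proceeds silently with none of the variables set. The ordering of this unit relative to cloud-init is not visible in the hunk (the service definition starts and ends outside it), so it is worth confirming that the unit is ordered after the stage that runs `write_files`. I would also extend the comment to say why the prefix is kept, e.g. `# Optional: written by cloud-init write_files (root-only, may carry VAULT_WRAPPED_TOKEN); /run is tmpfs, so the file is gone after the first boot`.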
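Review bot: Moving the `write_files` target to `/run/cloud-init-env` bounds the lifetime of the rendered file, but the same `VAULT_WRAPPED_TOKEN` value is still embedded in the user-data carried by the `proxmox_cloud_init_disk`. It is presumably also kept in the Terraform state and in cloud-init's cached copy of the user-data inside the guest. How the token is issued is not shown here, so the protection appears to rest on it being single-use and short-lived. A YAML comment above the entry would make that assumption explicit, e.g. `# Carries a response-wrapped token: must be single-use with a short TTL, because the user-data outlives /run`. The resource body starts and ends outside the hunk.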
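Review bot: `VAULT_SKIP_VERIFY=1` is still written next to `VAULT_WRAPPED_TOKEN`, so whatever unwraps the token does not authenticate the Vault server. The new `permissions: '0600'` protects the file at rest, but not the token in transit to an endpoint whose certificate is never checked. If the bootstrap client honours the standard Vault environment variables (not visible in this diff), I would drop the skip flag and ship the CA instead, e.g. `VAULT_CACERT=<path to CA bundle in the image>`. Separately, removing `append: true` means the file is now overwritten rather than extended, which is right for a dedicated file. A short comment that the quotes around `'0600'` keep YAML from reading the mode as a number would help the next editor.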