When I’m on Fedora and want to use a sysext containing a nix store, I can’t do that with a nix store under /nix, because systemd-sysext will only extend the /usr and /opt folders.
Correct.
I wasn’t aware of that. Do you happen to have any pointers to examples on how to use dm-verity with nix? I’m especially interested in having a ephemeral system with only a readonly nix store being on disk. I want that nix store to be mounted with dm-verity and I want to supply the expected verity roothash via a measured component of the boot process (like a measured kernel cmdline parameter in a UKI).