use filesystems logic

2025-10-17 22:55:02 -04:00 · 2025-10-17 22:55:02 -04:00 · 1ddcccd1c2
commit 1ddcccd1c2
parent dd18bd1e6d
1 changed files with 7 additions and 66 deletions
--- a/usb-secrets.nix
+++ b/usb-secrets.nix
@ -5,75 +5,16 @@
  ...
 }:
 {
-  # Extract USB secrets key in main system before agenix
-  systemd.services.usb-secrets = {
-    description = "Extract USB secrets key";
-    wantedBy = [ "sysinit.target" ];
-    before = [ "sysinit.target" ];
-    wants = [ "local-fs.target" ];
-    after = [
-      "local-fs.target"
-      "systemd-udev-settle.service"
-    ];
-    unitConfig.DefaultDependencies = false;
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      mkdir -p /run/secrets /mnt/usb
-
-      # Check if key already exists
-      if [ -f /run/secrets/usb-secrets-key ]; then
-        echo "USB secrets key already loaded"
-        exit 0
-      fi
-
-      # Wait for USB devices
-      echo "Waiting for USB device /dev/disk/by-label/SECRETS..."
-      for i in {1..30}; do
-        if [ -e /dev/disk/by-label/SECRETS ]; then
-          echo "USB device found after $i seconds"
-          break
-        fi
-        echo "Attempt $i: USB device not found, waiting..."
-        sleep 1
-      done
-
-      if [ ! -e /dev/disk/by-label/SECRETS ]; then
-        echo "ERROR: USB device /dev/disk/by-label/SECRETS not found after 30 seconds"
-        echo "Available devices:"
-        ls -la /dev/disk/by-label/ || true
-        exit 1
-      fi
-
-      # Give device a moment to be fully ready for mounting
-      echo "Device found, waiting 2 seconds for device to be ready..."
-      sleep 2
-
-      # Mount USB and copy key
-      echo "Attempting to mount /dev/disk/by-label/SECRETS to /mnt/usb..."
-      if ${pkgs.util-linux}/bin/mount /dev/disk/by-label/SECRETS /mnt/usb; then
-        echo "Mount successful"
-        if [ -f /mnt/usb/usb-secrets-key ]; then
-          ${pkgs.coreutils}/bin/install -m 600 /mnt/usb/usb-secrets-key /run/secrets/usb-secrets-key
-          ${pkgs.util-linux}/bin/umount /mnt/usb
-          echo "USB secrets key loaded"
-        else
-          ${pkgs.util-linux}/bin/umount /mnt/usb
-          echo "Key file not found"
-          exit 1
-        fi
-      else
-        echo "USB not found"
-        exit 1
-      fi
-    '';
+  # Mount USB secrets drive via fileSystems
+  fileSystems."/mnt/usb-secrets" = {
+    device = "/dev/disk/by-label/SECRETS";
+    fsType = "vfat";
+    options = [ "noauto" "user" "rw" ];
  };

-  age.identityPaths = [ "/run/secrets/usb-secrets-key" ];
+  age.identityPaths = [ "/mnt/usb-secrets/usb-secrets-key" ];

  systemd.tmpfiles.rules = [
-    "d /run/secrets 0700 root root -"
+    "d /mnt/usb-secrets 0755 root root -"
  ];
 }