use filesystems logic

2025-10-17 22:55:02 -04:00 · 2025-10-17 22:55:02 -04:00 · 1ddcccd1c2
commit 1ddcccd1c2
parent dd18bd1e6d
1 changed files with 7 additions and 66 deletions
--- a/usb-secrets.nix
+++ b/usb-secrets.nix
@ -5,75 +5,16 @@
  ...
 }:
 {
-  # Extract USB secrets key in main system before agenix
+  # Mount USB secrets drive via fileSystems
-  systemd.services.usb-secrets = {
+  fileSystems."/mnt/usb-secrets" = {
-    description = "Extract USB secrets key";
+    device = "/dev/disk/by-label/SECRETS";
-    wantedBy = [ "sysinit.target" ];
+    fsType = "vfat";
-    before = [ "sysinit.target" ];
+    options = [ "noauto" "user" "rw" ];
    wants = [ "local-fs.target" ];
    after = [
      "local-fs.target"
      "systemd-udev-settle.service"
    ];
    unitConfig.DefaultDependencies = false;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p /run/secrets /mnt/usb
      # Check if key already exists
      if [ -f /run/secrets/usb-secrets-key ]; then
        echo "USB secrets key already loaded"
        exit 0
      fi
      # Wait for USB devices
      echo "Waiting for USB device /dev/disk/by-label/SECRETS..."
      for i in {1..30}; do
        if [ -e /dev/disk/by-label/SECRETS ]; then
          echo "USB device found after $i seconds"
          break
        fi
        echo "Attempt $i: USB device not found, waiting..."
        sleep 1
      done
      if [ ! -e /dev/disk/by-label/SECRETS ]; then
        echo "ERROR: USB device /dev/disk/by-label/SECRETS not found after 30 seconds"
        echo "Available devices:"
        ls -la /dev/disk/by-label/ || true
        exit 1
      fi
      # Give device a moment to be fully ready for mounting
      echo "Device found, waiting 2 seconds for device to be ready..."
      sleep 2
      # Mount USB and copy key
      echo "Attempting to mount /dev/disk/by-label/SECRETS to /mnt/usb..."
      if ${pkgs.util-linux}/bin/mount /dev/disk/by-label/SECRETS /mnt/usb; then
        echo "Mount successful"
        if [ -f /mnt/usb/usb-secrets-key ]; then
          ${pkgs.coreutils}/bin/install -m 600 /mnt/usb/usb-secrets-key /run/secrets/usb-secrets-key
          ${pkgs.util-linux}/bin/umount /mnt/usb
          echo "USB secrets key loaded"
        else
          ${pkgs.util-linux}/bin/umount /mnt/usb
          echo "Key file not found"
          exit 1
        fi
      else
        echo "USB not found"
        exit 1
      fi
    '';
  };
-  age.identityPaths = [ "/run/secrets/usb-secrets-key" ];
+  age.identityPaths = [ "/mnt/usb-secrets/usb-secrets-key" ];
  systemd.tmpfiles.rules = [
-    "d /run/secrets 0700 root root -"
+    "d /mnt/usb-secrets 0755 root root -"
  ];
 }