From e8aafda386feb2d130d5717ee444316b312d1d09 Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Fri, 17 Oct 2025 23:12:18 -0400
Subject: [PATCH] fix various agenix things

---
 services/caddy.nix    |  6 ------
 services/soulseek.nix |  6 ------
 services/wg.nix       |  2 --
 usb-secrets.nix       | 12 +++++++-----
 4 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/services/caddy.nix b/services/caddy.nix
index 9fd0f32..53126d3 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -65,12 +65,6 @@ in
     };
   };
 
-  # Add agenix dependency for caddy service
-  systemd.services.caddy = {
-    after = [ "agenix.service" ];
-    requires = [ "agenix.service" ];
-  };
-
   systemd.tmpfiles.rules = [
     "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
   ];
diff --git a/services/soulseek.nix b/services/soulseek.nix
index 8795687..f936e58 100644
--- a/services/soulseek.nix
+++ b/services/soulseek.nix
@@ -67,12 +67,6 @@ in
   users.users.${config.services.jellyfin.user}.extraGroups = [ "music" ];
   users.users.${username}.extraGroups = [ "music" ];
 
-  # Add agenix dependencies for slskd service
-  systemd.services.slskd = {
-    after = [ "agenix.service" ];
-    requires = [ "agenix.service" ];
-  };
-
   systemd.tmpfiles.rules = [
     "Z ${service_configs.music_dir} 0750 ${username} music"
     "Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}"
diff --git a/services/wg.nix b/services/wg.nix
index 1e9d7f5..9ac529d 100644
--- a/services/wg.nix
+++ b/services/wg.nix
@@ -21,9 +21,7 @@
       "network.target"
       "jellyfin.service"
       "qbittorrent.service"
-      "agenix.service"
     ];
-    requires = [ "agenix.service" ];
     wantedBy = [ "multi-user.target" ];
 
     serviceConfig = {
diff --git a/usb-secrets.nix b/usb-secrets.nix
index b3082d0..b8a8fd6 100644
--- a/usb-secrets.nix
+++ b/usb-secrets.nix
@@ -9,12 +9,14 @@
   fileSystems."/mnt/usb-secrets" = {
     device = "/dev/disk/by-label/SECRETS";
     fsType = "vfat";
-    options = [ "noauto" "user" "rw" ];
+    options = [
+      "ro"
+      "uid=root"
+      "gid=root"
+      "umask=377"
+    ];
+    neededForBoot = true;
   };
 
   age.identityPaths = [ "/mnt/usb-secrets/usb-secrets-key" ];
-
-  systemd.tmpfiles.rules = [
-    "d /mnt/usb-secrets 0755 root root -"
-  ];
 }