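{ config, lib, pkgs, ... }:

{
  # Copy the USB-resident age identity into /run/secrets early in boot so it is
  # present before agenix reads config.age.identityPaths. The unit is ordered
  # before sysinit.target with DefaultDependencies=false, i.e. it runs as soon
  # as local filesystems are up; the script itself polls for the device.
  systemd.services.usb-secrets = {
    description = "Extract USB secrets key";
    wantedBy = [ "sysinit.target" ];
    before = [ "sysinit.target" ];
    wants = [ "local-fs.target" ];
    # systemd-udev-settle.service is only an ordering hint here (nothing in
    # this module pulls it in); device readiness is handled by the poll loop.
    after = [ "local-fs.target" "systemd-udev-settle.service" ];
    unitConfig.DefaultDependencies = false;
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };

    script = ''
      set -euo pipefail

      device=/dev/disk/by-label/SECRETS
      mountpoint=/mnt/usb
      key_dst=/run/secrets/usb-secrets-key

      # Set a restrictive mode on /run/secrets ourselves: this unit runs before
      # systemd-tmpfiles-setup, so the tmpfiles rule below cannot be relied on
      # to have fixed the mode by the time the key is written.
      mkdir -p /run/secrets
      chmod 0700 /run/secrets
      mkdir -p "$mountpoint"

      # Idempotent: a re-run (e.g. after a restart) is a no-op.
      if [ -f "$key_dst" ]; then
        echo "USB secrets key already loaded"
        exit 0
      fi

      # Wait up to 30 seconds for the labelled device node to appear.
      echo "Waiting for USB device $device..."
      for i in {1..30}; do
        if [ -e "$device" ]; then
          echo "USB device found after $i seconds"
          break
        fi
        echo "Attempt $i: USB device not found, waiting..."
        sleep 1
      done

      if [ ! -e "$device" ]; then
        echo "ERROR: USB device $device not found after 30 seconds"
        echo "Available devices:"
        ls -la /dev/disk/by-label/ || true
        exit 1
      fi

      # Give the device a moment to be fully ready for mounting.
      echo "Device found, waiting 2 seconds for device to be ready..."
      sleep 2

      # The stick only has to be read: mount it read-only and without
      # suid/dev/exec semantics so a tampered or corrupted filesystem on
      # removable media gets the least possible leverage. The EXIT trap
      # unmounts on every exit path (including set -e failures), so a
      # failed copy never leaves the key medium mounted.
      echo "Attempting to mount $device to $mountpoint..."
      if ! ${pkgs.util-linux}/bin/mount -o ro,nosuid,nodev,noexec "$device" "$mountpoint"; then
        echo "ERROR: mount of $device failed"
        exit 1
      fi
      trap '${pkgs.util-linux}/bin/umount "$mountpoint" || true' EXIT
      echo "Mount successful"

      if [ ! -f "$mountpoint/usb-secrets-key" ]; then
        echo "ERROR: key file not found on $device"
        exit 1
      fi

      # install(1) writes the copy with mode 0600, owned by root (the caller),
      # so the key is never readable by other users.
      ${pkgs.coreutils}/bin/install -m 600 "$mountpoint/usb-secrets-key" "$key_dst"
      echo "USB secrets key loaded"
    '';
  };

  # agenix decrypts with this identity only; the unit above must have placed it
  # before agenix runs.
  age.identityPaths = [ "/run/secrets/usb-secrets-key" ];

  # Keep /run/secrets root-only for the rest of the boot; the unit above sets
  # the same mode itself because it runs before tmpfiles.
  systemd.tmpfiles.rules = [ "d /run/secrets 0700 root root -" ];
}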