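{ config, lib, pkgs, ... }:
{
  # Extract the age identity held on a labelled USB stick into /run/secrets
  # early in boot, so the agenix unit ordered after this one can decrypt with it.
  systemd.services.usb-secrets = {
    description = "Extract USB secrets key";
    # Pulled in by sysinit with default dependencies disabled so it can run
    # before most of userspace; local-fs.target is still needed so that
    # /dev/disk/by-label and the mount point's parent are available.
    wantedBy = [ "sysinit.target" ];
    # NOTE(review): confirm this unit name matches the agenix module version in use.
    before = [ "agenix.service" ];
    wants = [ "local-fs.target" ];
    after = [ "local-fs.target" ];
    unitConfig.DefaultDependencies = false;
    serviceConfig = {
      Type = "oneshot";
      # The unit stays "active" after the script exits, so ordering against it
      # keeps working for later units.
      RemainAfterExit = true;
    };
    script = ''
      # Create the secrets directory with a restrictive mode up front: this unit
      # can run before systemd-tmpfiles applies the 0700 rule declared below,
      # and a bare `mkdir -p` would leave it at the umask default.
      mkdir -p -m 0700 /run/secrets
      chmod 0700 /run/secrets
      mkdir -p /mnt/usb

      # Idempotent: /run is tmpfs, so an existing key was placed there this boot.
      if [ -f /run/secrets/usb-secrets-key ]; then
        echo "USB secrets key already loaded"
        exit 0
      fi

      # Wait up to 30 s for the labelled device to be enumerated by udev.
      for i in {1..30}; do
        [ -e /dev/disk/by-label/SECRETS ] && break
        sleep 1
      done

      # Mount read-only and with nosuid/nodev/noexec: the medium is removable
      # and nothing on it should ever be executable or act as a device node.
      if mount -o ro,nosuid,nodev,noexec /dev/disk/by-label/SECRETS /mnt/usb 2>/dev/null; then
        # Unmount on every exit path, including an `install` failure under the
        # script's `set -e`; previously only the explicit branches unmounted.
        trap 'umount /mnt/usb' EXIT
        if [ -f /mnt/usb/usb-secrets-key ]; then
          # 0600 so the identity is readable by root only.
          install -m 600 /mnt/usb/usb-secrets-key /run/secrets/usb-secrets-key
          echo "USB secrets key loaded"
        else
          echo "Key file not found"
          exit 1
        fi
      else
        echo "USB not found"
        exit 1
      fi
    '';
  };

  # Point agenix at the extracted identity.
  age.identityPaths = [ "/run/secrets/usb-secrets-key" ];

  # Keep /run/secrets root-only; matches the mode the service sets itself.
  systemd.tmpfiles.rules = [ "d /run/secrets 0700 root root -" ];
}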