server-config/usb-secrets.nix

{
  config,
  lib,
  pkgs,
  ...
}:
{
  # Mount USB secrets drive via fileSystems
  fileSystems."/mnt/usb-secrets" = {
    device = "/dev/disk/by-label/SECRETS";
    fsType = "vfat";
    options = [ "noauto" "user" "rw" ];
  };

  age.identityPaths = [ "/mnt/usb-secrets/usb-secrets-key" ];

  systemd.tmpfiles.rules = [
    "d /mnt/usb-secrets 0755 root root -"
  ];
}