server-config/usb-secrets.nix

{
  config,
  lib,
  pkgs,
  ...
}:
{
  # Mount USB secrets drive via fileSystems
  fileSystems."/mnt/usb-secrets" = {
    device = "/dev/disk/by-label/SECRETS";
    fsType = "vfat";
    options = [
      "ro"
      "uid=root"
      "gid=root"
      "umask=377"
    ];
    neededForBoot = true;
  };

  age.identityPaths = [ "/mnt/usb-secrets/usb-secrets-key" ];
}