server-config/secrets.nix


let
  # Public half of the ed25519 key pair kept on the USB stick. Only the
  # public key belongs in this file: it is what secrets are encrypted to.
  # Decryption needs the matching private key, which must stay off the repo.
  usbSecretsKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8+eSX2LH5wEHVG9sSv97ceD5zdTarV0lRvoUso4A7p USB secrets decryption key";

  # Recipient list shared by every secret declared below.
  # NOTE(review): this is a single recipient. If the matching private key is
  # lost or the USB stick fails, none of these files can be decrypted or
  # re-keyed; consider adding a second, offline recovery recipient.
  # NOTE(review): no host key is listed, so presumably the USB identity has
  # to be reachable wherever these are decrypted; confirm against the
  # age.identityPaths setting in the system configuration.
  recipients = [ usbSecretsKey ];
in
{
  # Disk: ZFS dataset encryption key.
  "zfs-key.age" = { publicKeys = recipients; };

  # Boot chain: archive of the Secure Boot signing keys.
  "secureboot.tar.age" = { publicKeys = recipients; };

  # Accounts: hashed system password(s).
  "hashedPass.age" = { publicKeys = recipients; };

  # Services: per-service credentials.
  "caddy_auth.age" = { publicKeys = recipients; };
  "jellyfin-api-key.age" = { publicKeys = recipients; };
  "slskd_env.age" = { publicKeys = recipients; };

  # Network: WireGuard interface configuration (wg0).
  "wg0.conf.age" = { publicKeys = recipients; };
}