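# NixOS module: manual unlock/lock helpers for an encrypted USB stick that
# carries SSH keys, a GPG private key and three labelled data partitions.
#
# Provides two commands in the system profile:
#   keys-mount   - open the LUKS device, mount everything, load the keys
#   keys-umount  - drop the SSH keys, stop gpg-agent, unmount, close the device
{pkgs, ...}: {
  # The encrypted USB is NOT part of boot anymore
  # We do NOT use crypttab or systemd-cryptsetup units at all

  # Mount points only; the directories stay empty until keys-mount runs.
  systemd.tmpfiles.rules = [
    "d /mnt/ssh-keys 0755 root root -"
    "d /mnt/nixos-config 0755 root root -"
    "d /mnt/storage 0755 root root -"
    "d /mnt/tools 0755 root root -"
    "d /mnt/isos 0755 root root -"
  ];

  environment.systemPackages = with pkgs; [
    cryptsetup

    # 🔓 Mount + unlock + load SSH key
    (writeShellScriptBin "keys-mount" ''
      set -eu

      DEVICE="/dev/disk/by-uuid/d5aa2823-2023-410b-a83e-a4f707db5f7c"
      NAME="ssh-keys"
      MNT="/mnt/ssh-keys"
      MNT_CONFIG="/mnt/nixos-config"
      MNT_STORAGE="/mnt/storage"
      MNT_TOOLS="/mnt/tools"

      # A failure part-way through can leave the LUKS mapping open and some
      # partitions mounted; say so instead of exiting silently.
      trap 'rc=$?; if [ "$rc" -ne 0 ]; then echo "keys-mount failed; run keys-umount to lock the device again" >&2; fi' EXIT

      # Mount only if the target is not already a mount point, so the script
      # can be re-run after a partial failure.
      # $1 = mount point; remaining arguments are passed to mount(8).
      mount_once() {
        target="$1"
        shift
        if mountpoint -q "$target"; then
          echo "$target is already mounted, skipping"
        else
          sudo mount "$@" "$target"
        fi
      }

      echo "🔐 Unlocking encrypted USB..."
      if [ -e "/dev/mapper/$NAME" ]; then
        echo "/dev/mapper/$NAME is already open, skipping"
      else
        sudo cryptsetup open "$DEVICE" "$NAME"
      fi

      echo "📂 Mounting partitions..."
      mount_once "$MNT" "/dev/mapper/$NAME"
      mount_once "$MNT_CONFIG" -L nixos-config
      mount_once "$MNT_STORAGE" -L storage
      mount_once "$MNT_TOOLS" -L tools

      echo "🔑 Adding SSH keys..."
      # Added without a lifetime (-t): the keys stay in the agent until
      # keys-umount removes them or the agent exits.
      ssh-add "$MNT/poseidon"
      ssh-add "$MNT/apollo"

      echo "🔑 Importing GPG key..."
      # NOTE(review): --import copies the private key into the user's GnuPG
      # home, i.e. onto the host disk. It stays there after the USB is locked;
      # keys-umount only stops gpg-agent and does not delete it.
      gpg --import "$MNT/gpg-privkey.asc"

      echo "✅ Done"
    '')

    # 🔒 Clean unmount + lock
    (writeShellScriptBin "keys-umount" ''
      set -eu

      MNT="/mnt/ssh-keys"
      NAME="ssh-keys"
      failed=0

      echo "🔑 Removing SSH keys..."
      # Best effort on purpose: a key that was never loaded is not an error.
      ssh-add -d "$MNT/poseidon" 2>/dev/null || true
      ssh-add -d "$MNT/apollo" 2>/dev/null || true

      echo "🔑 Clearing GPG key..."
      # This drops the agent's cached passphrases only; a private key that
      # keys-mount imported remains in the keyring.
      # A failure here must not stop the device from being locked below.
      gpgconf --kill gpg-agent || {
        echo "could not stop gpg-agent" >&2
        failed=1
      }

      echo "📤 Unmounting..."
      # "Not mounted" is fine; a mounted filesystem that refuses to unmount
      # (for example because it is busy) is a real failure and is reported.
      for dir in /mnt/nixos-config /mnt/storage /mnt/tools "$MNT"; do
        if mountpoint -q "$dir"; then
          if ! sudo umount "$dir"; then
            echo "could not unmount $dir" >&2
            failed=1
          fi
        fi
      done

      echo "🔒 Closing encrypted device..."
      if [ -e "/dev/mapper/$NAME" ]; then
        if ! sudo cryptsetup close "$NAME"; then
          echo "could not close /dev/mapper/$NAME" >&2
          failed=1
        fi
      fi

      # Never print the success line while the key material may still be
      # reachable.
      if [ "$failed" -ne 0 ]; then
        echo "❌ Device may still be unlocked or mounted, see errors above" >&2
        exit 1
      fi

      echo "✅ Done"
    '')
  ];
}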