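{ lib, ... }:
{
  # The NixOS ZFS module requires a fixed hostId: ZFS records the creating host's id in
  # the pool and refuses a normal import when it does not match, so it must not change
  # from boot to boot.
  networking.hostId = "9c85d185";

  disko.devices = {
    disk.main = {
      type = "disk";
      device = "/dev/nvme0n1";
      content = {
        type = "gpt";
        partitions = {
          ESP = {
            # NOTE(review): 64M leaves room for very few NixOS generations (kernel +
            # initrd each); consider a larger ESP before the first deployment, since
            # resizing later means repartitioning.
            size = "64M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              # The ESP is the only unencrypted filesystem on the disk and holds the
              # kernels, initrds and the boot loader's state. vfat has no POSIX
              # permissions, so restrict the whole mount to root instead of leaving
              # it world-readable. Nothing here authenticates the boot chain: without
              # Secure Boot the initrd that asks for the ZFS passphrase could be
              # replaced by someone with physical access.
              mountOptions = [ "umask=0077" ];
            };
          };
          zfs = {
            size = "100%";
            content = {
              type = "zfs";
              pool = "zroot";
            };
          };
        };
      };
    };

    zpool.zroot = {
      type = "zpool";
      rootFsOptions = {
        compression = "zstd";
        # Off at the pool root; only datasets that opt in (persist, below) are
        # snapshotted by services.zfs.autoSnapshot.
        "com.sun:auto-snapshot" = "false";
      };
      # The pool itself is never mounted; every dataset uses a legacy mountpoint so
      # NixOS' fileSystems handles mounting.
      mountpoint = null;
      datasets = {
        # Encryption root. Every dataset below inherits the key, so a single
        # passphrase unlocks root, nix and persist.
        encrypted = {
          type = "zfs_fs";
          options = {
            mountpoint = "none";
            encryption = "aes-256-gcm";
            keyformat = "passphrase";
          };
          # Reset keylocation to "prompt" after creation so the passphrase is asked for
          # interactively in stage 1 at every boot. NOTE(review): this file configures no
          # remote/TPM unlock, so an unattended reboot will block at the prompt.
          postCreateHook = ''
            zfs set keylocation="prompt" "zroot/$name";
          '';
        };
        # Root filesystem. The @blank snapshot taken right after creation is what the
        # initrd rolls back to on every boot (see boot.initrd.postDeviceCommands).
        "encrypted/root" = {
          type = "zfs_fs";
          options.mountpoint = "legacy";
          mountpoint = "/";
          postCreateHook = "zfs snapshot zroot/encrypted/root@blank";
        };
        "encrypted/nix" = {
          type = "zfs_fs";
          options.mountpoint = "legacy";
          mountpoint = "/nix";
        };
        # The only dataset whose contents survive a reboot; anything that must persist
        # (host SSH keys, machine-id, service state) has to live here.
        "encrypted/persist" = {
          type = "zfs_fs";
          options.mountpoint = "legacy";
          mountpoint = "/persist";
          options."com.sun:auto-snapshot" = "true";
        };
      };
    };
  };

  # Impermanence: discard everything written to / since the last boot. `-r` also
  # destroys any snapshot of encrypted/root newer than @blank, so never enable
  # auto-snapshot on that dataset. mkAfter keeps this after the pool import and key
  # load that the NixOS zfs module adds to the same hook. NOTE(review):
  # postDeviceCommands is only honoured by the scripted initrd; with
  # boot.initrd.systemd.enable = true this rollback would silently not run.
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    zfs rollback -r zroot/encrypted/root@blank
  '';

  # /persist must be mounted in stage 1 so the persisted host keys below are available
  # before secrets are decrypted.
  fileSystems."/persist".neededForBoot = true;

  # HACK: agenix decrypts secrets before impermanence has bind-mounted /etc/ssh from
  # /persist, and / is blank at that point, so list the /persist copies as well; agenix
  # tries each path. These host private keys are the decryption identities for every
  # secret, which is why they must sit on the encrypted persist dataset.
  age.identityPaths = [
    "/etc/ssh/ssh_host_ed25519_key"
    "/etc/ssh/ssh_host_rsa_key"
    "/persist/etc/ssh/ssh_host_ed25519_key"
    "/persist/etc/ssh/ssh_host_rsa_key"
  ];

  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
    # Acts only on datasets with com.sun:auto-snapshot=true, i.e. encrypted/persist.
    autoSnapshot.enable = true;
  };
}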