nix

modules/zfs-root.nix

@@ -0,0 +1,28 @@
+{ ... }:
+{
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.devNodes = "/dev/disk/by-id";
+  boot.initrd.systemd.enable = true;
+  boot.initrd.luks.devices.cryptroot = {
+    device = "/dev/disk/by-partlabel/cryptroot";
+    allowDiscards = true;
+    crypttabExtraOpts = [
+      "tpm2-device=auto"
+      "tpm2-pcrs=7"
+    ];
+  };
+
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+
+  services.zfs = {
+    autoScrub.enable = true;
+    trim.enable = true;
+    autoSnapshot.enable = true;
+  };
+
+  services.fstrim.enable = false;
+}