I actually got disko + nixos-anywhere installing everything!
I forked the example and put it here to fine-tune it on a VM.
I’m not sure I can automate the TPM enrollment, since I think the system has to be booted into its final state before the PCR values match. I think I could get Secure Boot going, though.
The final zpool export hangs unless I ssh in and run `cryptsetup luksClose /dev/mapper/credstore`,
which I think is not the correct command; that close is supposed to happen in the postCreateHook.
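{ lib, ... }:
{
  # disko layout: GPT with an ESP plus one ZFS partition backing "rpool".
  # Inside the pool a small LUKS-wrapped zvol ("credstore") holds the raw key
  # for the natively encrypted "crypt" dataset tree that carries /, /nix and /var.
  disko.devices = {
    disk.disk1 = {
      # mkDefault so a host module can override the target disk without editing this file.
      device = lib.mkDefault "/dev/disk/by-id/ata-512GB_SSD_MQ08B81904931";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          zfs = {
            size = "100%";
            content = {
              type = "zfs";
              pool = "rpool";
            };
          };
        };
      };
    };

    zpool = {
      rpool = {
        type = "zpool";
        rootFsOptions = {
          mountpoint = "none";
          compression = "zstd";
          acltype = "posixacl";
          xattr = "sa";
          "com.sun:auto-snapshot" = "true";
        };
        options.ashift = "12";
        datasets = {
          # LUKS container on a zvol; the ext4 filesystem inside stores the ZFS
          # key file. It has no mountpoint of its own, so it is only mounted
          # (and unmounted) by the hooks on the "crypt" dataset below.
          credstore = {
            type = "zfs_volume";
            size = "100M";
            content = {
              type = "luks";
              name = "credstore";
              content = {
                type = "filesystem";
                format = "ext4";
              };
            };
          };

          # Encryption root for the system datasets. The key is a raw 32-byte
          # file read from the credstore, so the credstore must be unlocked and
          # mounted at /etc/credstore whenever this dataset's key is loaded.
          crypt = {
            type = "zfs_fs";
            options.mountpoint = "none";
            options.encryption = "aes-256-gcm";
            options.keyformat = "raw";
            options.keylocation = "file:///etc/credstore/zfs-sysroot.mount";
            # Generate the key before `zfs create`. `umask 077` makes the key
            # file 0600; a plain redirect inherits the installer's umask and
            # would leave the key readable by any local user while the
            # credstore is mounted. keyformat=raw requires exactly 32 bytes.
            preCreateHook = "mount -o X-mount.mkdir /dev/mapper/credstore /etc/credstore && umask 077 && head -c 32 /dev/urandom > /etc/credstore/zfs-sysroot.mount";
            # Release the credstore again so the zvol is not busy when disko
            # exports the pool at the end of the run; a mapping left open is
            # consistent with the export hang described above.
            postCreateHook = "umount /etc/credstore && cryptsetup luksClose /dev/mapper/credstore";
          };

          "crypt/system" = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "crypt/system/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
          "crypt/system/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
        };
      };
    };
  };
}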