hmm need to find a NixOS zfs on root with native encryption tutorial.
don't want unencrypted, and don't want LUKS
openzfs only gives those options
https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html
ok got further but...still error using the nixos.org/wiki stuff
tootbrute Mount point '/boot' which backs the random seed file is world accessible, which is a security hole! ⚠️
⚠️ Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole! ⚠️
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
Traceback (most recent call last):
File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 452, in <module>
main()
~~~~^^
File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 435, in main
install_bootloader(args)
~~~~~~~~~~~~~~~~~~^^^^^^
File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 329, in install_bootloader
run(
~~~^
[f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ bootctl_flags
^^^^^^^^^^^^^^^
+ ["install"]
^^^^^^^^^^^^^
)
^
File "/nix/store/jzs1byj1ss0h3y76n23q1cxggi4rv13w-systemd-boot/bin/systemd-boot", line 58, in run
return subprocess.run(cmd, check=True, text=True, stdout=stdout)
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/qwb5ygz9k8gs5ql9bpxbrsrv12r1icgm-python3-3.13.12/lib/python3.13/subprocess.py", line 577, in run
raise CalledProcessError(retcode, process.args,
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/nix/store/y2rzx7s3kr3v95rsrl2141s8vaa4mkjf-systemd-258.5/bin/bootctl', '--esp-path=/boot', 'install']' returned non-zero exit status 1.
Failed to install bootloader
ok. i got the furthest using the unofficial wiki
https://nixos.wiki/wiki/ZFS
but....on reboot, it can't mount the ZFS pool which seems less than ideal.
enter passphrase for 'zpool':
1 / 1 keys succesfully loaded
mounting zpool/root cannot be mounted using mount
use zfs set mountpoint=legacy or zfs mount zpool/root
see zfs(8) for more information
retrying...
ok this looks good (5 years old though...hmm)
@tootbrute
Check my Config:
https://git.kb-one.de/Serverraum-mit-Matratze/infra/src/branch/main/systems/x86_64-linux/mow0m/hardware.nix
The Mirrored Boot works, but I couldn't figure out, how to setup Remote-Unlock via SSH, before the system boots... It's something with networking I didn't get arround fixing
oooh disko is cool. i can fail faster now. i think the actual disk stuff is ok? not sure.
used example one. systemd book sort of works but then after typing in zfs password
Kaybee's toots
Markus Wamserfilesystem 'zoot/root' cannot be mounted using 'mount'
use 'zfs set mountpoint=legacy' or 'zfs mount zroot/root'
see zfs(8) for more information
etc
must be something wrong with my hardware-configuration file? or maybe i just suck at installing nixos manually.
#configuration.nix
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hmmm
hardware-configuration.nix
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/82FD-BE08";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{ device = "zroot/root/nix";
fsType = "zfs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/97487565-3faa-4ac2-9208-e585dc63502c"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
maybe something i'm missing in here.
looking at this....i'm maybe missing
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.kernelModules = [ "zfs" ];
seems adding options = [ "zfsutil" ]; to the hardware-configuration.nix is VERY important.
plus this in the configuration.nix
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.kernelModules = [ "zfs" ];
https://wiki.nixos.org/wiki/ZFS
NOW...i wonder if i made the optimal ZFS setup. i probably should investigate this more.
right now i only have 3 datasets.
zroot pool
zroot/root for /
zroot/root/nix for /nix
zroot/root/swap for swap??? (not sure why this is disko default)
ZFS (wikipedia:en:ZFS), also known as OpenZFS (wikipedia:en:OpenZFS), is a modern filesystem which is well supported on NixOS. Besides the zfs package (ZFS Filesystem Linux Kernel module) itself, there are many packages in the ZFS ecosystem available. ZFS integrates into NixOS via the boot.zfs and services...
ok something is weird. it feels like it remembers what i did with the install USB. it made a zfs dataset that i didn't declare in the latest disko.
so.... reformatting a new nixos usb to start again. i must be soooooo close.
if it fails again, i give up and will just run btrfs through nixos graphical install.
i guess i put the fear of god into my machine. it worked!
have /home and /nix dataset.
only took me 2 days and 6-8 times doing it. i'm a pro at installing this way now 
blog post will be forthcoming. i took extensive notes this time.
My guide on how to do this. It took me a whole weekend to learn and figure this out. Never found a suitable basic guide that was super verbose. I hope this helps some #nixos + #zfs curious people
ZFS Encrypted Root with NixOS Minimal Install
https://blog.arkadi.one/p/zfs-encrypted-root-with-nixos-minimal-install/
If NixOS masters have suggestions on how to improve this guide, let me know.
I have been looking for a simple ZFS encrypted root guide on the internet. It doesn’t seem to exist. I am putting emphasis on the word simple. I decided to sacrified my weekend and mental health to make it happen. Before attempting this, please read these links, so you have some idea about what you’re doing and are aware of the main steps needed to install NixOS manually. It looks scary, but luckily you can skip most of these steps with the tool, Disko.