nixos on zfs with efi boot and full disk encryption

init.sh

#!/usr/bin/env bash
set -euo pipefail

# this can be your hostname
name=nixos
disk=/dev/nvme0n1

# destroy disk / remove signatures
zpool destroy -f $name ||:
wipefs -f -a "$disk"*  ||:

# partition for efiboot+zpool
sgdisk /dev/nvme0n1 -Z -o \
  -n1::+1G -t1:ef00 -c1:efi \
  -n2::    -t2:8300 -c2:$name
partprobe && sleep 1

# format efi partition
mkfs.vfat -n efi /dev/disk/by-partlabel/efi && sleep 1

# create encrypted zpool with sane defaults
zpool create -o ashift=12 \
  -O mountpoint=legacy \
  -O xattr=sa -O acltype=posixacl \
  -O normalization=formD \
  -O atime=off -O relatime=off \
  -O compression=zstd \
  -O encryption=aes-256-gcm -O keyformat=passphrase \
  $name /dev/disk/by-partlabel/$name && sleep 1

# create datasets
zfs create -o com.sun:auto-snapshot=true $name/$name # /
zfs create -o com.sun:auto-snapshot=true $name/home  # /home
zfs create -o com.sun:auto-snapshot=true $name/var   # /var
zfs create                               $name/nix   # /nix (no snapshots needed)
zfs create -o mountpoint=none            $name/vms   # prefix for vm volumes
zfs create -o refreservation=1G \
           -o mountpoint=none            $name/cow   # safety-net for cow-deadlock

# create mountpoints and mount
mount -t zfs $name/$name /mnt
mkdir -p /mnt/{home,var,nix,boot}
mount -t zfs $name/home /mnt/home
mount -t zfs $name/var /mnt/var
mount -t zfs $name/nix /mnt/nix
mount /dev/disk/by-partlabel/efi /mnt/boot

# generate nixos-config
nixos-generate-config --root /mnt

# now edit config, `nixos-install`, reboot