From 2c01cf98f4abbbba495f80c5bb458f51a0025178 Mon Sep 17 00:00:00 2001 From: Matei Adriel Date: Thu, 18 Jan 2024 06:20:07 +0100 Subject: [PATCH] Give up and manually type zfs decryption keys --- hosts/nixos/lapetus/filesystems/default.nix | 6 +---- .../nixos/lapetus/filesystems/partitions.nix | 20 +++++++--------- hosts/nixos/lapetus/filesystems/zfs.nix | 23 +------------------ 3 files changed, 10 insertions(+), 39 deletions(-) diff --git a/hosts/nixos/lapetus/filesystems/default.nix b/hosts/nixos/lapetus/filesystems/default.nix index c809b1d..ac0025d 100644 --- a/hosts/nixos/lapetus/filesystems/default.nix +++ b/hosts/nixos/lapetus/filesystems/default.nix @@ -8,9 +8,5 @@ # Mark a bunch of paths as needed for boot fileSystems = lib.attrsets.genAttrs [ "/" "/nix" "/persist/data" "/persist/state" "/persist/local/cache" "/boot" ] - (p: { - neededForBoot = true; - # We need the extra check to allow nix to topologically sort everything - depends = lib.mkIf (p != "/") [ "/hermes" ]; - }); + (p: { neededForBoot = true; }); } diff --git a/hosts/nixos/lapetus/filesystems/partitions.nix b/hosts/nixos/lapetus/filesystems/partitions.nix index 0e6cab0..297d304 100644 --- a/hosts/nixos/lapetus/filesystems/partitions.nix +++ b/hosts/nixos/lapetus/filesystems/partitions.nix 
@@ -47,38 +47,34 @@ postCreateHook = '' zfs snapshot zroot@blank + zfs set keylocation="prompt" "zroot"; ''; rootFsOptions = { compression = "lz4"; "com.sun:auto-snapshot" = "false"; + encryption = "aes-256-gcm"; + keyformat = "passphrase"; + keylocation = "file:///hermes/secret.key"; }; # {{{ Datasets datasets = { - "secure" = { - type = "zfs_fs"; - options = { - encryption = "aes-256-gcm"; - keyformat = "passphrase"; - keylocation = "file:///hermes/secrets/lapetus/disk.key"; - }; - }; - "secure/persist/data" = { + "root/persist/data" = { type = "zfs_fs"; mountpoint = "/persist/data"; options."com.sun:auto-snapshot" = "true"; }; - "secure/persist/state" = { + "root/persist/state" = { type = "zfs_fs"; mountpoint = "/persist/state"; options."com.sun:auto-snapshot" = "true"; }; - "secure/local/nix" = { + "root/local/nix" = { type = "zfs_fs"; mountpoint = "/nix"; }; - "secure/local/cache" = { + "root/local/cache" = { type = "zfs_fs"; mountpoint = "/persist/local/cache"; }; diff --git a/hosts/nixos/lapetus/filesystems/zfs.nix b/hosts/nixos/lapetus/filesystems/zfs.nix index 5870103..54fce85 100644 --- a/hosts/nixos/lapetus/filesystems/zfs.nix +++ b/hosts/nixos/lapetus/filesystems/zfs.nix 
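Review bot: The passphrase in `/hermes/secret.key` stays valid for `zroot` after the added `zfs set keylocation="prompt" "zroot";` line, because changing keylocation only changes where ZFS looks for the key, not the key itself; with the whole pool now encrypted via `rootFsOptions`, that file is a live copy of the root-pool passphrase and needs the same handling as the typed one (removed from the USB once the pool exists, or kept with the same care). The declared `keylocation = "file:///hermes/secret.key"` also now disagrees with the live property set in postCreateHook, so re-applying disko would presumably point the pool back at the file; a comment next to it such as `# Only read at pool creation; postCreateHook switches the live keylocation to prompt` would record that. Pool creation additionally depends on `/hermes` being mounted by hand, since the automatic mount is dropped in zfs.nix in this same patch. The enclosing pool definition starts and ends outside the hunk.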
@@ -3,32 +3,11 @@
 let secretMountpoint = "/hermes";
 in {
   # Configure ZFS
-  boot.supportedFilesystems = [ "zfs" "ext4" ];
+  boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.extraPools = [ "zroot" ];
-  boot.zfs.requestEncryptionCredentials = [ "secure" ];
   boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   boot.kernelParams = [ "nohibernate" ];
 
-  fileSystems."/hermes" = {
-    neededForBoot = true;
-    device = "/dev/disk/by-uuid/9f795d9c-5ee0-4c53-a5bf-97767cd9a30b";
-    fsType = "ext4";
-    options = [ "x-systemd.automount" "nofail" ];
-  };
-
-  # # {{{ Mount usb for zfs secrets
-  # boot.initrd.systemd.mounts = [{
-  #   where = "/hermes";
-  #   what = "/dev/sdb";
-  #
-  #   # The usb contains sensitive data that should only be readable to root
-  #   # mountConfig.DirectoryMode = "0750";
-  #
-  #   wantedBy = [ "zfs-import.target" ];
-  #   before = [ "zfs-import.target" ];
-  # }];
-  # # }}}
-
   boot.initrd.systemd.services = {
     # # {{{ Rollback
     # rollback = {
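Review bot: Dropping `boot.zfs.requestEncryptionCredentials = [ "secure" ];` without naming the newly encrypted `zroot` leaves the initrd unlock relying on the option's default rather than on an explicit dataset list; `boot.zfs.requestEncryptionCredentials = [ "zroot" ];` would make the intent of the commit title visible here and keep the set of prompted datasets explicit. The `secretMountpoint = "/hermes"` binding is kept although the `fileSystems."/hermes"` entry that backed it is removed; if nothing below still references it, it is dead and could go, otherwise a comment saying the USB is now mounted manually would help the next reader. The removed comment block also carried the only statement that the key medium should be readable by root only; that property now depends on whoever mounts the device, which is worth one line near the pool configuration. The enclosing attrset continues past the hunk.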