Give up and manually type zfs decryption keys

hosts/nixos/lapetus/filesystems/default.nix

@@ -8,9 +8,5 @@
   # Mark a bunch of paths as needed for boot
   fileSystems = lib.attrsets.genAttrs
     [ "/" "/nix" "/persist/data" "/persist/state" "/persist/local/cache" "/boot" ]
-    (p: {
-      neededForBoot = true;
-      # We need the extra check to allow nix to topologically sort everything
-      depends = lib.mkIf (p != "/") [ "/hermes" ];
-    });
+    (p: { neededForBoot = true; });
 }

hosts/nixos/lapetus/filesystems/partitions.nix

@@ -47,38 +47,34 @@
 
         postCreateHook = ''
           zfs snapshot zroot@blank
+          zfs set keylocation="prompt" "zroot";
         '';
 
         rootFsOptions = {
           compression = "lz4";
           "com.sun:auto-snapshot" = "false";
+          encryption = "aes-256-gcm";
+          keyformat = "passphrase";
+          keylocation = "file:///hermes/secret.key";
         };
 
         # {{{ Datasets
         datasets = {
-          "secure" = {
-            type = "zfs_fs";
-            options = {
-              encryption = "aes-256-gcm";
-              keyformat = "passphrase";
-              keylocation = "file:///hermes/secrets/lapetus/disk.key";
-            };
-          };
-          "secure/persist/data" = {
+          "root/persist/data" = {
             type = "zfs_fs";
             mountpoint = "/persist/data";
             options."com.sun:auto-snapshot" = "true";
           };
-          "secure/persist/state" = {
+          "root/persist/state" = {
             type = "zfs_fs";
             mountpoint = "/persist/state";
             options."com.sun:auto-snapshot" = "true";
           };
-          "secure/local/nix" = {
+          "root/local/nix" = {
             type = "zfs_fs";
             mountpoint = "/nix";
           };
-          "secure/local/cache" = {
+          "root/local/cache" = {
             type = "zfs_fs";
             mountpoint = "/persist/local/cache";
           };

hosts/nixos/lapetus/filesystems/zfs.nix

@@ -3,32 +3,11 @@ let secretMountpoint = "/hermes";
 in
 {
   # Configure ZFS
-  boot.supportedFilesystems = [ "zfs" "ext4" ];
+  boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.extraPools = [ "zroot" ];
-  boot.zfs.requestEncryptionCredentials = [ "secure" ];
   boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   boot.kernelParams = [ "nohibernate" ];
 
-  fileSystems."/hermes" = {
-    neededForBoot = true;
-    device = "/dev/disk/by-uuid/9f795d9c-5ee0-4c53-a5bf-97767cd9a30b";
-    fsType = "ext4";
-    options = [ "x-systemd.automount" "nofail" ];
-  };
-
-  # # {{{ Mount usb for zfs secrets
-  # boot.initrd.systemd.mounts = [{
-  #   where = "/hermes";
-  #   what = "/dev/sdb";
-  #
-  #   # The usb contains sensitive data that should only be readable to root
-  #   # mountConfig.DirectoryMode = "0750";
-  #
-  #   wantedBy = [ "zfs-import.target" ];
-  #   before = [ "zfs-import.target" ];
-  # }];
-  # # }}}
-
   boot.initrd.systemd.services = {
     # # {{{ Rollback 
     # rollback = {