User:2r/NixOS on ZFS
This is a userspace draft and is not supported by NixOS Wiki.
Enable ZFS on Existing Installation
Add the following lines to configuration:
boot.supportedFilesystems = [ "zfs" ]; networking.hostId = "deadbeef";
Host ID should be unique, generate one with head -c 8 /etc/machine-id.
Rebuild system with nixos-rebuild switch.
Install NixOS on ZFS
Layout
Partitions
As swap on ZFS will cause deadlock and does not support hibernation, a separate swap partition should be created.
| ESP | bpool | rpool | swap | BIOS boot sector | |
| Filesystem | vfat | ZFS, feature limited for GRUB compatibility. | ZFS | swap | N/A |
| Content | grubx64.efi
|
/boot
|
/
|
swap | N/A |
| Encryption | No, can be validated with Secure Boot | LUKS1 | ZFS Encrytion | random/LUKS2 | N/A |
Datasets
As NixOS lacks a service to handle native ZFS mounting at boot, such as zfs-mount-generator, all mountable datasets must be created with mountpoint=legacy to be mounted with fileSystems option.
Datasets with canmount=off mountpoint=none are used as containers, that is, no data is stored directly under such datasets, but child datasets can inherit their properties or imitate directory structures, such as /var/log.
| Containers | mountpoint | canmount | comment | |||
| bpool | sys | BOOT | default | /boot | noauto | |
| rpool | sys | ROOT | default | / | noauto | |
| DATA | local | / | off | container for datasets that do not need backup, such as /nix | ||
| safe | / | off | container for datasets that need backup, such as /{root,home,home,user} | |||
Encryption
Boot pool can be encrypted with LUKS1 to prevent initrd tempering, however ZFS on LUKS is discouraged on root pool as LUKS abstracts physical devices and thus not desirable. Also, data needs to be encrypted per disk, thus slower than per file, as with ZFS native encryption.
ZFS native encryption does not encrypt dataset paths and default properties. Custom properties containing colon custom:property is encrypted. Also, as ZFS currently does not support replacing master key, once the passphrase/keyfile is compromised, the encrypted dataset must be destroyed to protect confidentiality. Therefore, users are advised to choose a strong password at the beginning.