{ lib, ... }:
{

  boot.zfs.requestEncryptionCredentials = lib.mkForce false;

  boot.initrd = {
    services.lvm.enable = true;
    luks.devices = {
      "nixos-pv" = {
        device = "/dev/disk/by-uuid/614787a6-784a-4932-b787-cb6424725444";
        preLVM = true;
        allowDiscards = true;
      };
    };

    postResumeCommands = ''
      # let root mount and everything, then manually unlock stuff
      load_zfs_nix() {
        local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
        local mountPoint="/"
        local options="x-initrd.mount,noatime,nodiratime"
        local fsType="ext4"

        echo "manually mounting key location, then unmounting"
        udevadm settle

        mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"

        zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
        umount "$targetRoot/"
      }

      load_zfs_nix
    '';
  };

  fileSystems = {
    "/".options = [
      "noatime"
      "nodiratime"
    ];

    "/home".options = [
      "noatime"
      "nodiratime"
    ];

    "/boot".options = [
      "noatime"
      "nodiratime"
      "fmask=0077"
      "dmask=0077"
    ];

    "/nix".depends = [
      "/"
      "/crypto"
    ];

  };
}