# NixOS module: unattended unlock of the encrypted storage at boot through
# Clevis with the Tang pin, the initrd networking that makes Tang reachable,
# and a handful of mount options.
# `lib` is not used in this file; it stays in the signature because the module
# system hands it in and other modules in the tree presumably share the shape.
{ lib, ... }:
{
  # --- initrd: storage unlock -------------------------------------------------
  boot.initrd.services.lvm.enable = true;

  # LUKS container that holds the LVM physical volume. It has to be opened
  # before LVM activation, otherwise the PV is not visible to vgchange.
  boot.initrd.luks.devices."nixos-pv" = {
    device = "/dev/disk/by-uuid/614787a6-784a-4932-b787-cb6424725444";
    preLVM = true;
    # SECURITY trade-off: passes TRIM/discard through dm-crypt. Keeps the SSD
    # fast, but the used-vs-free block pattern of the plaintext becomes visible
    # to anyone holding the raw device. Accepted here; revisit if the threat
    # model changes.
    allowDiscards = true;
  };

  # Clevis opens both the LUKS PV and a natively encrypted ZFS dataset with the
  # Tang pin. SECURITY: if the JWE files are bound to Tang alone (no TPM2 pin),
  # whoever can boot this host on a network that reaches the Tang server gets
  # the volumes unlocked — the protection is against the disk leaving that
  # network, not against theft of the whole machine. Confirm the pin policy
  # encoded in the JWEs matches that intent.
  # The JWE files are embedded in the initrd; they are ciphertext bound to the
  # Tang key, but they do disclose the Tang endpoint.
  boot.initrd.clevis = {
    enable = true;
    useTang = true;
    # LUKS root PV (same name as the luks.devices entry above).
    devices."nixos-pv".secretFile = ./nixos-pv.jwe;
    # ZFS native-encryption dataset holding the store.
    devices."ZFS-primary/nix".secretFile = ./nix-store.jwe;
  };

  # --- initrd: networking -----------------------------------------------------
  # Tang has to answer before any encrypted volume can be opened, so the NIC is
  # configured statically here instead of waiting on DHCP.
  # NOTE(review): boot.initrd.systemd.network only has an effect with the
  # systemd-based initrd (boot.initrd.systemd.enable), and eno1's driver must be
  # present in boot.initrd.availableKernelModules. Neither is set in this file —
  # presumably another module does; verify, otherwise the unlock hangs waiting
  # for the network.
  boot.initrd.systemd.network = {
    enable = true;
    networks."10-initrd-eno1" = {
      matchConfig.Name = "eno1";
      address = [ "192.168.76.2/24" ];
      routes = [ { Gateway = "192.168.76.1"; } ];
      # Only consulted if the Tang URL inside the JWEs is a hostname, not an IP.
      dns = [ "192.168.76.1" ];
      linkConfig.RequiredForOnline = "routable";
    };
  };

  # --- mount options ----------------------------------------------------------
  # noatime already implies nodiratime on Linux; the explicit flag is harmless.
  fileSystems."/".options = [ "noatime" "nodiratime" ];
  fileSystems."/home".options = [ "noatime" "nodiratime" ];
  # SECURITY: the FAT boot partition presumably carries the initrd and with it
  # the embedded JWE files; the 0077 masks keep it readable by root only so
  # unprivileged users cannot copy the initrd or learn the Tang endpoint.
  fileSystems."/boot".options = [ "noatime" "nodiratime" "fmask=0077" "dmask=0077" ];
  # Mount the store only after the root filesystem is up.
  fileSystems."/nix".depends = [ "/" ];
}