{ lib, pkgs, ... }:
{

  boot = {
    zfs.requestEncryptionCredentials = lib.mkForce false;
    postBootCommands = ''
      ${pkgs.zfs}/bin/zfs load-key -a
    '';
    initrd = {
      services.lvm.enable = true;
      luks.devices = {
        "nixos-pv" = {
          device = "/dev/disk/by-uuid/614787a6-784a-4932-b787-cb6424725444";
          preLVM = true;
          allowDiscards = true;
        };
      };

      postResumeCommands = ''
        # let root mount and everything, then manually unlock stuff
        load_zfs_nix() {
          local device="/dev/disk/by-uuid/8bfaa32b-09dd-45c8-831e-05e80be82f9e"
          local mountPoint="/"
          local options="x-initrd.mount,noatime,nodiratime"
          local fsType="ext4"

          echo "manually mounting key location, then unmounting"
          udevadm settle

          mountFS "$device" "$(escapeFstab "$mountPoint")" "$(escapeFstab "$options")" "$fsType"

          zfs load-key -L "file://$targetRoot/crypto/keys/zfs-nix-store-key" "ZFS-primary/nix"
          umount "$targetRoot/"
        }

        load_zfs_nix
      '';
    };
  };

  fileSystems = {
    "/".options = [
      "noatime"
      "nodiratime"
    ];

    "/home".options = [
      "noatime"
      "nodiratime"
    ];

    "/boot".options = [
      "noatime"
      "nodiratime"
      "fmask=0077"
      "dmask=0077"
    ];

    "/nix".depends = [
      "/"
      "/crypto"
    ];

  };
}