From c5d81f1e9ed209b70360cc281c2e1647d8d4c111 Mon Sep 17 00:00:00 2001 From: Hektor Misplon Date: Sat, 4 Oct 2025 23:17:12 +0200 Subject: [PATCH 1/5] Set up disko zfs encrypted root for 'vm' host --- flake.lock | 71 ++++++++++++++++++++++++ flake.nix | 17 ++++-- hosts/vm/configuration.nix | 1 + hosts/vm/disk.nix | 1 + hosts/vm/hard.nix | 9 ---- modules/disko.zfs-encrypted-root.nix | 81 ++++++++++++++++++++++++++++ 6 files changed, 167 insertions(+), 13 deletions(-) create mode 100644 flake.lock create mode 100644 hosts/vm/disk.nix create mode 100644 modules/disko.zfs-encrypted-root.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..b227cbb --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,71 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "owner": "nix-community", + "repo": "disko", + "rev": "ff442f5d1425feb86344c028298548024f21256d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1758463745, + "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1759439645, + "narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "879bd460b3d3e8571354ce172128fbcbac1ed633", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 1233659..fda0b39 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,15 +1,24 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05"; - home-manager.url = "github:nix-community/home-manager/release-25.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs = { + url = "github:nixos/nixpkgs?ref=nixos-25.05"; + }; + home-manager = { + url = "github:nix-community/home-manager/release-25.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko = { + url = "github:nix-community/disko/latest"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, home-manager }: { + outputs = { self, nixpkgs, disko, home-manager }: { nixosConfigurations.vm = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/vm/configuration.nix + disko.nixosModules.disko home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix index 95526b3..7eb7924 100644 --- a/hosts/vm/configuration.nix +++ b/hosts/vm/configuration.nix @@ -6,6 +6,7 @@ imports = [ ./hard.nix + ./disk.nix ../../modules/bootloader.nix ../../modules/networking.nix ../../modules/users.nix diff --git a/hosts/vm/disk.nix b/hosts/vm/disk.nix new file mode 100644 index 0000000..accc839 --- /dev/null +++ b/hosts/vm/disk.nix @@ -0,0 +1 @@ +import ../../modules/disko.zfs-encrypted-root.nix diff --git a/hosts/vm/hard.nix b/hosts/vm/hard.nix index f4a5f23..f198f81 100644 --- a/hosts/vm/hard.nix +++ b/hosts/vm/hard.nix 
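Review bot: The new `disko` input tracks a floating ref (`github:nix-community/disko/latest`), so the code that actually runs is determined only by flake.lock, which in this commit pins rev `ff442f5d1425feb86344c028298548024f21256d`; any later `nix flake update` silently moves to whatever `latest` points at, with no review step for a tool that repartitions disks as root. Consider pinning a release tag or rev in the URL, or at least document the trade-off next to the input: `# floating ref — the effective revision is fixed by flake.lock; review disko's diff on every update`. Anything that invokes disko outside this flake (e.g. an install command) should resolve it through the same lock, `nix run --inputs-from . disko#disko-install`, rather than re-fetching `latest` independently.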
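Review bot: `hosts/vm/disk.nix` re-exports the shared module unchanged, so the one genuinely host-specific value — the target device — stays hard-coded as `/dev/vda` inside `modules/disko.zfs-encrypted-root.nix`, and every host that imports the module will format that same path (disko wipes the device it is pointed at, so a wrong path here is destructive). If the module used `device = lib.mkDefault "/dev/vda";` (it would then need to take `{ lib, ... }:` as arguments), this file could carry the per-host override, e.g. `{ imports = [ ../../modules/disko.zfs-encrypted-root.nix ]; disko.devices.disk.root.device = "/dev/vda"; }`. Either way a one-line comment naming what gets formatted would help the next reader: `# Partitions the whole of /dev/vda (ESP + passphrase-encrypted ZFS root); see modules/disko.zfs-encrypted-root.nix`.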
@@ -13,15 +13,6 @@ boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/7d406784-bf6b-420e-a956-134f719c8206"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/4cbaffdb-0ca2-4735-87d0-eefe994f0e18"; } - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/modules/disko.zfs-encrypted-root.nix b/modules/disko.zfs-encrypted-root.nix new file mode 100644 index 0000000..871f0cd --- /dev/null +++ b/modules/disko.zfs-encrypted-root.nix 
@@ -0,0 +1,81 @@ +{ + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "nofail" ]; + }; + }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + }; + zpool = { + zroot = { + type = "zpool"; + rootFsOptions = { + mountpoint = "none"; + compression = "zstd"; + acltype = "posixacl"; + xattr = "sa"; + "com.sun:auto-snapshot" = "true"; + }; + options.ashift = "12"; + datasets = { + "root" = { + type = "zfs_fs"; + options = { + encryption = "aes-256-gcm"; + keyformat = "passphrase"; + #keylocation = "file:///tmp/secret.key"; + keylocation = "prompt"; + }; + mountpoint = "/"; + + }; + "root/nix" = { + type = "zfs_fs"; + options.mountpoint = "/nix"; + mountpoint = "/nix"; + }; + + # README MORE: https://wiki.archlinux.org/title/ZFS#Swap_volume + "root/swap" = { + type = "zfs_volume"; + size = "10M"; + content = { + type = "swap"; + }; + options = { + volblocksize = "4096"; + compression = "zle"; + logbias = "throughput"; + sync = "always"; + primarycache = "metadata"; + secondarycache = "none"; + "com.sun:auto-snapshot" = "false"; + }; + }; + }; + }; + }; + }; +} From fc5a3f4eca295e96a3140ac54dd47eaf6d0fed4c Mon Sep 17 00:00:00 2001 From: Hektor Misplon Date: Sat, 4 Oct 2025 23:31:09 +0200 Subject: [PATCH 2/5] Fix inputrc path --- hosts/vm/home.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/home.nix b/hosts/vm/home.nix index 15652c6..1b6951a 100644 --- a/hosts/vm/home.nix +++ b/hosts/vm/home.nix @@ -6,7 +6,7 @@ home.username = "h"; home.homeDirectory = "/home/h"; - home.file.".inputrc".source = ./dots/.inputrc; + home.file.".inputrc".source = ../../dots/.inputrc; programs.home-manager.enable = true; } From 0abaab830e18f11a6f31988e81033d9ba41b8689 Mon Sep 17 00:00:00 2001 
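Review bot: The `root` dataset is encrypted (`encryption = "aes-256-gcm"`, `keyformat = "passphrase"`, `keylocation = "prompt"`), but the ESP that holds the kernel and initrd is a plain unencrypted vfat partition and nothing in this module binds it to Secure Boot or a TPM measurement, so the passphrase protects data at rest only — someone with offline access to the disk can alter the initrd to capture the passphrase on the next boot, and the module should say so: `# NOTE: /boot (kernel + initrd) is unencrypted and unauthenticated; encryption protects data at rest, not the boot chain.` The commented-out `#keylocation = "file:///tmp/secret.key";` should be deleted rather than left as a ready-to-uncomment alternative — a raw key in world-writable `/tmp`, with that path then recorded in the dataset's `keylocation` property, is a bad default to resurrect. `mountOptions = [ "nofail" ]` on `/boot` lets the system come up even if the ESP fails to mount, in which case a later `nixos-rebuild switch` would most likely write bootloader files into an empty `/boot` directory on the root dataset instead of the ESP; if `nofail` is deliberate, a comment explaining why belongs next to it. `root/swap` is a 10M zvol, too small to be useful as swap and, being on ZFS, subject to the swap-on-zvol caveats the linked Arch page describes (deadlock under memory pressure being the well-known one); if it is a placeholder, mark it as such. On the positive side `root/nix` and `root/swap` are children of the encrypted `root` dataset and therefore inherit its encryption root, which is worth one comment since neither dataset carries encryption options of its own.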
From: Hektor Misplon Date: Sat, 4 Oct 2025 23:57:46 +0200 Subject: [PATCH 3/5] Fix ZFS issue with virtual disks (https://discourse.nixos.org/t/zfs-with-disko-faluire-to-import-zfs-pool/61988/3) --- hosts/vm/configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix index 7eb7924..2b66865 100644 --- a/hosts/vm/configuration.nix +++ b/hosts/vm/configuration.nix @@ -18,6 +18,12 @@ nix.settings.experimental-features = [ "nix-command" "flakes" ]; + boot = { + zfs = { + devNodes = "/dev/disk/by-uuid"; + }; + }; + programs.git.enable = true; programs.firefox.enable = true; From 34c02e404961a6a0a67e19d6db42e4e49b9a78b7 Mon Sep 17 00:00:00 2001 From: Hektor Misplon Date: Sun, 5 Oct 2025 00:00:48 +0200 Subject: [PATCH 4/5] Add 'networking.hostId' (required for ZFS) --- hosts/vm/configuration.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix index 2b66865..891e5e3 100644 --- a/hosts/vm/configuration.nix +++ b/hosts/vm/configuration.nix @@ -18,6 +18,10 @@ nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # These are needed for ZFS + + networking.hostId = "25698a58"; + # https://discourse.nixos.org/t/zfs-with-disko-faluire-to-import-zfs-pool/61988/3 boot = { zfs = { devNodes = "/dev/disk/by-uuid"; From cbdc5a99f26c7a9ffc702087b66cfb78a30bed32 Mon Sep 17 00:00:00 2001 From: Hektor Misplon Date: Sun, 5 Oct 2025 00:07:19 +0200 Subject: [PATCH 5/5] Update readme --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6c1a56b..f8ff59f 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,9 @@ # nixos -My NixOS config \ No newline at end of file +My NixOS config + +``` +git clone https://git.hektormisplon.xyz/hektor/nix.git +cd nix +sudo nix run 'github:nix-community/disko/latest#disko-install' -- --flake .#vm --disk root /dev/vda +```
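Review bot: `networking.hostId = "25698a58";` is, as far as I recall, recorded by ZFS in the pool's labels when the pool is imported, and changing it later makes the pool look as though it was last used by another machine so that the import fails without `-f` — the new comment `# These are needed for ZFS` should carry that warning, e.g. `# Required by ZFS: the hostid is written into the pool labels on import — never change it once the pool exists, or the import will need -f.` The value also has to be unique per host, so when this configuration is copied for a second machine a fresh one should be generated (the NixOS manual suggests `head -c 8 /etc/machine-id`), which is worth stating in the same comment. The stray blank line between the comment and the option should go so the comment visibly attaches to `networking.hostId` rather than floating above both it and the `boot.zfs` block.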