zfs: create zfs_data pool with LUKS encryption

modules/disko/disko-ab-partitions.nix

@@ -44,6 +44,10 @@
     boot = {
       initrd.availableKernelModules = [ "zfs" ];
       supportedFilesystems = [ "zfs" ];
+      zfs.extraPools = [ "zfs_data" ];
+      initrd.luks.devices.zfs_data = {
+        device = "/dev/disk/by-partlabel/disk-disk1-zfs_data";
+      };
     };
     disko = {
       # 8GB is the recommeneded minimum for ZFS, so we are using this for VMs to avoid `cp` oom errors.
@@ -57,7 +61,7 @@
       devices = {
         disk.disk1 = {
           type = "disk";
-          imageSize = "60G";
+          imageSize = "70G";
           content = {
             type = "gpt";
             partitions = {
@@ -91,18 +95,26 @@
                   #randomEncryption = true;
                 };
               };
-              zfs_1 = {
+              zfs_root = {
+                size = "30G";
+                content = {
+                  type = "zfs";
+                  pool = "zfs_root";
+                };
+              };
+              zfs_data = {
                 size = "100%";
                 content = {
                   type = "zfs";
-                  pool = "zfspool";
+                  pool = "zfs_data";
                 };
               };
             };
           };
         };
+
         zpool = {
-          zfspool = {
+          zfs_root = {
             type = "zpool";
             rootFsOptions = {
               mountpoint = "none";
@@ -124,6 +136,12 @@
                   quota = "30G";
                 };
               };
+            };
+          };
+
+          zfs_data = {
+            type = "zpool";
+            datasets = {
               "vm_storage" = {
                 type = "zfs_fs";
                 options = {

modules/disko/disko-zfs-postboot.nix

@@ -2,40 +2,79 @@
 # SPDX-License-Identifier: Apache-2.0
 { pkgs, ... }:
 let
-  postBootCmds = ''
-    set -xeuo pipefail
+  zfsPostBoot = pkgs.writeShellApplication {
+    name = "zfsPostBootScript";
+    runtimeInputs = with pkgs; [
+      zfs
+      gnugrep
+      gawk
+      cryptsetup
+      util-linux
+      gptfdisk
+      parted
+      systemd
+    ];
+    text = ''
+      set -xeuo pipefail
 
-    # Check which physical disk is used by ZFS
-    ZFS_POOLNAME=$(${pkgs.zfs}/bin/zpool list | ${pkgs.gnugrep}/bin/grep -v NAME |  ${pkgs.gawk}/bin/awk '{print $1}')
-    ZFS_LOCATION=$(${pkgs.zfs}/bin/zpool status -P | ${pkgs.gnugrep}/bin/grep dev | ${pkgs.gawk}/bin/awk '{print $1}')
+      # Check which physical disk is used by ZFS
+      ENCRYPTED_POOLNAME=zfs_data
+      zpool import -f "$ENCRYPTED_POOLNAME"
+      ZFS_POOLNAME=$(zpool list | grep -v NAME | grep $ENCRYPTED_POOLNAME | awk '{print $1}')
+      ZFS_LOCATION=$(zpool status "$ZFS_POOLNAME" -P | grep dev | awk '{print $1}')
 
-    # Get the actual device path
-    P_DEVPATH=$(readlink -f "$ZFS_LOCATION")
+      # Get the actual device path
+      P_DEVPATH=$(readlink -f "$ZFS_LOCATION")
 
-    # Extract the partition number using regex
-    if [[ "$P_DEVPATH" =~ [0-9]+$ ]]; then
-      PARTNUM=$(echo "$P_DEVPATH" | ${pkgs.gnugrep}/bin/grep -o '[0-9]*$')
-      PARENT_DISK=/dev/$(${pkgs.util-linux}/bin/lsblk -no pkname "$P_DEVPATH")
-    else
-      echo "No partition number found in device path: $P_DEVPATH"
-    fi
+      if [[ "$P_DEVPATH" =~ [0-9]+$ ]]; then
+        PARTNUM=$(echo "$P_DEVPATH" | grep -o '[0-9]*$')
+        PARENT_DISK=/dev/$(lsblk -no pkname "$P_DEVPATH")
+      else
+        echo "No partition number found in device path: $P_DEVPATH"
+      fi
 
-    # Fix GPT first
-    ${pkgs.gptfdisk}/bin/sgdisk "$PARENT_DISK" -e
+      set +o pipefail
+      # Check if zfs pool has luks headers
+      if (cryptsetup status "$ZFS_POOLNAME") | grep -q "is inactive"; then
+        # Fix GPT first
+        sgdisk "$PARENT_DISK" -e
 
-    # Call partprobe to update kernel's partitions
-    ${pkgs.parted}/bin/partprobe
+        # Call partprobe to update kernel's partitions
+        partprobe
 
-    # Extend the partition to use unallocated space
-    ${pkgs.parted}/bin/parted -s -a opt "$PARENT_DISK" "resizepart $PARTNUM 100%"
+        # Extend the partition to use unallocated space
+        parted -s -a opt "$PARENT_DISK" "resizepart $PARTNUM 100%"
+
+        # Extend ZFS pool to use newly allocated space
+        zpool online -e "$ZFS_POOLNAME" "$ZFS_LOCATION"
+
+        # Exporting pool to avoid device in use errors
+        zpool export "$ZFS_POOLNAME"
+
+        # TODO: Remove hardcoded password and have better password mechanism
+        pswd="ghaf"
+        # Format pool with LUKS
+        echo -n $pswd | cryptsetup luksFormat --type luks2 -q "$ZFS_LOCATION"
+        echo -n $pswd | cryptsetup luksOpen "$ZFS_LOCATION" "$ZFS_POOLNAME" --persistent
+
+        # Enrolling for disk unlocking, it automatically assigns keys to a specific slot in the TPM
+        PASSWORD=$pswd systemd-cryptenroll --tpm2-device auto "$P_DEVPATH"
+
+        # Create pool, datasets as luksFormat will erase pools, ZFS datasets stored on that partition
+        zpool create -o ashift=12 -O compression=lz4 -O acltype=posixacl -O xattr=sa -f "$ZFS_POOLNAME" /dev/mapper/"$ZFS_POOLNAME"
+        zfs create -o quota=30G "$ZFS_POOLNAME"/vm_storage
+        zfs create -o quota=10G -o mountpoint=none "$ZFS_POOLNAME"/reserved
+        zfs create -o quota=50G "$ZFS_POOLNAME"/gp_storage
+        zfs create "$ZFS_POOLNAME"/storagevm
+        zfs create -o mountpoint=none "$ZFS_POOLNAME"/recovery
+      fi
+    '';
+  };
 
-    # Extend ZFS pool to use newly allocated space
-    ${pkgs.zfs}/bin/zpool online -e "$ZFS_POOLNAME" "$ZFS_LOCATION"
-  '';
 in
 {
   # To debug postBootCommands, one may run
   # journalctl -u initrd-nixos-activation.service
   # inside the running Ghaf host.
-  boot.postBootCommands = postBootCmds;
+  boot.postBootCommands = "${zfsPostBoot}/bin/zfsPostBootScript";
 }