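{ pkgs, lib, hostName, ... }:
# NixOS profile for hosts whose pools live on ZFS: I/O scheduler tuning,
# boot-time import settings, periodic scrub/trim, and a manual per-pool
# import unit (zfs-import@<pool>) for pools that are not imported at boot.
{
  # none is the recommended elevator with ZFS (which has its own I/O scheduler).
  # The rule matches partitions carrying a zfs_member signature and writes the
  # scheduler of the parent block device (hence the ../queue path).
  services.udev.extraRules = ''
    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
  '';

  boot.supportedFilesystems = [ "zfs" ];
  boot.initrd.supportedFilesystems = [ "zfs" ];

  boot.kernelParams = [
    # Disabled because the zfs kernel module is not signed.
    # NOTE: this is a kernel-wide switch, not a zfs-specific one: with
    # sig_enforce off, any unsigned module can be loaded by root, so module
    # signing no longer helps against a rogue module on a compromised host.
    "module.sig_enforce=0"
  ];

  # Using ZFS together with hibernation (suspend to disk)
  # may cause filesystem corruption.
  # See https://github.com/openzfs/zfs/issues/260
  boot.zfs.allowHibernation = false;

  # Stable enough, clearer, and faster than the default /dev/disk/by-id
  boot.zfs.devNodes = "/dev/disk/by-partlabel";
  # Not useful so far.
  # See also https://github.com/NixOS/nixpkgs/issues/62644#issuecomment-1479523469
  boot.zfs.forceImportAll = false;
  # More resilient for remote hosts,
  # though it may call zpool clear.
  boot.zfs.forceImportRoot = true;
  # Datasets whose encryption key is requested at boot.
  # Only a mkDefault, so a host can override the list with a plain assignment.
  boot.zfs.requestEncryptionCredentials = lib.mkDefault [ "${hostName}/root" ];

  boot.zfs.enableUnstable = false;

  # Enables periodic scrubbing of ZFS pools (second week of the month).
  services.zfs.autoScrub.enable = true;
  services.zfs.autoScrub.interval = "Sun *-*-08..14 00:15:00";

  # According to zpool(8), for consumer hardware
  # periodic manual TRIM is preferred over the automatic TRIM
  # that ZFS implements (first week of the month, so it never
  # coincides with the scrub above).
  services.zfs.trim.enable = true;
  services.zfs.trim.interval = "Sun *-*-01..07 00:15:00";

  # Hide ZFS mountpoints from gio, hence nautilus or caja.
  # The pipeline takes the first space-separated field of each mount(8) line,
  # so it relies on the dataset names containing no spaces.
  systemd.services.zfs-mount.postStart = ''
    /run/wrappers/bin/mount -t zfs | cut -f 1 -d ' ' |
    xargs -n 1 -r -t /run/wrappers/bin/mount -o remount,x-gvfs-hide
  '';

  environment.systemPackages = [
    pkgs.lzop # For remote syncoid
    pkgs.mbuffer # For remote syncoid
    pkgs.sanoid
  ];

  # Force zpool import, even if the disk has not been exported,
  # (ie. still imported onto another computer).
  # Instantiated as zfs-import@<pool>.service; the instance name is the pool.
  systemd.services."zfs-import@" = {
    description = "ZFS import pool: %I";
    unitConfig = {
      # Nothing to do until the zfs module is loaded.
      ConditionPathIsDirectory = "/sys/module/zfs";
      # No start-rate limiting: the unit is started by hand, possibly repeatedly.
      StartLimitIntervalSec = 0;
    };
    after = [ "systemd-modules-load.service" ];
    # Look up zpool in the booted system first; presumably so that the
    # userland matches the zfs module of the running kernel — confirm.
    path = lib.mkBefore [ "/run/booted-system/sw" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      PrivateTmp = true;
      SyslogIdentifier = "zfs-import@%i";
      Restart = "no";
      ExecStart = pkgs.writeShellScript "zfs-import" ''
        pool="$1"
        set -eux
        # Escalating attempts: import with recovery (-F, which may discard the
        # last transactions), then reopen an already-imported pool, then force
        # import (-f), and finally only *check* (-n) whether an extreme rewind
        # (-X) would make the pool openable — that last step discards nothing.
        # NOTE(review): searches /dev/disk/by-id while boot.zfs.devNodes above
        # uses /dev/disk/by-partlabel; presumably intended for non-root pools,
        # confirm before aligning the two.
        zpool import -lFd /dev/disk/by-id/ -o cachefile=none "$pool" ||
        zpool reopen "$pool" ||
        zpool import -lfd /dev/disk/by-id/ -o cachefile=none "$pool" ||
        zpool clear -nFX "$pool"
        # The dry-run fallback can succeed without importing anything, which
        # would leave this oneshot "active" with no pool behind it (and restart
        # zfs-mount for nothing); make the unit fail instead.
        zpool list -H -o name "$pool" >/dev/null
        ${pkgs.systemd}/bin/systemctl restart zfs-mount.service
      '' + " %I";
    };
  };
}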