Secrets should never be world-readable, even to users who are logged in to one of the hosts managed by this configuration. These are generally managed by agenix, allowing them to still be put in the nix store.

• Add a shell to the devShells output in flake.nix.

• Execute use_flake /path/to/repo#name-of-shell > .envrc to initialize the .envrc file.

• Execute direnv allow to load the .envrc file which in turn loads your environment.

1. Create three partitions:

   • Boot
   • Swap
   • ZFS

   For example:

   sgdisk -n 0:0:+512MiB -t 0:EF00 -c 0:boot $DISK
   sgdisk -n 0:0:+32GiB -t 0:8200 -c 0:swap $DISK
   sgdisk -n 0:0:0 -t 0:BF01 -c 0:ZFS $DISK

2. Configure swap and boot as usual.

3. Create ZPool:

   zpool create -O mountpoint=none -O encryption=aes-256-gcm -O keyformat=passphrase rpool $ZFS_PART

   Leave out -O encryption=aes-256-gcm -O keyformat=passphrase if you don't want to fully encrypt the ZFS partition.

4. Create datasets:

   zfs create -o mountpoint=legacy rpool/local/root
   zfs snapshot rpool/local/root@blank
   zfs create -o mountpoint=legacy rpool/local/nix
   zfs set compression=lz4 rpool/local/nix
   zfs create -o mountpoint=legacy rpool/local/cache
   zfs set compression=lz4 rpool/local/cache
   zfs create -o mountpoint=legacy rpool/safe/data
   zfs set compression=lz4 rpool/local/data

5. Mount datasets:

   mount -t zfs rpool/local/root /mnt
   mkdir /mnt/nix
   mount -t zfs rpool/local/nix /mnt/nix
   mkdir /mnt/boot
   mount $BOOT_PART /mnt/boot
   mkdir /mnt/cache
   mount -t zfs rpool/local/cache /mnt/cache
   mkdir /mnt/data
   mount -t zfs rpool/safe/data /mnt/data

6. Configure Host ID

   Set networking.hostid in the nixos config to head -c 8 /etc/machine-id.