byrongibson · August 1, 2021 01:55
diff --git a/setup-02-create-efi-boot-zfs-pool-nixosgenconfig.sh b/setup-02-create-efi-boot-zfs-pool-nixosgenconfig.sh
 #!/usr/bin/env bash

 # A NixOS partition scheme with UEFI boot, root on tmpfs, everything else 
 # on encrypted ZFS datasets, and no swap.
 # This script assumes two target drives is already formatted with two partitions:
 # 1. 1GB FAT32 UEFI boot partition (each Nix generation consumes about 20MB on 
 #    /boot, so size this based on how many generations you want to store)
 # 2. the remainder of the disk formatted for ZFS.

 # This script creates the following:
 # 1. UEFI boot partition at /boot (or /boot1 for mirroredBoots)
 # 2. Encrypted ZFS pool comprising all remaining disk space - rpool
 # 3. Tmpfs root - /
 # 4. ZFS datasets - rpool/local/[nix,opt,boot], rpool/safe/[home,persist], rpool/reserved
 # 5. mounts all of the above
 # 6. generates hardware-configuration.nix customized to this machine and tmpfs
 # 7. generates a generic default configuration.nix replace-able with a custom one
 #
 # useful resources:
 # https://grahamc.com/blog/nixos-on-zfs
 # https://grahamc.com/blog/erase-your-darlings
 # https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
 # https://elis.nu/blog/2020/06/nixos-tmpfs-as-home/
 # https://www.reddit.com/r/NixOS/comments/g9wks6/root_on_tmpfs/
 # https://elis.nu/blog/2019/08/encrypted-zfs-mirror-with-mirrored-boot-on-nixos/
 # https://www.reddit.com/r/NixOS/comments/o1er2p/tmpfs_as_root_but_without_hardcoding_your/
 # https://jrs-s.net/2018/08/17/zfs-tuning-cheat-sheet
 # https://www.reddit.com/r/zfs/comments/nsc235/what_are_all_the_properties_that_cant_be_modified/

 # Disk Partitions:
 # sda
 # ├─sda1           	/boot/efi EFI BOOT
 # └─sda2           	rpool ZFS POOL
 #
 # for pool naming convention, use zfs-p0, zfs-p1, zfs-p2, etc.
 # alternately, rpoolX for root pools, dpoolX for data pools
 # for device naming convention, use zfs-d0, zfs-d1, zfs-d2, etc.
 #
 # Mount Layout:
 # /			tmpfs
 # ├─/boot		/dev/sda1
 # ├─/boot/efi	/dev/sda1
 # ├─/nix		rpool/local/nix
 # ├─/opt		rpool/local/opt
 # ├─/home		rpool/safe/home
 # └─/persist		rpool/safe/persist

 #useful commands
 # mount -l | grep sda
 # findmnt | grep zfs
 # lsblk
 # ncdu -x /
 # smartctl -a /dev/disk/by-id/<diskid>
 # ls /dev/disk/by-label
 # ls /dev/disk/by-partlabel
 # zpool list
 # zfs list -o name,mounted,mountpoint
 # zfs mount (only usable with non-legacy datasets)
 # zfs unmount -a (unmount everything, only usable with non-legacy datasets)
 # umount -R /mnt (unmount everything in /mnt recursively, required for legacy zfs datasets)
 # zpool export $POOL (disconnects the pool)
 # zpool remove $POOL sda1 (removes the disk from your zpool)
 # zpool destroy $POOL (this destroys the pool and it's gone and rather difficult to retrieve)

 # Some ZFS properties cannot be changed after the pool and/or datasets are created.  Some discussion on this:
 # https://www.reddit.com/r/zfs/comments/nsc235/what_are_all_the_properties_that_cant_be_modified/
 # `ashift` is one of these properties, but is easy to determine.  Use the following commands:
 # disk logical blocksize:  `$ sudo blockdev --getbsz /dev/sdX` (ashift)
 # disk physical blocksize: `$ sudo blockdev --getpbsz /dev/sdX` (not ashift but interesting)

 #set -euo pipefail
 set -e

 USER=me
 SYSTEM=arbitrary-hostname

 #INSTALL=/run/media/nixos/DATA/System/USBDrives/System/Install
 #INSTALL=/run/media/$USER/DATA/System/USBDrives/System/Install
 #INSTALL=/run/media/nixos/SWISSBIT02/System/Install
 #INSTALL=/run/media/$USER/SWISSBIT02/System/Install
 INSTALL=/run/media/nixos/SWISSBIT01/System/Install
 #INSTALL=/run/media/$USER/SWISSBIT01/System/Install

 pprint () {
    local cyan="\e[96m"
    local default="\e[39m"
    # ISO8601 timestamp + ms
    local timestamp
    timestamp=$(date +%FT%T.%3NZ)
    echo -e "${cyan}${timestamp} $1${default}" 1>&2
 }

 echo # move to a new line

 # Set primary installation disk
 pprint "> Select primary installation disk: "
 select ENTRY in $(ls /dev/disk/by-id/);
 do
    DISK1="/dev/disk/by-id/$ENTRY"
    BOOT1="$DISK1-part1"
    ZFS1="$DISK1-part2"
    echo "Installing system on $DISK1."
    break
 done
 read -p "> You selected '$DISK1'.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 # DISK1 ashift
 read -p "> What is the Ashift for this disk ($DISK1)?  Use 'blockdev --getbsz /dev/sdX' to find logical blocksize.  Example, 4096 => ashift=12. " ASHIFT1
 read -p "> You entered ashift=$ASHIFT1.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 # Set mirrored disk
 pprint "> Select mirrored installation disk: "
 select ENTRY in $(ls /dev/disk/by-id/);
 do
    DISK2="/dev/disk/by-id/$ENTRY"
 	BOOT2="$DISK2-part1"
 	ZFS2="$DISK2-part2"
    echo "Mirroring system on $DISK2."
    break
 done
 read -p "> You selected '$DISK2'.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 # DISK2 ashift
 read -p "> What is the Ashift for this disk ($DISK2)?  Use 'blockdev --getbsz /dev/sdX' to find logical blocksize.  Example, 4096 => ashift=12. " ASHIFT2
 read -p "> You entered ashift=$ASHIFT2.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 # Set ZFS pool name
 read -p "> Name your ZFS pool: " POOL
 read -p "> You entered '$POOL'.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 # Set hostname for this installation
 read -p "> What is the network hostname for this installation? (networking.hostName=?) " HOSTNAME
 read -p "> You entered '$HOSTNAME'.  Is this correct?  (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
 echo # move to a new line

 pprint "Creating ZFS pool on $ZFS1 ..."
 # -f force
 # -m none (mountpoint), canmount=off.  ZFS datasets on this pool inherit 
 # unmountable, unless explicitly specified otherwise in 'zfs create'.
 # Use blockdev --getbsz /dev/sdX to find correct ashift for your disk.
 # acltype=posix, xattr=sa required
 # atime=off and relatime=on for performance
 # recordsize depends on usage, 16k for database server or similar, 1M for home media server with large files
 # normalization=formD for max compatility
 # secondarycache=none to disable L2ARC which is not needed
 # best encryption methods are lz4 (fastest) and zstd (almost as fast, better compression)
 # more info on pool properties:
 # https://nixos.wiki/wiki/NixOS_on_ZFS#Dataset_Properties
 # https://jrs-s.net/2018/08/17/zfs-tuning-cheat-sheet/
 zpool create -f -t $POOL -m none -R /mnt	\
 	-o ashift=$ASHIFT1			\
 	-o autotrim=on 				\
 	-o listsnapshots=on			\
 	-O secondarycache=none		\
 	-O acltype=posix			\
 	-O compression=lz4			\
 	-O encryption=on			\
 	-O keylocation=prompt		\
 	-O keyformat=passphrase 	\
 	-O mountpoint=none			\
 	-O canmount=off				\
 	-O atime=off				\
 	-O relatime=on 				\
 	-O recordsize=1M			\
 	-O dnodesize=auto			\
 	-O xattr=sa					\
 	-O normalization=formD		\
 	$POOL $ZFS1
 pprint "Done."
 echo # move to a new line

 pprint "Creating ZFS datasets nix, opt, home, persist, reserved ..."
 zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/nix
 zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/opt
 #zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/lxd  # must be created by `lxd init`
 #zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/boot
 zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/home
 zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/persist
 # "reserved is an unused, unmounted 2GB dataset.  In case the rest of the pool runs out 
 # of space required for ZFS operations (even deletions require disk space in a 
 # copy-on-write filesystem), shrink or delete this pool to free enough
 # space to continue ZFS operations.
 # https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
 zfs create -o refreservation=4G -o primarycache=none -o secondarycache=none -o mountpoint=none ${POOL}/reserved
 pprint "Done."
 echo # move to a new line

 pprint "Enabling auto-snapshotting for ${POOL}/safe/[home,persist] datasets ..."
 zfs set com.sun:auto-snapshot=true ${POOL}/safe
 #zfs set com.sun:auto-snapshot=true ${POOL}/local/lxd  # do this manually after running `lxd init`
 pprint "Done."
 echo # move to a new line

 # attach mirrored drive
 zpool attach -o ashift=$ASHIFT2 $POOL $ZFS1 $ZFS2

 pprint "Mounting Tmpfs and ZFS datasets ..."
 mkdir -p /mnt
 mount -t tmpfs tmpfs /mnt
 mkdir -p /mnt/nix
 mount -t zfs ${POOL}/local/nix /mnt/nix
 mkdir -p /mnt/opt
 mount -t zfs ${POOL}/local/opt /mnt/opt
 mkdir -p /mnt/home
 mount -t zfs ${POOL}/safe/home /mnt/home
 mkdir -p /mnt/persist
 mount -t zfs ${POOL}/safe/persist /mnt/persist
 #mkdir -p /mnt/boot/efi
 #mount -t vfat "${BOOT}" /mnt/boot/efi
 # use boot1 and boot2 for mirroredBoots config
 mkdir -p /mnt/boot1/
 mount -t vfat ${BOOT} /mnt/boot1
 pprint "Done."
 echo # move to a new line

 pprint "Creating /mnt/build for temporarily mounting to tmpfs during nixos-rebuilds ..."
 umount /build || :
 mkdir -p /mnt/build
 #do not mount unless running nixos-rebuild, only for use in nixos-rebuild.sh script.
 pprint "Done."
 echo # move to a new line

 pprint "Making /mnt/persist/ subdirectories for persisted artifacts ..."
 mkdir -p /mnt/persist/etc/ssh
 mkdir -p /mnt/persist/etc/users
 mkdir -p /mnt/persist/etc/nixos
 mkdir -p /mnt/persist/etc/nixos/archive
 mkdir -p /mnt/persist/etc/wireguard/
 mkdir -p /mnt/persist/etc/NetworkManager/system-connections
 mkdir -p /mnt/persist/var/lib/bluetooth
 mkdir -p /mnt/persist/var/lib/acme
 pprint "Done."
 echo # move to a new line

 pprint "Generating NixOS configuration ..."
 nixos-generate-config --force --root /mnt
 pprint "Done."
 echo # move to a new line

 # Specify machine-specific ZFS properties for hardware-configuration.nix
 HOSTID=$(head -c8 /etc/machine-id)

 HARDWARE_CONFIG=$(mktemp)
 cat <<CONFIG > "$HARDWARE_CONFIG"

  networking.hostName = "$HOSTNAME";
  networking.hostId = "$HOSTID";  # "$(head -c 8 /etc/machine-id)"; required by ZFS
  #boot.zfs.devNodes = "$ZFS";
  # prevents "multiple pools with same name" problem during boot
  # https://discourse.nixos.org/t/nixos-on-mirrored-ssd-boot-swap-native-encrypted-zfs/9215/5
  boot.zfs.devNodes = "/dev/disk/by-partuuid";  # nixos-generation-config defaults to using partuuid ...
  #boot.zfs.devNodes = "/dev/disk/by-id";  # but should change to by-id after it's created
  hardware.cpu.intel.updateMicrocode = true;
 CONFIG

 # Add extra Tmpfs config options to the / mount section in hardware-configuration.nix
 # mode=755: required for some software like openssh, or will complain about permissions
 # size=2G: Tmpfs size. A fresh NixOS + Gnome4 install uses just over 200MB on tmpfs.
 # size=512M is sufficient, or larger if you have enough RAM and want more headroom.
 # backing up original to /mnt/etc/nixos/hardware-configuration.nix.original.
 # https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks
 pprint "Adding Tmpfs properties to hardware-configuration.nix ..."
 sed --in-place=.original '/fsType = "tmpfs";/a\      options = [ "defaults" "size=2G" "mode=755" ];' /mnt/etc/nixos/hardware-configuration.nix
 pprint "Done."
 echo # move to a new line

 #same as above, but try to be more specific to just /
 #pprint "Adding Tmpfs properties to hardware-configuration.nix ..."
 #sed -e --in-place=.original '/fileSystems."/",/fsType = "tmpfs";/a\      options = [ "defaults" "size=2G" "mode=755" ];' /mnt/etc/nixos/hardware-configuration.nix
 #pprint "Done."
 #echo # move to a new line

 pprint "Appending machine-specific networking and ZFS properties to hardware-configuration.nix ..."
 sed -i "\$e cat $HARDWARE_CONFIG" /mnt/etc/nixos/hardware-configuration.nix
 unset HARDWARE_CONFIG
 pprint "Done."
 echo # move to a new line

 # only needed when /boot/efi on separate partition from /boot
 #pprint "Adding /boot/efi partition to hardware-configuration.nix ..."
 #sed --in-place=.original '
 #  fileSystems."/boot" =
 #    { device = "rpool/local/boot";
 #      fsType = "zfs";
 #    };
 #/a\
 #
 #  fileSystems."/boot/efi" =
 #    { device = "$BOOT";
 #      fsType = "vfat";
 #    };
 #' /mnt/etc/nixos/hardware-configuration.nix
 #pprint "Done."
 #echo # move to a new line

 # not needed when overwriting original configuration.nix
 #pprint "Deleting incorrect/redundant networking.hostName from configuration.nix ..."
 #sed '/^# networking.hostName/d' /mnt/etc/nixos/configuration.nix
 #pprint "Done."
 #echo # move to a new line

 # TODO: look into move networking properties, including networking.interfaces = { ... }, to either 
 # hardware-configuration.nix or to a separate module.  Tested with the former
 # but didn't work, not sure why.
 # sed '\:// START TEXT:,\:// END TEXT:d' file
 # https://serverfault.com/questions/137829/how-to-remove-a-tagged-block-of-text-in-a-file

 pprint "Backing up configuration.nix and hardware-configuration.nix to /mnt/persist/etc/nixos/archive ..."
 mv /mnt/etc/nixos/configuration.nix /mnt/persist/etc/nixos/archive/configuration.nix.original
 cp /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/archive/hardware-configuration.nix.custom
 cp /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hardware-configuration.nix
 mv /mnt/etc/nixos/hardware-configuration.nix.original /mnt/persist/etc/nixos/archive/
 pprint "Done."
 echo # move to a new line

 pprint "Copying configuration.tmpfsroot.zfscrypt.nix to /mnt/persist/etc/nixos/configuration.nix ..."
 cp -r $INSTALL/NixOS/Setup/config/configuration.tmpfsroot.zfscrypt.full.nix /mnt/persist/etc/nixos/archive/
 cp -r $INSTALL/NixOS/Setup/config/configuration.$SYSTEM.nix /mnt/persist/etc/nixos/archive/
 cp -r /mnt/persist/etc/nixos/archive/configuration.tmpfsroot.zfscrypt.full.nix /mnt/persist/etc/nixos/configuration.nix
 cp -r /mnt/persist/etc/nixos/archive/configuration.$SYSTEM.nix /mnt/persist/etc/nixos/configuration.$SYSTEM.nix
 cp -r /mnt/persist/etc/nixos/configuration.nix /mnt/etc/nixos/configuration.nix
 cp -r /mnt/persist/etc/nixos/configuration.$SYSTEM.nix /mnt/etc/nixos/configuration.$SYSTEM.nix
 chown -Rv root:root /mnt/persist/etc/nixos
 chmod -Rv 0644 /mnt/persist/etc/nixos
 chown -Rv root:root /mnt/etc/nixos
 chmod -Rv 0644 /mnt/etc/nixos
 pprint "Done."
 echo # move to a new line

 pprint "Copying $INSTALL/NixOS/Setup/persist/etc/users to /mnt/persist/etc/"
 cp -rv $INSTALL/NixOS/Setup/persist/etc/users /mnt/persist/etc/
 #cp -rv /mnt/persist/etc/users /mnt/etc/
 chown -Rv root:root /mnt/persist/etc/users
 chmod -Rv 0640 /mnt/persist/etc/users
 #chown -Rv root:root /mnt/etc/users
 #chmod -Rv 0640 /mnt/etc/users
 pprint "Done."
 echo # move to a new line

 pprint "Making blank pre-installation zfs snapshot, in case want to rollback to blank datasets ..."
 zfs snapshot -r ${POOL}@blank
 pprint "Done."
 echo # move to a new line

 pprint "Configuration complete."
 pprint "Backup configuration.nix and hardware-configuration.nix to a separate drive." 
 pprint "Then install by running setup-04-nixos-install.sh."

 # WARNING: Before rebooting, backup /mnt/etc/nixos/hardware-configuration.nix to USBDrive

 # install with:
 # ---- install script ---- 
 # #!/usr/bin/env bash
 # install NixOS with no root password
 #set -e
 # If nixos-install fails, may need to prepend this nixos-build line to install script:
 # https://github.com/NixOS/nixpkgs/issues/126141#issuecomment-861720372
 #nix-build -v '<nixpkgs/nixos>' -A config.system.build.toplevel -I nixos-config=/mnt/etc/nixos/configuration.nix
 # install NixOS with no root password.  Must use `passwd` on first use to set user password.
 #nixos-install -v --show-trace --no-root-passwd
 # ---- /install script ----
	#!/usr/bin/env bash

	# A NixOS partition scheme with UEFI boot, root on tmpfs, everything else
	# on encrypted ZFS datasets, and no swap.
	# This script assumes two target drives is already formatted with two partitions:
	# 1. 1GB FAT32 UEFI boot partition (each Nix generation consumes about 20MB on
	# /boot, so size this based on how many generations you want to store)
	# 2. the remainder of the disk formatted for ZFS.

	# This script creates the following:
	# 1. UEFI boot partition at /boot (or /boot1 for mirroredBoots)
	# 2. Encrypted ZFS pool comprising all remaining disk space - rpool
	# 3. Tmpfs root - /
	# 4. ZFS datasets - rpool/local/[nix,opt,boot], rpool/safe/[home,persist], rpool/reserved
	# 5. mounts all of the above
	# 6. generates hardware-configuration.nix customized to this machine and tmpfs
	# 7. generates a generic default configuration.nix replace-able with a custom one
	#
	# useful resources:
	# https://grahamc.com/blog/nixos-on-zfs
	# https://grahamc.com/blog/erase-your-darlings
	# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
	# https://elis.nu/blog/2020/06/nixos-tmpfs-as-home/
	# https://www.reddit.com/r/NixOS/comments/g9wks6/root_on_tmpfs/
	# https://elis.nu/blog/2019/08/encrypted-zfs-mirror-with-mirrored-boot-on-nixos/
	# https://www.reddit.com/r/NixOS/comments/o1er2p/tmpfs_as_root_but_without_hardcoding_your/
	# https://jrs-s.net/2018/08/17/zfs-tuning-cheat-sheet
	# https://www.reddit.com/r/zfs/comments/nsc235/what_are_all_the_properties_that_cant_be_modified/

	# Disk Partitions:
	# sda
	# ├─sda1 /boot/efi EFI BOOT
	# └─sda2 rpool ZFS POOL
	#
	# for pool naming convention, use zfs-p0, zfs-p1, zfs-p2, etc.
	# alternately, rpoolX for root pools, dpoolX for data pools
	# for device naming convention, use zfs-d0, zfs-d1, zfs-d2, etc.
	#
	# Mount Layout:
	# / tmpfs
	# ├─/boot /dev/sda1
	# ├─/boot/efi /dev/sda1
	# ├─/nix rpool/local/nix
	# ├─/opt rpool/local/opt
	# ├─/home rpool/safe/home
	# └─/persist rpool/safe/persist

	#useful commands
	# mount -l \| grep sda
	# findmnt \| grep zfs
	# lsblk
	# ncdu -x /
	# smartctl -a /dev/disk/by-id/<diskid>
	# ls /dev/disk/by-label
	# ls /dev/disk/by-partlabel
	# zpool list
	# zfs list -o name,mounted,mountpoint
	# zfs mount (only usable with non-legacy datasets)
	# zfs unmount -a (unmount everything, only usable with non-legacy datasets)
	# umount -R /mnt (unmount everything in /mnt recursively, required for legacy zfs datasets)
	# zpool export $POOL (disconnects the pool)
	# zpool remove $POOL sda1 (removes the disk from your zpool)
	# zpool destroy $POOL (this destroys the pool and it's gone and rather difficult to retrieve)

	# Some ZFS properties cannot be changed after the pool and/or datasets are created. Some discussion on this:
	# https://www.reddit.com/r/zfs/comments/nsc235/what_are_all_the_properties_that_cant_be_modified/
	# `ashift` is one of these properties, but is easy to determine. Use the following commands:
	# disk logical blocksize: `$ sudo blockdev --getbsz /dev/sdX` (ashift)
	# disk physical blocksize: `$ sudo blockdev --getpbsz /dev/sdX` (not ashift but interesting)

	#set -euo pipefail
	set -e

	USER=me
	SYSTEM=arbitrary-hostname

	#INSTALL=/run/media/nixos/DATA/System/USBDrives/System/Install
	#INSTALL=/run/media/$USER/DATA/System/USBDrives/System/Install
	#INSTALL=/run/media/nixos/SWISSBIT02/System/Install
	#INSTALL=/run/media/$USER/SWISSBIT02/System/Install
	INSTALL=/run/media/nixos/SWISSBIT01/System/Install
	#INSTALL=/run/media/$USER/SWISSBIT01/System/Install

	pprint () {
	local cyan="\e[96m"
	local default="\e[39m"
	# ISO8601 timestamp + ms
	local timestamp
	timestamp=$(date +%FT%T.%3NZ)
	echo -e "${cyan}${timestamp} $1${default}" 1>&2
	}

	echo # move to a new line

	# Set primary installation disk
	pprint "> Select primary installation disk: "
	select ENTRY in $(ls /dev/disk/by-id/);
	do
	DISK1="/dev/disk/by-id/$ENTRY"
	BOOT1="$DISK1-part1"
	ZFS1="$DISK1-part2"
	echo "Installing system on $DISK1."
	break
	done
	read -p "> You selected '$DISK1'. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	# DISK1 ashift
	read -p "> What is the Ashift for this disk ($DISK1)? Use 'blockdev --getbsz /dev/sdX' to find logical blocksize. Example, 4096 => ashift=12. " ASHIFT1
	read -p "> You entered ashift=$ASHIFT1. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	# Set mirrored disk
	pprint "> Select mirrored installation disk: "
	select ENTRY in $(ls /dev/disk/by-id/);
	do
	DISK2="/dev/disk/by-id/$ENTRY"
	BOOT2="$DISK2-part1"
	ZFS2="$DISK2-part2"
	echo "Mirroring system on $DISK2."
	break
	done
	read -p "> You selected '$DISK2'. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	# DISK2 ashift
	read -p "> What is the Ashift for this disk ($DISK2)? Use 'blockdev --getbsz /dev/sdX' to find logical blocksize. Example, 4096 => ashift=12. " ASHIFT2
	read -p "> You entered ashift=$ASHIFT2. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	# Set ZFS pool name
	read -p "> Name your ZFS pool: " POOL
	read -p "> You entered '$POOL'. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	# Set hostname for this installation
	read -p "> What is the network hostname for this installation? (networking.hostName=?) " HOSTNAME
	read -p "> You entered '$HOSTNAME'. Is this correct? (Y/N): " confirm && [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]] \|\| exit 1
	echo # move to a new line

	pprint "Creating ZFS pool on $ZFS1 ..."
	# -f force
	# -m none (mountpoint), canmount=off. ZFS datasets on this pool inherit
	# unmountable, unless explicitly specified otherwise in 'zfs create'.
	# Use blockdev --getbsz /dev/sdX to find correct ashift for your disk.
	# acltype=posix, xattr=sa required
	# atime=off and relatime=on for performance
	# recordsize depends on usage, 16k for database server or similar, 1M for home media server with large files
	# normalization=formD for max compatility
	# secondarycache=none to disable L2ARC which is not needed
	# best encryption methods are lz4 (fastest) and zstd (almost as fast, better compression)
	# more info on pool properties:
	# https://nixos.wiki/wiki/NixOS_on_ZFS#Dataset_Properties
	# https://jrs-s.net/2018/08/17/zfs-tuning-cheat-sheet/
	zpool create -f -t $POOL -m none -R /mnt \
	-o ashift=$ASHIFT1 \
	-o autotrim=on \
	-o listsnapshots=on \
	-O secondarycache=none \
	-O acltype=posix \
	-O compression=lz4 \
	-O encryption=on \
	-O keylocation=prompt \
	-O keyformat=passphrase \
	-O mountpoint=none \
	-O canmount=off \
	-O atime=off \
	-O relatime=on \
	-O recordsize=1M \
	-O dnodesize=auto \
	-O xattr=sa \
	-O normalization=formD \
	$POOL $ZFS1
	pprint "Done."
	echo # move to a new line

	pprint "Creating ZFS datasets nix, opt, home, persist, reserved ..."
	zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/nix
	zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/opt
	#zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/lxd # must be created by `lxd init`
	#zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/local/boot
	zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/home
	zfs create -p -v -o secondarycache=none -o mountpoint=legacy ${POOL}/safe/persist
	# "reserved is an unused, unmounted 2GB dataset. In case the rest of the pool runs out
	# of space required for ZFS operations (even deletions require disk space in a
	# copy-on-write filesystem), shrink or delete this pool to free enough
	# space to continue ZFS operations.
	# https://nixos.wiki/wiki/NixOS_on_ZFS#Reservations
	zfs create -o refreservation=4G -o primarycache=none -o secondarycache=none -o mountpoint=none ${POOL}/reserved
	pprint "Done."
	echo # move to a new line

	pprint "Enabling auto-snapshotting for ${POOL}/safe/[home,persist] datasets ..."
	zfs set com.sun:auto-snapshot=true ${POOL}/safe
	#zfs set com.sun:auto-snapshot=true ${POOL}/local/lxd # do this manually after running `lxd init`
	pprint "Done."
	echo # move to a new line

	# attach mirrored drive
	zpool attach -o ashift=$ASHIFT2 $POOL $ZFS1 $ZFS2

	pprint "Mounting Tmpfs and ZFS datasets ..."
	mkdir -p /mnt
	mount -t tmpfs tmpfs /mnt
	mkdir -p /mnt/nix
	mount -t zfs ${POOL}/local/nix /mnt/nix
	mkdir -p /mnt/opt
	mount -t zfs ${POOL}/local/opt /mnt/opt
	mkdir -p /mnt/home
	mount -t zfs ${POOL}/safe/home /mnt/home
	mkdir -p /mnt/persist
	mount -t zfs ${POOL}/safe/persist /mnt/persist
	#mkdir -p /mnt/boot/efi
	#mount -t vfat "${BOOT}" /mnt/boot/efi
	# use boot1 and boot2 for mirroredBoots config
	mkdir -p /mnt/boot1/
	mount -t vfat ${BOOT} /mnt/boot1
	pprint "Done."
	echo # move to a new line

	pprint "Creating /mnt/build for temporarily mounting to tmpfs during nixos-rebuilds ..."
	umount /build \|\| :
	mkdir -p /mnt/build
	#do not mount unless running nixos-rebuild, only for use in nixos-rebuild.sh script.
	pprint "Done."
	echo # move to a new line

	pprint "Making /mnt/persist/ subdirectories for persisted artifacts ..."
	mkdir -p /mnt/persist/etc/ssh
	mkdir -p /mnt/persist/etc/users
	mkdir -p /mnt/persist/etc/nixos
	mkdir -p /mnt/persist/etc/nixos/archive
	mkdir -p /mnt/persist/etc/wireguard/
	mkdir -p /mnt/persist/etc/NetworkManager/system-connections
	mkdir -p /mnt/persist/var/lib/bluetooth
	mkdir -p /mnt/persist/var/lib/acme
	pprint "Done."
	echo # move to a new line

	pprint "Generating NixOS configuration ..."
	nixos-generate-config --force --root /mnt
	pprint "Done."
	echo # move to a new line

	# Specify machine-specific ZFS properties for hardware-configuration.nix
	HOSTID=$(head -c8 /etc/machine-id)

	HARDWARE_CONFIG=$(mktemp)
	cat <<CONFIG > "$HARDWARE_CONFIG"

	networking.hostName = "$HOSTNAME";
	networking.hostId = "$HOSTID"; # "$(head -c 8 /etc/machine-id)"; required by ZFS
	#boot.zfs.devNodes = "$ZFS";
	# prevents "multiple pools with same name" problem during boot
	# https://discourse.nixos.org/t/nixos-on-mirrored-ssd-boot-swap-native-encrypted-zfs/9215/5
	boot.zfs.devNodes = "/dev/disk/by-partuuid"; # nixos-generation-config defaults to using partuuid ...
	#boot.zfs.devNodes = "/dev/disk/by-id"; # but should change to by-id after it's created
	hardware.cpu.intel.updateMicrocode = true;
	CONFIG

	# Add extra Tmpfs config options to the / mount section in hardware-configuration.nix
	# mode=755: required for some software like openssh, or will complain about permissions
	# size=2G: Tmpfs size. A fresh NixOS + Gnome4 install uses just over 200MB on tmpfs.
	# size=512M is sufficient, or larger if you have enough RAM and want more headroom.
	# backing up original to /mnt/etc/nixos/hardware-configuration.nix.original.
	# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks
	pprint "Adding Tmpfs properties to hardware-configuration.nix ..."
	sed --in-place=.original '/fsType = "tmpfs";/a\ options = [ "defaults" "size=2G" "mode=755" ];' /mnt/etc/nixos/hardware-configuration.nix
	pprint "Done."
	echo # move to a new line

	#same as above, but try to be more specific to just /
	#pprint "Adding Tmpfs properties to hardware-configuration.nix ..."
	#sed -e --in-place=.original '/fileSystems."/",/fsType = "tmpfs";/a\ options = [ "defaults" "size=2G" "mode=755" ];' /mnt/etc/nixos/hardware-configuration.nix
	#pprint "Done."
	#echo # move to a new line

	pprint "Appending machine-specific networking and ZFS properties to hardware-configuration.nix ..."
	sed -i "\$e cat $HARDWARE_CONFIG" /mnt/etc/nixos/hardware-configuration.nix
	unset HARDWARE_CONFIG
	pprint "Done."
	echo # move to a new line

	# only needed when /boot/efi on separate partition from /boot
	#pprint "Adding /boot/efi partition to hardware-configuration.nix ..."
	#sed --in-place=.original '
	# fileSystems."/boot" =
	# { device = "rpool/local/boot";
	# fsType = "zfs";
	# };
	#/a\
	#
	# fileSystems."/boot/efi" =
	# { device = "$BOOT";
	# fsType = "vfat";
	# };
	#' /mnt/etc/nixos/hardware-configuration.nix
	#pprint "Done."
	#echo # move to a new line

	# not needed when overwriting original configuration.nix
	#pprint "Deleting incorrect/redundant networking.hostName from configuration.nix ..."
	#sed '/^# networking.hostName/d' /mnt/etc/nixos/configuration.nix
	#pprint "Done."
	#echo # move to a new line

	# TODO: look into move networking properties, including networking.interfaces = { ... }, to either
	# hardware-configuration.nix or to a separate module. Tested with the former
	# but didn't work, not sure why.
	# sed '\:// START TEXT:,\:// END TEXT:d' file
	# https://serverfault.com/questions/137829/how-to-remove-a-tagged-block-of-text-in-a-file

	pprint "Backing up configuration.nix and hardware-configuration.nix to /mnt/persist/etc/nixos/archive ..."
	mv /mnt/etc/nixos/configuration.nix /mnt/persist/etc/nixos/archive/configuration.nix.original
	cp /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/archive/hardware-configuration.nix.custom
	cp /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hardware-configuration.nix
	mv /mnt/etc/nixos/hardware-configuration.nix.original /mnt/persist/etc/nixos/archive/
	pprint "Done."
	echo # move to a new line

	pprint "Copying configuration.tmpfsroot.zfscrypt.nix to /mnt/persist/etc/nixos/configuration.nix ..."
	cp -r $INSTALL/NixOS/Setup/config/configuration.tmpfsroot.zfscrypt.full.nix /mnt/persist/etc/nixos/archive/
	cp -r $INSTALL/NixOS/Setup/config/configuration.$SYSTEM.nix /mnt/persist/etc/nixos/archive/
	cp -r /mnt/persist/etc/nixos/archive/configuration.tmpfsroot.zfscrypt.full.nix /mnt/persist/etc/nixos/configuration.nix
	cp -r /mnt/persist/etc/nixos/archive/configuration.$SYSTEM.nix /mnt/persist/etc/nixos/configuration.$SYSTEM.nix
	cp -r /mnt/persist/etc/nixos/configuration.nix /mnt/etc/nixos/configuration.nix
	cp -r /mnt/persist/etc/nixos/configuration.$SYSTEM.nix /mnt/etc/nixos/configuration.$SYSTEM.nix
	chown -Rv root:root /mnt/persist/etc/nixos
	chmod -Rv 0644 /mnt/persist/etc/nixos
	chown -Rv root:root /mnt/etc/nixos
	chmod -Rv 0644 /mnt/etc/nixos
	pprint "Done."
	echo # move to a new line

	pprint "Copying $INSTALL/NixOS/Setup/persist/etc/users to /mnt/persist/etc/"
	cp -rv $INSTALL/NixOS/Setup/persist/etc/users /mnt/persist/etc/
	#cp -rv /mnt/persist/etc/users /mnt/etc/
	chown -Rv root:root /mnt/persist/etc/users
	chmod -Rv 0640 /mnt/persist/etc/users
	#chown -Rv root:root /mnt/etc/users
	#chmod -Rv 0640 /mnt/etc/users
	pprint "Done."
	echo # move to a new line

	pprint "Making blank pre-installation zfs snapshot, in case want to rollback to blank datasets ..."
	zfs snapshot -r ${POOL}@blank
	pprint "Done."
	echo # move to a new line

	pprint "Configuration complete."
	pprint "Backup configuration.nix and hardware-configuration.nix to a separate drive."
	pprint "Then install by running setup-04-nixos-install.sh."

	# WARNING: Before rebooting, backup /mnt/etc/nixos/hardware-configuration.nix to USBDrive

	# install with:
	# ---- install script ----
	# #!/usr/bin/env bash
	# install NixOS with no root password
	#set -e
	# If nixos-install fails, may need to prepend this nixos-build line to install script:
	# https://github.com/NixOS/nixpkgs/issues/126141#issuecomment-861720372
	#nix-build -v '<nixpkgs/nixos>' -A config.system.build.toplevel -I nixos-config=/mnt/etc/nixos/configuration.nix
	# install NixOS with no root password. Must use `passwd` on first use to set user password.
	#nixos-install -v --show-trace --no-root-passwd
	# ---- /install script ----