diff --git a/global/fs/default.nix b/global/fs/default.nix
index e2c80c57..4805dc3e 100644
--- a/global/fs/default.nix
+++ b/global/fs/default.nix
@@ -8,8 +8,8 @@ in {
 ./ext4.nix
 ./f2fs.nix
 ./xfs.nix
- ./zfs.nix
 ./bcachefs.nix
+ ./zfs
 ];
 
 options.global.fs = {
diff --git a/global/fs/zfs.nix b/global/fs/zfs/default.nix
similarity index 78%
rename from global/fs/zfs.nix
rename to global/fs/zfs/default.nix
index a7faedd8..a36916f2 100644
--- a/global/fs/zfs.nix
+++ b/global/fs/zfs/default.nix
@@ -4,6 +4,10 @@
 , ... }: with lib; let
 cfg = config.global.fs;
 in {
+ imports = [
+ ./split.nix
+ ];
+
 # -o ashift=12
 # -O encryption=on -O keyformat=passphrase -O keylocation=prompt
 # -O compression=on -O mountpoint=none -O xattr=sa -O acltype=posixacl
@@ -21,6 +25,19 @@ in {
 description = "zfs dataset mountpoints";
 };
 externalStore = mkEnableOption "external nix store filesystem";
+
+ split = {
+ enable = mkEnableOption "zfs state with split nix store";
+ mdProg = mkOption {
+ type = with types; str;
+ default = "/usr/bin/true";
+ description = "mdadm PROGRAM config value";
+ };
+ secret = mkOption {
+ type = with types; str;
+ description = "UUID of secret filesystem";
+ };
+ };
 };
 
 config = mkIf (cfg.type == "zfs") {
diff --git a/global/fs/zfs/split.nix b/global/fs/zfs/split.nix
new file mode 100644
index 00000000..ea0dd93b
--- /dev/null
+++ b/global/fs/zfs/split.nix
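Review bot: The `mdProg` default `/usr/bin/true` in the new `split` option set is not a path that exists on a stock NixOS system (only `/usr/bin/env` is provided there), so the `PROGRAM ${cfg.mdProg}` line split.nix writes into mdadm.conf would point at a missing executable and mdadm's event hook would fail to exec whenever it fires. A store path is the safer default, e.g. `default = "${pkgs.coreutils}/bin/true";`, assuming `pkgs` is among this module's arguments (the function header is outside the hunk). `secret` is typed as a bare `str` although split.nix interpolates it into `/dev/disk/by-uuid/`; a `types.strMatching` pattern limited to hex digits and dashes would reject a malformed value at evaluation time instead of leaving the initrd waiting on a device that never appears. The enclosing `options.global.fs` attribute set starts outside the hunk; the two earlier hunks (import rename, `imports = [ ./split.nix ]`) raise nothing.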
@@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+ cfg = config.global.fs.zfs.split;
+in mkIf cfg.enable {
+ # unconditionally enable fstrim for xfs and ext4
+ services.fstrim.enable = mkDefault true;
+
+ # enable swraid for split raid1 system array
+ boot.swraid.enable = mkDefault true;
+ boot.swraid.mdadmConf = mkDefault ''
+ PROGRAM ${cfg.mdProg}
+ '';
+
+ # secret filesystem backed by LUKS on swraid
+ fileSystems."/nix/var/secret" =
+ { device = "/dev/disk/by-uuid/${cfg.secret}";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ neededForBoot = true;
+ depends = [ "/nix/var" ];
+ };
+
+ # import system state pool after encrypted filesystems become available for key loading
+ boot.initrd.systemd.services."zfs-import-${config.global.fs.store}".after = [ "cryptsetup.target" ];
+}
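Review bot: The `after = [ "cryptsetup.target" ]` on the `zfs-import-…` initrd service only orders the two units; it does not pull `cryptsetup.target` into the initrd transaction, so if the LUKS volume the comment refers to is not declared for initrd in another module the pool import is not delayed at all. Adding `wants = [ "cryptsetup.target" ];` next to it makes the dependency explicit, and the comment should state that `boot.initrd.luks.devices` for the array is expected to be configured elsewhere, since this file declares neither the LUKS device nor the `/nix/var` mount that `depends` names (per the option's documentation, `depends` only works for paths that are themselves mounted through `fileSystems`, so that assumption is worth a comment too). The fstrim comment says "unconditionally" but the value is set with `mkDefault` and can be overridden; `# enable fstrim by default for the xfs/ext4 members` matches what the code does.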