{
  pkgs,
  lib,
  config,
  ...
}:
with lib;
let
  cfg = config.global.fs.zfs.split;
in
mkIf cfg.enable {
  # unconditionally enable fstrim for xfs and ext4
  services.fstrim.enable = mkDefault true;

  # enable swraid for split raid1 system array
  boot.swraid.enable = mkDefault true;
  boot.swraid.mdadmConf = mkDefault ''
    PROGRAM ${cfg.mdProg}
  '';

  # secret filesystem backed by swraid
  fileSystems."/nix/var/secret" = {
    device = "/dev/disk/by-uuid/${cfg.secret}";
    fsType = "ext4";
    options = [ "noatime" ];
    neededForBoot = true;
    depends = [ "/nix/var" ];
  };

  # external store backed by swraid
  global.fs = {
    zfs.externalStore = mkDefault true;
    external.device = "/dev/disk/by-uuid/${cfg.store}";
    external.fsType = "xfs";
    external.options = [ "noatime" ];
  };

  # import system state pool after encrypted filesystems become available for key loading
  boot.initrd.systemd.services."zfs-import-${config.global.fs.store}".after = [
    "sysroot-nix-var-secret.mount"
    "cryptsetup.target"
  ];
}