# Storage layout for hosts using the "split" ZFS profile
# (config.global.fs.zfs.split): software RAID carries an ext4 secret
# filesystem and an xfs external store, and the ZFS pool import in the initrd
# is ordered after both the secret mount and cryptsetup.
{ pkgs, lib, config, ... }:
let
  inherit (lib) mkDefault mkIf;

  cfg = config.global.fs.zfs.split;

  # Both swraid-backed filesystems are addressed by filesystem UUID.
  byUuid = uuid: "/dev/disk/by-uuid/${uuid}";
  noAtime = [ "noatime" ];
in
mkIf cfg.enable {
  # Periodic TRIM for the ext4 and xfs filesystems declared below.
  # Set with mkDefault, so a host can still override it.
  services.fstrim.enable = mkDefault true;

  # Software RAID for the split raid1 system array.
  # NOTE(review): mdadm's monitor executes the PROGRAM target on array events,
  # so cfg.mdProg should be an absolute path to a trusted executable that
  # unprivileged users cannot replace. The option's type is declared outside
  # this file; confirm it is constrained accordingly.
  boot.swraid = {
    enable = mkDefault true;
    mdadmConf = mkDefault ''
      PROGRAM ${cfg.mdProg}
    '';
  };

  # Secret filesystem backed by swraid; mounted in the initrd (neededForBoot)
  # and only after /nix/var.
  # NOTE(review): noatime is the only mount option. If nothing stored here has
  # to be executed or carry setuid bits or device nodes, nodev/nosuid/noexec
  # would be cheap hardening; confirm against whatever consumes this path.
  # Ownership and mode of the mount point are not set in this file.
  fileSystems."/nix/var/secret" = {
    device = byUuid cfg.secret;
    fsType = "ext4";
    options = noAtime;
    neededForBoot = true;
    depends = [ "/nix/var" ];
  };

  # External store backed by swraid.
  global.fs = {
    zfs.externalStore = mkDefault true;
    external = {
      device = byUuid cfg.store;
      fsType = "xfs";
      options = noAtime;
    };
  };

  # Import the system state pool only after the secret filesystem is mounted
  # under /sysroot and cryptsetup.target is reached, so keys can be loaded.
  # NOTE(review): `after` is ordering only; it neither pulls in nor requires the
  # mount unit. Presumably neededForBoot above is what gets it mounted in the
  # initrd. If the import must never run without the secret filesystem, state
  # that dependency explicitly (e.g. `requires`); confirm the intended
  # failure behaviour.
  boot.initrd.systemd.services."zfs-import-${config.global.fs.store}".after = [
    "sysroot-nix-var-secret.mount"
    "cryptsetup.target"
  ];
}