nixos/clevis: add support for parent encrypted zfs datasets

    assertions = (attrValues (mapAttrs

      (device: _: {

        assertion = (any (fs: fs.device == device && (elem fs.fsType supportedFs)) config.system.build.fileSystems) || (hasAttr device config.boot.initrd.luks.devices);

        assertion = (any (fs: fs.device == device && (elem fs.fsType supportedFs) || (fs.fsType == "zfs" && hasPrefix "${device}/" fs.device)) config.system.build.fileSystems) || (hasAttr device config.boot.initrd.luks.devices);

        message = ''

          No filesystem or LUKS device with the name ${device} is declared in your configuration.'';

      })

  cfgZED = config.services.zfs.zed;

  selectModulePackage = package: config.boot.kernelPackages.${package.kernelModuleAttribute};

  clevisDatasets = map (e: e.device) (filter (e: e.device != null && (hasAttr e.device config.boot.initrd.clevis.devices) && e.fsType == "zfs" && (fsNeededForBoot e)) config.system.build.fileSystems);

  clevisDatasets = attrNames (filterAttrs (device: _: any (e: e.fsType == "zfs" && (fsNeededForBoot e) && (e.device == device || hasPrefix "${device}/" e.device)) config.system.build.fileSystems) config.boot.initrd.clevis.devices);

  inInitrd = config.boot.initrd.supportedFilesystems.zfs or false;

  inSystem = config.boot.supportedFilesystems.zfs or false;

    clevisLuksFallback

    clevisZfs

    clevisZfsFallback

    clevisZfsParentDataset

    clevisZfsParentDatasetFallback

    gptAutoRoot

    clevisBcachefs

    clevisBcachefsFallback

    '';

  };

  mkClevisZfsTest = { fallback ? false }: makeInstallerTest "clevis-zfs${optionalString fallback "-fallback"}" {

  mkClevisZfsTest = { fallback ? false, parentDataset ? false }: makeInstallerTest "clevis-zfs${optionalString parentDataset "-parent-dataset"}${optionalString fallback "-fallback"}" {

    clevisTest = true;

    clevisFallbackTest = fallback;

    enableOCR = fallback;

        "udevadm settle",

        "mkswap /dev/vda2 -L swap",

        "swapon -L swap",

    '' + optionalString (!parentDataset) ''

        "zpool create -O mountpoint=legacy rpool /dev/vda3",

        "echo -n password | zfs create"

        + " -o encryption=aes-256-gcm -o keyformat=passphrase rpool/root",

    '' + optionalString (parentDataset) ''

        "echo -n password | zpool create -O mountpoint=none -O encryption=on -O keyformat=passphrase rpool /dev/vda3",

        "zfs create -o mountpoint=legacy rpool/root",

    '' +

    ''

        "mount -t zfs rpool/root /mnt",

        "mkfs.ext3 -L boot /dev/vda1",

        "mkdir -p /mnt/boot",

        "mount LABEL=boot /mnt/boot",

        "udevadm settle")

    '';

    extraConfig = ''

    extraConfig = optionalString (!parentDataset) ''

      boot.initrd.clevis.devices."rpool/root".secretFile = "/etc/nixos/clevis-secret.jwe";

    '' + optionalString (parentDataset) ''

      boot.initrd.clevis.devices."rpool".secretFile = "/etc/nixos/clevis-secret.jwe";

    '' +

    ''

      boot.zfs.requestEncryptionCredentials = true;

  clevisLuksFallback = mkClevisLuksTest { fallback = true; };

  clevisZfs = mkClevisZfsTest { };

  clevisZfsFallback = mkClevisZfsTest { fallback = true; };

  clevisZfsParentDataset = mkClevisZfsTest { parentDataset = true; };

  clevisZfsParentDatasetFallback = mkClevisZfsTest { parentDataset = true; fallback = true; };

} // optionalAttrs systemdStage1 {

  stratisRoot = makeInstallerTest "stratisRoot" {

    createPartitions = ''