zfs: Load file based keys at boot

files/zfs/zfs-load-key.sh

@@ -37,11 +37,16 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${root}" | awk -F\/ '{print
     # if the root dataset has encryption enabled
     ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${root}")
     if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
-        # decrypt them
-        TRY_COUNT=5
-        while [ $TRY_COUNT -gt 0 ]; do
-            systemd-ask-password "Encrypted ZFS password for ${root}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
-            TRY_COUNT=$((TRY_COUNT - 1))
-        done
+        KEYFORMAT=$(zfs get -H -o value keyformat "${root}")
+        if [ "${KEYFORMAT}" = "passphrase" ]; then
+            # decrypt them
+            TRY_COUNT=5
+            while [ $TRY_COUNT -gt 0 ]; do
+                systemd-ask-password "Encrypted ZFS password for ${root}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
+                TRY_COUNT=$((TRY_COUNT - 1))
+            done
+        else
+            zfs load-key "${ENCRYPTIONROOT}"
+        fi
     fi
 fi

manifests/profile/base/zfs.pp

@@ -3,6 +3,29 @@ class nest::profile::base::zfs {
     ensure => installed,
   }
 
+  $zfs_mount_override = @(EOF)
+    [Service]
+    ExecStart=
+    ExecStart=/sbin/zfs mount -al
+    | EOF
+
+  file {
+    default:
+      mode  => '0644',
+      owner => 'root',
+      group => 'root',
+    ;
+
+    '/etc/systemd/system/zfs-mount.service.d':
+      ensure => directory,
+    ;
+
+    '/etc/systemd/system/zfs-mount.service.d/load-key.conf':
+      content => $zfs_mount_override,
+      notify  => Nest::Systemd_reload['zfs'],
+    ;
+  }
+
   file { '/usr/lib/dracut/modules.d/90zfs/zfs-load-key.sh':
     mode    => '0755',
     owner   => 'root',