Documentation

how is the aquaris set passed to modules?
the commands module

ZFS magic

Split security domain concept:

root dataset:
- uses key stored on TPM, gated by Secure Boot, managed by clevis and zfs-autokey
- or: ZFS on LUKS, managed by systemd-cryptenroll
- track this PR for binding to OS-specific PCRs
user datasets:
- use user passwords as keys, managed by zfs-pam
- or maybe something like this?