ZFS: Ask for stage 2 encryption passwords using systemd-ask-password

nixos/modules/tasks/filesystems/zfs.nix

@@ -490,7 +490,11 @@ in
             description = "Import ZFS pool \"${pool}\"";
             # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged
             requires = [ "systemd-udev-settle.service" ];
-            after = [ "systemd-udev-settle.service" "systemd-modules-load.service" ];
+            after = [
+              "systemd-udev-settle.service"
+              "systemd-modules-load.service"
+              "systemd-ask-password-console.service"
+            ];
             wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ];
             before = (getPoolMounts pool) ++ [ "local-fs.target" ];
             unitConfig = {
@@ -515,7 +519,20 @@ in
               done
               poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
               if poolImported "${pool}"; then
-                ${optionalString cfgZfs.requestEncryptionCredentials "\"${packages.zfsUser}/sbin/zfs\" load-key -r \"${pool}\""}
+                ${optionalString cfgZfs.requestEncryptionCredentials ''
+                  ${packages.zfsUser}/sbin/zfs list -rHo name,keylocation ${pool} | while read ds kl; do
+                    case "$kl" in
+                      none )
+                        ;;
+                      prompt )
+                        ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${packages.zfsUser}/sbin/zfs load-key "$ds"
+                        ;;
+                      * )
+                        ${packages.zfsUser}/sbin/zfs load-key "$ds"
+                        ;;
+                      esac
+                  done
+                ''}
                 echo "Successfully imported ${pool}"
               else
                 exit 1