Root on ZFS: Warn against native encryption; add NixOS tutorial for LUKS

[ghost]

Hopefully I've got the reStructuredText indentation right. This PR contains two changes:

• Add warning against ZFS native encryption, with references
• Add LUKS-based guide for NixOS

Tested with https://github.com/ne9z/openzfs-docs/actions/runs/6651356857/job/18073228694

[ghost]

Well, I'm not too certain about the "production ready" phrasing. To quote rincebrain again:

Depending on which problem, sometimes this is "just" a kernel panic, sometimes it mangles your key settings so you need something custom and magic to let you reach in and fix it, sometimes it writes records that should not have been allowed in an encrypted dataset and then errors out trying to read them again. (To pick three examples.)

What do you think?

[ghost]

Quote from ElvishJerricco:

One of those bugs even leaked plaintext on disk (#14330)

Quote from rincebrain in that issue

So it seems like somehow we generated an embedded write record on an encrypted dataset. Whoopsie.

So at this point, not even the promise of proper encryption has been fulfilled by ZFS native encryption. You might consider this a disadvantage.

[ghost]

@gmelikov I don't know what your intentions are. Should we hide the fact that native encryption codebase is unmaintained and buggy? In any case, I have updated the pull request to address your comments above.

[gmelikov]

@ne9z of course we should not hide problems, but if something so terribly broken in stable releases, then we have to disable it in code at all, or at least escalate it in code repo. Plus this is an official documentation, we should be careful with (un)ambiguous declarations.

I like your wording, thank you!