diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index 1bc7321..51e052d 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -28,11 +28,64 @@ def get_my_clients(metadata):
     }
 
 
+@metadata_reactor.provides(
+    'backup-server/zfs-base',
+    'dm-crypt/encrypted-devices',
+    'zfs/pools',
+)
+def zfs_pool(metadata):
+    if not metadata.get('backup-server/encrypted-devices', {}):
+        return {}
+
+    crypt_devices = {}
+    pool_devices = set()
+    unlock_actions = set()
+
+    for number, (device, passphrase) in enumerate(sorted(metadata.get('backup-server/encrypted-devices', {}).items())):
+        crypt_devices[device] = {
+            'dm-name': f'backup{number}',
+            'passphrase': passphrase,
+        }
+        pool_devices.add(f'/dev/mapper/backup{number}')
+        unlock_actions.add(f'action:dm-crypt_open_backup{number}')
+
+    pool_opts = {
+        'devices': pool_devices,
+    }
+
+    if len(pool_devices) > 2:
+        pool_opts['type'] = 'raidz'
+    elif len(pool_devices) > 1:
+        pool_opts['type'] = 'mirror'
+
+    return {
+        'backup-server': {
+            'zfs-base': 'backups',
+        },
+        'dm-crypt': {
+            'encrypted-devices': crypt_devices,
+        },
+        'zfs': {
+            'pools': {
+                'backups': {
+                    'when_creating': {
+                        'config': [
+                            pool_opts,
+                        ],
+                    },
+                    'needs': unlock_actions,
+                },
+            },
+        }
+    }
+
+
+
 @metadata_reactor.provides(
     'zfs/datasets',
     'zfs/snapshots/retain_per_dataset',
 )
-def zfs(metadata):
+def zfs_datasets_and_snapshots(metadata):
     zfs_datasets = {}
     zfs_retains = {}
     retain_defaults = {