Work-in-progress. Intended to be tied into secure boot.
$ nixos-rebuild build-vm --flake .#vm
$ ./result/bin/run-nixos-vm
# After logging in (username: root, password: changeme), run
$ tune2fs -O verity /dev/vda
$ reboot
# Then fs-verity and composefs should be available on the machine at least.
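A post-reboot check for the steps above, as an added example that is not part of the original notes: it confirms the ext4 `verity` feature flag is set on the device and that the kernel has the overlay and erofs filesystems registered, which composefs mounts rely on. The function names and the sample `tune2fs -l` lines are constructed for illustration, and `check_machine` assumes it is run as root inside the VM.

```shell
#!/bin/sh
# Added example (not from the original notes): post-reboot checks.

# Succeeds if `tune2fs -l` output on stdin lists the ext4 "verity" feature.
# Matches whole feature names, not substrings.
has_verity_feature() {
    awk -F: '/^Filesystem features:/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "verity") found = 1
    }
    END { exit !found }'
}

# Succeeds if /proc/filesystems-style text on stdin lists filesystem $1.
# Filesystems built as modules only appear once the module is loaded.
fs_registered() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# Constructed samples of the relevant `tune2fs -l` line, before and after
# `tune2fs -O verity`.
SAMPLE_BEFORE='Filesystem features:      has_journal ext_attr extent 64bit metadata_csum'
SAMPLE_AFTER='Filesystem features:      has_journal ext_attr extent 64bit metadata_csum verity'

# Run the checks against a real device (assumption: root inside the VM).
check_machine() {
    dev="${1:-/dev/vda}"
    rc=0
    if tune2fs -l "$dev" | has_verity_feature; then
        echo "ok:   $dev has the verity feature"
    else
        echo "FAIL: $dev lacks the verity feature"; rc=1
    fi
    for fs in overlay erofs; do
        if fs_registered "$fs" < /proc/filesystems; then
            echo "ok:   kernel has $fs registered"
        else
            echo "warn: $fs not registered (module may not be loaded)"
        fi
    done
    return "$rc"
}
```

Inside the VM, source the file and run `check_machine /dev/vda` after the reboot.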
This post seems to suggest what I want may be possible using overlayfs+erofs (after implementing additional features in those filesystems...). This discussion seems pretty contentious, to say the least. Watch for replies to this