From c739ecd89592d439f92ed1b559aec871fbb1f411 Mon Sep 17 00:00:00 2001
From: Nathan McCarty
Date: Thu, 27 Mar 2025 01:41:39 -0400
Subject: [PATCH] Encrypted swap

---
 nixos/machines/driftwood/hardware.nix | 93 +++++++++++++++------------
 1 file changed, 51 insertions(+), 42 deletions(-)

diff --git a/nixos/machines/driftwood/hardware.nix b/nixos/machines/driftwood/hardware.nix
index 9ee179b..025c247 100644
--- a/nixos/machines/driftwood/hardware.nix
+++ b/nixos/machines/driftwood/hardware.nix
@@ -1,57 +1,66 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
 
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
 
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
- fsType = "btrfs";
- options = [ "subvol=root" ];
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
 
- fileSystems."/nix" =
- { device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
- fsType = "btrfs";
- options = [ "subvol=nix" ];
- };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
 
- fileSystems."/var" =
- { device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
- fsType = "btrfs";
- options = [ "subvol=var" ];
- };
+ fileSystems."/var" = {
+ device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
+ fsType = "btrfs";
+ options = ["subvol=var"];
+ };
 
- fileSystems."/home" =
- { device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
- fsType = "btrfs";
- options = [ "subvol=home" ];
- };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
+ fsType = "btrfs";
+ options = ["subvol=home"];
+ };
 
- fileSystems."/etc" =
- { device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
- fsType = "btrfs";
- options = [ "subvol=etc" ];
- };
+ fileSystems."/etc" = {
+ device = "/dev/disk/by-uuid/e9e1adfb-feb9-4456-80a0-d8d306b36145";
+ fsType = "btrfs";
+ options = ["subvol=etc"];
+ };
 
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/DE13-B03B";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/DE13-B03B";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
 
- swapDevices =
- [ { device = "/dev/disk/by-uuid/fe4935bf-ae69-4529-87cd-1a913c346876"; }
- ];
+ swapDevices = [
+ {
+ device = "/dev/disk/by-partuuid/d2899053-892b-49b1-b9e9-55df9b635862";
+ randomEncryption = {
+ enable = true;
+ };
+ }
+ ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
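Review bot: The new `randomEncryption` entry in `swapDevices` carries two operational constraints that the file does not record: swap is re-keyed with a throwaway key on every boot, so hibernating to this device cannot resume, and the device has to stay a `/dev/disk/by-partuuid/…` path because the filesystem UUID and label are overwritten each time the mapping is created. I would add a comment above the entry, e.g. `# Re-keyed every boot: no hibernate/resume from this swap; keep by-partuuid (UUID/label are wiped).` Because the named partition is set up as fresh encrypted swap at boot, it is worth confirming out of band that this PARTUUID is the partition previously referenced by UUID, which the diff alone cannot show. The header kept at the top of the hunk still says the file is generated by nixos-generate-config and may be overwritten, so a regeneration could presumably drop the setting; keeping the swap override in a hand-maintained module would avoid a silent return to plaintext swap.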