hostconfig/gandalf: Encrypt swap

hostconfig/gandalf/hardware-configuration.nix

@@ -27,10 +27,6 @@
       options = [ "fmask=0022" "dmask=0022" ];
     };
 
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/6993932f-5b29-4207-915a-2f185ec9f485"; }
-    ];
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hostconfig/gandalf/nixos.nix

@@ -1,17 +1,31 @@
 { pkgs, ... }:
+let
+  swap = "/dev/disk/by-uuid/66d89c4f-6d79-4bb5-8d83-d53ea07a5fb0";
+in
 {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.kernelParams = [ "amd_pstate=active" ];
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  boot.resumeDevice = "/dev/disk/by-uuid/6993932f-5b29-4207-915a-2f185ec9f485";
+  boot.resumeDevice = swap;
 
   services.logind.lidSwitch = "suspend-then-hibernate";
   systemd.sleep.extraConfig = ''
     HibernateDelaySec=1h
   '';
 
+  swapDevices = [
+    {
+      device = swap;
+      encrypted = {
+        enable = true;
+        label = "swap-dev";
+        blkDev = "/dev/disk/by-uuid/54642cf7-2f34-4a75-9a6b-82a0df72d2bb";
+      };
+    }
+  ];
+
   powerManagement = {
     enable = true;
     powertop.enable = true;