On Debian I used to LUKS-encrypt my root partition and unlock it with a password, and I had swap on a separate partition (a real partition, not LVM) and unlocked it with a /dev/urandom key.
In other words, on every boot the swap partition data got lost and the partition was re-encrypted.
It looks like this:
```
# cat /etc/crypttab
rootcrypt UUID=4d0e286a-53b1-4e11-b971-c7a42c9c700a none luks,discard
swapcrypt PARTUUID=a8e2f38b-7012-4eb0-981f-5c1852944c88 /dev/urandom cipher=aes-xts-plain64,discard,hash=sha512,plain,sector-size=4096,size=512,swap
```
```
# cat /etc/fstab
/dev/mapper/rootcrypt / btrfs noatime,subvol=@rootfs 0 0
/dev/mapper/swapcrypt none swap sw 0 0
```
I set this up before installing from the ISO, but nixos-generate-config picked up only the fact that swap is on LUKS, not that it is re-encrypted/reformatted on every boot.
Could you please tell me how to set this up on NixOS?