diff --git a/.sops.yaml b/.sops.yaml index b6c1cd4..8be98aa 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,7 @@ keys: - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q - &lithium age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk - - &cert-store age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7 + - &cert-store age1hy7uunj0lnjv6uyqf7s5t5dnc8e0u48x30jva05sxykqtplqe44sf4acxc - &cert-store-age age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp - &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4 - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7 diff --git a/hosts/cert-store/configuration.nix b/hosts/cert-store/configuration.nix index de3ae0a..3a738e5 100644 --- a/hosts/cert-store/configuration.nix +++ b/hosts/cert-store/configuration.nix @@ -1,7 +1,6 @@ -{ lib, ... }: +{ ... }: { environment.persistence."/persist".enable = true; - swapDevices = lib.mkForce [ ]; imports = [ ../../shared/base.nix diff --git a/hosts/ci/configuration.nix b/hosts/ci/configuration.nix index e7fdc97..6b29cf0 100644 --- a/hosts/ci/configuration.nix +++ b/hosts/ci/configuration.nix @@ -1,5 +1,12 @@ { ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + imports = [ ../../shared/base.nix ../../shared/hardware/vm.nix diff --git a/hosts/forgejo/configuration.nix b/hosts/forgejo/configuration.nix index 5de4085..c3945b7 100644 --- a/hosts/forgejo/configuration.nix +++ b/hosts/forgejo/configuration.nix @@ -1,5 +1,12 @@ { ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + imports = [ ../../shared/base.nix ../../shared/hardware/vm.nix diff --git a/hosts/gaming/configuration.nix b/hosts/gaming/configuration.nix index 57d1e63..eb44176 100644 --- a/hosts/gaming/configuration.nix +++ b/hosts/gaming/configuration.nix 
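Review bot: The `&cert-store` recipient swap under `keys:` is only reflected in `secrets/cert-store.yaml` in this commit, so any other SOPS file whose creation rule lists `*cert-store` would still be wrapped to the old key and would need `sops updatekeys`; the creation rules are outside this hunk, so that is worth confirming. In `secrets/cert-store.yaml` the `lastmodified` and `mac` lines are unchanged context, which suggests the data key was only re-wrapped to the new recipient and not rotated. If the old key was replaced because it may have been exposed, rather than because the host was reinstalled, re-wrapping is not enough: the old ciphertext remains in git history, so the data key should be rotated with `sops rotate` (`sops -r` on older releases) and the secret values reissued. A comment beside the anchor, for example `# host key regenerated on reinstall, <date>`, would record which case applies.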
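Review bot: The swap file added at `/var/lib/swapfile` in `hosts/ci/configuration.nix` is not encrypted, unlike the swap partition this commit adds to `shared/disko/zfs-impermanence.nix` with `randomEncryption = true`, so memory pages from this host can reach disk in the clear. The same block is repeated in the forgejo, gaming, idacloud, nextcloud, syncthing and vaultwarden hunks, and on vaultwarden and forgejo in particular paged-out memory may hold decrypted secrets or credentials. Unless the underlying volume is already encrypted (not visible here), consider adding `randomEncryption.enable = true;` to the entry, after checking that it behaves as expected with a file-backed swap device on your NixOS release. Moving the block into one shared module imported by these hosts would also keep the seven copies from drifting apart.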
@@ -1,5 +1,12 @@ { lib, ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + imports = [ ../../shared/base.nix ../../shared/hardware/nvidia.nix diff --git a/hosts/idacloud/configuration.nix b/hosts/idacloud/configuration.nix index 0b6a776..2f0a8fc 100644 --- a/hosts/idacloud/configuration.nix +++ b/hosts/idacloud/configuration.nix @@ -1,5 +1,12 @@ { config, ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + custom.nextcloud_domain = "idacloud.sinerva.eu"; services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ]; custom.collabora_domain = "idacollab.sinerva.eu"; diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix index 99c2654..9f262fc 100644 --- a/hosts/nextcloud/configuration.nix +++ b/hosts/nextcloud/configuration.nix @@ -1,5 +1,12 @@ { ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + custom.nextcloud_domain = "nextcloud.vsinerva.fi"; imports = [ diff --git a/hosts/syncthing/configuration.nix b/hosts/syncthing/configuration.nix index de20889..47010d0 100644 --- a/hosts/syncthing/configuration.nix +++ b/hosts/syncthing/configuration.nix @@ -1,5 +1,12 @@ { lib, ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + imports = [ ../../shared/base.nix ../../shared/hardware/vm.nix diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix index ccfb135..7a52774 100644 --- a/hosts/vaultwarden/configuration.nix +++ b/hosts/vaultwarden/configuration.nix @@ -1,5 +1,12 @@ { ... }: { + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + imports = [ ../../shared/base.nix ../../shared/hardware/vm.nix diff --git a/secrets/cert-store.yaml b/secrets/cert-store.yaml index 8ef082c..2dca54b 100644 --- a/secrets/cert-store.yaml +++ b/secrets/cert-store.yaml 
@@ -5,20 +5,20 @@ sops: - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKczdMTHNtaDdCVG5XNWV3 - SGhoYTRyNnh3TUJKYmhvTlh3dlU4SThjRmwwCjE0a1ltMEJ1UjdTaUhGVHc5cHhn - V1NZWko2Mm4wWnRmdFZ3TVdSNGVjd0kKLS0tIGhXN0NvKzFiS3llN3QwYjRCNU85 - enVpUDZhNEd4OCsySDZnSmIrRGlNaW8KTDI/B+JR5FO3h1kjEzC7PGn0WCsFKO6F - Efgr1f5PdyaNZOGgnWm1GarH9WeFSPX57q+p+z6xU+DU7xv72oH6Uw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RDIvZVNibVRQV24zNm9V + a1Q5SU5UakZ4eDA2RWQxbXduZ3JsMHUyNlhBCkYyUmpON0htZ3RyNWJXYUVHMWpv + NUd5ZVZmMzFMQk5PR3gzbEowUmV2Q1kKLS0tIEJIUDkraERVcG9SMWFUblhXam42 + SHlycUJvd0RNNDNBY3REc2VhN0RpNlkKij54wD3j8yDeurHOTL9IwnkXiCqJMePK + PVxSF1VLLEUSiPaZpXKhUD4ghz/YwjBDsbVORh1btpol2LKq63ChUw== -----END AGE ENCRYPTED FILE----- - - recipient: age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7 + - recipient: age1hy7uunj0lnjv6uyqf7s5t5dnc8e0u48x30jva05sxykqtplqe44sf4acxc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFcyWU1FTTBHa2YxeGVZ - NG93RVFCUVNpNWJQVVp5QXpUbzl0cFV5SDFRCjFiQjcrN0JkRTVNSFRtelVqa3g1 - bnE2QldHeHV6Mm1UR01EcG16MXZzaVkKLS0tIDF5QkVhVVNIbllHSExXRVYzSW0y - dEw0eC9vQ09UYUxVYlByZ3U1MW5RQTAKjRYBemgMpjuO7kIgWWY/dIngE+oWJoaI - 8WJ1n7QqrOo5Q3tBFcSbQc0dR5AGSo5itZzPBsDjS7e4fIz3DrPJOQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFVNTGhBcDhEZW9DVHFW + Y3hhSWo4V3JKbmFnelZZUnFWcGNQM29rS2lFClBLUlArUGcxb2kvR3dEaVJoR0pS + cWpvME10M01BNENXQWtjcWdPYU5PVEUKLS0tIDYrUTAvT21CQ1d1REFsUlFINi9m + WmVyUDFxNEhhZEhhcTg2QmlacjZGY2MKn3fLG9OMtKmZ71PXJLqpEonlWHNd5zTR + cwvrSNArR5neDMdlVQlh9pHweSWQKP6MQ5ilbTnH5ksoTP+Or36aBQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-06-22T21:06:19Z" mac: 
ENC[AES256_GCM,data:721h9RrvnmUmIIpp02tLqlkF0Nx4Fmy36pMagqg9wo7xP8gtauEwE8FYOQWsrqo6vJTv1G+nzMRoorRrRodPuvYHBzxvxgNVacU4bzD5zN9v+wz/HEgbB+YIDKeOAY3/8Sjf5BrZdaN/75GNJUtYX8EVpUy9m9Y/WqtP3OWHTsA=,iv:jYXah33gFURc0+AbaHoBpsoWhBNJaBkie7Hc8Gz8qco=,tag:j96I6pH4xSUhocEpEr586Q==,type:str] diff --git a/shared/disko/zfs-impermanence.nix b/shared/disko/zfs-impermanence.nix index b5e6315..c56f72c 100644 --- a/shared/disko/zfs-impermanence.nix +++ b/shared/disko/zfs-impermanence.nix @@ -18,6 +18,14 @@ mountOptions = [ "umask=0077" ]; }; }; + swap = { + size = "2G"; + content = { + type = "swap"; + discardPolicy = "both"; + randomEncryption = true; + }; + }; zfs = { size = "100%"; content = { diff --git a/shared/hardware/vm.nix b/shared/hardware/vm.nix index cdc579d..7433547 100644 --- a/shared/hardware/vm.nix +++ b/shared/hardware/vm.nix @@ -1,12 +1,5 @@ { lib, modulesPath, ... }: { - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 2 * 1024; - } - ]; - services.qemuGuest.enable = true; imports = [
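Review bot: `discardPolicy = "both"` next to `randomEncryption = true` on the new `swap` partition in `shared/disko/zfs-impermanence.nix` needs a comment or a decision, because the two settings work against each other. With a randomly keyed dm-crypt mapping, discards normally do not reach the disk unless the mapping explicitly allows them, so the policy may have no effect; where they are allowed, the pattern of trimmed blocks shows which parts of the swap area are in use. I would either drop `discardPolicy` or document the trade-off, e.g. `# discards accepted: exposes swap usage pattern, not contents`. Hosts already installed from this layout will not have the partition, so confirm that every importer is being reinstalled (the new cert-store age key suggests that host was). The enclosing partitions attrset starts and ends outside the hunk.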