{ inputs, options, ... }:
{
  imports = [ inputs.impermanence.nixosModules.impermanence ];

  # Several bind mounts originate under /persist and must be available
  # before the rest of the boot sequence continues.
  fileSystems."/persist".neededForBoot = true;

  environment.persistence."/persist" = {
    # Keep the individual bind mounts out of mount listings.
    hideMounts = true;

    directories = [
      "/var/lib/nixos"
      "/var/lib/bluetooth"
      "/var/lib/fprint"
      "/var/lib/upower"
      "/var/lib/tailscale"
      "/var/lib/libvirt"
      "/var/lib/samba"
      # NOTE(review): core dumps are snapshots of process memory and can
      # contain credentials; persisting them keeps that data across reboots.
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
      "/var/lib/iwd" # Known networks and keys
      # colord state, owned by its service user and not world-accessible.
      {
        directory = "/var/lib/colord";
        user = "colord";
        group = "colord";
        mode = "u=rwx,g=rx,o=";
      }
      # TODO: cups?
    ];

    files = [
      "/etc/machine-id"
      #{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
      # NetworkManager's per-host secret and its network history.
      "/var/lib/NetworkManager/secret_key"
      "/var/lib/NetworkManager/seen-bssids"
      "/var/lib/NetworkManager/timestamps"
    ];
  };

  # /etc/{passwd,shadow} are not persisted
  users.mutableUsers = false;

  # Some report issues with impermanence file config for host keys, so just
  # change their location: take the default host key set and relocate each
  # key file underneath /persist.
  services.openssh.hostKeys =
    map (key: key // { path = "/persist${key.path}"; })
      options.services.openssh.hostKeys.default;

  # sudo lecture db is not persisted, turn it off
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
}