# NixOS module: declares which system state survives the root rollback
# (impermanence) and silences the sudo lecture that the rollback re-triggers.
{ ... }:
let
  # Location on the persistent volume that backs every path listed below.
  persistRoot = "/nix/persist/system";
in
{
  # Impermanence configuration for state such as Bluetooth pairings.
  # Per the original note, /etc and /var/log are already persistent, so only
  # directories outside of them need an entry here; see the hardware
  # configuration for all mount points.
  # NOTE(review): two /etc paths are still listed below. Confirm whether /etc
  # is really persistent on this host or whether the note is out of date.
  environment.persistence.${persistRoot} = {
    # Keep the per-directory bind mounts out of file-manager listings.
    hideMounts = true;

    directories = [
      # Bluetooth pairing data, including link keys.
      # NOTE(review): no mode is given here; verify the persisted copy ends
      # up root-only.
      "/var/lib/bluetooth"

      # NixOS uid/gid allocation state.
      "/var/lib/nixos"

      # libvirt state (domain definitions, storage pools, images).
      "/var/lib/libvirt"

      # Core dumps are snapshots of process memory and can contain secrets.
      # Persisting them means they outlive a reboot, so bound retention
      # (size / age limits in coredump.conf) and keep access restricted.
      "/var/lib/systemd/coredump"

      # State for systemd DynamicUser= services; owner-only on purpose.
      {
        directory = "/var/lib/private";
        mode = "u=rwx,g=,o=";
      }

      # Saved connection profiles; these can embed Wi-Fi PSKs and VPN
      # credentials.
      # NOTE(review): no mode is given here; verify the persisted directory
      # and its files are readable by root only.
      "/etc/NetworkManager/system-connections"

      # Nix configuration: root-owned, world-readable and traversable.
      {
        directory = "/etc/nix";
        user = "root";
        group = "root";
        mode = "u=rwx,g=rx,o=rx";
      }
    ];

    # Disabled: per-file persistence.
    # NOTE(review): the id_rsa entry asks for an owner-only parent directory,
    # while /etc/nix is declared world-traversable above. If this is ever
    # enabled, the private key must be protected by its own file mode (or be
    # moved to a root-only directory), and the two declarations reconciled.
    # files = [
    #   "/etc/machine-id"
    #   { file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
    # ];
  };

  # The text below is emitted into sudoers. The root rollback makes sudo show
  # its first-use lecture again after every reboot, so the lecture is turned
  # off; this changes only the banner, not authentication or authorization.
  security.sudo.extraConfig = ''
    # rollback results in sudo lectures after each reboot
    Defaults lecture = never
  '';
}