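{ ... }:
{
  # Impermanence configuration: state that must survive the root rollback
  # (bluetooth pairings, network credentials, service databases, ...).
  # The original note says /etc and /var/log are already persistent, so only
  # paths outside of those need to be listed here. See the hardware
  # configuration for all mountpoints.
  # NOTE(review): several /etc paths are nevertheless listed below
  # (/etc/NetworkManager/system-connections, /etc/nix, /etc/machine-id).
  # Confirm whether /etc as a whole is still persistent or this note is stale.
  environment.persistence."/nix/persist/system" = {
    hideMounts = true;

    directories = [
      # Plain-string entries take the persistence module's default owner and
      # mode. Several of these hold credentials or sensitive data (iwd and
      # NetworkManager connection profiles, tailscale node state, postgresql
      # data, core dumps that may contain process memory).
      # NOTE(review): verify the resulting permissions on the persistent
      # volume are as tight as each service expects.
      "/var/lib/bluetooth"
      "/var/lib/iwd"
      "/var/lib/nixos"
      "/var/lib/libvirt"
      "/var/lib/waydroid"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
      "/var/lib/tailscale"
      "/var/lib/homeassistant"
      "/var/lib/mosquitto"
      "/var/lib/music-assistant"
      "/var/lib/postgresql"
      "/var/lib/zigbee2mqtt"
      {
        directory = "/var/lib/colord";
        user = "colord";
        group = "colord";
        mode = "u=rwx,g=rx,o=";
      }
      {
        directory = "/etc/nix";
        user = "root";
        group = "root";
        mode = "u=rwx,g=rx,o=rx";
      }
      {
        directory = "/var/lib/private/authentik/media";
        user = "authentik";
        group = "authentik";
        mode = "u=rwx,g=,o=";
      }
      {
        # systemd treats /var/lib/private as the root-only boundary directory
        # for DynamicUser= state and creates it with mode 0700 itself; the
        # persisted copy is kept at the same mode instead of granting the
        # owning group read/traverse access.
        directory = "/var/lib/private";
        mode = "u=rwx,g=,o=";
      }
      {
        directory = "/media/nas";
        user = "nas-apps";
        group = "jallen-nas";
        mode = "u=rwx,g=rx,o=rx";
      }
      {
        # NOTE(review): group-writable and world-traversable. Confirm that
        # nothing stored here (local API credentials, database) is readable
        # by other users through its own file mode.
        directory = "/var/lib/crowdsec";
        user = "crowdsec";
        group = "crowdsec";
        mode = "u=rwx,g=rwx,o=rx";
      }
      {
        # NOTE(review): plugin storage for traefik is group-writable; keep
        # membership of the traefik group limited to the service itself.
        directory = "/plugins-storage";
        user = "traefik";
        group = "traefik";
        mode = "u=rwx,g=rwx,o=rx";
      }
    ];

    files = [
      "/etc/machine-id"
    ];
  };

  # The "already lectured" marker is lost on every rollback, so sudo would
  # show the lecture again after each reboot; turn the lecture off instead.
  security.sudo.extraConfig = ''
    # rollback results in sudo lectures after each reboot
    Defaults lecture = never
  '';
}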