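# Impermanence module: the root filesystem is rolled back on boot, so only the
# paths listed below survive a reboot (bind-mounted from /nix/persist/system).
# Extra entries can be added by other modules through the options declared in
# ./options.nix (cfg.extraDirectories / cfg.extraFiles).
{ config, lib, namespace, ... }:
let
  cfg = config.${namespace}.impermanence;
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    environment.persistence."/nix/persist/system" = {
      # Keep the per-path bind mounts out of `mount`/`df` listings.
      hideMounts = true;

      # Bare strings use impermanence's default owner/mode for the persisted
      # copy; attribute-set entries pin owner and mode explicitly.
      directories = [
        # Pairing link keys live here; they are credentials for paired devices.
        "/var/lib/bluetooth"
        "/var/lib/iwd"
        "/var/lib/nixos"
        "/var/lib/libvirt"
        "/var/lib/waydroid"
        # Core dumps are snapshots of process memory and can contain secrets;
        # persisting them means they outlive the reboot that would otherwise
        # discard them.  NOTE(review): confirm the retention/permission policy
        # for this directory is acceptable, or drop it if dumps are not needed.
        "/var/lib/systemd/coredump"
        # Connection profiles, including Wi-Fi PSKs and VPN secrets, are stored
        # here in plain text; NetworkManager expects the directory to be
        # root-only.  NOTE(review): this entry inherits impermanence's default
        # mode — verify the persisted copy is not group/world readable.
        "/etc/NetworkManager/system-connections"
        # Node identity and keys for the tailnet.
        "/var/lib/tailscale"
        {
          directory = "/var/lib/colord";
          user = "colord";
          group = "colord";
          mode = "u=rwx,g=rx,o=";
        }
        {
          directory = "/etc/nix";
          user = "root";
          group = "root";
          mode = "u=rwx,g=rx,o=rx";
        }
        {
          # State of systemd DynamicUser= services.  systemd creates this
          # directory 0700 root:root so that one dynamic user cannot traverse
          # into another service's state; the earlier "g=rx" widened it to
          # 0750, which is tightened back to root-only here.
          directory = "/var/lib/private";
          mode = "u=rwx,g=,o=";
        }
        {
          directory = "/media/nas";
          user = "nas-apps";
          group = "jallen-nas";
          mode = "u=rwx,g=rx,o=rx";
        }
      ] ++ cfg.extraDirectories;

      files = [
        # Must stay stable across reboots (journal, DHCP client IDs, etc.).
        "/etc/machine-id"
      ] ++ cfg.extraFiles;
    };

    # sudo records which users have seen its lecture in a state directory that
    # is not persisted, so without this every reboot re-triggers the lecture.
    security.sudo.extraConfig = ''
      # rollback results in sudo lectures after each reboot
      Defaults lecture = never
    '';
  };
}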