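{ ... }:
{
  # Impermanence configuration: state that must survive the root rollback
  # (Bluetooth pairings, service databases, and so on).
  # /etc and /var/log are already persistent in this setup, so only directories
  # outside of those need to be listed here. See the hardware configuration for
  # all mountpoints.
  #
  # Several of these paths hold long-lived secrets, so the backing store
  # (/nix/persist/system) deserves the same protection as the secrets themselves
  # (access control, and care in backups and snapshots).
  environment.persistence."/nix/persist/system" = {
    hideMounts = true;
    directories = [
      "/var/lib/bluetooth"
      "/var/lib/nixos"
      # Tailscale node state, including the machine's node key.
      "/var/lib/tailscale"
      "/var/lib/homeassistant"
      "/var/lib/mosquitto"
      "/var/lib/music-assistant"
      "/var/lib/postgresql"
      "/var/lib/zigbee2mqtt"
      # Core dumps are process memory images and may contain credentials;
      # persisting them keeps that data across reboots.
      "/var/lib/systemd/coredump"
      # NOTE(review): the header says /etc is already persistent, yet these two
      # /etc paths are listed explicitly. Confirm whether they are still needed.
      # Saved connection profiles (may include Wi-Fi and VPN secrets).
      "/etc/NetworkManager/system-connections"
      # Presumably the Secure Boot key bundle; verify it stays root-only.
      "/etc/secureboot"
      {
        # systemd sets up the DynamicUser= state root as 0700 root:root and
        # warns when the mode differs, so no group access is granted here
        # (previously g=rx).
        directory = "/var/lib/private";
        mode = "u=rwx,g=,o=";
      }
      {
        directory = "/var/lib/colord";
        user = "colord";
        group = "colord";
        mode = "u=rwx,g=rx,o=";
      }
    ];
  };

  # The sudo "lectured" marker is not persisted, so without this setting the
  # lecture would reappear after every reboot.
  security.sudo.extraConfig = ''
    # rollback results in sudo lectures after each reboot
    Defaults lecture = never
  '';
}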