_: {
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      # "/etc/secureboot"
      "/etc/ssh"
      "/etc/secrets"

      "/var/log"
      "/var/lib/systemd/coredump"
      "/var/lib/nixos"
      "/var/lib/containers"
      "/var/db/sudo"

      "/var/lib/acme"

      "/var/lib/prometheus2"
      "/var/lib/grafana"
      "/var/lib/bitwarden_rs"

      "/srv"
    ];
    files = [
      "/etc/machine-id"
    ];
  };

  fileSystems = {
    "/".neededForBoot = true;
    "/etc/ssh" = {
      depends = ["/persist"];
      neededForBoot = true;
    };
    "/persist".neededForBoot = true; # no further config is needed, disko handles the rest
  };
}