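{ pkgs, lib, config, inputs, ... }:
let
  cfg = config.xyno.impermanence;

  # Build one `environment.persistence.<root>` attrset from an option tree that
  # carries `files`, `directories` and `user.{files,directories}`. It is applied
  # to both the long-lived tree (`cfg`) and the throwaway tree (`cfg.cache`).
  # The parameter is named `tree`, not `cfg`, so it cannot shadow the
  # module-level binding above.
  genImpermanenceCfg = tree: {
    # Keep the bind mounts out of `mount`/`df` listings; they are plumbing.
    hideMounts = true;
    directories = tree.directories;
    files = tree.files;
    users.${config.xyno.system.user.name} = {
      directories = tree.user.directories;
      files = tree.user.files;
    };
  };

  # The four `files` / `directories` option pairs share a shape; these helpers
  # keep type and default identical across them and add a description each.
  mkFiles = description: lib.mkOption {
    inherit description;
    type = lib.types.listOf lib.types.str;
    default = [ ];
  };
  # `anything` because impermanence accepts either a plain path or an attrset
  # such as `{ directory = "..."; mode = "0700"; }`; impermanence validates the
  # entries itself when the persistence config is evaluated.
  mkDirs = description: lib.mkOption {
    inherit description;
    type = lib.types.listOf lib.types.anything;
    default = [ ];
  };
in
{
  options.xyno.impermanence = {
    enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";

    files = mkFiles "System files kept across reboots (absolute paths, bind-mounted from /persistent).";
    directories = mkDirs "System directories kept across reboots; a path string or an impermanence attrset ({ directory; mode; ... }).";
    user = {
      files = mkFiles "Files in the main user's home kept across reboots (relative to $HOME).";
      directories = mkDirs "Directories in the main user's home kept across reboots (relative to $HOME); a string or an attrset.";
    };

    # Have a separate impermanence tree for "cache" files that can simply be
    # deleted when wanted; it lives under /persistent/cache and is marked
    # with a `.nobackup` file by the activation script below.
    cache = {
      files = mkFiles "Disposable system files kept under /persistent/cache.";
      directories = mkDirs "Disposable system directories kept under /persistent/cache.";
      user = {
        files = mkFiles "Disposable files in the main user's home, kept under /persistent/cache.";
        directories = mkDirs "Disposable directories in the main user's home, kept under /persistent/cache.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # With the root filesystem discarded on every boot, a password changed with
    # `passwd` would silently vanish; require users and passwords to be
    # declared in the configuration instead.
    users.mutableUsers = false;

    xyno.impermanence.files = [
      "/etc/machine-id" # systemd/zfs unhappy otherwise
    ];

    xyno.impermanence.directories = [
      "/var/log"
      "/var/lib/systemd/coredump"
      "/etc/ssh" # host keys; a fresh set per boot would trip every client's known_hosts
      # lanzaboote / sbctl Secure Boot signing keys.
      # NOTE(review): the directory is persisted with impermanence's default
      # mode; if sbctl does not itself create it owner-only, consider
      # `{ directory = "/var/lib/sbctl"; mode = "0700"; }` — confirm against sbctl.
      "/var/lib/sbctl"
      "/var/lib/nixos" # uid/gid maps, so declarative users keep stable ids across boots
    ];

    xyno.impermanence.user.directories = [
      "Downloads"
      "Music"
      "Pictures"
      "Documents"
      "Videos"
      "docs"
      "proj"
      "git"
      # Credential stores: explicitly owner-only so the bind-mounted copies
      # never end up world-readable.
      { directory = ".gnupg"; mode = "0700"; }
      { directory = ".ssh"; mode = "0700"; }
      { directory = ".local/share/keyrings"; mode = "0700"; }
      ".local/share/direnv" # direnv's allow-list; otherwise every project has to be re-trusted after each boot
    ];

    # sops-nix decrypts with the host's SSH key. The path points at the
    # persistent copy rather than /etc/ssh; presumably so it is readable
    # regardless of whether the /etc/ssh bind mount is already in place at
    # that point of activation — verify against the sops-nix activation order.
    sops.gnupg.sshKeyPaths = [ "/persistent/etc/ssh/ssh_host_rsa_key" ];

    xyno.impermanence.cache.directories = [ "/var/cache" ];
    xyno.impermanence.cache.user.directories = [ ".cache" ];

    environment.persistence."/persistent" = genImpermanenceCfg cfg;
    environment.persistence."/persistent/cache" = genImpermanenceCfg cfg.cache;

    # Workaround from
    # https://github.com/nix-community/impermanence/issues/254#issuecomment-2683859091
    # The directory-creation step must run after the users/groups exist and
    # after /persistent/var/lib/private has been created with the mode
    # below.
    system.activationScripts."createPersistentStorageDirs".deps = [
      "var-lib-private-permissions"
      "users"
      "groups"
    ];
    system.activationScripts = {
      "var-lib-private-permissions" = {
        deps = [ "specialfs" ];
        # /var/lib/private is the parent of DynamicUser service state; it is
        # created owner-only (0700) before impermanence touches it. The cache
        # root gets a `.nobackup` marker so backup tooling can skip it.
        text = ''
          mkdir -p /persistent/var/lib/private /persistent/cache
          chmod 0700 /persistent/var/lib/private
          touch /persistent/cache/.nobackup
        '';
      };
    };
  };
}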