{ username, ... }:
let
  # Root of the volume that survives the wipe of the ephemeral root filesystem.
  persistRoot = "/persistent";

  # Host keys are the only files under /etc/ssh that must survive a root wipe;
  # the private halves are what give the host its stable SSH identity.
  # NOTE(review): these private keys are kept as plain files on the persistent
  # volume — confirm that volume is encrypted at rest.
  sshHostKeys = map (key: "/etc/ssh/${key}") [
    "ssh_host_ed25519_key"
    "ssh_host_ed25519_key.pub"
    "ssh_host_rsa_key"
    "ssh_host_rsa_key.pub"
  ];

  homeOf = user: "/home/${user}";
in
{
  environment.persistence.${persistRoot} = {
    # Hide the impermanence bind mounts from mounted-drive listings.
    hideMounts = true;

    directories = [
      "/var/log"
      "/var/lib/systemd/coredump"
      "/var/lib/nixos"
      "/var/lib/systemd/timers"
      # agenix identity sealed by the TPM; mode 0700 keeps the sealed material
      # readable by root only.
      {
        directory = "/var/lib/agenix";
        mode = "0700";
        user = "root";
        group = "root";
      }
    ];

    # Host keys plus a stable machine-id across reboots.
    files = sshHostKeys ++ [ "/etc/machine-id" ];

    users.root = {
      files = [ ".local/share/fish/fish_history" ];
    };
  };

  # Bind mount the user's home directory from persistent storage.
  fileSystems.${homeOf username} = {
    device = "${persistRoot}${homeOf username}";
    fsType = "none";
    options = [ "bind" ];
    neededForBoot = true;
  };

  # Ensure /etc exists with conventional permissions before other units run;
  # the omitted group field defaults to root.
  systemd.tmpfiles.rules = [ "d /etc 755 root" ];
}