diff --git a/install.sh b/install.sh
index 4ce0ac2..384f6c2 100755
--- a/install.sh
+++ b/install.sh
@@ -18,13 +18,15 @@ fi
 echo "Installing NixOS to $DISK using flake at $FLAKE_DIR"
-# Create temporary directory for secureboot keys
+# Create temporary directories
 mkdir -p /tmp/secureboot
+mkdir -p /tmp/persistent
 # Function to cleanup on exit
 cleanup() {
 echo "Cleaning up..."
 rm -rf /tmp/secureboot 2>/dev/null || true
+ rm -rf /tmp/persistent 2>/dev/null || true
 }
 trap cleanup EXIT
@@ -40,6 +42,15 @@ nix-shell -p age --run "age -d -i '$FLAKE_DIR/usb-secrets/usb-secrets-key' '$FLA
 echo "Secureboot keys extracted"
+# Extract persistent partition secrets
+echo "Extracting persistent partition contents..."
+if [[ -f "$FLAKE_DIR/secrets/persistent.tar" ]]; then
+ tar -xzf "$FLAKE_DIR/secrets/persistent.tar" -C /tmp/persistent
+ echo "Persistent partition contents extracted"
+else
+ echo "Warning: persistent.tar not found, skipping persistent secrets"
+fi
+
 # Check if disko-install is available
 if ! command -v disko-install >/dev/null 2>&1; then
 echo "Running disko-install via nix..."
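Review bot: `mkdir -p /tmp/persistent` stages secret material under a fixed name in a world-writable directory, and `mkdir -p` succeeds silently when that path already exists, so a directory or symlink prepared by another local user would be reused, and a freshly created one gets the default umask rather than owner-only permissions. Create the staging directory with `PERSISTENT_TMP="$(mktemp -d)"` (unpredictable name, mode 0700) and point the cleanup at it with `rm -rf -- "$PERSISTENT_TMP"`; the later `tar -C` target and the `--extra-files` loop would have to use the same variable. The existing `/tmp/secureboot` line follows the same pattern. In `cleanup`, `2>/dev/null || true` also hides a failed removal, which would leave extracted secrets behind without any message.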
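Review bot: `persistent.tar` is unpacked straight from the checkout with no decryption or integrity step, unlike the secureboot keys that the line just above this hunk decrypts with `age -d`; if the archive really holds secrets, as the added comment says, they appear to be committed in plaintext (this commit adds `secrets/persistent.tar` as a binary file), which is worth confirming. If so, store the archive age-encrypted and pipe the `age -d` output into `tar -x -f - -C ...` instead of reading the file directly. The `tar` exit status is not checked, so "Persistent partition contents extracted" is printed even when extraction fails unless `set -e` is active outside the hunk; `tar ... || { echo "Failed to extract persistent.tar" >&2; exit 1; }` makes the failure explicit. `-z` requests gzip decompression while the file is named `.tar`, so either the name or the flag should change so the two agree.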
@@ -50,10 +61,28 @@ fi
 echo "Running disko-install to partition, format, and install NixOS..."
+# Build the extra-files arguments
+EXTRA_FILES_ARGS=(
+ --extra-files /tmp/secureboot /etc/secureboot
+ --extra-files "$FLAKE_DIR/usb-secrets/usb-secrets-key" /mnt/usb-secrets/usb-secrets-key
+)
+
+# Add each top-level item from persistent separately to avoid nesting
+# cp -ar creates /dst/src when copying directories, so we need to copy each item
+#
+# Also disko-install actually copies the files from extra-files, so we are good here
+if [[ -d /tmp/persistent ]] && [[ -n "$(ls -A /tmp/persistent 2>/dev/null)" ]]; then
+ for item in /tmp/persistent/*; do
+ if [[ -e "$item" ]]; then
+ basename=$(basename "$item")
+ EXTRA_FILES_ARGS+=(--extra-files "$item" "/persistent/$basename")
+ fi
+ done
+fi
+
 # Run disko-install with secureboot keys available
 sudo $DISKO_INSTALL \
 --mode format \
 --flake "$FLAKE_DIR#muffin" \
 --disk main "$DISK" \
- --extra-files /tmp/secureboot /etc/secureboot \
- --extra-files "$FLAKE_DIR/usb-secrets/usb-secrets-key" /mnt/usb-secrets/usb-secrets-key
+ "${EXTRA_FILES_ARGS[@]}"
diff --git a/secrets/persistent.tar b/secrets/persistent.tar
new file mode 100644
index 0000000..aa191e5
Binary files /dev/null and b/secrets/persistent.tar differ
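Review bot: The `for item in /tmp/persistent/*` loop in the install.sh hunk skips dot-entries, while the `ls -A` guard in front of it counts them, so a hidden top-level file or directory in the archive is silently left out of `/persistent`. Setting `shopt -s nullglob dotglob` before the loop covers those entries and makes both the `ls -A` test and the `[[ -e "$item" ]]` guard unnecessary. `basename=$(basename "$item")` reuses the command's name as a variable; `"/persistent/${item##*/}"` avoids both the shadowing and the extra process. Because the archive is extracted before the `sudo` call, presumably as the invoking user, the copied files may reach the target with that user's ownership, so the owner and mode of the secrets under `/persistent` should be verified after install.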