{ config, lib, pkgs, username, service_configs, inputs, ... }:

let
  # Mount point that survives a wipe of the (tmpfs) root filesystem; every
  # path below is bind-mounted or stored from here.
  persistRoot = "/persistent";

  # Shell history is kept for the interactive user and for root.
  # Shell history can capture secrets typed or pasted on the command line,
  # so this file deserves the same protection as the rest of persistRoot.
  fishHistory = ".local/share/fish/fish_history";

  # Host keys are stored straight on the persistent volume rather than being
  # bind-mounted into /etc/ssh.
  sshHostKey = name: "${persistRoot}/etc/ssh/${name}";
in
{
  imports = [ inputs.impermanence.nixosModules.impermanence ];

  # Impermanence: expose the listed paths from persistRoot on the ephemeral
  # root. hideMounts keeps the individual bind mounts out of mount listings.
  environment.persistence.${persistRoot} = {
    hideMounts = true;

    directories = [
      "/var/log"
      "/var/lib/systemd/coredump"
      # NixOS bookkeeping (uid/gid maps) that must remain stable across boots
      "/var/lib/nixos"
      "/var/lib/systemd/timers"
      # ZFS keeps its cache file here and replaces it atomically; persisting
      # the directory rather than the file avoids "device busy" errors.
      "/etc/zfs"
    ];

    files = [
      # Stable machine identity (journal, DHCP client ids, ...)
      "/etc/machine-id"
    ];

    users = {
      ${username}.files = [ fishHistory ];
      root.files = [ fishHistory ];
    };
  };

  # Keeping host keys directly under persistRoot is more reliable than a bind
  # mount for files a service generates itself; it also means the host
  # identity lasts across rebuilds instead of being regenerated (which would
  # trigger "host key changed" warnings on every client).
  services.openssh.hostKeys = [
    {
      path = sshHostKey "ssh_host_ed25519_key";
      type = "ed25519";
    }
    {
      path = sshHostKey "ssh_host_rsa_key";
      type = "rsa";
      bits = 4096;
    }
  ];

  # Pin root ownership on ${persistRoot}/etc. The impermanence activation
  # script mirrors ownership from persistRoot/etc onto /etc with
  # `chown --reference`; a non-root owner there makes sshd's StrictModes
  # reject /etc/ssh/authorized_keys.d/root, breaking root SSH logins while
  # other users keep working. "z" adjusts ownership/mode of an existing path
  # (non-recursively); "d" would only create it and do nothing if it exists.
  systemd.tmpfiles.rules = [
    "z ${persistRoot}/etc 0755 root root"
  ];
}