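# Persistence layout for an ephemeral (wiped-on-boot) root. Everything in this
# module is gated on `config.ephemeralRoot`: when it is false no activation
# scripts are added and both impermanence roots are disabled.
{ adminUser, config, lib, ... }:
let
  # Shell-quote the interpolated path once so an unusual user name cannot
  # split words or inject into the activation script below.
  adminHome = lib.escapeShellArg "/persist/save/home/${adminUser.name}";
  adminUid = toString adminUser.uid;
  adminGid = toString adminUser.gid;
in
{
  system.activationScripts = lib.mkIf config.ephemeralRoot {
    # impermanence's own directory-creation script must run after the two
    # permission fixups below (and after users/groups exist), so that it finds
    # the 0700, correctly-owned targets instead of creating them with defaults.
    "createPersistentStorageDirs".deps = [
      "var-lib-private-permissions"
      "home-user-permissions"
      "users"
      "groups"
    ];

    # /var/lib/private is persisted via /var/lib/systemd's neighbour below and
    # is kept at 0700. `install -d -m` creates it with the final mode in one
    # step (and re-applies the mode if it already exists), so there is no
    # window where a fresh directory is briefly created with the umask default
    # and then tightened by a separate chmod.
    "var-lib-private-permissions" = {
      deps = [ "specialfs" ];
      text = ''
        install -d -m 0700 /persist/var/lib/private
      '';
    };

    # The admin user's persisted home. Only the top-level directory is owned
    # and chmod'ed here. The original `chown -R` over a user-writable tree,
    # executed as root on every activation, is unnecessary (files the user
    # creates are already theirs) and is a classic hazard: a hard link to a
    # root-owned file placed inside the tree would be handed over to the user.
    # Files that pre-existed with foreign ownership are therefore left alone
    # and must be fixed up manually once, if that is ever needed.
    "home-user-permissions" = {
      deps = [ "specialfs" ];
      text = ''
        install -d -m 0700 -o ${adminUid} -g ${adminGid} ${adminHome}
      '';
    };
  };

  # System state that must survive a root wipe; bind-mounted from /persist.
  environment.persistence."/persist" = {
    enable = config.ephemeralRoot;
    # Keep the bind mounts out of mount listings (impermanence option).
    hideMounts = true;
    directories = [
      "/root"
      "/var/lib/containers"
      "/var/lib/nixos"
      "/var/lib/systemd"
      "/var/log"
    ];
    files = [
      "/etc/machine-id"
      # Persisting the host key keeps its identity stable across boots, so
      # clients' known_hosts entries keep matching; the private key therefore
      # lives on /persist and inherits that filesystem's protection.
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  # Per-user state for the admin account, kept under a separate persistence
  # root. The home directory itself is prepared (0700, user-owned) by the
  # `home-user-permissions` activation script above.
  environment.persistence."/persist/save" = {
    enable = config.ephemeralRoot;
    hideMounts = true;
    users.${adminUser.name} = {
      directories = [ ];
      files = [ ".ssh/known_hosts" ];
    };
  };
}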