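{ lib, ... }:
{
  # Single-disk BIOS/GPT layout: one LUKS container holding a btrfs filesystem
  # whose root subvolume is reset to a pristine snapshot on every boot
  # (impermanence). Only what is listed under environment.persistence below
  # survives a reboot.
  imports = with lib.nixosModules; [ disko impermanence ];

  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        # BIOS boot partition (type code EF02) so GRUB can embed its core image
        # on a GPT disk. NOTE(review): boot.loader.grub.device is not set here;
        # presumably disko's NixOS module derives it from this partition — confirm.
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            # Forces the LUKS1 header format (cryptsetup defaults to LUKS2),
            # which is what GRUB's cryptodisk support below can unlock.
            extraFormatArgs = [ "--type luks1" ];
            content = {
              type = "btrfs";
              # Install-time hook, run once after the subvolumes below exist:
              #  1. take a read-only snapshot ("blank") of the still-empty root
              #     subvolume; the initrd rolls root back to it on every boot;
              #  2. generate a random 4 KiB key file inside the encrypted /boot
              #     subvolume and enrol it as an additional LUKS key slot, so the
              #     initrd can unlock the container without a second passphrase
              #     prompt (GRUB already asked for one to read /boot).
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                rm -rf "$btrfs"

                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                # The key file lives on the running system's /boot, where the
                # default umask would leave it world-readable to local users;
                # create it root-only and lock it down explicitly.
                (umask 077 && dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4)
                chmod 0400 "$boot/luks.bin"
                cryptsetup luksAddKey \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rm -rf "$boot"
              '';
              subvolumes =
                let
                  # All regular subvolumes share the same mount options.
                  mkSubvol = mountpoint: {
                    inherit mountpoint;
                    mountOptions = [ "compress=zstd" "noatime" ];
                  };
                in
                {
                  "/root" = mkSubvol "/";
                  "/boot" = mkSubvol "/boot";
                  "/home" = mkSubvol "/home";
                  "/nix" = mkSubvol "/nix";
                  "/persist" = mkSubvol "/persist";
                  "/log" = mkSubvol "/var/log";
                  # Dedicated subvolume for the swap file; disko creates the
                  # file itself from swap.swapfile.size.
                  "/swap" = {
                    mountpoint = "/.swap";
                    swap.swapfile.size = "4G";
                  };
                };
            };
          };
        };
      };
    };
  };

  # Both must be mounted in stage 1: /persist backs the bind mounts declared
  # under environment.persistence, and /var/log must be a real mount before
  # logging starts, otherwise early logs land on the soon-discarded root.
  fileSystems = {
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
  };

  boot = {
    loader.grub = {
      enable = true;
      # GRUB unlocks the LUKS1 container itself to read the kernel and initrd
      # from the encrypted /boot subvolume.
      enableCryptodisk = true;
    };
    initrd = {
      # Embed the key file created in postCreateHook into the initrd (which
      # itself sits on the encrypted /boot), and use it to open the container.
      # The key therefore never exists outside the LUKS volume at rest.
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      # Impermanence rollback, ordered before the root filesystem is mounted:
      # delete every subvolume nested under root, then root itself, and
      # recreate root as a writable snapshot of "blank".
      #
      # Cleanup is done inline rather than via `trap ... EXIT`: the original
      # trap referenced an undefined $btrfs_root, so the umount failed and
      # `rm -rf "$btrfs"` would have run against the still-mounted filesystem.
      # NOTE(review): NixOS's stage-1 script appears to install its own EXIT
      # trap for its failure handler, which a trap here would override — confirm.
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"

        btrfs subvolume list -o "$btrfs/root" \
          | cut -f9 -d' ' \
          | while read subvolume; do
              btrfs subvolume delete "$btrfs/$subvolume"
            done \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"

        umount "$btrfs"
        rm -rf "$btrfs"
      '';
    };
  };

  environment.persistence."/persist" = {
    # Keep the bind mounts out of `mount`/`df` output.
    hideMounts = true;
    # The only directory persisted across reboots in this module; everything
    # else on / is discarded by the rollback above.
    directories = [
      {
        directory = "/var/lib/nixos";
        user = "root";
        group = "root";
        mode = "u=rwx,g=rx,o=rx";
      }
    ];
  };
}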