diff --git a/configurations/nixos/defiant/services.nix b/configurations/nixos/defiant/services.nix
index 2774a1d..73c7024 100644
--- a/configurations/nixos/defiant/services.nix
+++ b/configurations/nixos/defiant/services.nix
@@ -135,11 +135,6 @@ in {
     };
   };
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "jan-leila@protonmail.com";
-  };
-
   networking.firewall.allowedTCPPorts = [
     httpPort
diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix
index 7eecdd0..bd39d4c 100644
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
@@ -2,7 +2,9 @@
   lib,
   config,
   ...
-}: {
+}: let
+  dataDir = "/var/lib/acme";
+in {
   options.host.reverse_proxy = {
     enable = lib.mkEnableOption "turn on the reverse proxy";
     hostname = lib.mkOption {
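Review bot: The new `dataDir` binding in reverse_proxy.nix is a bare path with nothing saying what it must agree with, so a reader cannot tell that it mirrors the state directory the NixOS ACME service writes to rather than a directory this module is free to choose. I would add `# Must match the state directory the NixOS ACME service writes its account and certificate keys to; used below to persist them across reboots.` above `dataDir = "/var/lib/acme";`. The `options.host.reverse_proxy` attrset this hunk opens continues outside the hunk.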
@@ -32,25 +34,46 @@
     };
   };
-  # TODO: impermanence for ACME keys
-  config = {
-    security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
-      acceptTerms = true;
-      defaults.email = "jan-leila@protonmail.com";
-    };
+  config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [
+    {
+      security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
+        acceptTerms = true;
+        defaults.email = "jan-leila@protonmail.com";
+      };
-    services.nginx = {
-      enable = config.host.reverse_proxy.enable;
-      virtualHosts = lib.attrsets.mapAttrs' (name: value:
-        lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
-          forceSSL = config.host.reverse_proxy.forceSSL;
-          enableACME = config.host.reverse_proxy.enableACME;
-          locations."/" = {
-            proxyPass = value.target;
-            proxyWebsockets = value.websockets;
-          };
-        })
-      config.host.reverse_proxy.subdomains;
-    };
-  };
+      services.nginx = {
+        enable = true;
+        virtualHosts = lib.attrsets.mapAttrs' (name: value:
+          lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
+            forceSSL = config.host.reverse_proxy.forceSSL;
+            enableACME = config.host.reverse_proxy.enableACME;
+            locations."/" = {
+              proxyPass = value.target;
+              proxyWebsockets = value.websockets;
+            };
+          })
+        config.host.reverse_proxy.subdomains;
+      };
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      # TODO: figure out how to write an assertion for this
+      # assertions = [
+      #   {
+      #     assertion = security.acme.certs..directory == dataDir;
+      #     message = "postgres data directory does not match persistence";
+      #   }
+      # ];
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = dataDir;
+            user = "acme";
+            group = "acme";
+          }
+        ];
+      };
+    })
+  ]);
 }
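Review bot: The commented-out assertion in the new impermanence branch carries a copy-pasted message about postgres and a malformed attribute path (`security.acme.certs..directory`), so if it is ever uncommented it will neither evaluate nor report the right thing. A working form checks every configured certificate's `directory` against `dataDir` by folding over `config.security.acme.certs` with `lib.all`/`lib.hasPrefix`, and names ACME in the message; the rewritten branch is below with the persistence entry left as is. Since the persisted directory holds the ACME account and certificate private keys, it is also worth confirming that the ownership and mode impermanence applies to the bind mount (only user/group are set here) match what the ACME module's units expect, rather than relying on the defaults.
```nix
    (lib.mkIf config.host.impermanence.enable {
      # Every ACME certificate must live under the persisted dataDir,
      # otherwise account and certificate keys are lost on each reboot.
      assertions = [
        {
          assertion = lib.all (cert: lib.hasPrefix dataDir cert.directory)
            (lib.attrValues config.security.acme.certs);
          message = "ACME certificate directory does not match the persisted directory ${dataDir}";
        }
      ];
      # … unchanged: environment.persistence."/persist/system/root" entry …
    })
```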