# Persistence glue for the crab-hole DNS service on hosts with an ephemeral root.
#
# Adds `services.crab-hole.impermanence.enable`, which defaults to on when both
# crab-hole and the host-level impermanence switch are enabled. When on, it
# persists the service's state directory under /persist/system/root and asserts
# that the unit's WorkingDirectory still points at that state.
{ lib, config, ... }:
let
  inherit (lib) mkIf mkOption types;

  cfg = config.services.crab-hole;

  # Real on-disk location that gets persisted. The "/private" component is the
  # layout systemd uses for StateDirectory= with DynamicUser=.
  # NOTE(review): the unit definition is not visible here; confirm it really
  # uses DynamicUser/StateDirectory.
  workingDirectory = "/var/lib/private/crab-hole";

  # The same path with "/private" stripped ("/var/lib/crab-hole"), which is the
  # value the unit's WorkingDirectory is compared against below.
  publicWorkingDirectory = builtins.replaceStrings [ "/private" ] [ "" ] workingDirectory;
in
{
  options.services.crab-hole.impermanence.enable = mkOption {
    type = types.bool;
    # Follows the service and the host-wide impermanence toggle unless
    # overridden explicitly.
    default = cfg.enable && config.host.impermanence.enable;
  };

  config = mkIf cfg.impermanence.enable {
    # Fail evaluation if the unit's working directory changes, instead of
    # silently persisting a path the service no longer writes to.
    assertions = [
      {
        assertion =
          config.systemd.services.crab-hole.serviceConfig.WorkingDirectory == publicWorkingDirectory;
        message = "crab-hole working directory does not match persistence";
      }
    ];

    environment.persistence."/persist/system/root".directories = [
      {
        directory = workingDirectory;
        # NOTE(review): systemd expects /var/lib/private itself to be
        # root-owned with mode 0700, so that files left behind by a recycled
        # dynamic UID are unreachable to other users. Only the leaf directory's
        # ownership is set here; verify the parent directory created on the
        # persistent volume (and its bind-mounted counterpart) keeps those
        # restrictive permissions.
        # NOTE(review): if the unit runs with DynamicUser=, confirm that a
        # "crab-hole" user and group resolve when this directory is created.
        user = "crab-hole";
        group = "crab-hole";
      }
    ];
  };
}