{ pkgs, ... }:
{
  # Install the nomarchy-system-scripts package system-wide.
  environment.systemPackages = [ pkgs.nomarchy-system-scripts ];

  # /etc/nixos is owned by root, while `nomarchy-env-update` and `nix flake`
  # invocations run as the calling user and shell out to git. Git's ownership
  # check then aborts with "dubious ownership in repository" and HM
  # evaluation fails. Listing the standard checkout and the
  # impermanence-relocated one in the system-level git config covers every
  # user.
  #
  # safe.directory switches off git's ownership check for exactly these
  # paths, so git reads the repository's own config and hooks there for any
  # user. That is only sound while both trees, .git included, stay writable
  # by root alone. Keep the entries as exact paths; a "*" entry would disable
  # the check for every repository on the machine.
  # NOTE(review): the NixOS git module appears to write /etc/gitconfig only
  # when programs.git.enable is true; confirm it is enabled elsewhere.
  programs.git.config.safe.directory = [
    "/etc/nixos"
    "/persist/etc/nixos"
  ];
}