diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix index 11aa8cf..0a427cf 100644 --- a/modules/config/impermanence.nix +++ b/modules/config/impermanence.nix @@ -90,16 +90,11 @@ in { hideMounts = true; directories = [ - { - directory = "/var/tmp/agenix-rekey"; - mode = "1777"; - } - "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept "/var/lib/systemd" "/var/log" + "/var/spool" #{ directory = "/tmp"; mode = "1777"; } #{ directory = "/var/tmp"; mode = "1777"; } - "/var/spool" ] ++ optionals config.networking.wireless.iwd.enable [ { diff --git a/modules/optional/dev/default.nix b/modules/optional/dev/default.nix index 4c29439..3723176 100644 --- a/modules/optional/dev/default.nix +++ b/modules/optional/dev/default.nix @@ -18,6 +18,14 @@ lib.optionalAttrs (!minimal) { # Add the agenix-rekey sandbox path permanently to avoid adding myself to trusted-users nix.settings.extra-sandbox-paths = ["/var/tmp/agenix-rekey"]; + environment.persistence."/state".directories = [ + { + directory = "/var/tmp/agenix-rekey"; + mode = "1777"; + } + "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept + ]; + services.nixseparatedebuginfod = { enable = true; # We need a system-level user to be able to use nix.settings.allowed-users with it.
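Review bot: Removing `/var/tmp/agenix-rekey` and `/var/tmp/nix-import-encrypted` from this shared `directories` list stops them being persisted on hosts that do not import the dev module, but nothing visible in the commit cleans up what is already stored. As far as I know, impermanence does not delete the backing directories when an entry is dropped, so previously decrypted repo-secrets would stay on the persistent volume of those hosts. Consider a one-off removal there, plus a comment in this list such as `# agenix-rekey / nix-import-encrypted caches are persisted only by modules/optional/dev`. The persistence root this list belongs to is declared outside the hunk, so whether it is the same `/state` used in the dev module cannot be confirmed from here.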
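Review bot: `"/var/tmp/nix-import-encrypted"` is added as a bare string, so it takes the persistence module's default owner and mode, even though its own comment says it keeps decrypted repo-secrets across reboots. An explicit entry would state who may read them, e.g. `{ directory = "/var/tmp/nix-import-encrypted"; mode = "0700"; user = "<dev-user>"; }` (the user is a placeholder; confirm which account actually writes there before tightening). Separately, `/var/tmp/agenix-rekey` keeps mode `1777` and is listed in `nix.settings.extra-sandbox-paths` just above, so a world-writable directory is exposed to every build sandbox; a short comment saying why that mode is required would help the next reader. The enclosing `lib.optionalAttrs (!minimal) {` block starts and ends outside the hunk.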