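# NixOS module: creates the service data directories with systemd-tmpfiles and
# mounts a remote CIFS share at /mnt/media.
{ config, ... }:
{
  systemd.tmpfiles.rules = [
    # 1. Parent directories.
    # 0755 rather than 0770 so that service users such as 'postgres' can
    # traverse into their own subdirectory. The subdirectories below carry the
    # restrictive modes.
    "d /mnt/data 0755 root root -"
    "d /mnt/media 0755 root root -"

    # 2. Service state (SSD / data).
    # IMPORTANT: these must match where services.postgresql.dataDir (and the
    # equivalent setting of each other service) points.
    "d /mnt/data/postgresql 0700 postgres postgres -"
    "d /mnt/data/forgejo 0750 forgejo forgejo -"

    # 3. Bulk storage (HDD / media).
    # NOTE(review): this path lives under the CIFS mount point declared below.
    # The mount is "nofail", so if the share is not mounted when this rule
    # runs, the directory is created on the local filesystem underneath the
    # mount point and the service would write there instead of to the share.
    # Consider tying the consuming service to the mount (for example with
    # RequiresMountsFor) -- TODO confirm how the service is ordered.
    # NOTE(review): the mount forces uid/gid 900 and fixed modes, so the owner
    # and mode requested here presumably do not apply once the share is
    # mounted -- verify on the running system.
    "d /mnt/media/immich 0750 immich immich -"
  ];

  fileSystems."/mnt/media" = {
    device = "//u536222.your-storagebox.de/backup";
    fsType = "cifs";
    options = [
      # Do not block boot when the remote share is unreachable.
      "nofail"

      # NOTE(review): "noperm" turns off the client-side permission checks, so
      # uid/gid/file_mode/dir_mode below no longer restrict which local
      # accounts can read or write the share. Kept here because removing it
      # requires the consuming service to run as uid/gid 900; drop it once
      # that mapping is confirmed.
      "noperm"
      "rw"

      # Request SMB3 encryption for the session. The share is addressed by a
      # remote hostname, so the network path should not be assumed trusted.
      # The mount fails instead of falling back if encryption is unavailable.
      "seal"

      # Only the path of the sops-managed credentials file is embedded here,
      # not the secret itself.
      "credentials=${config.sops.secrets.storage_box_credentials.path}"

      # Present every file as 900:900 with fixed modes, whatever the server
      # reports.
      "uid=900"
      "gid=900"
      "forceuid"
      "forcegid"
      "file_mode=0660"
      "dir_mode=0770"
    ];
  };
}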