{ config, lib, ... }: {
  environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";

  systemd.tmpfiles.rules = let
    forUsers = lib.flip map users;
    isUser = { name, group, ... }:
      name == "root" || lib.hasSuffix "users" group;
    users = builtins.filter isUser (builtins.attrValues config.users.users);
  in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
}