diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 3b15c50d..8a45a4c3 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -11,6 +11,7 @@
     ./machine-id.nix
     ./net.nix
     ./persist.nix
+    ./programs.nix
     ./secrets.nix
     ./ssh.nix
     ./users.nix
diff --git a/hosts/common/programs.nix b/hosts/common/programs.nix
new file mode 100644
index 00000000..66b4ee0e
--- /dev/null
+++ b/hosts/common/programs.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+  sane.programs = {
+    btrfs-progs.enableFor.system = true;
+    # "cacert.unbundled".enableFor.system = true;
+    cryptsetup.enableFor.system = true;
+    dig = {
+      enableFor.system = true;
+      suggestedPrograms = [ "efibootmgr" ];
+    };
+    efibootmgr = {};
+    fatresize = {};
+
+    backblaze-b2.enableFor.user.colin = true;
+    cdrtools = {
+      enableFor.user.colin = true;
+      suggestedPrograms = [ "dmidecode" ];
+    };
+    dmidecode = {};
+  };
+}
diff --git a/modules/programs.nix b/modules/programs.nix
index 955e3e60..e73378ab 100644
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -1,7 +1,8 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
-  inherit (builtins) elem map;
-  inherit (lib) mapAttrs mapAttrsToList mkDefault mkIf mkMerge mkOption optionalAttrs types;
+  inherit (builtins) any elem map;
+  inherit (lib) filterAttrs mapAttrs mapAttrsToList mkDefault mkIf mkMerge mkOption optionalAttrs types;
+  inherit (sane-lib) joinAttrsets;
   cfg = config.sane.programs;
   pkgSpec = types.submodule ({ name, ... }: {
     options = {
@@ -10,14 +11,29 @@ let
       };
       enableFor.system = mkOption {
         type = types.bool;
-        default = false;
+        default = any (en: en) (
+          mapAttrsToList
+            (otherName: otherPkg:
+              otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested && otherPkg.enableFor.system
+            )
+            cfg
+        );
         description = ''
           place this program on the system PATH
         '';
       };
       enableFor.user = mkOption {
         type = types.attrsOf types.bool;
-        default = {};
+        # default = mkMerge (mapAttrsToList (_otherName: otherPkg:
+        #   optionalAttrs
+        #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
+        #     otherPkg.enableFor.user
+        # ) cfg);
+        default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
+           optionalAttrs
+             (otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
+             (filterAttrs (user: en: en) otherPkg.enableFor.user)
+        ) cfg);
         description = ''
           place this program on the PATH for some specified user(s).
         '';
@@ -49,30 +65,33 @@ let
     config = {
       # package can be inferred by the attr name, allowing shorthand like
       # sane.packages.nano.enable = true;
-      pkg = mkIf (pkgs ? name) (mkDefault pkgs."${name}");
+      package = mkIf (pkgs ? "${name}") (mkDefault pkgs."${name}");
+
+      # enableFor = mkIf (name == "btrfs-progs") (mkDefault cfg.cryptsetup.enableFor);
 
       # enable this package if it's in the `suggestedPrograms` of any other enabled program
-      enableFor = mkMerge (mapAttrsToList (_otherName: otherPkg:
-        optionalAttrs
-          (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
-          (mkDefault otherPkg.enableFor)
-      ) cfg);
+      # enableFor = mkMerge (mapAttrsToList (_otherName: otherPkg:
+      #   optionalAttrs
+      #     (otherPkg.enableSuggested && elem name otherPkg.suggestedPrograms)
+      #     (mkDefault otherPkg.enableFor)
+      # ) cfg);
     };
+
   });
-  toPkgSpec = types.coercedTo types.package (p: { pkg = p; }) pkgSpec;
+  toPkgSpec = types.coercedTo types.package (p: { package = p; }) pkgSpec;
 
   configs = mapAttrsToList (_name: p: {
     # conditionally add to system PATH
     environment.systemPackages = mkIf p.enableFor.system [ p.package ];
     # conditionally add to user(s) PATH
     users.users = mapAttrs (user: en: optionalAttrs en {
-      packages = [ p ];
-    }) p.enableFor.users;
+      packages = [ p.package ];
+    }) p.enableFor.user;
     # conditionally persist relevant user dirs
     sane.users = mapAttrs (user: en: optionalAttrs en {
       persist.plaintext = p.dir;
       persist.private = p.private;
-    }) p.enableFor.users;
+    }) p.enableFor.user;
   }) cfg;
 in
 {
@@ -88,6 +107,25 @@ in
       take = f: {
         environment.systemPackages = f.environment.systemPackages;
         users.users = f.users.users;
+        sane.users = f.sane.users;
       };
-    in take (sane-lib.mkTypedMerge take configs);
+    in mkMerge [
+      (take (sane-lib.mkTypedMerge take configs))
+      {
+        # sane.programs.cryptsetup.enableFor = mkDefault cfg.btrfs-progs.enableFor;
+        # sane.programs.cryptsetup.enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
+        #   optionalAttrs
+        #   (otherName != "cryptsetup")
+        #   (mkDefault otherPkg.enableFor)
+        # ) cfg);
+
+        # sane.programs = mapAttrs (myName: _me: optionalAttrs (myName == "btrfs-progs") {
+        #   enableFor = mkMerge (mapAttrsToList (otherName: otherPkg:
+        #     optionalAttrs
+        #     (otherName != "cryptsetup")
+        #     (mkDefault otherPkg.enableFor)
+        #   ) cfg);
+        # }) cfg;
+      }
+    ];
 }