diff --git a/hosts/common/users.nix b/hosts/common/users.nix
index 89a0522f8..d9ec675f7 100644
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -71,6 +71,14 @@ in
 security.pam.mount.enable = true;
+ # ensure ~ perms are known to sane.fs module.
+ # TODO: this is generic enough to be lifted up into sane.fs itself.
+ sane.fs."/home/colin".dir.acl = {
+ user = "colin";
+ group = config.users.users.colin.group;
+ mode = config.users.users.colin.homeMode;
+ };
+
 sane.impermanence.dirs.home.plaintext = [
 "archive"
 "dev"
diff --git a/modules/impermanence/default.nix b/modules/impermanence/default.nix
index f7bc185a3..e0a76be34 100644
--- a/modules/impermanence/default.nix
+++ b/modules/impermanence/default.nix
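Review bot: The new `sane.fs."/home/colin".dir.acl` entry hard-codes both the home path and `user = "colin"` while taking group and mode from `config.users.users.colin`, so the three fields can drift if the account is renamed or its home moved. Deriving all of them from the same user record keeps the ACL consistent: `sane.fs."${config.users.users.colin.home}".dir.acl = { user = config.users.users.colin.name; group = config.users.users.colin.group; mode = config.users.users.colin.homeMode; };`. Whether sane.fs's `mode` accepts the string form NixOS uses for `homeMode` (e.g. "700") is not visible here and is worth confirming, since a misparsed mode would leave the home directory with unintended permissions. The TODO about lifting this into sane.fs itself would also remove the per-user duplication.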
@@ -181,57 +181,36 @@ in
 ./stores
 ];
- config = mkIf cfg.enable (lib.mkMerge [
- {
- # TODO: move to sane.fs, to auto-ensure all user dirs?
- sane.fs."/home/colin".dir.acl = {
- user = "colin";
- group = config.users.users.colin.group;
- mode = config.users.users.colin.homeMode;
- };
+ config = let
+ cfgFor = opt:
+ let
+ store = opt.store;
+ store-rel-path = pathFrom store.prefix opt.directory;
+ backing-path = concatPaths [ store.mountpt store-rel-path ];
- # N.B.: we have a similar problem with all mounts:
- # /.cache/mozilla won't inherit /.cache perms.
- # this is less of a problem though, since we don't really support overlapping mounts like that in the first place.
- # what is a problem is if the user specified some other dir we don't know about here.
- # like "/var", and then "/nix/persist/var" has different perms and something mounts funny.
- # TODO: just add assertions that sane.fs."${backing}/${dest}".dir == sane.fs."${dest}" for each mount point?
- sane.fs."/nix/persist/home/colin".dir.acl = config.sane.fs."/home/colin".dir.acl;
- sane.fs."/mnt/impermanence/crypt/clearedonboot/home/colin".dir.acl = config.sane.fs."/home/colin".dir.acl;
- }
-
- (
- let cfgFor = opt:
- let
- store = opt.store;
- store-rel-path = pathFrom store.prefix opt.directory;
- backing-path = concatPaths [ store.mountpt store-rel-path ];
-
- # pass through the perm/mode overrides
- dir-acl = {
- user = lib.mkIf (opt.user != null) opt.user;
- group = lib.mkIf (opt.group != null) opt.group;
- mode = lib.mkIf (opt.mode != null) opt.mode;
- };
- in {
- # create destination and backing directory, with correct perms
- sane.fs."${opt.directory}" = {
- # inherit perms & make sure we don't mount until after the mount point is setup correctly.
- dir.acl = dir-acl;
- mount.bind = backing-path;
- mount.extraOptions = store.extraOptions;
- };
- sane.fs."${backing-path}" = {
- # ensure the backing path has same perms as the mount point
- dir.acl = config.sane.fs."${opt.directory}".dir.acl;
- };
+ # pass through the perm/mode overrides
+ dir-acl = {
+ user = lib.mkIf (opt.user != null) opt.user;
+ group = lib.mkIf (opt.group != null) opt.group;
+ mode = lib.mkIf (opt.mode != null) opt.mode;
 };
- cfgs = builtins.map cfgFor cfg.dirs.all;
 in {
- sane.fs = lib.mkMerge (catAttrs "fs" (catAttrs "sane" cfgs));
- }
- )
-
- ]);
+ # create destination and backing directory, with correct perms
+ sane.fs."${opt.directory}" = {
+ # inherit perms & make sure we don't mount until after the mount point is setup correctly.
+ dir.acl = dir-acl;
+ mount.bind = backing-path;
+ mount.extraOptions = store.extraOptions;
+ };
+ sane.fs."${backing-path}" = {
+ # ensure the backing path has same perms as the mount point.
+ # TODO: maybe we want to do this, crawling all the way up to the store base?
+ # that would simplify (remove) the code in stores/default.nix
+ dir.acl = config.sane.fs."${opt.directory}".dir.acl;
+ };
+ };
+ in mkIf cfg.enable {
+ sane.fs = lib.mkMerge (map (d: (cfgFor d).sane.fs) cfg.dirs.all);
+ };
 }
diff --git a/modules/impermanence/stores/default.nix b/modules/impermanence/stores/default.nix
index 6091d2e1b..a843d1e99 100644
--- a/modules/impermanence/stores/default.nix
+++ b/modules/impermanence/stores/default.nix
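Review bot: In the new `cfgFor`, only the leaf `backing-path` receives the mount point's ACL; every directory between `store.mountpt` and that leaf (for `/home/colin/.cache/foo`, the store's `home/colin/.cache`) is left to whatever sane.fs creates by default, and the new TODO on the `sane.fs."${backing-path}"` entry acknowledges this. A bind mount exposes the backing directory's permissions rather than the mount point's, so a parent created root-owned or more permissive than its plaintext counterpart is what an unprivileged user actually traverses, which makes this worth a fix or at least an assertion rather than a TODO. One way to close it without a second module is to derive each ancestor of `opt.directory` that lies below `store.prefix`, map it through the same `pathFrom`/`concatPaths` pair, and copy that ancestor's `dir.acl` onto its backing counterpart, which would also subsume the `/home/colin`-only entry added in stores/default.nix; whether sane.fs tolerates the same path being defined by several dirs under `lib.mkMerge` is not visible here and needs confirming. The `config = let ... in mkIf cfg.enable { ... }` definition begins and ends inside this hunk, so no other `config.*` keys survive from the removed `lib.mkMerge [...]` list.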
@@ -11,5 +11,18 @@ in
 ];
 config = lib.mkIf cfg.enable {
+ # make sure that the store has the same acl as the main filesystem,
+ # particularly for /home/colin.
+ #
+ # N.B.: we have a similar problem with all mounts:
+ # /.cache/mozilla won't inherit /.cache perms.
+ # this is less of a problem though, since we don't really support overlapping mounts like that in the first place.
+ # what is a problem is if the user specified some other dir we don't know about here.
+ # like "/var", and then "/nix/persist/var" has different perms and something mounts funny.
+ # TODO: just add assertions that sane.fs."${backing}/${dest}".dir == sane.fs."${dest}" for each mount point?
+ sane.fs = lib.mapAttrs' (_name: store: {
+ name = "${store.mountpt}/home/colin";
+ value.dir.acl = config.sane.fs."/home/colin".dir.acl;
+ }) cfg.stores;
 };
 }
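Review bot: `name = "${store.mountpt}/home/colin"` builds the backing path by plain string interpolation and ignores `store.prefix`, whereas default.nix computes backing paths as `concatPaths [ store.mountpt (pathFrom store.prefix dir) ]`. For a store whose `prefix` is not `/` the two disagree, so the ACL set here lands on a path that none of that store's directories is actually mounted from, and a trailing slash in `mountpt` would produce a `//` key that `lib.mkMerge` treats as distinct from the one `cfgFor` generates. Building the key the same way, `name = concatPaths [ store.mountpt (pathFrom store.prefix "/home/colin") ];`, keeps the two modules in agreement, assuming those helpers are in scope here (they are not visible in this hunk). The `/home/colin` literal also means any other user's home under a store gets no ACL at all; iterating `config.users.users` for accounts with `isNormalUser` would cover them, and the TODO about asserting backing/destination ACL equality is exactly the check that would have caught the mismatch described above.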