diff --git a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
index 342524471..7cbded148 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@@ -86,7 +86,6 @@ in
   systemd.services.bitcoind-mainnet.requires = [ "tor.service" ];
   systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s";  #< default is 0
 
-  sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
   sops.secrets."bitcoin.conf" = {
     mode = "0600";
     owner = "colin";
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index d0e6dc671..7cd168330 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -410,14 +410,6 @@ in
 
     backblaze-b2 = {};
 
-    bitcoin-cli.packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.bitcoind "bin/bitcoin-cli";
-    bitcoin-cli.sandbox.method = "bwrap";
-    bitcoin-cli.sandbox.autodetectCliPaths = "existing";  #< for `bitcoin-cli -datadir=/var/lib/...`
-    bitcoin-cli.sandbox.extraHomePaths = [
-      ".config/bitcoin/bitcoin.conf"
-    ];
-    bitcoin-cli.sandbox.net = "all";  # actually needs only localhost
-
     blanket.buildCost = 1;
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.whitelistAudio = true;
diff --git a/hosts/common/programs/bitcoin-cli.nix b/hosts/common/programs/bitcoin-cli.nix
new file mode 100644
index 000000000..4c02a92b7
--- /dev/null
+++ b/hosts/common/programs/bitcoin-cli.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  sane.programs.bitcoin-cli = {
+    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.bitcoind "bin/bitcoin-cli";
+    sandbox.method = "bwrap";
+    sandbox.autodetectCliPaths = "existing";  #< for `bitcoin-cli -datadir=/var/lib/...`
+    sandbox.extraHomePaths = [
+      ".bitcoin/bitcoin.conf"
+    ];
+    sandbox.net = "all";  # actually needs only localhost
+    secrets.".bitcoin/bitcoin.conf" = ../../../secrets/servo/bitcoin.conf.bin;
+  };
+}
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index cf4a03214..1beb7cea7 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -12,6 +12,7 @@
     ./ausyscall.nix
     ./avahi.nix
     ./bemenu.nix
+    ./bitcoin-cli.nix
     ./blast-ugjka
     ./bonsai.nix
     ./brave.nix