diff --git a/modules/impermanence/crypt.nix b/modules/impermanence/crypt.nix index fbf018f1..424241a3 100644 --- a/modules/impermanence/crypt.nix +++ b/modules/impermanence/crypt.nix @@ -31,9 +31,6 @@ let }; in lib.mkIf config.sane.impermanence.enable { - # declare our backing storage - sane.fs."${store.underlying.path}".dir = {}; - systemd.services."prepareEncryptedClearedOnBoot" = rec { description = "prepare keys for ${store.device}"; serviceConfig.ExecStart = '' @@ -68,12 +65,17 @@ in lib.mkIf config.sane.impermanence.enable ]; noCheck = true; }; + sane.fs."${store.device}" = { # ensure the fs is mounted only after the mountpoint directory is created dir.reverseDepends = [ store.mount-unit ]; # HACK: this fs entry is provided by our mount service. unit = store.mount-unit; }; + sane.fs."${store.underlying.path}" = { + # don't mount until after the backing dir is setup correctly. + dir.reverseDepends = [ store.mount-unit ]; + }; # TODO: could add this *specifically* to the .mount file for the encrypted fs? environment.systemPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs diff --git a/modules/impermanence/default.nix b/modules/impermanence/default.nix index 7eb0319f..007557a5 100644 --- a/modules/impermanence/default.nix +++ b/modules/impermanence/default.nix 
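Review bot: The comment on the new `sane.fs."${store.underlying.path}"` entry in the second crypt.nix hunk should state what `reverseDepends` guarantees, because the ordering between directory setup and the gocryptfs mount now rests on that option alone. Its definition is outside this diff. If it only orders the directory unit before `store.mount-unit` without pulling it in, or if consumers of `unit = store.mount-unit` attach with a weak dependency, a failed mount could let later writes land in the unencrypted mountpoint directory. Once the module's behaviour is confirmed, I would expand the comment to something like `# reverseDepends: mount-unit requires this dir and is ordered after it; dependents must fail if the mount fails`. The same applies to the `reverseDepends` entries added in modules/impermanence/default.nix, where the explicit `x-systemd.after` options and `wantedBy` lines are removed.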
@@ -137,33 +137,30 @@ in }; in { # create destination and backing directory, with correct perms - sane.fs."${opt.directory}".dir = dir-opts; - sane.fs."${backing-path}".dir = dir-opts; + sane.fs."${opt.directory}" = { + # inherit perms & make sure we don't mount until after the mount point is setup correctly. + dir = dir-opts // { reverseDepends = [ mount-unit ]; }; + # HACK: anything depending on this directory should actually depend on it being mounted. + unit = mount-unit; + }; + sane.fs."${backing-path}" = { + # inherit perms & make sure we don't mount until after the backing dir is setup correctly. + dir = dir-opts // { reverseDepends = [ mount-unit ]; }; + }; # define the mountpoint. fileSystems."${opt.directory}" = { device = backing-path; options = [ "bind" - # "x-systemd.requires=${backing-mount}.mount" # this should be implicit - "x-systemd.after=${backing-unit}" - "x-systemd.after=${dir-unit}" - # `wants` doesn't seem to make it to the service file here :-( - # "x-systemd.wants=${backing-unit}" - # "x-systemd.wants=${dir-unit}" ]; # fsType = "bind"; noCheck = true; }; - # mounting must happen after the backing directory is created *and* the mountpt directory is created. - systemd.units."${backing-unit}".wantedBy = [ mount-unit ]; - systemd.units."${dir-unit}".wantedBy = [ mount-unit ]; - }; cfgs = builtins.map cfgFor ingested-dirs; in { fileSystems = lib.mkMerge (catAttrs "fileSystems" cfgs); sane.fs = lib.mkMerge (catAttrs "fs" (catAttrs "sane" cfgs)); - systemd = lib.mkMerge (catAttrs "systemd" cfgs); } )
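Review bot: `dir = dir-opts // { reverseDepends = [ mount-unit ]; };` is a shallow merge, so any `reverseDepends` already carried by `dir-opts` would be silently replaced rather than extended. It is used for both `sane.fs."${opt.directory}"` and `sane.fs."${backing-path}"`. `dir-opts` is defined above this hunk, so I can't tell whether it sets one today, but appending is safer either way: `dir = dir-opts // { reverseDepends = (dir-opts.reverseDepends or []) ++ [ mount-unit ]; };`. The enclosing binding (presumably `cfgFor`) starts outside the hunk.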