diff --git a/hosts/common/programs/pipewire.nix b/hosts/common/programs/pipewire.nix index f6e2a5164..81f4010d3 100644 --- a/hosts/common/programs/pipewire.nix +++ b/hosts/common/programs/pipewire.nix @@ -28,17 +28,25 @@ in ".config/pulse" ]; + # see: + # defaults to placing the socket in /run/user/$id/{pipewire-0,pipewire-0-manager,...} + # but that's trickier to sandbox + env.PIPEWIRE_RUNTIME_DIR = "$XDG_RUNTIME_DIR/pipewire"; + services.pipewire = { description = "pipewire: multimedia service"; partOf = [ "sound" ]; # env PIPEWIRE_LOG_SYSTEMD=false" # env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5" - command = "pipewire"; - readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" '' - [ -e "$XDG_RUNTIME_DIR/pipewire-0" ] && \ - [ -e "$XDG_RUNTIME_DIR/pipewire-0-manager" ] + command = pkgs.writeShellScript "pipewire-start" '' + mkdir -p $PIPEWIRE_RUNTIME_DIR + exec pipewire ''; - cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"''; + readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" '' + test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0" && \ + test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0-manager" + ''; + cleanupCommand = ''rm -f "$PIPEWIRE_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"''; }; services.pipewire-pulse = { description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients"; @@ -46,8 +54,8 @@ in partOf = [ "sound" ]; command = "pipewire-pulse"; readiness.waitCommand = pkgs.writeShellScript "pipewire-pulse-wait-started" '' - [ -e "$XDG_RUNTIME_DIR/pulse/native" ] && \ - [ -e "$XDG_RUNTIME_DIR/pulse/pid" ] + test -e "$XDG_RUNTIME_DIR/pulse/native" && \ + test -e "$XDG_RUNTIME_DIR/pulse/pid" ''; cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/pulse/{native,pid}"''; }; diff --git a/modules/programs/default.nix b/modules/programs/default.nix index 5ead24101..923cfc0ff 100644 --- a/modules/programs/default.nix 
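Review bot: The new `cleanupCommand` keeps the brace list inside the double quotes, so, assuming it runs through a shell, `rm` receives the literal string `…/{pipewire-0,…}` and none of the sockets or lock files are removed. Because the readiness check only tests `-e` on those same paths, stale entries from a previous run could make the service look ready before pipewire has bound its sockets. Listing the four paths explicitly avoids depending on bash brace expansion: `rm -f "$PIPEWIRE_RUNTIME_DIR/pipewire-0" "$PIPEWIRE_RUNTIME_DIR/pipewire-0.lock" "$PIPEWIRE_RUNTIME_DIR/pipewire-0-manager" "$PIPEWIRE_RUNTIME_DIR/pipewire-0-manager.lock"`. In the start script, `mkdir -p $PIPEWIRE_RUNTIME_DIR` should be quoted and can pin the mode, e.g. `mkdir -p -m 700 "$PIPEWIRE_RUNTIME_DIR"`. The pipewire-pulse `cleanupCommand` in the next hunk is an unchanged context line with the same quoting pattern.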
+++ b/modules/programs/default.nix @@ -70,7 +70,7 @@ let (p: path-lib.concat [ xdgRuntimeDir p ]) ( sandbox.extraRuntimePaths - ++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose + ++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok? ++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ] ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access )
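Review bot: Whitelisting the whole `pipewire` directory gives every sandbox with `whitelistAudio` the `pipewire-0-manager` socket as well, which the previous list left out; the question in the trailing comment should be settled before this lands. In PipeWire's stock configuration the manager socket is, as far as I know, the one mapped to unrestricted access for session-manager clients, so exposing it could let a sandboxed app bypass the per-client permissions that apply on `pipewire-0`; confirm this against the deployed pipewire.conf. If the path helper accepts nested entries, keep the narrower set, e.g. `[ "pipewire/pipewire-0" "pipewire/pipewire-0.lock" "pulse" ]`; otherwise the comment should record why the broader bind is acceptable. The enclosing `let` binding starts and ends outside the hunk.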