diff --git a/machines/moby/firmware.nix b/machines/moby/firmware.nix
index a8a89ead..930588d8 100644
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -3,6 +3,7 @@
 # we need space in the GPT header to place tow-boot.
 # only actually need 1 MB, but better to over-allocate than under-allocate
 colinsane.image.extraGPTPadding = 16 * 1024 * 1024;
+ colinsane.image.firstPartGap = 0;
 system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
 cp -v ${config.system.build.img-without-firmware}/nixos.img $out
 chmod +w $out
diff --git a/machines/servo/default.nix b/machines/servo/default.nix
index 63ef637b..599d7fdb 100644
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -24,9 +24,14 @@
 colinsane.home-manager.extraPackages = [
 pkgs.matrix-synapse
 ];
+ colinsane.impermanence.enable = true;
 colinsane.services.duplicity.enable = true;
+ # TODO: validate this
- colinsane.image.extraBootFiles = [ pkgs.bootpart-tow-boot-rpi-aarch64 ];
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+ boot.loader.efi.canTouchEfiVariables = false;
+ colinsane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
 sops.secrets.duplicity_passphrase = {
 sopsFile = ../../secrets/servo.yaml;
diff --git a/machines/servo/fs.nix b/machines/servo/fs.nix
index 67e7c5b3..a13fa7be 100644
--- a/machines/servo/fs.nix
+++ b/machines/servo/fs.nix
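Review bot: `boot.loader.efi.canTouchEfiVariables = false;` in the servo/default.nix hunk is, as far as I know, already the NixOS default and has no bearing on the extlinux-compatible loader enabled on the line above it, so it adds a setting that does nothing, while the `# TODO: validate this` that precedes the block does not say what is to be validated. Since the same commit removes the `boot.loader.raspberryPi.*` lines from hardware.nix and swaps the tow-boot bootpart for the u-boot one, the TODO should name that, e.g. `# TODO: validate this: generic-extlinux-compatible + bootpart-u-boot-rpi-aarch64 replaces the raspberryPi loader that hardware.nix used to configure`, and the efi line can go. The enclosing attribute set starts and ends outside the hunk.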
@@ -1,27 +1,49 @@
 { ... }:
 {
+ # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/2be70d38-79f4-41b6-bee2-bce5a25f8f7b";
- fsType = "ext4";
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "mode=755"
+ "size=1G"
+ "defaults"
+ ];
 };
+ # we need a /tmp of default size (half RAM) for building large nix things
+ fileSystems."/tmp" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "mode=777"
+ "defaults"
+ ];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
+ fsType = "btrfs";
+ };
+
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/B318-A67E";
+ device = "/dev/disk/by-uuid/31D3-40CB";
 fsType = "vfat";
 };
- fileSystems."/var/lib/pleroma" = {
- device = "/opt/pleroma";
- options = [ "bind" ];
- };
+ # fileSystems."/var/lib/pleroma" = {
+ # device = "/opt/pleroma";
+ # options = [ "bind" ];
+ # };
+ # TODO: does transmission handle symlinks?
 fileSystems."/var/lib/transmission/Downloads" = {
- device = "/opt/uninsane/media";
+ device = "/var/lib/uninsane/media";
 options = [ "bind" ];
 };
 fileSystems."/var/lib/transmission/.incomplete" = {
- device = "/opt/uninsane/media/incomplete";
+ device = "/var/lib/uninsane/media/incomplete";
 options = [ "bind" ];
 };
@@ -31,7 +53,7 @@
 };
 swapDevices = [
- { device = "/swapfile"; size = 4096; }
+ { device = "/nix/persist/swapfile"; size = 4096; }
 ];
 }
diff --git a/machines/servo/hardware.nix b/machines/servo/hardware.nix
index f4bbc946..f82f30d1 100644
--- a/machines/servo/hardware.nix
+++ b/machines/servo/hardware.nix
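Review bot: The new `/tmp` tmpfs is mounted with `"mode=777"`, which is world-writable without the sticky bit, so any local user or service account can delete or replace files another user placed there; it should be `"mode=1777"`, which is also what the stock `boot.tmpOnTmpfs` option mounts `/tmp` with. The root tmpfs's `mode=755` is fine. Separately, the `/var/lib/transmission/Downloads` and `.incomplete` bind mounts now source from `/var/lib/uninsane/media`, which with impermanence enabled on this host is presumably itself bind-mounted from the persist volume, so these nested binds only work if they are ordered after both `/var/lib/transmission` and `/var/lib/uninsane` are mounted; worth confirming on a fresh boot rather than assuming path order suffices.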
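Review bot: The swap file moves to `/nix/persist/swapfile` while the same commit makes `/nix` a btrfs volume; btrfs only supports swap files that are fully preallocated, NOCOW (set before any data is written) and uncompressed, and older kernels refuse them entirely. If `/nix/persist` lives on that btrfs volume (nothing in this file mounts it separately), confirm that the swap-creation unit generated by the nixpkgs revision in use sets NOCOW on btrfs and that `linuxPackages_rpi4` is recent enough, otherwise `swapon` fails on first boot. A dedicated swap partition or a non-btrfs location sidesteps both conditions.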
@@ -12,15 +12,9 @@
 # see: https://github.com/raspberrypi/linux
 boot.kernelPackages = pkgs.linuxPackages_rpi4;
- # NixOS defaults to grub: we don't want that.
- boot.loader.grub.enable = false;
 # raspberryPi boot loader creates extlinux.conf.
 # otherwise, enable the generic-extlinux-compatible loader below.
 # note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
- # boot.loader.generic-extlinux-compatible.enable = true;
- boot.loader.raspberryPi.enable = true;
- boot.loader.raspberryPi.uboot.enable = true;
- boot.loader.raspberryPi.version = 4;
 boot.initrd.availableKernelModules = [
 "bcm2711_thermal"
diff --git a/machines/servo/services/nginx.nix b/machines/servo/services/nginx.nix
index 3cc387e5..9977b2c7 100644
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -6,7 +6,7 @@
 # web blog/personal site
 services.nginx.virtualHosts."uninsane.org" = {
- root = "/opt/uninsane/root";
+ root = "/var/lib/uninsane/root";
 # a lot of places hardcode https://uninsane.org,
 # and then when we mix http + non-https, we get CORS violations
 # and things don't look right. so force SSL.
diff --git a/machines/servo/services/postgres.nix b/machines/servo/services/postgres.nix
index d2653183..badf666d 100644
--- a/machines/servo/services/postgres.nix
+++ b/machines/servo/services/postgres.nix
@@ -2,7 +2,7 @@
 {
 services.postgresql.enable = true;
- services.postgresql.dataDir = "/opt/postgresql/13";
+ # services.postgresql.dataDir = "/opt/postgresql/13";
 # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
 # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
 # CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '';
diff --git a/modules/image.nix b/modules/image.nix
index bb178cee..a6ee7141 100644
--- a/modules/image.nix
+++ b/modules/image.nix
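Review bot: Commenting out `services.postgresql.dataDir` in the postgres.nix hunk moves the cluster to the NixOS default under `/var/lib/postgresql`, which impermanence now persists, but nothing in this commit moves the existing cluster out of `/opt/postgresql/13`; as far as I can tell the service will initialise an empty cluster at the new path on first boot and synapse/pleroma will come up with no data. Either copy the data directory (same major version, ownership preserved) before deploying, or record that it was done so the commented line is not mistaken for a pending change: `# dataDir now defaults to /var/lib/postgresql/<version> (persisted by impermanence); cluster copied from /opt/postgresql/13 on <date>`. The hardware.nix and nginx.nix hunks on this line are a pure deletion and a path rename.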
@@ -12,8 +12,20 @@ in
 };
 colinsane.image.extraGPTPadding = mkOption {
 default = 0;
+ # NB: rpi doesn't like non-zero values for this.
+ # at the same time, spinning disks REALLY need partitions to be aligned to 4KiB boundaries.
+ # maybe there's some imageBuilder.fileSystem type which represents empty space?
+ # default = 2014 * 512; # standard is to start part0 at sector 2048 (versus 34 if no padding)
 type = types.int;
 };
+ colinsane.image.firstPartGap = mkOption {
+ # align the first part to 16 MiB.
+ # do this by inserting a gap of 16 MiB - gptHeaderSize
+ # and then multiply by 1MiB and subtract 1 because mobile-nixos
+ # has a bug which will divide this by 1 MiB (and round up)
+ default = (16 * 1024 * 1024 - 34 * 512) * 1024 * 1024 - 1;
+ type = types.nullOr types.int;
+ };
 colinsane.image.bootPartSize = mkOption {
 default = 512 * 1024 * 1024;
 type = types.int;
@@ -62,6 +74,7 @@ in
 # Tow-Boot manages to do that; not sure how.
 headerHole = cfg.extraGPTPadding;
 partitions = [
+ (pkgs.imageBuilder.gap cfg.firstPartGap)
 (fsBuilderMapBoot."${bootFs.fsType}" {
 # fs properties
 name = "ESP";
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 9b713d81..91ca804d 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
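Review bot: The new option is typed `types.nullOr types.int`, but the second hunk passes `cfg.firstPartGap` unconditionally to `pkgs.imageBuilder.gap`, so a host that sets it to null hands null to a builder that presumably expects an integer; either narrow the type to `types.int` (moby already sets `0`, not null) or guard the entry with `lib.optional (cfg.firstPartGap != null) (pkgs.imageBuilder.gap cfg.firstPartGap)` (plain `optional` if the file is under `with lib;`, which I cannot see). The default also bakes in a workaround for a mobile-nixos division bug: when that bug is fixed the gap silently becomes roughly 16 TiB instead of 16 MiB, so the comment should link the upstream issue and the value is better expressed as the intended `16 * 1024 * 1024 - 34 * 512` with the `* 1024 * 1024 - 1` scaling applied, and explained, at the single use site.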
@@ -69,6 +69,24 @@ in
 # "/var/lib/systemd" # nothing obviously necessary
 # "/var/lib/udisks2" # empty on lappy
 # "/var/lib/upower" # historic charge data. unnecessary, but maybe used somewhere?
+ #
+ # servo additions:
+ "/var/lib/acme"
+ # "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
+ # "/var/lib/dovecot"
+ # "/var/lib/duplicity"
+ "/var/lib/gitea" # TODO: could be more granular
+ "/var/lib/ipfs" # TODO: could be more granular
+ "/var/lib/jackett" # TODO: we only need this to save Indexer creds ==> migrate to config?
+ "/var/lib/jellyfin" # TODO: could be more granular
+ "/var/lib/matrix-appservice-irc"
+ "/var/lib/matrix-synapse"
+ "/var/lib/opendkim" # TODO: move this to the nix config (SOPS)
+ "/var/lib/pleroma" # TODO: could be more granular
+ "/var/lib/postgresql"
+ "/var/lib/postfix" # TODO: could be more granular
+ "/var/lib/transmission" # we need this specifically for the stats tracking in .config/
+ "/var/lib/uninsane"
 "/var/log"
 # TODO: what even GOES in /srv?
 "/srv"
diff --git a/modules/services/duplicity.nix b/modules/services/duplicity.nix
index 7c6c2d78..8e727163 100644
--- a/modules/services/duplicity.nix
+++ b/modules/services/duplicity.nix
@@ -37,17 +37,15 @@ in
 "/sys"
 "/tmp"
 # bind mounted (dupes):
- "/var/lib/pleroma"
- "/var/lib/transmission/Downloads"
- "/var/lib/transmission/.incomplete"
+ "/var/lib"
 # other mounts
 "/mnt"
 # data that's not worth the cost to backup:
- "/opt/uninsane/media"
+ "/nix/persist/var/lib/uninsane/media"
+ "/nix/persist/home/colin/tmp"
+ "/nix/persist/home/colin/Videos"
 "/home/colin/tmp"
 "/home/colin/Videos"
- # TODO: transitional
- "/home/colin/internal"
 ];
 services.duplicity.extraFlags = [
diff --git a/modules/universal/fs.nix b/modules/universal/fs.nix
index 12d7182c..e27d9ca2 100644
--- a/modules/universal/fs.nix
+++ b/modules/universal/fs.nix
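Review bot: Several of the newly persisted directories hold state their services expect to own with restrictive permissions — `/var/lib/postgresql` (database files), `/var/lib/matrix-synapse` (signing keys), `/var/lib/opendkim` and `/var/lib/acme` (private keys) — but the entries are plain path strings, so whatever owner and mode the impermanence module applies when it creates a missing persist directory is what they get. If the wrapped module accepts per-directory `user`/`group`/`mode` attributes (nix-community's does), those four should use them; if not, a first boot on a fresh persist volume is worth testing, because a root-owned or overly permissive directory will either stop the service from starting or leave its key material readable by other local accounts. The list starts and ends outside the hunk.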
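Review bot: Excluding all of `/var/lib` in the duplicity hunk assumes every piece of service state reaches the backup via `/nix/persist/var/lib` instead, so the backup is now only as complete as the impermanence list, and only if `/nix/persist` is inside the backed-up tree; the entries that decide that (`/nix`, `/nix/store`) are outside this hunk, so I cannot confirm it from here. Anything left in `/var/lib` that is not persisted (this commit leaves `/var/lib/dovecot` and `/var/lib/duplicity` commented out in impermanence.nix) is thereby both ephemeral and unbacked-up, which is fine only if intended; a comment such as `# "/var/lib": all persisted service state lives under /nix/persist/var/lib and is backed up from there` would make the assumption explicit next to the exclusion. The exclusion list starts outside the hunk.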
@@ -18,11 +18,11 @@ let sshOpts = {
 in {
 fileSystems."/mnt/servo-media-wan" = {
- device = "colin@uninsane.org:/opt/uninsane/media";
+ device = "colin@uninsane.org:/var/lib/uninsane/media";
 inherit (sshOpts) fsType options;
 };
 fileSystems."/mnt/servo-media-lan" = {
- device = "colin@servo:/opt/uninsane/media";
+ device = "colin@servo:/var/lib/uninsane/media";
 inherit (sshOpts) fsType options;
 };
 fileSystems."/mnt/desko-home" = {