diff --git a/hosts/by-name/servo/services/pleroma.nix b/hosts/by-name/servo/services/pleroma.nix
index f05ff9210..ae878e142 100644
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -136,9 +136,10 @@ in
       # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
       pkgs.bash
       # used by Pleroma to strip geo tags from uploads
-      config.sane.programs.exiftool.package
+      pkgs.exiftool
+      # config.sane.programs.exiftool.package #< XXX(2024-10-20): breaks image uploading
       # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
-      config.sane.programs.gawk.package
+      # config.sane.programs.gawk.package
       # needed for email operations like password reset
       pkgs.postfix
     ];
@@ -153,7 +154,7 @@ in
     # possible that i've set something too strict and won't notice right away
     # make sure to test:
     # - image/media uploading
-    serviceConfig.CapabilityBoundingSet = "~CAP_SYS_ADMIN"; #< TODO: reduce this. try: CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+    serviceConfig.CapabilityBoundingSet = lib.mkForce [ "" "" ]; # nixos default is `~CAP_SYS_ADMIN`
     serviceConfig.LockPersonality = true;
     serviceConfig.NoNewPrivileges = true;
     serviceConfig.MemoryDenyWriteExecute = true;
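Review bot: Swapping `config.sane.programs.exiftool.package` for bare `pkgs.exiftool` changes which ExifTool binary parses user uploads, and the only explanation left is the `XXX(2024-10-20): breaks image uploading` marker; what the `sane.programs` variant did differently is not visible here, so I would record it, e.g. `# XXX(2024-10-20): the sane.programs wrapper breaks image uploading, so the plain package is used; exiftool is fed untrusted uploads, so this is worth revisiting once the wrapper is fixed`. The gawk entry is commented out rather than removed, which leaves dead text in the path list; since the comment above already says the missing `awk` is probably not critical, either delete the line or note why it is kept. The `path = [ ... ]` list this hunk edits begins above the hunk.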
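Review bot: `lib.mkForce [ "" "" ]` assigns an empty `CapabilityBoundingSet=`, which resets the bounding set to no capabilities at all, so this is considerably stricter than the removed `~CAP_SYS_ADMIN` line and drops every candidate the old TODO listed (`CAP_SETUID`, `CAP_SETGID`, `CAP_SYS_CHROOT`, ...), yet the commit leaves the "possible that i've set something too strict" and "make sure to test: image/media uploading" comments in place without saying whether uploads and password-reset mail were re-tested under the empty set. The trailing comment only names the nixos default; it should state the intent and why two empty strings are used rather than one, e.g. `# empty assignment resets the bounding set to no capabilities (overrides the nixos default of ~CAP_SYS_ADMIN)`, with the duplicate either dropped or explained. With `NoNewPrivileges = true` two lines below, the service also cannot regain anything via setuid helpers, which is presumably the intent and is worth saying. The enclosing `serviceConfig` assignments start before this hunk.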