diff --git a/TODO.md b/TODO.md
index 5efb4701..107ecfca 100644
--- a/TODO.md
+++ b/TODO.md
@@ -34,6 +34,9 @@
 - have `sane.programs` be wrapped such that they run in a cgroup?
 - at least, only give them access to the portion of the fs they *need*.
 - Android takes approach of giving each app its own user: could hack that in here.
+ - **systemd-run** takes a command and runs it in a temporary scope (cgroup)
+ - presumably uses the same options as systemd services
+ - see e.g.
 - flatpak does this, somehow
 - apparmor? SElinux? (desktop) "portals"?
 - see Spectrum OS; Alyssa Ross; etc
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 38b6865e..7a035990 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -43,6 +43,24 @@
 # does the builder use some content-addressed db to efficiently dedupe?
 nix.settings.auto-optimise-store = true;
+ systemd.services.nix-daemon.serviceConfig = {
+ # the nix-daemon manages nix builders
+ # kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
+ # see:
+ # - nixos PR that enabled systemd-oomd:
+ # - systemd's docs on these properties:
+ #
+ # systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
+ # see `man oomd.conf` for further tunables that may help.
+ #
+ # alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
+ # TODO: also apply this to the guest user's slice (user-1100.slice)
+ # TODO: also apply this to distccd
+ ManagedOOMMemoryPressure = "kill";
+ ManagedOOMSwap = "kill";
+ };
+
+ # TODO: move this to gui machines only
 fonts = {
 enableDefaultFonts = true;
 fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
diff --git a/hosts/common/fs.nix b/hosts/common/fs.nix
index 743a0366..01533fab 100644
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
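Review bot: The `kill` action acts on the whole nix-daemon.service cgroup, so the header comment `kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition` understates it: systemd-oomd terminates every process in that cgroup, which presumably includes the daemon itself, and whether the service comes back depends on the unit's Restart= setting, which is not visible in this hunk. The trigger thresholds are also left implicit — with no `ManagedOOMMemoryPressureLimit` set the limit comes from oomd.conf's DefaultMemoryPressureLimit, so either state that in the comment or pin it next to the two properties, e.g. `ManagedOOMMemoryPressureLimit = "<PERCENT>%";` (placeholder value). Finally, both properties do nothing on a host where systemd-oomd is not running; the comment about the NixOS PR implies it is on by default, but a `systemd.oomd.enable = true;` beside this block, or a comment naming that dependency, would make the intent survive a host that overrides it.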
@@ -7,6 +7,7 @@ let fsOpts = rec {
 common = [
 "_netdev"
 "noatime"
+ "user" # allow any user with access to the device to mount the fs
 "x-systemd.requires=network-online.target"
 "x-systemd.after=network-online.target"
 "x-systemd.mount-timeout=10s" # how long to wait for mount **and** how long to wait for unmount
@@ -19,7 +20,6 @@ let fsOpts = rec {
 ];
 ssh = common ++ [
- "user"
 "identityfile=/home/colin/.ssh/id_ed25519"
 "allow_other"
 "default_permissions"
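Review bot: The comment on the added `"user"` entry describes only half of what mount(8) does with that option: besides letting an ordinary user mount the filesystem, `user` implies `noexec,nosuid,nodev` unless a later option overrides them, and it records the mounting user so that the same user may unmount it. Because the entry now lives in `common` rather than only in `ssh`, every option set built on `common` inherits both effects; the other consumers of `common` are outside this hunk, so that widening is worth confirming deliberately rather than by default. Suggest `"user"  # allow any user with access to the device to mount/unmount the fs; also implies noexec,nosuid,nodev unless overridden`. The enclosing `fsOpts` definition continues past the end of the hunk.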