diff --git a/hosts/modules/services/rsync-net/default.nix b/hosts/modules/services/rsync-net/default.nix
index 89d5de6e5..9046fa2b8 100644
--- a/hosts/modules/services/rsync-net/default.nix
+++ b/hosts/modules/services/rsync-net/default.nix
@@ -25,8 +25,8 @@ in
 list of directories to upload to rsync.net.
 note that this module does NOT add any encryption to the files (layer that yourself).
 '';
- default = [
- "/nix/persist/private"
+ default = lib.optionals config.sane.persist.enable [
+ config.sane.persist.stores."private".origin
 ];
 };
 };
@@ -55,7 +55,7 @@ in
 # hardening
 serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
 serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
- serviceConfig.ReadOnlyPaths = "/nix/persist/private";
+ serviceConfig.ReadOnlyPaths = cfg.dirs;
 serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6";
 serviceConfig.LockPersonality = true;
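Review bot: When `config.sane.persist.enable` is false the new `default` in the first hunk evaluates to `[]`, and nothing visible here stops the unit from running with no directories, so the off-site backup could stop silently. An assertion under the module's enable condition would surface that at evaluation time, e.g. `assertion = cfg.dirs != [];` with a message naming this option. The same list now feeds `serviceConfig.ReadOnlyPaths` in the second hunk, where systemd fails namespace setup for an entry that does not exist unless it carries a `-` prefix, so user-supplied `dirs` should either be checked or mapped to `"-${d}"` if best-effort is intended. The description's "does NOT add any encryption" warning now depends on `stores."private".origin` being the ciphertext side of that store, which is not shown in this diff; a one-line comment beside the default stating that would help. The option definition and the service block both start outside their hunks.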