diff --git a/hosts/by-name/servo/fs.nix b/hosts/by-name/servo/fs.nix
index 751b28b39..003294d28 100644
--- a/hosts/by-name/servo/fs.nix
+++ b/hosts/by-name/servo/fs.nix
@@ -84,7 +84,7 @@ sane.persist.sys.byStore.plaintext = [ # TODO: this is overly broad; only need media and share directories to be persisted
- { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
+ { user = "colin"; group = "users"; path = "/var/lib/uninsane"; method = "bind"; } ]; # force some problematic directories to always get correct permissions: sane.fs."/var/lib/uninsane/media".dir.acl = {
diff --git a/hosts/by-name/servo/services/calibre.nix b/hosts/by-name/servo/services/calibre.nix
index b77fc7102..fe6308769 100644
--- a/hosts/by-name/servo/services/calibre.nix
+++ b/hosts/by-name/servo/services/calibre.nix
@@ -13,7 +13,7 @@ in lib.mkIf false { sane.persist.sys.byStore.plaintext = [
- { inherit user group; mode = "0700"; path = svc-dir; }
+ { inherit user group; mode = "0700"; path = svc-dir; method = "bind"; } ]; services.calibre-web.enable = true;
diff --git a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
index 64147c3ed..a06030713 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@@ -30,8 +30,7 @@ let in { sane.persist.sys.byStore.ext = [
- # /var/lib/monero/lmdb is what consumes most of the space
- { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
+ { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; method = "bind"; } ]; # sane.ports.ports."8333" = {
diff --git a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
index cac2b2d79..20a8c612a 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
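Review bot: `method = "bind";` is appended verbatim to every persist entry in this commit, starting with the `/var/lib/uninsane` entry here and continuing through every `sane.persist.sys.byStore.*` list down to transmission.nix, with no comment anywhere saying why bind is now preferred over whatever the module did before. If the `sane.persist` module exposes a default for `method` (I cannot see its options from this diff), setting it once there would keep roughly thirty identical fields from drifting the next time the method changes; if it does not, a one-line comment on this first entry, e.g. `# method = "bind": <reason bind is preferred over the module default>`, would spare the next reader the archaeology. The enclosing `sane.persist.sys.byStore.plaintext = [` list opens at the top of this hunk and its siblings follow the same pattern.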
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@@ -73,7 +73,7 @@ { config, pkgs, ... }: { sane.persist.sys.byStore.ext = [
- { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; }
+ { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; } ]; # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
diff --git a/hosts/by-name/servo/services/cryptocurrencies/monero.nix b/hosts/by-name/servo/services/cryptocurrencies/monero.nix
index a7eb0360f..a96ac34dc 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/monero.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/monero.nix
@@ -3,7 +3,7 @@ { sane.persist.sys.byStore.ext = [ # /var/lib/monero/lmdb is what consumes most of the space
- { user = "monero"; group = "monero"; path = "/var/lib/monero"; }
+ { user = "monero"; group = "monero"; path = "/var/lib/monero"; method = "bind"; } ]; services.monero.enable = true;
diff --git a/hosts/by-name/servo/services/cryptocurrencies/tor.nix b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
index 9cd42145e..e3caa8cd7 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/tor.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
@@ -4,7 +4,7 @@ # tor hidden service hostnames aren't deterministic, so persist. # might be able to get away with just persisting /var/lib/tor/onion, not sure. sane.persist.sys.byStore.plaintext = [
- { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; }
+ { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; } ]; # tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.
diff --git a/hosts/by-name/servo/services/ejabberd.nix b/hosts/by-name/servo/services/ejabberd.nix
index 71303786b..444e66491 100644
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -45,7 +45,7 @@ in lib.mkIf false { sane.persist.sys.byStore.plaintext = [
- { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
+ { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; } ]; sane.ports.ports = lib.mkMerge ([ {
diff --git a/hosts/by-name/servo/services/email/postfix.nix b/hosts/by-name/servo/services/email/postfix.nix
index 20a1162fc..36b6ce241 100644
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -20,9 +20,9 @@ in { sane.persist.sys.byStore.plaintext = [ # TODO: mode? could be more granular
- { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
- { user = "root"; group = "root"; path = "/var/lib/postfix"; }
- { user = "root"; group = "root"; path = "/var/spool/mail"; }
+ { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
+ { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
+ { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; } # *probably* don't need these dirs: # "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix # "/var/lib/dovecot"
diff --git a/hosts/by-name/servo/services/export/default.nix b/hosts/by-name/servo/services/export/default.nix
index 1671f4061..c183d93c8 100644
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@@ -30,7 +30,7 @@ # to query the quota/status: # - `sudo btrfs qgroup show -re /var/export/playground` sane.persist.sys.byStore.ext = [
- { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+ { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; method = "bind"; } ]; sane.fs."/var/export/README.md" = {
diff --git a/hosts/by-name/servo/services/freshrss.nix b/hosts/by-name/servo/services/freshrss.nix
index 525b08f48..e3b301462 100644
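Review bot: In the postfix.nix hunk the `/var/lib/opendkim` entry is rewritten but still carries no `mode`, so its permissions fall to whatever default the persist module applies, and the `# TODO: mode? could be more granular` line above it survives untouched even though every entry under it changes. On stock NixOS that directory holds the DKIM signing private key, so pinning it the way tor.nix and clightning.nix already do — `{ user = "opendkim"; group = "opendkim"; mode = "0700"; path = "/var/lib/opendkim"; method = "bind"; }` — would settle the TODO for the one entry where it matters most; I cannot confirm the module's default mode from this diff, so treat this as a question if the default is already restrictive. The same omission applies to `/var/lib/acme` in the nginx.nix hunk (certificate private keys; any explicit mode there must stay traversable by whatever reads the certs through the `acme` group), to `/var/lib/postgresql` in postgres.nix, which keeps its own bare `# TODO: mode?`, and to the `/var/lib/matrix-synapse` entry in matrix/default.nix. The closing `];` of this list is visible in the hunk but the `in {` that opens the attribute set is only named in the hunk header.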
--- a/hosts/by-name/servo/services/freshrss.nix
+++ b/hosts/by-name/servo/services/freshrss.nix
@@ -16,7 +16,7 @@ mode = "0400"; }; sane.persist.sys.byStore.plaintext = [
- { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
+ { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; method = "bind"; } ]; services.freshrss.enable = true;
diff --git a/hosts/by-name/servo/services/gitea.nix b/hosts/by-name/servo/services/gitea.nix
index b767a6826..2ee43e1b6 100644
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -4,7 +4,7 @@ { sane.persist.sys.byStore.plaintext = [ # TODO: mode? could be more granular
- { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
+ { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; } ]; services.gitea.enable = true; services.gitea.user = "git"; # default is 'gitea'
diff --git a/hosts/by-name/servo/services/ipfs.nix b/hosts/by-name/servo/services/ipfs.nix
index 7cec3d389..ca52da796 100644
--- a/hosts/by-name/servo/services/ipfs.nix
+++ b/hosts/by-name/servo/services/ipfs.nix
@@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore { sane.persist.sys.byStore.plaintext = [ # TODO: mode? could be more granular
- { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
+ { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; } ]; networking.firewall.allowedTCPPorts = [ 4001 ];
diff --git a/hosts/by-name/servo/services/jackett.nix b/hosts/by-name/servo/services/jackett.nix
index 6076ba373..acf5d1e67 100644
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@@ -3,7 +3,7 @@ { sane.persist.sys.byStore.plaintext = [ # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
- { user = "root"; group = "root"; path = "/var/lib/jackett"; }
+ { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; } ]; services.jackett.enable = true;
diff --git a/hosts/by-name/servo/services/jellyfin.nix b/hosts/by-name/servo/services/jellyfin.nix
index bba5a51f7..46bf6b267 100644
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@@ -41,7 +41,7 @@ }; sane.persist.sys.byStore.plaintext = [
- { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
+ { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; method = "bind"; } ]; sane.fs."/var/lib/jellyfin/config/logging.json" = { # "Emby.Dlna" logging:
diff --git a/hosts/by-name/servo/services/kiwix-serve.nix b/hosts/by-name/servo/services/kiwix-serve.nix
index a6e811333..c6b185a3f 100644
--- a/hosts/by-name/servo/services/kiwix-serve.nix
+++ b/hosts/by-name/servo/services/kiwix-serve.nix
@@ -7,7 +7,7 @@ { ... }: { sane.persist.sys.byStore.ext = [
- { user = "colin"; group = "users"; path = "/var/lib/kiwix"; }
+ { user = "colin"; group = "users"; path = "/var/lib/kiwix"; method = "bind"; } ]; sane.services.kiwix-serve = {
diff --git a/hosts/by-name/servo/services/komga.nix b/hosts/by-name/servo/services/komga.nix
index 9e6d44101..6606830e3 100644
--- a/hosts/by-name/servo/services/komga.nix
+++ b/hosts/by-name/servo/services/komga.nix
@@ -5,7 +5,7 @@ let in { sane.persist.sys.byStore.plaintext = [
- { inherit user group; mode = "0700"; path = stateDir; }
+ { inherit user group; mode = "0700"; path = stateDir; method = "bind"; } ]; services.komga.enable = true;
diff --git a/hosts/by-name/servo/services/matrix/default.nix b/hosts/by-name/servo/services/matrix/default.nix
index 816466624..977ac6ba2 100644
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -21,7 +21,7 @@ ]; sane.persist.sys.byStore.plaintext = [
- { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
+ { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; } ]; services.matrix-synapse.enable = true; services.matrix-synapse.settings = {
diff --git a/hosts/by-name/servo/services/matrix/discord-puppet.nix b/hosts/by-name/servo/services/matrix/discord-puppet.nix
index 303d5aa41..855de55a8 100644
--- a/hosts/by-name/servo/services/matrix/discord-puppet.nix
+++ b/hosts/by-name/servo/services/matrix/discord-puppet.nix
@@ -6,7 +6,7 @@ lib.mkIf false { sane.persist.sys.byStore.plaintext = [
- { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
+ { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; } ]; services.matrix-synapse.settings.app_service_config_files = [
diff --git a/hosts/by-name/servo/services/matrix/irc.nix b/hosts/by-name/servo/services/matrix/irc.nix
index 274414c2e..d64abddb1 100644
--- a/hosts/by-name/servo/services/matrix/irc.nix
+++ b/hosts/by-name/servo/services/matrix/irc.nix
@@ -103,7 +103,7 @@ in sane.persist.sys.byStore.plaintext = [ # TODO: mode?
- { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
+ { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; } ]; # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
diff --git a/hosts/by-name/servo/services/matrix/signal.nix b/hosts/by-name/servo/services/matrix/signal.nix
index cb254bd98..d0942aa05 100644
--- a/hosts/by-name/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@@ -5,8 +5,8 @@ lib.mkIf false # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes { sane.persist.sys.byStore.plaintext = [
- { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
- { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
+ { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
+ { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; } ]; # allow synapse to read the registration file
diff --git a/hosts/by-name/servo/services/navidrome.nix b/hosts/by-name/servo/services/navidrome.nix
index c467d761e..2a4bda72a 100644
--- a/hosts/by-name/servo/services/navidrome.nix
+++ b/hosts/by-name/servo/services/navidrome.nix
@@ -2,7 +2,7 @@ { sane.persist.sys.byStore.plaintext = [
- { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
+ { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; method = "bind"; } ]; services.navidrome.enable = true; services.navidrome.settings = {
diff --git a/hosts/by-name/servo/services/nginx.nix b/hosts/by-name/servo/services/nginx.nix
index fcc6e177c..dd453031e 100644
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@@ -169,8 +169,8 @@ in security.acme.defaults.email = "admin.acme@uninsane.org"; sane.persist.sys.byStore.plaintext = [
- { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
- { user = "colin"; group = "users"; path = "/var/www/sites"; }
+ { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
+ { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; } ]; # let's encrypt default chain looks like:
diff --git a/hosts/by-name/servo/services/ntfy/ntfy-sh.nix b/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
index 0ffc3e48d..724a14e15 100644
--- a/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
@@ -34,7 +34,7 @@ in # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache # for pushing notifications to users who become offline. # ACLs also live here.
- { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+ { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; method = "bind"; } ]; services.ntfy-sh.enable = true;
diff --git a/hosts/by-name/servo/services/pict-rs.nix b/hosts/by-name/servo/services/pict-rs.nix
index a005f55eb..215f08396 100644
--- a/hosts/by-name/servo/services/pict-rs.nix
+++ b/hosts/by-name/servo/services/pict-rs.nix
@@ -6,7 +6,7 @@ let in { sane.persist.sys.byStore.plaintext = lib.mkIf cfg.enable [
- { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
+ { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; method = "bind"; } ]; systemd.services.pict-rs.serviceConfig = {
diff --git a/hosts/by-name/servo/services/pleroma.nix b/hosts/by-name/servo/services/pleroma.nix
index ff3b53398..1fd09e147 100644
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -15,7 +15,7 @@ let in { sane.persist.sys.byStore.plaintext = [
- { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
+ { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; } ]; services.pleroma.enable = true; services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
diff --git a/hosts/by-name/servo/services/postgres.nix b/hosts/by-name/servo/services/postgres.nix
index 7c2c42b4b..d074f7b14 100644
--- a/hosts/by-name/servo/services/postgres.nix
+++ b/hosts/by-name/servo/services/postgres.nix
@@ -8,7 +8,7 @@ in { sane.persist.sys.byStore.plaintext = [ # TODO: mode?
- { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
+ { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; } ]; services.postgresql.enable = true;
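Review bot: The rewritten ntfy-sh.nix entry keeps `group ="ntfy-sh"` with a space on only one side of the `=`, while every other entry touched by this commit is written `group = "…"`; since the line is being replaced anyway, `{ user = "ntfy-sh"; group = "ntfy-sh"; path = "/var/lib/ntfy-sh"; method = "bind"; }` would bring it in line. The `sane.persist.sys.byStore.plaintext = [` that opens this list sits above the hunk, which begins with the three explanatory comment lines.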
diff --git a/hosts/by-name/servo/services/prosody/default.nix b/hosts/by-name/servo/services/prosody/default.nix
index 72a49bbe0..5efc126a3 100644
--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@@ -57,7 +57,7 @@ let in { sane.persist.sys.byStore.plaintext = [
- { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
+ { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; } ]; sane.ports.ports."5000" = { protocol = [ "tcp" ];
diff --git a/hosts/by-name/servo/services/slskd.nix b/hosts/by-name/servo/services/slskd.nix
index b2fcab604..ae8608ffe 100644
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@@ -6,7 +6,7 @@ { config, lib, ... }: { sane.persist.sys.byStore.plaintext = [
- { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; }
+ { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; method = "bind"; } ]; sops.secrets."slskd_env" = { owner = config.users.users.slskd.name;
diff --git a/hosts/by-name/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix
index 0dd6b97e4..72f31f7e0 100644
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@@ -26,7 +26,7 @@ in { sane.persist.sys.byStore.plaintext = [ # TODO: mode? we need this specifically for the stats tracking in .config/
- { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; }
+ { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; } ]; users.users.transmission.extraGroups = [ "media" ];