diff --git a/hosts/modules/roles/client/bluetooth-pairings.nix b/hosts/modules/roles/client/bluetooth-pairings.nix
index dedf286cc..8470c563e 100644
--- a/hosts/modules/roles/client/bluetooth-pairings.nix
+++ b/hosts/modules/roles/client/bluetooth-pairings.nix
@@ -13,9 +13,7 @@ lib.optionalAttrs false #< disabled 2024-09-27 while i rework sane.fs
 # persist external pairings by default
 sane.persist.sys.byStore.plaintext = [ "/var/lib/bluetooth" ]; #< TODO: port to private, but may be tricky to ensure service dependencies
- systemd.tmpfiles.settings."20-sane-bluetooth-pairings"."/var/lib/bluetooth".d = {
- mode = "0700";
- };
+ sane.fs."/var/lib/bluetooth".dir.acl.mode = "0700";
 systemd.services.bluetooth-provision-secrets = {
 before = [ "bluetooth.service" ];
 wantedBy = [ "bluetooth.service" ];
diff --git a/hosts/modules/roles/client/wifi-pairings.nix b/hosts/modules/roles/client/wifi-pairings.nix
index ce53f8877..0f150c8b6 100644
--- a/hosts/modules/roles/client/wifi-pairings.nix
+++ b/hosts/modules/roles/client/wifi-pairings.nix
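Review bot: In bluetooth-pairings.nix, `bluetooth-provision-secrets` gets no ordering against the step that creates `/var/lib/bluetooth`, although the wifi-pairings.nix hunk of this same commit adds `after = [ "systemd-tmpfiles-setup.service" ];` to `NetworkManager-provision-secrets` for exactly that reason. If the service can run before the directory exists, whatever it provisions may land in a directory created with default permissions rather than 0700, so I would add the same `after` line here. The service body continues outside the hunk, so an existing `after` may already cover this. The module is also currently switched off by `lib.optionalAttrs false`, so the gap only matters once it is re-enabled.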
@@ -10,19 +10,19 @@ in
 config = lib.mkIf config.sane.roles.client {
 sops.secrets."net/all.json".owner = "networkmanager";
- systemd.tmpfiles.settings."20-sane-wifi-pairings"."/var/lib/iwd".d = {
- mode = "0700";
- };
 systemd.services.iwd-provision-secrets = {
 before = [ "iwd.service" ];
 wantedBy = [ "iwd.service" ];
 serviceConfig.ExecStart = "${lib.getExe install-nm} /run/secrets/net/all.json /var/lib/iwd --flavor iwd";
 };
- systemd.tmpfiles.settings."20-sane-wifi-pairings"."/var/lib/NetworkManager/system-connections".d = {
+ sane.fs."/var/lib/NetworkManager/system-connections".dir.acl = {
+ user = "networkmanager";
+ group = "networkmanager";
 mode = "0700";
 };
 systemd.services.NetworkManager-provision-secrets = {
+ after = [ "systemd-tmpfiles-setup.service" ]; #< for sane.fs; ensure system-connections exists as a directory first.
 before = [ "NetworkManager.service" ];
 wantedBy = [ "NetworkManager.service" ];
 serviceConfig.ExecStart = "${lib.getExe install-nm} /run/secrets/net/all.json /var/lib/NetworkManager/system-connections --flavor nm";
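Review bot: The `/var/lib/iwd` tmpfiles entry with mode 0700 is removed without a `sane.fs` replacement, yet `iwd-provision-secrets` still installs the contents of `/run/secrets/net/all.json` into that directory. Unless `install-nm` (defined outside this hunk) or iwd itself creates the directory with restrictive permissions, what are presumably Wi-Fi credentials may end up under a directory made with the default umask. I would keep the declaration in the new form, `sane.fs."/var/lib/iwd".dir.acl.mode = "0700";`, and give `iwd-provision-secrets` the same `after = [ "systemd-tmpfiles-setup.service" ];` that `NetworkManager-provision-secrets` receives further down. The body of `NetworkManager-provision-secrets` continues past the end of the hunk.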