diff --git a/hosts/common/home/keyring/default.nix b/hosts/common/home/keyring/default.nix
index 4e944056f..6fa08f56b 100644
--- a/hosts/common/home/keyring/default.nix
+++ b/hosts/common/home/keyring/default.nix
@@ -10,7 +10,7 @@ in
 sane.user.persist.private = [ ".local/share/keyrings" ];
 sane.user.fs."private/.local/share/keyrings/default" = {
- generated.script.scriptArgs = [ "${init-keyring}/bin/init-keyring" ];
+ generated.command = [ "${init-keyring}/bin/init-keyring" ];
 # TODO: is this `wantedBy` needed? can we inherit it?
 wantedBy = [ config.sane.fs."/home/colin/private".unit ];
 wantedBeforeBy = [ ]; # don't created this as part of `multi-user.target`
diff --git a/hosts/modules/derived-secrets/default.nix b/hosts/modules/derived-secrets/default.nix
index 2839b9829..4aaf79be8 100644
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@@ -37,7 +37,7 @@ in
 config = {
 sane.fs = mapAttrs (path: c: {
- generated.script.scriptArgs = [
+ generated.command = [
 "${hash-path-with-salt}/bin/hash-path-with-salt"
 path
 ];
diff --git a/hosts/modules/roles/client/bluetooth-pairings.nix b/hosts/modules/roles/client/bluetooth-pairings.nix
index b292b3aa3..88d5e9bfe 100644
--- a/hosts/modules/roles/client/bluetooth-pairings.nix
+++ b/hosts/modules/roles/client/bluetooth-pairings.nix
@@ -15,7 +15,7 @@ in
 sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
 sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
 wantedBeforeBy = [ "bluetooth.service" ];
- generated.script.scriptArgs = [
+ generated.command = [
 "${install-bluetooth}/bin/install-bluetooth"
 "/run/secrets/bt"
 ""
diff --git a/hosts/modules/roles/client/wifi-pairings.nix b/hosts/modules/roles/client/wifi-pairings.nix
index 53e1f2d26..31e563fd4 100644
--- a/hosts/modules/roles/client/wifi-pairings.nix
+++ b/hosts/modules/roles/client/wifi-pairings.nix
@@ -12,7 +12,7 @@ in
 sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
 wantedBeforeBy = [ "iwd.service" ];
 generated.acl.mode = "0600";
- generated.script.scriptArgs = [
+ generated.command = [
 "${install-iwd}/bin/install-iwd"
 "/run/secrets/net"
 "/var/lib/iwd"
diff --git a/modules/fs/default.nix b/modules/fs/default.nix
index 2653d2d2d..690254020 100644
--- a/modules/fs/default.nix
+++ b/modules/fs/default.nix
@@ -86,9 +86,9 @@ let
 ];
 # actually generate the item
- generated.script = lib.mkMerge [
- (lib.mkIf (config.dir != null) (ensureDirScript name config.dir))
- (lib.mkIf (config.symlink != null) (ensureSymlinkScript name config.symlink))
+ generated.command = lib.mkMerge [
+ (lib.mkIf (config.dir != null) [ "${ensure-dir}/bin/ensure-dir" name ])
+ (lib.mkIf (config.symlink != null) [ "${ensure-symlink}/bin/ensure-symlink" name config.symlink.target ])
 ];
 # make the unit file which generates the underlying thing available so that `mount` can use it.
@@ -156,7 +156,7 @@ let
 '';
 default = [];
 };
- script.scriptArgs = mkOption {
+ command = mkOption {
 type = types.listOf types.str;
 default = [];
 };
@@ -192,7 +192,13 @@ let
 mkGeneratedConfig = path: opt: let
 gen-opt = opt.generated;
- wrapper = generateWrapperScript path gen-opt;
+ wrappedCommand = [
+ "${ensure-perms}/bin/ensure-perms"
+ path
+ gen-opt.acl.user
+ gen-opt.acl.group
+ gen-opt.acl.mode
+ ] ++ gen-opt.command;
 in {
 systemd.services."${serviceNameFor path}" = {
 description = "prepare ${path}";
@@ -200,7 +206,7 @@ let
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true; # makes `systemctl start ensure-blah` a noop if already completed, instead of a restart
- ExecStart = escapeShellArgs wrapper.scriptArgs;
+ ExecStart = escapeShellArgs wrappedCommand;
 };
 after = gen-opt.depends;
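Review bot: Nothing in the new `generated.command` of the `@@ -86` hunk stops the two `lib.mkIf` branches, or a user-supplied `generated.command` for the same path, from being merged into a single argv: the `command` option declared in the `@@ -156` hunk is `types.listOf types.str`, and the module system merges list definitions by concatenation, so a path with both `dir` and `symlink` set, or `dir` plus its own command, would run ensure-dir with the other command's argv appended as extra positional arguments instead of failing loudly. The old `script.scriptArgs` was presumably merged the same way, so this is not a regression, but now that the value is a plain argv list the hazard is worth closing. Consider declaring the option with a type that refuses multiple definitions, `type = types.uniq (types.listOf types.str);`, or adding an explicit check in the enclosing config (whose definition starts outside the hunk), e.g. `assert lib.count (x: x != null) [ config.dir config.symlink ] <= 1;`. The `wrappedCommand` list in the `@@ -192` hunk is where the merged value reaches `ExecStart`.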
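Review bot: The renamed `command` option in the `@@ -156` hunk carries no `description`, while the option just above it appears to end one (the `'';` context line), so generated option docs will not say what the list means or how it is executed. From the `@@ -192` and `@@ -206` hunks the contract visible here is: an argv list, not a shell string, that is appended to the `ensure-perms` argv after `acl.user`/`acl.group`/`acl.mode` (ensure-perms itself is not on the page, so how it hands off to the command is inferred) and then passed through `escapeShellArgs` into `ExecStart`. Suggest adding between `type` and `default`: `description = ''argv (not a shell string) that generates the item; it is handed to ensure-perms after the acl arguments and escaped with escapeShellArgs, so no shell expansion happens'';`.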
@@ -252,33 +258,6 @@ let
 (lib.mkIf (opt.mount != null) (mkMountConfig path opt))
 ];
- generateWrapperScript = path: gen-opt: {
- scriptArgs = [
- "${ensure-perms}/bin/ensure-perms"
- path
- gen-opt.acl.user
- gen-opt.acl.group
- gen-opt.acl.mode
- ] ++ gen-opt.script.scriptArgs;
- };
-
- # systemd/shell script used to create and set perms for a specific dir
- ensureDirScript = path: dir-cfg: {
- scriptArgs = [
- "${ensure-dir}/bin/ensure-dir"
- path
- ];
- };
-
- # systemd/shell script used to create a symlink
- ensureSymlinkScript = path: link-cfg: {
- scriptArgs = [
- "${ensure-symlink}/bin/ensure-symlink"
- path
- link-cfg.target
- ];
- };
-
 # return all ancestors of this path.
 # e.g. ancestorsOf "/foo/bar/baz" => [ "/" "/foo" "/foo/bar" ]
 ancestorsOf = path: lib.init (path-lib.walk "/" path);
diff --git a/modules/persist/stores/crypt.nix b/modules/persist/stores/crypt.nix
index 227b36800..bde9d3745 100644
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -51,7 +51,7 @@ lib.mkIf config.sane.persist.enable
 ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
 '';
 in {
- script.scriptArgs = [ "${script}" underlying key ];
+ command = [ "${script}" underlying key ];
 # we need the key in order to initialize the store
 depends = [ config.sane.fs."${key}".unit ];
 };
@@ -62,7 +62,7 @@ lib.mkIf config.sane.persist.enable
 dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
 '';
 in {
- script.scriptArgs = [ "${script}" key ];
+ command = [ "${script}" key ];
 # no need for anyone else to be able to read the key
 acl.mode = "0400";
 };