diff --git a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
index 4f82809e8..342524471 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@@ -20,6 +20,7 @@ let
 bitcoind = pkgs.bitcoind;
 # wrapper to run bitcoind with the tor onion address as externalip (computed at runtime)
 _bitcoindWithExternalIp = pkgs.writeShellScriptBin "bitcoind" ''
+ set -xeu
 externalip="$(cat /var/lib/tor/onion/bitcoind/hostname)"
 exec ${bitcoind}/bin/bitcoind "-externalip=$externalip" "$@"
 '';
@@ -68,10 +69,21 @@ in
 # proxy all outbound traffic through Tor
 proxy=127.0.0.1:9050
 '';
+ extraCmdlineOptions = [
+ # "--debug"
+ # "--debug=estimatefee"
+ # "--debug=http"
+ # "--debug=net"
+ "--debug=proxy"
+ "--debug=rpc"
+ # "--debug=validation"
+ ];
 };
 users.users.bitcoind-mainnet.extraGroups = [ "tor" ];
+ systemd.services.bitcoind-mainnet.after = [ "tor.service" ];
+ systemd.services.bitcoind-mainnet.requires = [ "tor.service" ];
 systemd.services.bitcoind-mainnet.serviceConfig.RestartSec = "30s"; #< default is 0
 sane.users.colin.fs.".bitcoin/bitcoin.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets."bitcoin.conf".path;
diff --git a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
index 7b223173e..33f47d743 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@@ -106,6 +106,7 @@
 users.users.clightning.extraGroups = [ "tor" ];
 systemd.services.clightning.after = [ "tor.service" ];
+ systemd.services.clightning.requires = [ "tor.service" ];
 # lightning-config contains fields from here:
 # -
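Review bot: The `-x` in the added `set -xeu` makes bash echo every expanded command of this wrapper to stderr, which under systemd ends up in the journal; the traced `exec` line carries every argument in `"$@"`, so any option a caller ever passes to bitcoind on the command line is logged verbatim. The fail-fast part is the useful bit: with `-e`, a missing or unreadable hostname file makes the `externalip=` assignment exit non-zero instead of launching bitcoind with an empty `-externalip=`. Unless the trace is still needed for debugging, prefer `set -eu` and say why it is there, e.g. `# abort (and let systemd retry) if tor has not yet written the onion hostname`.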
@@ -118,13 +119,15 @@
 # - feature configs (i.e. experimental-xyz options)
 sane.services.clightning.extraConfig = ''
 # log levels: "io", "debug", "info", "unusual", "broken"
- log-level=info:lightningd
+ log-level=info
+ # log-level=info:lightningd
 # log-level=debug:lightningd
+ # log-level=debug
 # peerswap:
 # - config example:
 # XXX: peerswap crashes clightning on launch. stacktrace is useless.
- # plugin=${pkgs.peerswap}/bin/peerswap
+ # plugin={pkgs.peerswap}/bin/peerswap
 # peerswap-db-path=/var/lib/clightning/peerswap/swaps
 # peerswap-policy-path=...
 '';
diff --git a/hosts/by-name/servo/services/cryptocurrencies/tor.nix b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
index 62dfb8860..3fd1d603c 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/tor.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
@@ -1,10 +1,10 @@
 # tor settings:
 { lib, ... }:
 {
- # tor hidden service hostnames aren't deterministic, so persist.
- # might be able to get away with just persisting /var/lib/tor/onion, not sure.
- sane.persist.sys.byStore.private = [
- { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
+ sane.persist.sys.byStore.ephemeral = [
+ # N.B.: tor hidden service hostnames aren't deterministic, so if you need them
+ # to be preserved across reboots then persist /var/lib/tor/onion in "private" store.
+ { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
 ];
 
 # tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.
diff --git a/modules/services/clightning.nix b/modules/services/clightning.nix
index ba200ea03..2e5e46e3f 100644
--- a/modules/services/clightning.nix
+++ b/modules/services/clightning.nix
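Review bot: Rewriting the commented example as `# plugin={pkgs.peerswap}/bin/peerswap` does stop Nix from interpolating it, but it leaves a template line that is no longer valid to copy back into the config. Nix indented strings escape a literal `${` as `''${`, so `# plugin=''${pkgs.peerswap}/bin/peerswap` keeps the example intact while still not evaluating the package; a one-line comment on why the escape is there, e.g. `# escaped so the commented-out plugin line does not pull peerswap into the config's dependencies`, would save the next reader the same detour. One context line of this hunk appears to be missing from the page, so the exact placement is inferred.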
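Review bot: Moving the whole of `/var/lib/tor` to the `ephemeral` store means the hidden-service keys under `/var/lib/tor/onion` are regenerated on every boot, so the onion hostname that this same diff reads at runtime for bitcoind's `-externalip` changes with each reboot; the new N.B. explains how to avoid that but not that this configuration now does lose it. If a stable onion identity is wanted for the bitcoind (and presumably clightning) services, keep just `/var/lib/tor/onion` in the `private` store as the comment itself suggests; otherwise state the consequence where the next reader will look, e.g. `# consequence: the bitcoind/clightning onion addresses (and their keys) are fresh on every boot`.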
@@ -149,20 +149,23 @@ in
 };
 config = lib.mkIf cfg.enable {
 systemd.services.clightning = {
- path = [ bitcoind.package ];
+ path = [ bitcoind.package ]; #< TODO: maybe need only `sane.programs.bitcoin-cli.package` (sandboxed) ?
 # note the wantedBy bitcoind: this should make it so that a bitcoind restart causes clightning to also restart (instead of to only stop)
 wantedBy = [ "bitcoind-${cfg.bitcoindName}.service" "multi-user.target" ];
 requires = [ "bitcoind-${cfg.bitcoindName}.service" ];
 after = [ "bitcoind-${cfg.bitcoindName}.service" ];
 serviceConfig = {
- # TODO: hardening
 ExecStart = "${cfg.package}/bin/lightningd --lightning-dir=${cfg.dataDir}";
 User = cfg.user;
- Restart = "on-failure";
+ Restart = "always";
 RestartSec = "30s";
- ReadWritePaths = [ cfg.dataDir ];
+ ReadWritePaths = [
+ cfg.dataDir
+ "/var/lib/bitcoind-${cfg.bitcoindName}" #< TODO: can this be ReadOnlyPaths?
+ ];
+ TimeoutStartSec = "360s"; #< give some chance in case bitcoind needs to sync
 # hardening
 LockPersonality = true;