diff --git a/hosts/by-name/servo/services/postgres.nix b/hosts/by-name/servo/services/postgres.nix
index d074f7b14..d394c825c 100644
--- a/hosts/by-name/servo/services/postgres.nix
+++ b/hosts/by-name/servo/services/postgres.nix
@@ -6,9 +6,9 @@ let
 KiB = n: 1024*n;
 in
 {
- sane.persist.sys.byStore.plaintext = [
- # TODO: mode?
- { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
+ sane.persist.sys.byStore.private = [
+ { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/lib/postgresql"; method = "bind"; }
+ { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/backup/postgresql"; method = "bind"; }
 ];
 services.postgresql.enable = true;
diff --git a/hosts/by-name/servo/services/transmission/default.nix b/hosts/by-name/servo/services/transmission/default.nix
index dfae19394..1b126fb27 100644
--- a/hosts/by-name/servo/services/transmission/default.nix
+++ b/hosts/by-name/servo/services/transmission/default.nix
@@ -38,6 +38,7 @@ in
 sane.persist.sys.byStore.private = [
 # TODO: mode? we need this specifically for the stats tracking in .config/
 { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
+ { user = "transmission"; group = config.users.users.transmission.group; path = "/var/backup/torrents"; method = "bind"; }
 ];
 users.users.transmission.extraGroups = [ "media" ];
diff --git a/hosts/common/persist.nix b/hosts/common/persist.nix
index fd68638e8..803ec4c9c 100644
--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -2,11 +2,7 @@
 {
 sane.persist.sys.byStore.initrd = [
- "/var/log"
- ];
- sane.persist.sys.byStore.plaintext = [
- # TODO: these should be private.. somehow
- "/var/backup" # for e.g. postgres dumps
+ "/var/log" #< TODO: this includes e.g. /var/log/nginx, which SHOULD NOT BE PERSISTED in plaintext
 ];
 sane.persist.sys.byStore.ephemeral = [
 "/var/lib/systemd/coredump"
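Review bot: In hosts/by-name/servo/services/postgres.nix the switch from `byStore.plaintext` to `byStore.private` only changes which store `/var/lib/postgresql` is bound from; nothing visible in this hunk moves the existing cluster or removes the copy already written to the plaintext store. Unless `sane.persist` migrates data between stores (not shown here), the old database files stay readable at rest and postgres may start against an empty directory. I would record the manual step next to the entry, e.g. `# migrating from plaintext: move the old data into the private store, then wipe the plaintext copy`. The same applies to the `"/var/backup"` entry removed from `byStore.plaintext` in hosts/common/persist.nix.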
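Review bot: The new `/var/backup/torrents` entry in hosts/by-name/servo/services/transmission/default.nix is added without a `mode`, while the postgres entries in this same commit pin `mode = "0750"`. The existing `# TODO: mode?` sits above the `/var/lib/transmission` line, so the backup directory's permissions are left to whatever default `sane.persist` applies, which is not visible here. I would state the mode explicitly on the added line, `{ user = "transmission"; group = config.users.users.transmission.group; mode = "0750"; path = "/var/backup/torrents"; method = "bind"; }`, or use `0700` if only the daemon needs to read the backups.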
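Review bot: Dropping the catch-all `"/var/backup"` entry in hosts/common/persist.nix means only subdirectories with their own entry are persisted, and this commit adds just `/var/backup/postgresql` and `/var/backup/torrents`, both under servo. Because this file is shared under hosts/common, any other host or service that writes to `/var/backup` would presumably lose that data across reboots; whether such writers exist cannot be seen from this hunk. A short comment where the entry used to be would make the new contract explicit, e.g. `# /var/backup is not persisted as a whole: each service persists its own subdirectory, in the private store`.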