diff --git a/modules/persist/stores/ephemeral.nix b/modules/persist/stores/ephemeral.nix
index 70eeeb141..594d951a2 100644
--- a/modules/persist/stores/ephemeral.nix
+++ b/modules/persist/stores/ephemeral.nix
@@ -54,5 +54,43 @@ lib.mkIf config.sane.persist.enable sane.fs."${origin}".mount = { }; sane.fs."${backing}" = sane-lib.fs.wantedDir;
+ systemd.mounts = let
+ fsEntry = config.fileSystems."${origin}";
+ in [{
+ #VVV repeat what systemd would ordinarily scrape from /etc/fstab
+ where = origin;
+ what = fsEntry.device;
+ type = fsEntry.fsType;
+ options = lib.concatStringsSep "," fsEntry.options;
+
+ # sandbox options
+ mountConfig.AmbientCapabilities = "";
+ # CAP_LEASE is probably not necessary -- does any fs user use leases?
+ mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_CHOWN CAP_MKNOD CAP_LEASE CAP_SETGID CAP_SETUID CAP_FOWNER";
+ mountConfig.LockPersonality = true;
+ mountConfig.MemoryDenyWriteExecute = true;
+ mountConfig.NoNewPrivileges = true;
+ mountConfig.ProtectClock = true;
+ mountConfig.ProtectHostname = true;
+ mountConfig.RemoveIPC = true;
+ mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger
+ #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
+ # see `systemd-analyze filesystems` for a full list
+ mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs";
+ mountConfig.RestrictNamespaces = true;
+ mountConfig.RestrictNetworkInterfaces = "";
+ mountConfig.RestrictRealtime = true;
+ mountConfig.RestrictSUIDSGID = true;
+ mountConfig.SystemCallArchitectures = "native";
+ mountConfig.SystemCallFilter = [
+ # unfortunately, i need to keep @network-io (accept, bind, connect, listen, recv, send, socket, ...). not sure why (daemon control socket?).
+ # TODO: @module?
+ "@system-service" "@mount" "~@cpu-emulation" "~@keyring"
+ ];
+ # note that anything which requires mount namespaces (ProtectHome, ReadWritePaths, ...) does NOT work.
+ # it's in theory possible, via mount propagation, but systemd provides no way for that.
+ # PrivateNetwork = true BREAKS the mount action; i think systemd or udev needs that internally to communicate with the service manager?
+ }]; + system.fsPackages = [ gocryptfs-ephemeral ]; # fuse needs to find gocryptfs
 }
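Review bot: The `# TODO: @module?` and the `"~@cpu-emulation"` entry in `mountConfig.SystemCallFilter` are, as far as I recall, no-ops in this allow-list form, because `@system-service` already excludes both `@module` and `@cpu-emulation` (only `"~@keyring"` subtracts something the group actually contains); worth confirming with `systemd-analyze syscall-filter @system-service` and then either dropping them or saying so in the comment. The "not sure why" about `@network-io` is most likely answered by the `RestrictAddressFamilies` line a few lines up: a logger reached over an AF_UNIX socket needs `socket`/`connect`/`send` from that group, so I would merge the two comments into one, e.g. `# @network-io stays allowed because the helper talks to its logger over an AF_UNIX socket (see RestrictAddressFamilies); @module and @cpu-emulation are not in @system-service, so no "~" entry is needed for them`. The `#VVV repeat what systemd would ordinarily scrape from /etc/fstab` comment covers Where/What/Type/Options but not the ordering and dependency metadata the fstab generator also derives (e.g. `x-systemd.*` options, the `local-fs.target` wanting); if this explicit unit shadows the generated one, a sentence there on what `unitConfig`/`wantedBy` was checked would help the next reader. The enclosing `lib.mkIf … { … }` attribute set begins before the hunk.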