diff --git a/TODO.md b/TODO.md
new file mode 100644
index 00000000..40cc2e23
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,23 @@
+## refactoring:
+### sops/secrets
+- move every secret into its own file.
+- define SOPS secrets by crawling the ./secrets directory instead of manually defining them.
+- see about removing the sops activation script and just using systemd scripts instead.
+    - maybe this fixes the multiple "building the system configuration..." messages during nixos-rebuild switch?
+
+### roles
+- allow any host to take the role of `uninsane.org`
+    - will make it easier to test new services?
+
+## improvements:
+### security
+- have `sane.programs` be wrapped such that they run in a cgroup?
+    - at least, only give them access to the portion of the fs they *need*.
+    - Android takes approach of giving each app its own user: could hack that in here.
+
+
+## new features:
+- add a FTP-accessible file share to servo
+    - just /var/www?
+- migrate MAME cabinet to nix
+    - boot it from PXE from servo?