diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 9e427945..fba33a8b 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -18,7 +18,7 @@ sane.packages.enableConsolePkgs = true; sane.packages.enableSystemPkgs = true;
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 "/var/log" "/var/backup" # for e.g. postgres dumps # TODO: move elsewhere
diff --git a/hosts/common/users.nix b/hosts/common/users.nix
index ff1d2ce6..d3c22457 100644
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -82,7 +82,7 @@ in mode = config.users.users.colin.homeMode; };
- sane.persist.dirs.home.plaintext = [
+ sane.persist.home.plaintext = [
 "archive" "dev" # TODO: records should be private
@@ -100,7 +100,7 @@ in ".local/share/keyrings" ]; # TODO: fix this ugly solution that allows moby to have firefox cache not erased every boot.
- sane.persist.dirs.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
+ sane.persist.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
 # cache is probably too big to fit on the tmpfs # ".cache" config.sane.web-browser.cacheDir
@@ -116,7 +116,7 @@ in # used by password managers, e.g. unix `pass` sane.fs."/home/colin/.password-store" = mkSymlink "/home/colin/knowledge/secrets/accounts";
- sane.persist.dirs.sys.plaintext = mkIf cfg.guest.enable [
+ sane.persist.sys.plaintext = mkIf cfg.guest.enable [
 # intentionally allow other users to write to the guest folder { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; } ];
diff --git a/hosts/desko/default.nix b/hosts/desko/default.nix
index 1ef4abd8..bf409f98 100644
--- a/hosts/desko/default.nix
+++ b/hosts/desko/default.nix
@@ -52,7 +52,7 @@ remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server };
- sane.persist.dirs.home.plaintext = [
+ sane.persist.home.plaintext = [
 ".steam" ".local/share/Steam" ];
diff --git a/hosts/moby/default.nix b/hosts/moby/default.nix
index aad87500..24c56f52 100644
--- a/hosts/moby/default.nix
+++ b/hosts/moby/default.nix
@@ -24,11 +24,11 @@ }; # usability compromises
- sane.persist.dirs.home.private = [
+ sane.persist.home.private = [
 config.sane.web-browser.dotDir config.sane.web-browser.cacheDir ];
- sane.persist.dirs.home.plaintext = [
+ sane.persist.home.plaintext = [
 ".config/pulse" # persist pulseaudio volume ];
diff --git a/hosts/servo/fs.nix b/hosts/servo/fs.nix
index de08c846..7eccd445 100644
--- a/hosts/servo/fs.nix
+++ b/hosts/servo/fs.nix
@@ -42,12 +42,12 @@ }; sane.fs."/mnt/persist/ext".mount = {};
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: this is overly broad; only need media and share directories to be persisted { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; } ]; # make sure large media is stored to the HDD
- sane.persist.dirs.sys.ext = [
+ sane.persist.sys.ext = [
 { user = "colin"; group = "users";
diff --git a/hosts/servo/services/ejabberd.nix b/hosts/servo/services/ejabberd.nix
index 52e5f90c..88805fef 100644
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -19,7 +19,7 @@ # XXX: avatar support works in MUCs but not DMs # lib.mkIf false {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; } ]; networking.firewall.allowedTCPPorts = [
diff --git a/hosts/servo/services/freshrss.nix b/hosts/servo/services/freshrss.nix
index 84b82d7c..448183ad 100644
--- a/hosts/servo/services/freshrss.nix
+++ b/hosts/servo/services/freshrss.nix
@@ -16,7 +16,7 @@ owner = config.users.users.freshrss.name; mode = "0400"; };
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; } ];
diff --git a/hosts/servo/services/gitea.nix b/hosts/servo/services/gitea.nix
index a0069e5a..248b5712 100644
--- a/hosts/servo/services/gitea.nix
+++ b/hosts/servo/services/gitea.nix
@@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? could be more granular { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; } ];
diff --git a/hosts/servo/services/ipfs.nix b/hosts/servo/services/ipfs.nix
index 1ec8b91f..a3849b6d 100644
--- a/hosts/servo/services/ipfs.nix
+++ b/hosts/servo/services/ipfs.nix
@@ -10,7 +10,7 @@ lib.mkIf false # i don't actively use ipfs anymore {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? could be more granular { user = "261"; group = "261"; directory = "/var/lib/ipfs"; } ];
diff --git a/hosts/servo/services/jackett.nix b/hosts/servo/services/jackett.nix
index 7114bfea..0f647e6e 100644
--- a/hosts/servo/services/jackett.nix
+++ b/hosts/servo/services/jackett.nix
@@ -1,7 +1,7 @@ { ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? we only need this to save Indexer creds ==> migrate to config? { user = "root"; group = "root"; directory = "/var/lib/jackett"; } ];
diff --git a/hosts/servo/services/jellyfin.nix b/hosts/servo/services/jellyfin.nix
index 91d6f2fb..d8e8b4e6 100644
--- a/hosts/servo/services/jellyfin.nix
+++ b/hosts/servo/services/jellyfin.nix
@@ -7,7 +7,7 @@ lib.mkIf false networking.firewall.allowedUDPPorts = [ 1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html ];
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? could be more granular { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; } ];
diff --git a/hosts/servo/services/matrix/default.nix b/hosts/servo/services/matrix/default.nix
index 4181e8b6..bf830d52 100644
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/servo/services/matrix/default.nix
@@ -8,7 +8,7 @@ # ./irc.nix ];
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; } ]; services.matrix-synapse.enable = true;
diff --git a/hosts/servo/services/matrix/discord-puppet.nix b/hosts/servo/services/matrix/discord-puppet.nix
index 6a41575b..617b92a9 100644
--- a/hosts/servo/services/matrix/discord-puppet.nix
+++ b/hosts/servo/services/matrix/discord-puppet.nix
@@ -1,6 +1,6 @@ { lib, ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; } ];
diff --git a/hosts/servo/services/matrix/irc.nix b/hosts/servo/services/matrix/irc.nix
index f0919584..56ba7bd3 100644
--- a/hosts/servo/services/matrix/irc.nix
+++ b/hosts/servo/services/matrix/irc.nix
@@ -1,7 +1,7 @@ { config, lib, ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? # user and group are both "matrix-appservice-irc" { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
diff --git a/hosts/servo/services/navidrome.nix b/hosts/servo/services/navidrome.nix
index 1fa1eaaf..1e320b44 100644
--- a/hosts/servo/services/navidrome.nix
+++ b/hosts/servo/services/navidrome.nix
@@ -1,7 +1,7 @@ { ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: we don't have a static user allocated for navidrome! # the chown would happen too early for us to set static perms "/var/lib/private/navidrome"
diff --git a/hosts/servo/services/nginx.nix b/hosts/servo/services/nginx.nix
index 3f849d56..bd3f0c17 100644
--- a/hosts/servo/services/nginx.nix
+++ b/hosts/servo/services/nginx.nix
@@ -122,7 +122,7 @@ in users.users.acme.uid = config.sane.allocations.acme-uid; users.groups.acme.gid = config.sane.allocations.acme-gid;
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? { user = "acme"; group = "acme"; directory = "/var/lib/acme"; } { user = "colin"; group = "users"; directory = "/var/www/sites"; }
diff --git a/hosts/servo/services/pleroma.nix b/hosts/servo/services/pleroma.nix
index b291193e..71762b66 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
@@ -6,7 +6,7 @@ { config, pkgs, ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? could be more granular { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; } ];
diff --git a/hosts/servo/services/postfix.nix b/hosts/servo/services/postfix.nix
index f81cc284..8bdc957b 100644
--- a/hosts/servo/services/postfix.nix
+++ b/hosts/servo/services/postfix.nix
@@ -16,7 +16,7 @@ let }; in {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? could be more granular { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; } { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
diff --git a/hosts/servo/services/postgres.nix b/hosts/servo/services/postgres.nix
index 27993596..e8ee9b8e 100644
--- a/hosts/servo/services/postgres.nix
+++ b/hosts/servo/services/postgres.nix
@@ -1,7 +1,7 @@ { ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; } ];
diff --git a/hosts/servo/services/prosody.nix b/hosts/servo/services/prosody.nix
index a5cdc0d8..92771e86 100644
--- a/hosts/servo/services/prosody.nix
+++ b/hosts/servo/services/prosody.nix
@@ -9,7 +9,7 @@ # nixnet runs ejabberd, so revisiting that. lib.mkIf false {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; } ]; networking.firewall.allowedTCPPorts = [
diff --git a/hosts/servo/services/transmission.nix b/hosts/servo/services/transmission.nix
index 0a0c4ce4..e7e22e51 100644
--- a/hosts/servo/services/transmission.nix
+++ b/hosts/servo/services/transmission.nix
@@ -1,7 +1,7 @@ { pkgs, ... }: {
- sane.persist.dirs.sys.plaintext = [
+ sane.persist.sys.plaintext = [
 # TODO: mode? we need this specifically for the stats tracking in .config/ { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; } ];
diff --git a/modules/home-manager/neovim.nix b/modules/home-manager/neovim.nix
index 51f8c144..ae9dc4e8 100644
--- a/modules/home-manager/neovim.nix
+++ b/modules/home-manager/neovim.nix
@@ -3,7 +3,7 @@ lib.mkIf config.sane.home-manager.enable { # private because there could be sensitive things in the swap
- sane.persist.dirs.home.private = [ ".cache/vim-swap" ];
+ sane.persist.home.private = [ ".cache/vim-swap" ];
 home-manager.users.colin.programs.neovim = { # neovim: https://github.com/neovim/neovim
diff --git a/modules/home-manager/zsh/default.nix b/modules/home-manager/zsh/default.nix
index 0bbb78b6..f7063f4f 100644
--- a/modules/home-manager/zsh/default.nix
+++ b/modules/home-manager/zsh/default.nix
@@ -2,7 +2,7 @@ lib.mkIf config.sane.home-manager.enable {
- sane.persist.dirs.home.plaintext = [
+ sane.persist.home.plaintext = [
 # we don't need to full zsh dir -- just the history file -- # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks. # TODO: should be private?
diff --git a/modules/packages.nix b/modules/packages.nix
index afe1a625..f8fbcde8 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -307,8 +307,8 @@ in config = { environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
- sane.persist.dirs.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
- sane.persist.dirs.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
+ sane.persist.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
+ sane.persist.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
 # XXX: this might not be necessary. try removing this and cacert.unbundled? environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*"; };
diff --git a/modules/persist/computed.nix b/modules/persist/computed.nix
index d33a484d..effa63f1 100644
--- a/modules/persist/computed.nix
+++ b/modules/persist/computed.nix
@@ -18,5 +18,5 @@ let builtins.concatLists contextFreeDirSets; in {
- sane.persist.all = (mapDirSets "/home/colin" cfg.dirs.home) ++ (mapDirSets "/" cfg.dirs.sys);
+ sane.persist.all = (mapDirSets "/home/colin" cfg.home) ++ (mapDirSets "/" cfg.sys);
 }
diff --git a/modules/persist/default.nix b/modules/persist/default.nix
index 40ad6829..a42b6307 100644
--- a/modules/persist/default.nix
+++ b/modules/persist/default.nix
@@ -87,21 +87,6 @@ let #