diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix index aa8d51fe..a728467a 100644 --- a/modules/nixos/network.nix +++ b/modules/nixos/network.nix @@ -58,8 +58,7 @@ with lib; { fi # otherwise authenticate with tailscale - # to-do: --advertise-exit-node - ${getExe tailscale} up -authkey $(cat ${config.sops.secrets.tailscale-key.path}) + ${getExe tailscale} up --advertise-exit-node -authkey $(cat ${config.sops.secrets.tailscale-key.path}) ''; }; }; diff --git a/tewi/deluge.nix b/tewi/deluge.nix index 55463012..312072e3 100644 --- a/tewi/deluge.nix +++ b/tewi/deluge.nix @@ -1,7 +1,8 @@ -{ config, lib, ... }: let +{ config, utils, lib, ... }: let inherit (lib) mkAfter; cfg = config.services.deluge; - mediaDir = "/mnt/shadow/deluge"; + shadowDir = "/mnt/shadow"; + mediaDir = "${shadowDir}/deluge"; in { sops.secrets.deluge-auth = { inherit (cfg) group; @@ -35,9 +36,12 @@ in { }; systemd.services = { deluged = { + bindsTo = [ + "${utils.escapeSystemdPath shadowDir}.mount" + ]; unitConfig = { RequiresMountsFor = [ - "/mnt/shadow" + shadowDir ]; }; }; diff --git a/tewi/mediatomb.nix b/tewi/mediatomb.nix index eca9fff1..f78d4908 100644 --- a/tewi/mediatomb.nix +++ b/tewi/mediatomb.nix @@ -1,8 +1,7 @@ -{ config, lib, ... }: with lib; let +{ config, utils, lib, ... }: with lib; let cfg = config.services.mediatomb; shadowDir = "/mnt/shadow"; inherit (config.services) deluge; - delugeDir = "${shadowDir}/deluge"; in { services.mediatomb = { enable = true; @@ -16,7 +15,7 @@ in { hidden-files = false; } (mkIf deluge.enable { - path = delugeDir; + path = builtins.dirOf deluge.config.download_location; recursive = true; hidden-files = false; }) @@ -24,6 +23,9 @@ in { }; systemd.services.mediatomb = { confinement.enable = true; + bindsTo = [ + "${utils.escapeSystemdPath shadowDir}.mount" + ]; unitConfig = { RequiresMountsFor = [ shadowDir 
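Review bot: The auth key is still expanded into the argument list by `$(cat …)`, so while `tailscale up` runs it is readable by every local user via `/proc/<pid>/cmdline` and `ps`, and it would be echoed by shell tracing; adding `--advertise-exit-node` does not change that, but this is the moment to fix it. Recent tailscale releases accept a file reference instead, `${getExe tailscale} up --advertise-exit-node --auth-key file:${config.sops.secrets.tailscale-key.path}` (confirm the pinned package supports the `file:` prefix, or use `services.tailscale.authKeyFile` if the NixOS module in use has it). Advertising an exit node also only takes effect once IP forwarding is enabled on the host and the node is approved as an exit node in the tailnet ACL or admin console — neither is visible in this diff, so consider `services.tailscale.useRoutingFeatures = "server"` (or the equivalent sysctls) and a comment such as `# exit node: this host forwards Internet traffic for any peer the tailnet ACL permits`. The `if … fi` this command belongs to starts before the hunk.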
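Review bot: `builtins.dirOf deluge.config.download_location` hands mediatomb whichever directory happens to be the parent of the download path, not the deluge tree itself — if `download_location` is ever pointed at a top-level directory such as the mount root, `dirOf` evaluates to `/mnt` and mediatomb (confined via `confinement.enable = true` further down) would index every sibling tree. If the intent is "everything deluge writes", listing the two deluge directories directly — `path = deluge.config.download_location;` plus an entry for `deluge.config.move_completed_path` — or exporting deluge's media directory as an option keeps the served path explicit. `download_location` is defined outside this hunk, so its shape is inferred from the `dirOf` usage; either way a comment like `# serve deluge's download tree, derived from services.deluge.config` would make the coupling visible.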
@@ -37,7 +39,7 @@ in { "anime" "movies" "tv" "unsorted" "music" "music-to-import" "music-raw" ]) - (mkIf deluge.enable [ "${delugeDir}/complete" ]) + (mkIf deluge.enable [ deluge.config.move_completed_path ]) ]; }; }; diff --git a/tewi/nixos.nix b/tewi/nixos.nix index 3749d543..67f52ebc 100644 --- a/tewi/nixos.nix +++ b/tewi/nixos.nix @@ -7,13 +7,17 @@ modulesPath, ... }: let + inherit (lib) mkIf; hddopts = ["luks" "discard" "noauto" "nofail"]; md = { shadow = rec { name = "shadowlegend"; device = "/dev/md/${name}"; - unit = utils.escapeSystemdPath device; + unit = utils.escapeSystemdPath device + ".device"; + where = "/mnt/shadow"; + mount = utils.escapeSystemdPath where + ".mount"; service = "md-shadow.service"; + disk = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf"; cryptDisks = lib.flip lib.mapAttrs { seagate0 = { @@ -91,6 +95,7 @@ in { services.openiscsi = { enable = true; + enableAutoLoginOut = true; name = ""; }; @@ -102,14 +107,14 @@ in { username = "systemd"; }; units = { - "mnt-shadow.mount" = {}; - "mediatomb.service" = lib.mkIf config.services.mediatomb.enable {}; + ${md.shadow.mount} = {}; + "mediatomb.service" = mkIf config.services.mediatomb.enable {}; }; }; environment.etc = { "iscsi/initiatorname.iscsi" = lib.mkForce { - source = config.sops.secrets.openscsi-config.path; + source = config.sops.secrets.openiscsi-config.path; }; crypttab.text = let inherit (lib) concatStringsSep mapAttrsToList; @@ -127,8 +132,8 @@ in { }; sops.secrets = { - openscsi-config = {}; - openscsi-env = lib.mkIf config.services.openiscsi.enableAutoLoginOut { }; + openiscsi-config = {}; + openiscsi-env = mkIf config.services.openiscsi.enableAutoLoginOut { }; systemd2mqtt-env = {}; }; @@ -141,8 +146,8 @@ in { device = "/dev/disk/by-uuid/85DC-72FA"; fsType = "vfat"; }; - "/mnt/shadow" = { - device = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf"; + ${md.shadow.where} = { + device = md.shadow.disk; fsType = "xfs"; options = [ "x-systemd.automount" 
@@ -154,9 +159,12 @@ in { }; }; systemd = let - inherit (lib) getExe mapAttrsToList mapAttrs' nameValuePair; + inherit (lib) getExe; serviceName = lib.removeSuffix ".service"; - cryptServices = mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks; + toSystemdIni = pkgs.lib.generators.toINI { + listsAsDuplicateKeys = true; + }; + cryptServices = lib.mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks; in { services = { nfs-mountd = { @@ -165,7 +173,8 @@ in { mdmonitor.enable = false; ${serviceName md.shadow.service} = rec { restartIfChanged = false; - wants = cryptServices; + wants = cryptServices ++ [ "iscsi.service" ]; + bindsTo = cryptServices; after = wants; serviceConfig = { Type = "oneshot"; @@ -187,22 +196,34 @@ in { }; iscsi = let cfg = config.services.openiscsi; - in lib.mkIf cfg.enableAutoLoginOut { + in mkIf cfg.enableAutoLoginOut rec { + wantedBy = cryptServices; + before = wantedBy; serviceConfig = { - EnvironmentFile = [ config.sops.secrets.openscsi-env.path ]; + EnvironmentFile = [ config.sops.secrets.openiscsi-env.path ]; ExecStartPre = [ "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover" ]; }; }; - systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec { - requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"]; + systemd2mqtt = mkIf config.services.systemd2mqtt.enable rec { + requires = mkIf config.services.mosquitto.enable ["mosquitto.service"]; after = requires; serviceConfig.EnvironmentFile = [ config.sops.secrets.systemd2mqtt-env.path ]; }; }; + units = { + ${md.shadow.mount} = { + overrideStrategy = "asDropin"; + text = toSystemdIni { + Unit.BindsTo = [ + md.shadow.service + ]; + }; + }; + }; network = { networks.eno1 = { inherit (config.systemd.network.links.eno1) matchConfig; diff --git a/tewi/secrets.yaml b/tewi/secrets.yaml index be8ff030..2b1d6a7a 100644 --- a/tewi/secrets.yaml +++ b/tewi/secrets.yaml 
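Review bot: `iscsi.service` is only listed in `wants`, so `md-shadow.service` still runs after a failed iSCSI login; if any member of `md.shadow.cryptDisks` is iSCSI-backed, that crypt unit fails on the missing block device and, through the new `bindsTo = cryptServices`, takes the assembly down — or, if assembly proceeds before the device appears, the array may come up degraded. If the array genuinely depends on the target, `requires`/`bindsTo` for `iscsi.service` (or an explicit no-degraded guard in the assembly command) states that more honestly; if it does not, a comment `# iscsi is best-effort: only the local crypt disks are mandatory` would record why `wants` was chosen. The `rec` set continues past this hunk (`serviceConfig` is cut after `Type = "oneshot";`), so the assembly command itself is not visible here.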
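Review bot: The new drop-in binds `mnt-shadow.mount` to `md-shadow.service`, which the previous hunk shows as `Type = "oneshot"`; unless that unit also sets `RemainAfterExit = true` (not visible in this diff), it goes inactive as soon as its ExecStart finishes, and `BindsTo=` then propagates that as a stop to the mount — a known oneshot/BindsTo pitfall that would unmount the array right after it is assembled. Please confirm `RemainAfterExit` on `md-shadow.service` and, if it is absent, add `serviceConfig.RemainAfterExit = true;` there, with a comment on the drop-in such as `# unmount when the array is stopped; relies on md-shadow.service staying active after assembly`. Separately, the iSCSI `ExecStartPre` performs SendTargets discovery against `$DISCOVER_PORTAL`; unless `iscsid.conf` enforces CHAP for discovery and node sessions (not shown), a host on that network path can answer with its own targets, so it is worth noting in a comment where CHAP is configured for this initiator.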
@@ -5,8 +5,8 @@ z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHw
 tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
 vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
 vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
-openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
-openscsi-env: ENC[AES256_GCM,data:qOrDDPSnEJVHBPvrbqTOPx5hffqR2INn+ZuMpP/dplmPhKbJIyJo+w==,iv:lWeiAA1L24tL7VFFnXTcTKqYbkCd5i2WXlBKoEbyEPo=,tag:oBSSczca6OUEe5GhnvS5gA==,type:str]
+openiscsi-config: ENC[AES256_GCM,data:bt39RW/oELLuWkTSwD3xA8j+5SM4N5RAZ+qHKd1aOGxaIHSIxQnK9txJ/EDemQZ5uLGVMeYKGag9,iv:FJJYIH7qlxZFJHm9mqHf6erOyqimdSrSNHAp9FLo7zk=,tag:CTal+n+Vf5VZD8x2haayvw==,type:str]
+openiscsi-env: ENC[AES256_GCM,data:dSUZ/Iu5zabuM64a5WlXETRzSrN+QXMqLmDnw8CK1Ab5NLwbkIP2iA==,iv:z+dv1ddSRUah0RJXDjEtyOweIbT+q4OMzVlSUYXa69M=,tag:gK5iOW5PUthyFkunImLx1A==,type:str]
 systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
 z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
 deluge-auth: 
ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str] @@ -40,8 +40,8 @@ sops: VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-11T18:05:23Z" - mac: ENC[AES256_GCM,data:97lA3tTSp8jm8bFoDM/HiNY4mLOCDB5DxewXH49iUNshkGNylYjSb9I0L2m8Se1/yA6QKlHJKkSq2dtqFIXO/ANaHzRTTnR1D6jjh+2AYsbKZUhMXKLaC7HTSWoj/SkvHlgzznz1xSz8iWZXoIzRMpwRHk56TlPejbxJ+UzNWqc=,iv:y7VSWBQcV1fcdirtouQmpD6gxl6dkUddwnzKvG2dka0=,tag:elpRiXRvjmuIMgQexgMwWg==,type:str] + lastmodified: "2023-07-11T18:05:50Z" + mac: ENC[AES256_GCM,data:jVRqkX5DofE+y1epkrBwxGnFYt76XOqMYFJRFXDMSoH+6dHOxiaxqMF6vNrfaydOI24r+VpbMR+Q5rhTPKsrZjVj6dWfgNx0K/e99uXndOM1vzw1RJXvWMc1UreESjlYD75eMYEMNwu5+WmrO1K7Ht+9Cv6uNAmhS34KZzaOxak=,iv:+fgew7KHHXN76xK+N0SuQj/hRhgyIAFWMp008OUXaoM=,tag:bX0frWarHF4l+SJfXHfqSA==,type:str] pgp: - created_at: "2023-03-10T17:06:53Z" enc: |