diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index c30b2264a..00538d5f3 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -1,36 +1,39 @@
-{ config, options, pkgs, ... }: let {
+{ config, pkgs, ... }: let {
   lib = import ../../lib;
 
   body.options.krebs.systemd.services = lib.mkOption {
     default = {};
-    type = lib.types.attrs;
-    description = ''
-      Definition of systemd service units with bonus features.
-
-      Services defined using this option will be restarted whenever any file
-      (described by an absolute path) used in LoadCredential changes.
-    '';
+    type = lib.types.attrsOf (lib.types.submodule {
+      options = {
+        serviceConfig.LoadCredential = lib.mkOption {
+          apply = lib.toList;
+          type =
+            lib.types.either lib.types.str (lib.types.listOf lib.types.str);
+        };
+      };
+    });
   };
 
   body.config.systemd =
     lib.mkMerge
       (lib.flatten
         (lib.mapAttrsToList (serviceName: cfg: let
-          prefix = [ "krebs" "systemd" "services" serviceName ];
-          opts = options.systemd.services.type.getSubOptions prefix;
-
           paths =
             lib.filter
               lib.types.absolute-pathname.check
               (map
                 (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
-                (cfg.serviceConfig.LoadCredential or []));
+                cfg.serviceConfig.LoadCredential);
         in
           lib.singleton {
-            services.${serviceName} = cfg;
+            services.${serviceName} = {
+              serviceConfig = {
+                LoadCredential = cfg.serviceConfig.LoadCredential;
+              };
+            };
           }
           ++
-          lib.optionals (cfg.enable or opts.enable.default) (map (path: let
+          map (path: let
             triggerName = "trigger-${lib.systemd.encodeName path}";
           in {
             paths.${triggerName} = {
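Review bot: The new `serviceConfig.LoadCredential` option at the top of this hunk has no `default`, and the `or []` fallback was dropped from the `paths` computation, so a `krebs.systemd.services` entry that does not set it will likely fail evaluation with an undefined-option error. Adding `default = [];` to the option keeps the old tolerance. The option also lost its `description`; the removed text about restarting services when an absolute-path credential file changes should move onto the new option, e.g. `description = "Credentials to load; the service is restarted whenever a referenced absolute path changes.";`. The `let` body and the trigger definition continue past the end of this hunk.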
@@ -46,6 +49,6 @@
                 ]);
               };
             };
-          }) paths)
+          }) paths
         ) config.krebs.systemd.services));
 }
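Review bot: With the `lib.optionals (cfg.enable or opts.enable.default)` guard removed (opened in the previous hunk, closed here at `}) paths`), trigger path units are generated for every entry even when the matching `systemd.services` unit is disabled. The trigger body lies between the two hunks and is not visible, so whether a firing trigger would start a disabled service cannot be judged from here. If the gating is meant to stay, something like `paths.${triggerName} = lib.mkIf config.systemd.services.${serviceName}.enable { … };` may work without the old `options` lookup, though it should be checked for evaluation cycles. Otherwise a short comment stating that triggers are intentionally unconditional would do.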
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index f709b3343..dca764f63 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -229,6 +229,15 @@ with import <stockholm/lib>;
     ) config.krebs.tinc;
 
     krebs.systemd.services = mapAttrs (netname: cfg: {
+      serviceConfig.LoadCredential = filter (x: x != "") [
+        (optionalString (cfg.privkey_ed25519 != null)
+          "ed25519_key:${cfg.privkey_ed25519}"
+        )
+        "rsa_key:${cfg.privkey}"
+      ];
+    }) config.krebs.tinc;
+
+    systemd.services = mapAttrs (netname: cfg: {
       description = "Tinc daemon for ${netname}";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
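Review bot: Both credential entries are built by string interpolation (`"rsa_key:${cfg.privkey}"`, `"ed25519_key:${cfg.privkey_ed25519}"`), which is only safe while these options hold absolute-path strings; a Nix path value interpolated this way would be copied into the world-readable store. The option types are declared outside this hunk, so this may already be enforced, but it is worth confirming while the lines are being moved. The split also leaves nothing that says why LoadCredential now lives under `krebs.systemd.services`; a comment such as `# set via krebs.systemd.services so the unit is restarted when a key file changes` would help. The `systemd.services` attrset continues past the end of this hunk.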
@@ -239,12 +248,6 @@ with import <stockholm/lib>;
       reloadIfChanged = true;
       restartTriggers = [ cfg.confDir ];
       serviceConfig = {
-        LoadCredential = filter (x: x != "") [
-          (optionalString (cfg.privkey_ed25519 != null)
-            "ed25519_key:${cfg.privkey_ed25519}"
-          )
-          "rsa_key:${cfg.privkey}"
-        ];
         Restart = "always";
         ExecStart = toString [
           "${cfg.tincPackage}/sbin/tincd"