diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 7c176d224..b3cf212e4 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -108,7 +108,7 @@ let
   };
 
   imp = {
-    krebs.systemd.services.exim = {};
+    krebs.systemd.services.exim.restartIfCredentialsChange = true;
     systemd.services.exim.serviceConfig.LoadCredential =
       map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
     krebs.exim = {
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index c4cfb9a49..5b8a53be8 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -159,7 +159,9 @@ let
     ) cfg.repos;
 
     krebs.systemd.services = mapAttrs' (name: _:
-      nameValuePair "repo-sync-${name}" {}
+      nameValuePair "repo-sync-${name}" {
+        restartIfCredentialsChange = true;
+      }
     ) cfg.repos;
 
     systemd.services = mapAttrs' (name: repo:
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 194e8b24a..61bfcf639 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -6,11 +6,7 @@
     type = lib.types.attrsOf (lib.types.submodule {
       options = {
         restartIfCredentialsChange = lib.mkOption {
-          # Enabling this by default only makes sense here as the user already
-          # bothered to write down krebs.systemd.services.* = {}.  If this
-          # functionality gets upstreamed to systemd.services, restarting
-          # should be disabled by default.
-          default = true;
+          default = false;
           description = ''
             Whether to restart the service whenever any of its credentials
             change.  Only credentials with an absolute path in LoadCredential=
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index c33b30f0d..0babc448a 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -232,6 +232,7 @@ with import <stockholm/lib>;
     ) config.krebs.tinc;
 
     krebs.systemd.services = mapAttrs (netname: cfg: {
+      restartIfCredentialsChange = true;
     }) config.krebs.tinc;
 
     systemd.services = mapAttrs (netname: cfg: {
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index e3a41a57b..71a1a597a 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -127,7 +127,7 @@ in {
       })
     ];
 
-    krebs.systemd.services.ejabberd = {};
+    krebs.systemd.services.ejabberd.restartIfCredentialsChange = true;
 
     systemd.services.ejabberd = {
       wantedBy = [ "multi-user.target" ];
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index f19bfebcc..eb9b1ae4e 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -26,7 +26,7 @@ in {
     };
   };
   config = mkIf cfg.enable {
-    krebs.systemd.services.x0vncserver = {};
+    krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true;
     systemd.services.x0vncserver = {
       after = [ "graphical.target" ];
       requires = [ "graphical.target" ];