diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index 51fbcad..d3655cb 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
@@ -6,6 +6,7 @@
 }:
 let
 cfg = config.my.servers.stash;
+ cfgS = config.services.stash;
 setup = import ../factories/mkserver.nix { inherit lib config; };
 stashPythonFHS = pkgs.buildFHSEnv {
 name = "stash-python-fhs";
@@ -52,9 +53,15 @@ in
 ];
 };
 };
- systemd.services.stash.environment = {
- PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
- LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
+ systemd.services.stash = {
+ environment = {
+ PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
+ LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
+ };
+ serviceConfig = {
+ BindReadOnlyPaths = lib.mkForce [ ];
+ BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
+ };
 };
 users.users.stash = {
 isSystemUser = true;
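Review bot: In the second hunk, `BindReadOnlyPaths = lib.mkForce [ ];` discards every read-only bind any module defines for this unit, and the `BindPaths` line then mounts each `cfgS.settings.stash` path writable, so the service gains write access to all library directories. Because the unit also loads Python packages from the mutable `/var/lib/stash/venv` via `PYTHONPATH`, a faulty or compromised plugin could then modify or delete library content, which the read-only binds presumably prevented. If write access is really needed, limit it to the paths that need it and state the reason next to the override, for example `# stash must write to library dirs (reason: ...); this replaces the read-only binds`. The guard tests only `cfgS.settings != { }` but then reads `cfgS.settings.stash`; if `settings` can be set without a `stash` list, `lib.mkIf (cfgS.settings ? stash) ...` would avoid an evaluation error.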