diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index c620e2fb00fe3b24fc1f6b3c5defc12cddc30aa1..7b7892cdfdbfafd97af9f9b01cced93a50970a20 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -121,7 +121,7 @@ in
           # access to any data.  It does grant access to storage capabilities
           # but with our plugin configuration you still need ZKAPs to use
           # those...
-          "web.port" = "tcp:3456:interface=127.0.0.1";
+          "web.port" = "systemd:domain=INET:index=0";
           # We have to tell Tahoe-LAFS where to listen for Foolscap
           # connections for the storage protocol.  We have to tell it twice.
           # First, in the syntax which it uses to listen.
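Review bot: The new `"web.port"` value no longer shows where the web API listens, although the comment above it still reasons about who can reach it. The bind address now comes entirely from the socket unit added in tahoe.nix (`ListenStream = "127.0.0.1:3456"`), so the loopback restriction can be changed there without anyone seeing this reasoning. I would add a comment on the new line such as `# Address comes from systemd.sockets."tahoe.storage" in tahoe.nix; it must stay on 127.0.0.1.` Since `index=0` takes the first descriptor systemd passes in, the comment should also say that the unit is expected to carry exactly one `ListenStream`. The attribute set continues outside the hunk.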
diff --git a/nixos/modules/tahoe.nix b/nixos/modules/tahoe.nix
index 17641c47bac6d477637ed6e2eaa23a82f34b9fd9..e1153ec8febb9da7bc13802cf248e633c62767b6 100644
--- a/nixos/modules/tahoe.nix
+++ b/nixos/modules/tahoe.nix
@@ -116,15 +116,6 @@ in
         # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.introducers
         #   (node: settings: settings.tub.port);
 
-        # Make systemd open a port for us:
-        systemd.sockets.tahoe-web = {
-          description = "Tahoe Web Server Socket";
-          wantedBy = [ "sockets.target" ];
-          before = [ "multi-user.target" ];
-          socketConfig.Accept = true;
-          socketConfig.ListenStream = settings.tub.port;
-        };
-
         systemd.services = flip mapAttrs' cfg.introducers (node: settings:
           let
             pidfile = "/run/tahoe.introducer-${node}.pid";
@@ -140,8 +131,6 @@ in
             serviceConfig = {
               Type = "simple";
               PIDFile = pidfile;
-              Twisted wants non-blocking sockets:
-              NonBlocking = true;
               # Believe it or not, Tahoe is very brittle about the order of
               # arguments to $(tahoe run). The node directory must come first,
               # and arguments which alter Twisted's behavior come afterwards.
@@ -194,6 +183,18 @@ in
         # Open up the firewall.
         # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.nodes
         #   (node: settings: settings.tub.port);
+
+        # Make systemd open a port for us:
+        # Systemd uses the socket name to link to the corresponding Service Unit.
+        systemd.sockets."tahoe.storage" = {
+          description = "Tahoe Web Server Socket";
+          wantedBy = [ "sockets.target" ];
+          before = [ "multi-user.target" ];
+          socketConfig = {
+            ListenStream = "127.0.0.1:3456";
+          };
+        };
+
         systemd.services = flip mapAttrs' cfg.nodes (node: settings:
           let
             pidfile = "/run/tahoe.${lib.escapeShellArg node}.pid";
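Review bot: The socket unit name `"tahoe.storage"` and its address are hard-coded in the generic module, while the services just below are generated from `cfg.nodes`. The unit only pairs with a service if some node produces a unit of that name, which the visible lines do not guarantee; the service naming is outside the hunk. Consider moving the definition next to the `web.port` setting in private-storage.nix, where the node name is known, or making it conditional on that node being configured. The loopback address is the only thing keeping the web API off the network now, so the comment should say it is deliberate, for example `# Loopback only: the web API must not be reachable from other hosts.` The description `"Tahoe Web Server Socket"` could also name the node it serves.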
@@ -216,6 +217,8 @@ in
               ExecStart = ''
                 ${settings.package}/bin/tahoe --eliot-destination ${eliotLog} run ${nodedir} -n -l- --pidfile=${pidfile}
               '';
+              # Twisted wants non-blocking sockets:
+              NonBlocking = true;
               # The rlimit on number of open files controls how many
               # connections a particular storage server can accept (factoring
               # in the number of non-connection files the server needs open -