diff --git a/profiles/base/binary-caches.nix b/profiles/base/binary-caches.nix
index 816d2e5..44732f0 100644
--- a/profiles/base/binary-caches.nix
+++ b/profiles/base/binary-caches.nix
@@ -28,7 +28,7 @@ let
     ];
 
     # me!
-    # "cache-proxy.pbsds.net" = [ ];
+    # "https://cache-proxy.pbsds.net/?priority=35" = [ ];
   };
 in
 
diff --git a/profiles/tailscale/inner.nix b/profiles/tailscale/inner.nix
index ae7b3ea..7b3903c 100644
--- a/profiles/tailscale/inner.nix
+++ b/profiles/tailscale/inner.nix
@@ -8,12 +8,10 @@
 
     # https://tailscale.com/kb/1085/auth-keys
     services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
-    sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
+    sops.secrets.tailscale-authkey-inner.sopsFile = ../../secrets/tailscale-inner.yaml;
 
-    # systemd-resolved will by default read /etc/hosts
-    networking.extraHosts = [
-      # "100.113.27.44 cache-proxy.pbsds.net" # noximilien over tailscale
-    ];
+    # # systemd-resolved will by default read /etc/hosts
+    # networking.extraHosts = "100.113.27.44 cache-proxy.pbsds.net"; # noximilien over tailscale
 
   };
 }
diff --git a/profiles/tailscale/outer.nix b/profiles/tailscale/outer.nix
index 32fc865..0fa8254 100644
--- a/profiles/tailscale/outer.nix
+++ b/profiles/tailscale/outer.nix
@@ -8,7 +8,7 @@
 
     # https://tailscale.com/kb/1085/auth-keys
     services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
-    sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
+    sops.secrets.tailscale-authkey-outer.sopsFile = ../../secrets/tailscale-outer.yaml;
 
   };
 }
diff --git a/profiles/tailscale/shared.nix b/profiles/tailscale/shared.nix
index 49ccecb..eb61b5c 100644
--- a/profiles/tailscale/shared.nix
+++ b/profiles/tailscale/shared.nix
@@ -19,13 +19,12 @@ in
 
     services.tailscale.enable = true;
 
-    networking.extraHosts = [
-      "127.0.0.2 ${config.pbsds.tailscale.fqdn}" # the entire 127.0.0.0/8 is loopback
-    ];
+    # the entire 127.0.0.0/8 is loopback, this matches nixos behavior for fqdn
+    networking.extraHosts = "127.0.0.2 ${config.pbsds.tailscale.fqdn}";
 
     # # https://tailscale.com/kb/1085/auth-keys
     # services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
-    # sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
+    # sops.secrets.tailscale-authkey-inner.sopsFile = ../../secrets/tailscale-inner.yaml;
 
     # https://wiki.nixos.org/wiki/Tailscale#DNS
     services.resolved.enable = lib.mkDefault config.networking.networkmanager.enable;