diff --git a/base.nix b/base.nix index 9f54fac..f237e70 100644 --- a/base.nix +++ b/base.nix @@ -42,6 +42,22 @@ hardware.enableRedistributableFirmware = true; + boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyse can see what happened + # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049 + # raise to 15 if auto upgrading + boot.loader.grub.configurationLimit = lib.mkDefault 5; + boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5; + boot.loader.raspberryPi.uboot.configurationLimit = lib.mkDefault 5; + boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5; + + networking.firewall.enable = true; # default + #networking.nftables.enable = true; # wirewall backend, instead of iptables, breaks docker which uses iptables + #networking.firewall.allowPing = false; + networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant + + #system.switch.enable = false; + #system.switch.enableNg = true; # rewritten in rust + sops.secrets.nix-access-tokens.mode = "0440"; sops.secrets.nix-access-tokens.group = config.users.groups.keys.name; nix.extraOptions = '' @@ -89,13 +105,4 @@ noto-fonts-emoji noto-fonts-extra ]; - - networking.firewall.enable = true; # default - - # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049 - # raise to 15 if auto upgrading - boot.loader.grub.configurationLimit = lib.mkDefault 5; - boot.loader.systemd-boot.configurationLimit = lib.mkDefault 5; - boot.loader.raspberryPi.uboot.configurationLimit = lib.mkDefault 5; - boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 5; } diff --git a/hardware/gpu/cuda.nix b/hardware/gpu/cuda.nix index fe699c0..01f06f6 100644 --- a/hardware/gpu/cuda.nix +++ b/hardware/gpu/cuda.nix 
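Review bot: In the base.nix hunk at `@@ -42,6 +42,22 @@`, `boot.initrd.systemd.enable = true;` and `networking.networkmanager.wifi.backend = "iwd";` are set at normal priority in what appears to be the shared base module, while the `configurationLimit` lines beside them use `lib.mkDefault`. A host that still needs a scripted initrd or wpa_supplicant would have to use `lib.mkForce` to opt out; `boot.initrd.systemd.enable = lib.mkDefault true;` and `networking.networkmanager.wifi.backend = lib.mkDefault "iwd";` keep a plain override possible. In the new comments, "wirewall backend" should read "firewall backend" and the tool is `systemd-analyze`. The enclosing attribute set starts and ends outside the hunk.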
@@ -33,8 +33,9 @@ hardware.nvidia.modesetting.enable = lib.mkDefault true; # needed for most wayland compositors hardware.nvidia.nvidiaSettings = lib.mkDefault true; - virtualisation.docker.enableNvidia = lib.mkDefault true; - virtualisation.podman.enableNvidia = lib.mkDefault true; + /* virtualisation.docker.enableNvidia = lib.mkDefault true; */ + /* virtualisation.podman.enableNvidia = lib.mkDefault true; */ + hardware.nvidia-container-toolkit.enable = lib.mkDefault true; # only do these per-host diff --git a/justfile b/justfile index b42e5be..06caf8a 100644 --- a/justfile +++ b/justfile @@ -4,10 +4,10 @@ export GUM_FILTER_HEIGHT := "15" just "$(gum filter --placeholder "Pick a recipie..." $(just --summary --unsorted))" eval hostname=`just _a_host`: - nix eval .#nixosConfigurations.{{hostname}}.config.system.build.toplevel.outPath + nix eval .#nixosConfigurations."{{hostname}}".config.system.build.toplevel.outPath report hostname=`just _a_host`: - nix eval .#nixosReports.{{hostname}} --json | yq . --yaml-output | bat --language yaml --style plain --paging never + nix eval .#nixosReports."{{hostname}}" --json | yq . --yaml-output | bat --language yaml --style plain --paging never reports: nix eval .#nixosReports --json | yq . --yaml-output | bat --language yaml --style plain --paging never @@ -28,8 +28,11 @@ update: | gum choose --no-limit --height=15 \ | xargs nix flake update --commit-lock-file -build: - nixos-rebuild build --accept-flake-config --show-trace --flake . +build hostname=`just _a_host`: + nixos-rebuild build --accept-flake-config --show-trace --flake .#"{{hostname}}" + +build-vm hostname=`just _a_host`: + nixos-rebuild build-vm --accept-flake-config --show-trace --flake .#"{{hostname}}" test: sudo nixos-rebuild test --accept-flake-config --show-trace --flake . 
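Review bot: The two `enableNvidia` options in hardware/gpu/cuda.nix are left behind as `/* … */` comments, with nothing beside the new `hardware.nvidia-container-toolkit.enable` line to say why. Either delete them or replace them with one comment, e.g. `# replaces virtualisation.{docker,podman}.enableNvidia; GPUs are exposed to containers as CDI devices`. I believe the toolkit module exposes GPUs through CDI device names rather than the old runtime hook, so existing container invocations on these hosts may need checking; if that holds, it belongs in the comment. The enclosing attribute set continues outside the hunk.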
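Review bot: In the justfile `eval` and `report` recipes, the double quotes added around `{{hostname}}` are consumed by the shell, so nix still receives an unquoted attribute path. Because just substitutes the value textually before the shell parses the line, `$(...)`, backticks and `"` in the argument are still interpreted. `hostname` can be passed on the command line, so it is not limited to the names `_a_host` offers. For shell-safe passing, `nix eval .#nixosConfigurations.{{quote(hostname)}}.config.system.build.toplevel.outPath` does the job; if nix-level quoting for names with dots was the aim, the quotes must sit inside a shell-quoted word. The same pattern appears in `build` and `build-vm` in the next hunk, and `inspect-config` in the `@@ -56,8 +56,18 @@` hunk interpolates `{{host}}` with no quoting at all.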
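Review bot: `build` in the `@@ -28,8 +28,11 @@` hunk previously built the current host with `--flake .` and now defaults `hostname` to `just _a_host`, which opens a `gum filter` prompt whenever the argument is omitted. A bare `just build` from a script or another recipe will therefore wait on a prompt, or fail when there is no terminal. If the old behaviour should stay the default, make the parameter default to the output of `hostname` and leave the picker for explicit use. Otherwise add a comment above the recipe such as `# prompts for a host when none is given`. `test` directly below still uses `--flake .`, so the recipes now disagree on what the default host is.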
@@ -44,9 +47,6 @@ boot-and-reboot: sudo nixos-rebuild boot --accept-flake-config --show-trace --flake . sudo reboot -build-vm: - sudo nixos-rebuild build-vm --accept-flake-config --show-trace --flake . - push hostname=`just _a_host` cmd=`gum choose test switch boot --header "Select mode..."`: nixos-rebuild build --flake .#{{hostname}} @echo pushing... @@ -56,8 +56,18 @@ push hostname=`just _a_host` cmd=`gum choose test switch boot --header "Select m inspect: nix run -- nixpkgs#nix-inspect -p . +inspect-config host=`just _a_host`: + nix run -- nixpkgs#nix-inspect -e '(builtins.getFlake "'"$PWD"'").nixosConfigurations.{{host}}.config' + @_a_host: - nix eval .#nixosConfigurations --apply builtins.attrNames --json 2>/dev/null | jq '.[]' -r | gum filter --placeholder "Pick a host..." + hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json 2>/dev/null | jq '.[]' -r)"; \ + if test "$(grep <<<"$hostnames" "^$(hostname)$" | wc -l)" -eq 1; then hostnames="$(hostname; grep <<<"$hostnames" -v "^$(hostname)$")"; fi; \ + gum <<<"$hostnames" filter --placeholder "Pick a host..." + +@_a_fqdn: + hostnames="$(nix eval .#nixosConfigurations --apply 'c: builtins.attrValues (builtins.mapAttrs (_: x: x.config.networking.fqdn) c)' --json 2>/dev/null | jq '.[]' -r)"; \ + if test "$(grep <<<"$hostnames" "^$(hostname --fqdn)$" | wc -l)" -eq 1; then hostnames="$(hostname --fqdn; grep <<<"$hostnames" -v "^$(hostname --fqdn)$")"; fi; \ + gum <<<"$hostnames" filter --placeholder "Pick a host..." @remote-current: >&2 echo Current remote: $(remote-host) 
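Review bot: In `_a_host` and `_a_fqdn`, `grep "^$(hostname)$"` uses the local host name as a regular expression, so every `.` in a name or FQDN matches any character, and the `-eq 1` test or the `-v` filter can hit or drop a different entry. Fixed-string whole-line matching avoids that: `if grep -Fxq -- "$(hostname)" <<<"$hostnames"; then hostnames="$(hostname; grep -Fxv -- "$(hostname)" <<<"$hostnames")"; fi`, and the same with `hostname --fqdn` in `_a_fqdn`. Both recipes also rely on `<<<`, which plain `sh` does not provide; the justfile's shell setting is outside this hunk, so confirm it selects bash. `2>/dev/null` on the `nix eval` call hides evaluation errors, in which case the picker shows an empty list with no explanation.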
@@ -65,14 +75,24 @@ inspect: @remote-list: tomlq <.remote.toml '.hosts | to_entries[] | "remote-set \(.key+1) # -> \(.value.host)"' -r +@remote-set remote=`just remote-current && just _a-remote-label`: + remote-set {{remote}} + @_a-remote-label: just remote-list | gum filter --placeholder "Pick a remote..." | cut -d' ' -f2 @_a-remote-fqdn: just remote-list | gum filter --placeholder "Pick a remote..." | cut -d' ' -f5- -@remote-set remote=`just remote-current && just _a-remote-label`: - remote-set {{remote}} +@_remote_ensure hostname=`just _a_fqdn`: + if test ! -s .remote.toml; then remote-init "{{ hostname }}"; \ + elif tomlq <.remote.toml '.hosts | to_entries[] |.value.host' -r | grep -q "{{ hostname }}"; then true; \ + else remote-add "{{ hostname }}"; \ + fi + +@_remote_label_from_fqdn hostname=`just _a_fqdn`: + tomlq <.remote.toml '.hosts | to_entries[] | select(.value.host == "{{ hostname }}") | .key' -r + # TODO: support multiple labels, run in tmux remote label=`just _a-remote-label` cmd=`printf "just %s\n" $(just --summary --unsorted) | gum filter --placeholder "Pick a recipie..."`: diff --git a/profiles/desktop/gnome/default.nix b/profiles/desktop/gnome/default.nix index e017bf8..6d4503b 100644 --- a/profiles/desktop/gnome/default.nix +++ b/profiles/desktop/gnome/default.nix @@ -16,6 +16,8 @@ services.gnome.sushi.enable = true; services.gnome.gnome-online-accounts.enable = true; + services.gnome.gnome-browser-connector.enable = true; + environment.systemPackages = with pkgs; [ firefox pavucontrol diff --git a/profiles/desktop/sound/pipewire.nix b/profiles/desktop/sound/pipewire.nix index d9e75a1..c8201d5 100644 --- a/profiles/desktop/sound/pipewire.nix +++ b/profiles/desktop/sound/pipewire.nix 
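Review bot: `_remote_label_from_fqdn` prints `.key`, the zero-based index from `to_entries`, while `remote-list` in the same hunk labels entries with `.key+1`. If the output is meant to be passed to `remote-set`, it will be off by one; ending the filter with `| .key+1` would match the existing labels. In `_remote_ensure`, `grep -q "{{ hostname }}"` is an unanchored regex match, so an existing entry that merely contains the argument makes the recipe skip `remote-add`; `grep -Fxq -- "{{ hostname }}"` compares whole lines literally. Passing the value to jq with `--arg` instead of splicing it into the filter text would also stop a name containing `"` from changing the filter, assuming `tomlq` forwards `--arg` to jq.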
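Review bot: `services.gnome.gnome-browser-connector.enable` in profiles/desktop/gnome/default.nix has no comment saying why it is on, and it is paired with `programs.firefox.enableGnomeExtensions`, which this commit adds in users/pbsds/home/profiles/desktop.nix. The connector is the native-messaging host that lets a page in the browser install and toggle GNOME Shell extensions, which run inside the shell process. It is therefore worth recording that this is a deliberate choice for every host importing the profile. A comment on the new line such as `# lets the browser install GNOME Shell extensions; pairs with programs.firefox.enableGnomeExtensions in home-manager` would do. Use `lib.mkDefault true` instead if some desktops should be able to opt out.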
@@ -9,6 +9,7 @@ services.pipewire.alsa.support32Bit = true; #services.pipewire.jack.enable = true; services.pipewire.pulse.enable = true; + # use the example session manager (no others are packaged yet so this is enabled by default, # no need to redefine it in your config for now) #services.pipewire.media-session.enable = true; diff --git a/users/pbsds/home/profiles/desktop.nix b/users/pbsds/home/profiles/desktop.nix index b4f88d3..df9f91c 100644 --- a/users/pbsds/home/profiles/desktop.nix +++ b/users/pbsds/home/profiles/desktop.nix @@ -52,6 +52,8 @@ zoom-us ]; + programs.firefox.enableGnomeExtensions = true; + home.shellAliases.eog = lib.mkIf (pkgs?loupe) "loupe"; # flatpak