diff --git a/flake.nix b/flake.nix
index 714a3e7..754b25e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -156,6 +156,7 @@
     inputs-2003 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2003; };
     inputs-1909 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-1909; };
     inputs-test = inputs-edge // { nixpkgs = inputs'.nixpkgs-test; unstable = inputs'.nixpkgs-test; };
+    inputs-241T = inputs-2411 // { unstable = inputs'.nixpkgs-test; };
 
     forSystems = systems: f: inputs-edge.nixpkgs.lib.genAttrs systems (system: f rec {
       inherit system;
diff --git a/justfile b/justfile
index c60f1fe..20ef2e4 100644
--- a/justfile
+++ b/justfile
@@ -16,10 +16,10 @@ repl $hostname=`just _a_host`:
   NIX_NO_NOM=1 nixos-rebuild --flake .#"$hostname" repl
 
 report hostname=`just _a_host`:
-  nix eval .#nixosReports."{{hostname}}" --json | yq . --yaml-output | bat --language yaml --style plain --paging never
+  nix eval .#nixosReports."{{hostname}}" --json --show-trace | yq . --yaml-output --width=999999 | bat --language yaml --style plain --paging never
 
 reports:
-  nix eval .#nixosReports --json | yq . --yaml-output | bat --language yaml --style plain --paging never
+  nix eval .#nixosReports --json --show-trace | yq . --yaml-output --width=999999 | bat --language yaml --style plain --paging never
 
 update:
   git reset flake.lock
@@ -80,6 +80,7 @@ inspect-config host=`just _a_host` prefix="":
 
 @_a_host:
   hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json 2>/dev/null | jq '.[]' -r)"; \
+  if test "$(grep <<<"$hostnames" "^$(just remote-current)$" | wc -l)" -eq 1; then hostnames="$(just remote-current; grep <<<"$hostnames" -v "^$(just remote-current)$")"; fi; \
   if test "$(grep <<<"$hostnames" "^$(hostname)$" | wc -l)" -eq 1; then hostnames="$(hostname; grep <<<"$hostnames" -v "^$(hostname)$")"; fi; \
   gum <<<"$hostnames" filter --placeholder "Pick a host..."
 
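Review bot: The added line in `_a_host` runs `just remote-current` three times and uses its output as a regular expression in grep, so a host value containing `.` (presumably an FQDN or IP from `.remote.toml`) can match a different configuration name. Capturing it once and matching literally is cheaper and exact: `rc="$(just remote-current)"`, then `grep -Fx -- "$rc"` and `grep -vFx -- "$rc"` in place of the two `"^…$"` patterns. When `.remote.toml` is empty `rc` is empty too, so the test should also require `-n "$rc"`. The unchanged `hostname` line below it uses the same pattern and could take the same treatment.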
@@ -105,8 +106,9 @@ inspect-config host=`just _a_host` prefix="":
   gum <<<"$hostnames" filter --placeholder "Pick a host..." --no-limit
 
 @remote-current:
-  # printf "%s\n" "Current remote: $(remote-host)" # slow
-  printf "%s\n" "Current remote: $(tomlq <.remote.toml '.hosts | to_entries[] | select(.value.default==true) | .value.host' -r)"
+  # remote-host # slow
+  test ! -s .remote.toml || \
+  printf "%s\n" "$(tomlq <.remote.toml '.hosts | to_entries[] | select(.value.default==true) | .value.host' -r)"
 
 @remote-list:
   tomlq <.remote.toml '.hosts | to_entries[] | "remote-set \(.key+1) # -> \(.value.host)"' -r
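Review bot: In `remote-current` the `printf "%s\n" "$(tomlq …)"` wrapper now hides a `tomlq` failure behind printf's zero exit status and prints an empty line when no host has `default==true`. Since the "Current remote:" label has moved to `motd`, the recipe could call `tomlq` directly after the `test ! -s .remote.toml ||` guard, so a parse error in `.remote.toml` surfaces as a failed recipe. The default of `remote-set` (context line in the next hunk) still sends `just remote-current` to stderr and will now show the bare host without a label, which may or may not be intended.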
@@ -114,7 +116,9 @@ inspect-config host=`just _a_host` prefix="":
 @remote-set remote=`just remote-current >&2 && just _a_remote_label`:
   remote-set "{{remote}}"
 
-@motd: remote-current remote-list
+@motd:
+  printf "%s\n" "Current remote: $(just remote-current)"
+  just remote-list
   printf "\n"; \
   todos=$(rg 'TODO' | wc -l); \
   if [[ "$todos" -gt 10 ]]; then \
diff --git a/profiles/http/default.nix b/profiles/http/default.nix
index d539cd7..39c5767 100644
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@@ -17,6 +17,16 @@ in
       (lib.sort (x: y: x<y))
     ];
   };
+  options.pbsds.nginx.allowList.extraConfig = lib.mkOption {
+    visible = false; internal = true; readOnly = true;
+    default = ''
+     # home https://ipinfo.io/ips/193.71.0.0/16
+     allow 193.71.0.0/16;
+     # ntnu https://ipinfo.io/ips/129.241.0.0/16
+     allow 129.241.0.0/16;
+     deny all;
+    '';
+  };
 
 
   config = {
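Review bot: The new `pbsds.nginx.allowList.extraConfig` option has no `type` and nothing that records the limits of the snippet it carries. Both `allow` entries are whole /16 blocks (the comments label them home and ntnu), so this narrows exposure to everyone on those networks rather than authenticating anyone. `deny all` also rejects every IPv6 client, because no IPv6 range is listed. I would add `type = lib.types.lines;` and a `description` (or a comment above the option, since it is marked internal) covering three things. The rules match the connecting peer address, so they presumably need a real-IP setup if nginx ever sits behind another proxy; they apply only in the `extraConfig` blocks that include them; and services that need real access control still need authentication on top.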
diff --git a/profiles/http/services/cryptpad.nix b/profiles/http/services/cryptpad.nix
index da6d198..c526a15 100644
--- a/profiles/http/services/cryptpad.nix
+++ b/profiles/http/services/cryptpad.nix
@@ -12,7 +12,7 @@ in
   services.cryptpad = {
     #enable = true; # current node version used is marked insecure
     # reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js
-    configFile = toFile "cryptpad-config.js" ''
+    configFile = builtins.toFile "cryptpad-config.js" ''
       module.exports = {
         httpUnsafeOrigin: 'http://localhost:3457',
         httpSafeOrigin: 'https://${mkDomain "cryptpad"}',
@@ -32,7 +32,7 @@ in
 
         filePath: './datastore/',
         archivePath: './data/archive', // recovery in the event of accidental deletion
-        pinPath: './data/pins', // content stored indefinetly
+        pinPath: './data/pins', // content stored indefinitely
         taskPath: './data/tasks', // scheduled tasks
         blockPath: './block', // users' authenticated blocks
         blobPath: './blob', // uploaded encrypted blobs
diff --git a/profiles/http/services/invidious.nix b/profiles/http/services/invidious.nix
index cb6c439..98fdf52 100644
--- a/profiles/http/services/invidious.nix
+++ b/profiles/http/services/invidious.nix
@@ -42,6 +42,7 @@ in
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
       proxyWebsockets = true;
+      inherit (config.pbsds.nginx.allowList) extraConfig;
     };
   };
 
diff --git a/profiles/http/services/plex.nix b/profiles/http/services/plex.nix
index b97cf5c..5e3fd16 100644
--- a/profiles/http/services/plex.nix
+++ b/profiles/http/services/plex.nix
@@ -48,6 +48,7 @@ lib.mkIf (!config.virtualisation.isVmVariant)
     locations."/" = {
       proxyPass = "http://127.0.0.1:32400"; # TODO: make configurable
       proxyWebsockets = true;
+      # TODO: inherit (config.pbsds.nginx.allowList) extraConfig;
     };
     # from https://wiki.nixos.org/wiki/Plex
     extraConfig = ''
diff --git a/profiles/http/services/redlib.nix b/profiles/http/services/redlib.nix
index 9d150ce..ed8d173 100644
--- a/profiles/http/services/redlib.nix
+++ b/profiles/http/services/redlib.nix
@@ -23,6 +23,7 @@ in
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.redlib.port}";
       proxyWebsockets = true;
+      inherit (config.pbsds.nginx.allowList) extraConfig;
     };
   };
   services.nginx.virtualHosts.${mkDomain "libreddit"} = lib.mkIf config.services.redlib.enable {
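Review bot: Only the first virtual host's `locations."/"` receives the allow list in this hunk, while the context line right after it opens a second vhost, `${mkDomain "libreddit"}`, whose body lies outside the hunk. If that vhost also proxies to the redlib port rather than redirecting, requests arriving under that hostname are not covered by the restriction. In that case its location should carry the same `inherit (config.pbsds.nginx.allowList) extraConfig;`. Worth confirming against the full file.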
diff --git a/profiles/http/services/thelounge.nix b/profiles/http/services/thelounge.nix
index b5d483c..2327f07 100644
--- a/profiles/http/services/thelounge.nix
+++ b/profiles/http/services/thelounge.nix
@@ -30,6 +30,7 @@ in
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.thelounge.port}";
       proxyWebsockets = true;
+      inherit (config.pbsds.nginx.allowList) extraConfig;
     };
   };
 }
diff --git a/profiles/http/services/webdav-zotero.nix b/profiles/http/services/webdav-zotero.nix
index 439fb5e..6844b1a 100644
--- a/profiles/http/services/webdav-zotero.nix
+++ b/profiles/http/services/webdav-zotero.nix
@@ -69,6 +69,8 @@ in
 
         proxy_request_buffering off;
         client_max_body_size 2G;
+
+        ${config.pbsds.nginx.allowList.extraConfig}
       '';
     };
   };