diff --git a/.envrc b/.envrc
index 4d19475..c150a02 100644
--- a/.envrc
+++ b/.envrc
@@ -15,9 +15,10 @@ if ! test -s .direnv/pull-date || test "$now" != "$(cat .direnv/pull-date)"; the
 echo "$now" > .direnv/pull-date
 fi
-use flake .#envrc
-if test -s .remote.toml; then
+if ! test -s .remote.toml; then
+ use flake .#envrc-local
+else
 use flake .#envrc-remote
 echo
 echo "Current remote: $(remote-host)"
diff --git a/base.nix b/base.nix
index 876accc..09641a4 100644
--- a/base.nix
+++ b/base.nix
@@ -15,42 +15,15 @@
 )
 ];
+ # TODO: selectively whitelist?
 nixpkgs.config.allowUnfree = true;
 nixpkgs.config.allowUnfreePredicate = (pkg: true);
 nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
- # 'nixos-rebuild switch --upgrade', by default daily with no reboot
- system.autoUpgrade.enable = true;
- #system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`
- /** /
- # TODO: this doesn't work during 'nix eval' on a non-nixos machine
- system.autoUpgrade.flake = "/etc/nixos";
- system.autoUpgrade.flags = [
- "--recreate-lock-file" # fetch new inputs
- #"--commit-lock-file" # commit new lock to local git repo
- # TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
- "-L" # print build logs
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
 ];
- #assertions = [
- # { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
- #];
- /**/
- # TODO: make /etc/nixos a symlink to the in-store flake? - bad idea, horrible error recovery
- # TODO: make /etc/nixos a checkout of repo?
- # TODO: update only nixpkgs and unstable
- system.autoUpgrade.flake = inputs.self.outPath; # a nix store path
- #system.autoUpgrade.flake = "github:pbsds/nix-config"; # TODO: use this instead?
- system.autoUpgrade.flags = [
- "--recreate-lock-file" # fetch new inputs
- "--no-write-lock-file" # no write new flakelock, as the in-store flake is read-only
- "-L" # print build logs
- ];
- environment.etc."current-system-flake".source = inputs.self; # the plan was to allow me to locate the new flake.lock, but alas https://github.com/NixOS/nix/issues/6895
- /**/
-
- environment.shells = with pkgs; [ bashInteractive zsh ]; # TODO: needed?
- programs.zsh.enable = true; - nix.settings.allowed-users = [ "*" ]; # default #nix.settings.allowed-users = [ "@nixbld" "@builders" ]; # TODO: this nix.settings.trusted-users = [ "root" "@wheel" ]; @@ -59,13 +32,8 @@ nix.gc.automatic = true; nix.gc.dates = "weekly"; nix.gc.options = "--delete-older-than 30d"; - # TODO: can i make this non-string? - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; - # TODO: only if x86_64? - services.thermald.enable = true; + services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true; # firewall services.fail2ban.enable = config.services.openssh.enable; diff --git a/flake.nix b/flake.nix index 70d4062..dbb144f 100644 --- a/flake.nix +++ b/flake.nix @@ -106,7 +106,7 @@ # TODO: move nixos-hardware imports to the nixos configs? noximilien = mkConfig "noximilien" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel ]); bolle = mkConfig "bolle" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel ]); - nord = mkConfig "nord" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel-cpu-only common-gpu-amd common-hidpi ]); + nord = mkConfig "nord" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel-cpu-only common-cpu-intel-sandy-bridge common-gpu-amd common-hidpi ]); sopp = mkConfig "sopp" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel common-gpu-nvidia-nonprime ]); }; 
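Review bot: The new `# TODO: selectively whitelist?` is attached to `nixpkgs.config.allowUnfree = true`, but the line that actually disables the licence check is the next one, `nixpkgs.config.allowUnfreePredicate = (pkg: true);`, and this same diff shows `hardware/gpu/cuda.nix` defining a second, narrower `allowUnfreePredicate` (nvidia/cuda names only). As far as I can tell `nixpkgs.config` definitions are merged by attribute update rather than checked for conflicts, so whichever of the two comes later in module order silently wins — a host importing cuda.nix may end up with either an allow-everything or an nvidia-only predicate, which is not what a whitelist intends. I would keep a single predicate in base.nix that lists what is allowed, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ... ];`, and move the TODO onto that line as `# TODO: whitelist explicitly; note cuda.nix defines its own predicate`. This hunk starts on the previous line and its blank lines were lost in rendering, so exact placement is inferred.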
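Review bot: `services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true;` keys the default on the legacy `nixpkgs.system` option; the platform predicate is the more robust test and reads the same however the host's system is set, `services.thermald.enable = lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 true;`. Keeping `mkIf` rather than assigning the boolean directly is right, since a host can then still set the option without a conflicting-definition error. With this default in place the unconditional `services.thermald.enable = true;` still visible as context in `hosts/bolle/default.nix` later in this diff is redundant and can be dropped.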
@@ -125,24 +125,24 @@
 });
 devShells = forAllSystems ({ system, pkgs, ... }: let
- inherit (self.packages.${system}) remote-exec;
 mkShell = packages: pkgs.mkShell { inherit packages; };
 nixos-rebuild-nom = pkgs.writeScriptBin "nixos-rebuild" ''
 exec ${pkgs.nixos-rebuild}/bin/nixos-rebuild "$@" |& ${pkgs.nix-output-monitor}/bin/nom
 '';
- in {
- remoteenv = mkShell [
- nixos-rebuild-nom
- ];
- envrc = mkShell [
+ envrc-pkgs = [
 nixos-rebuild-nom
 pkgs.home-manager
 pkgs.nix-output-monitor
 pkgs.cachix
 ];
- envrc-remote = mkShell [
- remote-exec
+ in {
+ envrc-local = mkShell envrc-pkgs;
+ envrc-remote = mkShell(envrc-pkgs ++ [
+ self.packages.${system}.remote-exec
 pkgs.yq
+ ]);
+ remoteenv = mkShell [
+ nixos-rebuild-nom
 ];
 });
diff --git a/hardware/gpu/cuda.nix b/hardware/gpu/cuda.nix
index 7a70e37..188f538 100644
--- a/hardware/gpu/cuda.nix
+++ b/hardware/gpu/cuda.nix
@@ -6,7 +6,7 @@
 # https://nixos.wiki/wiki/Nvidia
 #nixpkgs.config.cudaSupport = true; # TODO: TOO SLOW, BREAKS
- #nixpkgs.config.nvidiaSupport = true; # TODO: used only by zenith
+ #nixpkgs.config.nvidiaSupport = true; # TODO: slow? used only by zenith
 nixpkgs.config.allowUnfreePredicate = pkg: lib.any (x: x) [
 (lib.hasInfix "nvidia" (lib.toLower (lib.getName pkg)))
 (lib.hasInfix "cuda" (lib.toLower (lib.getName pkg)))
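Review bot: The `nixos-rebuild-nom` wrapper (pre-existing context, now shipped in both the new `envrc-local` and `envrc-remote` shells) is built with `pkgs.writeScriptBin`, so it has no shebang, and it pipes `nixos-rebuild` through `nom` with `|&`, so the wrapper's exit status is nom's rather than nixos-rebuild's unless nom happens to notice the failure itself — a failed `nixos-rebuild switch` driven through `remote-exec` can look successful. Since this commit reshuffles the shells anyway, I would fix it here: `nixos-rebuild-nom = pkgs.writeShellScriptBin "nixos-rebuild" ''` with `set -o pipefail` as the first line of the body and the `exec ... |& ...` line unchanged; the `runtimeShell` shebang also makes the bash-only `|&` safe when the script is exec'd by a non-shell caller. Minor style: `mkShell(envrc-pkgs ++ [` would conventionally be written `mkShell (envrc-pkgs ++ [`.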
@@ -21,12 +21,11 @@
 libvdpau-va-gl
 ];
- hardware.nvidia.modesetting.enable = true; # needed for most wayland compositors
+ hardware.nvidia.modesetting.enable = lib.mkDefault true; # needed for most wayland compositors
 hardware.nvidia.nvidiaSettings = true;
 #hardware.nvidia.open = true; # open source version of kernel module, only on driver 515.43.04+
- hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
- #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable;
- #hardware.nvidia.powerManagement.enable = true; # Fix graphical corruption on suspend/resume
+ #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest; # only do this per-host
+ hardware.nvidia.powerManagement.enable = true; # Fix graphical corruption on suspend/resume
 # add this to the host in question:
 #hardware.nvidia.prime = {
@@ -40,7 +39,7 @@
 environment.systemPackages = with pkgs; ([
 nvtop-nvidia
- ] ++ lib.optional config.hardware.nvidia.prime.offload.enable [
+ ] ++ lib.optionals config.hardware.nvidia.prime.offload.enable [
 (writeShellScriptBin "prime-run" ''
 export __NV_PRIME_RENDER_OFFLOAD=1
 export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
diff --git a/hosts/bolle/default.nix b/hosts/bolle/default.nix
index b5d154d..63a6b22 100644
--- a/hosts/bolle/default.nix
+++ b/hosts/bolle/default.nix
@@ -8,6 +8,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../hardware/opengl-intel.nix
+ ../../profiles/auto-upgrade.nix
 ../../users # home-manager
 ../../users/pbsds
@@ -22,7 +23,7 @@
 #../../profiles/remote-builders
 #../../profiles/autossh-reverse-tunnels
 ];
- #services.domeneshop-updater.target = "bolle.pbsds.net"; # default?
+ #services.domeneshop-updater.target = [ "bolle.pbsds.net" ]; # TODO: secrets
 services.thermald.enable = true;
diff --git a/hosts/nord/default.nix b/hosts/nord/default.nix
index bfe927c..f14c3d6 100644
--- a/hosts/nord/default.nix
+++ b/hosts/nord/default.nix
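Review bot: `hardware.nvidia.powerManagement.enable = true;` is switched on for every host importing this shared profile at normal priority, while the `modesetting.enable` line in the same hunk is deliberately relaxed to `lib.mkDefault true` so a host can override it; a host that needs power management off could otherwise only do so with `mkForce`. Given that the commented-out `hardware.nvidia.*` overrides added to `hosts/sopp/default.nix` in this diff show per-host tuning is expected, the same escape hatch belongs here: `hardware.nvidia.powerManagement.enable = lib.mkDefault true; # Fix graphical corruption on suspend/resume; hosts may override`. The hunk declares two more lines than are visible, so the blank-line placement above is inferred.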
@@ -17,6 +17,7 @@
 ./hardware-configuration.nix
 ../../hardware/gpu/rocm.nix
 ../../hardware/gpu/intel.nix
+ ../../profiles/auto-upgrade.nix
 ../../users # home-manager
 ../../users/pbsds
diff --git a/hosts/noximilien/default.nix b/hosts/noximilien/default.nix
index 67d4fd3..2ad23e9 100644
--- a/hosts/noximilien/default.nix
+++ b/hosts/noximilien/default.nix
@@ -7,6 +7,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../hardware/gpu/intel.nix
+ ../../profiles/auto-upgrade.nix
 ../../users # home-manager
 ../../users/pbsds
diff --git a/hosts/sopp/default.nix b/hosts/sopp/default.nix
index 00c14d5..ea19b40 100644
--- a/hosts/sopp/default.nix
+++ b/hosts/sopp/default.nix
@@ -10,12 +10,19 @@
 systemd.services."getty@tty1".enable = false;
 systemd.services."autovt@tty1".enable = false;
- #boot.kernelPackages = pkgs.linuxPackages_latest; # amdgpu audio fix when at 4k@60fps
+ #boot.kernelPackages = pkgs.linuxPackages_latest;
+ #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
+ #hardware.nvidia.modesetting.enable = false; # makes atom behave, but mpv refuses to start
+
+ # PRIME:
+ #hardware.nvidia.prime.intelBusId = "PCI:0:02:0";
+ #hardware.nvidia.prime.nvidiaBusId = "PCI:1:00:0";
 imports = [
 ./hardware-configuration.nix
 ../../hardware/gpu/cuda.nix
 ../../hardware/gpu/intel.nix
+ ../../profiles/auto-upgrade.nix
 ../../users # home-manager
 ../../users/pbsds
diff --git a/profiles/auto-upgrade.nix b/profiles/auto-upgrade.nix
new file mode 100644
index 0000000..9cde7d9
--- /dev/null
+++ b/profiles/auto-upgrade.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+ # 'nixos-rebuild switch --upgrade', by default daily with no reboot
+ system.autoUpgrade.enable = true;
+ #system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`
+
+ /** /
+ # TODO: this doesn't work during 'nix eval' on a non-nixos machine
+ system.autoUpgrade.flake = "/etc/nixos";
+ system.autoUpgrade.flags = [
+ "--recreate-lock-file" # fetch new inputs
+ #"--commit-lock-file" # commit new lock to local git repo
+ # TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
+ "-L" # print build logs
+ ];
+ #assertions = [
+ # { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
+ #];
+ /**/
+
+ /**/
+ # TODO: make /etc/nixos a symlink to the in-store flake? - bad idea, horrible error recovery
+ # TODO: make /etc/nixos a checkout of repo?
+ # TODO: update only nixpkgs and unstable
+ system.autoUpgrade.flake = inputs.self.outPath; # a nix store path
+ #system.autoUpgrade.flake = "github:pbsds/nix-config"; # TODO: use this instead?
+ system.autoUpgrade.flags = [
+ "--recreate-lock-file" # fetch new inputs
+ "--no-write-lock-file" # no write new flakelock, as the in-store flake is read-only
+ "-L" # print build logs
+ ];
+ environment.etc."current-system-flake".source = inputs.self; # the plan was to allow me to locate the new flake.lock, but alas https://github.com/NixOS/nix/issues/6895
+ /**/
+
+}
diff --git a/profiles/remote-builders/default.nix b/profiles/remote-builders/default.nix
index d4de3e6..afc7a47 100644
--- a/profiles/remote-builders/default.nix
+++ b/profiles/remote-builders/default.nix
@@ -9,7 +9,7 @@ let # find 'publicKey' with `ssh-keyscan`
 remotes = [
- /**/
+ /** /
 {
 systems = [ "x86_64-linux" "wasm32-wasi" "wasm64-wasi" "x86_64-windows" "aarch64-linux" "riscv64-linux" ];
 hostName = "bolle.pbsds.net";
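Review bot: `"--recreate-lock-file"` in the active (second) `system.autoUpgrade.flags` list re-resolves every input of the in-store flake to its current upstream head on each daily run, not only nixpkgs, so a force-push or compromise of any third-party input is built and switched to on all four hosts that now import this profile within a day with nobody reviewing it, and because `"--no-write-lock-file"` follows, no record of which revisions actually went live is kept — the `# TODO: update only nixpkgs and unstable` line above already asks for the narrower behaviour. `nixos-rebuild` forwards `--update-input`, so the refresh can be limited to the inputs you intend to track while everything else stays pinned by the store copy of flake.lock: replace `"--recreate-lock-file" # fetch new inputs` with `"--update-input" "nixpkgs"` and `"--update-input" "unstable"` (input names taken from that TODO; confirm them against flake.nix, which is outside this file). I would also set `system.autoUpgrade.randomizedDelaySec = "45min";` so the hosts do not all fetch and switch at the same instant. The `config`, `pkgs` and `lib` arguments on the first line are unused by the active block and the header can shrink to `{ inputs, ... }:`.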