diff --git a/common/tailscale.nix b/common/tailscale.nix
index 16cffcd..2614612 100644
--- a/common/tailscale.nix
+++ b/common/tailscale.nix
@@ -18,4 +18,6 @@
 ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags}
 '';
 };
+
+ networking.domain = "birdsong.network";
 }
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index 8417425..2ff3476 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -12,7 +12,6 @@ in
 nixpkgs.hostPlatform = "aarch64-linux";
 networking.hostName = "kalessin";
 networking.hostId = "534b538e";
- networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
 fountain.users.randomcat.enable = true;
diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix
index ce4c125..31c990b 100644
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@@ -9,7 +9,6 @@
 nixpkgs.hostPlatform = "x86_64-linux";
 networking.hostName = "orm";
 networking.hostId = "00000000";
- networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
 fountain.admins = [ "qenya" ];
diff --git a/hosts/tehanu/default.nix b/hosts/tehanu/default.nix
index 14b4151..fc1ecad 100644
--- a/hosts/tehanu/default.nix
+++ b/hosts/tehanu/default.nix
@@ -9,7 +9,6 @@
 nixpkgs.hostPlatform = "aarch64-linux";
 networking.hostName = "tehanu";
 networking.hostId = "8e1185ab";
- networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
 fountain.admins = [ "qenya" ];
diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix
index 1545c62..6834203 100644
--- a/hosts/yevaud/default.nix
+++ b/hosts/yevaud/default.nix
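Review bot: `networking.domain = "birdsong.network";` is set unconditionally in the shared tailscale module, so a host that imports the module but needs a different domain would have to `lib.mkForce` it; `networking.domain = lib.mkDefault "birdsong.network";` keeps the per-host setting this commit removes from kalessin, orm, tehanu and yevaud available as a plain override. A host's DNS domain is also not obviously a tailscale concern, so a one-line comment explaining why it lives in this module (rather than a general networking module) would help the next reader. The enclosing module attribute set starts before the hunk.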
@@ -5,14 +5,12 @@
 ./hardware-configuration.nix
 ./networking.nix
- # TODO: this breaks external IPv6 somehow
- # ./experiments/pennykettle.nix
+ ./experiments/pennykettle.nix
 ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 networking.hostName = "yevaud";
 networking.hostId = "09673d65";
- networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
 fountain.admins = [ "qenya" ];
@@ -47,16 +45,5 @@
 };
 };
- services.nginx = {
- enable = true;
- virtualHosts = {
- "birdsong.network" = {
- forceSSL = true;
- enableACME = true;
- locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/";
- };
- };
- };
-
 system.stateVersion = "23.11";
 }
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
index 98e84c6..53f7661 100644
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
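Review bot: The second hunk drops the only `services.nginx.enable = true` visible for yevaud together with the ACME-backed `"birdsong.network"` vhost, but nothing in the diff touches whatever public DNS record points that name at this host; if the record stays, HTTPS for birdsong.network now fails and the previously issued certificate is no longer renewed. If the redirect is intentionally retired because the name becomes the headscale MagicDNS base domain in this same commit, a short comment where the block stood, e.g. `# birdsong.network is now only the MagicDNS base domain (services/headscale.nix); the public redirect vhost was removed`, would record the decision. Whether another module still enables nginx on yevaud is not visible from the hunk.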
@@ -2,15 +2,30 @@
 {
 networking.nat.enable = true;
+ networking.nat.enableIPv6 = true;
 networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
 networking.nat.externalInterface = "ens3";
 networking.firewall.allowedUDPPorts = [ 51821 ];
+
+ # RA = Router Advertisement (how a host finds a gateway IPv6 address for
+ # SLAAC or DHCPv6).
+ # networkd usually defaults this to true, but instead defaults it to false
+ # for ALL networks if ANY network has IPv6Forwarding enabled, on the
+ # (reasonable) assumption that a host doing IP forwarding is probably a
+ # network bridge.
+ # The kernel's RA implementation does this too, and the NixOS networking.nat
+ # module explicitly overrides that with sysctl, but networkd doesn't pay
+ # attention to that.
+ # We thus explicitly enable it, as otherwise external IPv6 is broken.
+ systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true;
 containers."pennykettle1" = {
 privateNetwork = true;
 extraVeths."ve-pennykettle1" = {
- hostAddress = "10.235.1.1";
- localAddress = "10.235.2.1";
+ hostAddress = "10.231.136.1";
+ localAddress = "10.231.136.2";
+ hostAddress6 = "fc00::1";
+ localAddress6 = "fc00::2";
 forwardPorts = [{ hostPort = 51821; }];
 };
 ephemeral = true;
@@ -30,13 +45,11 @@
 networks."10-ve" = {
 matchConfig.Name = "ve-pennykettle1";
- networkConfig.Address = "10.235.2.1/32";
+ networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
 # linkConfig.RequiredForOnline = "routable";
 routes = [{
- routeConfig = {
- Gateway = "10.235.1.1";
- Destination = "217.138.216.162/32";
- };
+ Gateway = [ "10.231.136.1" "fc00::1" ];
+ Destination = "217.138.216.162";
 }];
 };
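Review bot: `hostAddress6 = "fc00::1";` / `localAddress6 = "fc00::2";` use the fc00::/8 half of the ULA block, which RFC 4193 reserves for centrally assigned prefixes; locally chosen ULAs belong in fd00::/8 with a randomly generated 40-bit global ID, and a bare fc00::/64 is exactly the prefix that collides with the next container, VPN or lab network that picks the same obvious value. Generating a prefix once and using it here and in the `10-ve` network of the next hunk (`networkConfig.Address` and `Gateway`) avoids that, e.g. `hostAddress6 = "fdXX:XXXX:XXXX::1";` and `localAddress6 = "fdXX:XXXX:XXXX::2";` with the X's replaced by the generated hex (placeholder, not a real prefix). The `IPv6AcceptRA` comment is a good explanation of a non-obvious networkd default and should stay; the enclosing module continues past the hunk.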
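Review bot: The single `routes` entry now carries two gateways of different address families for one IPv4 destination: `Gateway = [ "10.231.136.1" "fc00::1" ];` with `Destination = "217.138.216.162";`. The NixOS module renders a list as repeated `Gateway=` lines inside one `[Route]` section, where networkd does not treat the key as a list, so the second value presumably overrides the first or the route is rejected, and the host route to the WireGuard endpoint may not end up via 10.231.136.1 at all. The IPv4 host route should keep only `Gateway = "10.231.136.1";`; if an IPv6 gateway is wanted for the container it belongs in its own route entry or in `networkConfig.Gateway`. The outer `networks` attribute set continues outside the hunk.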
@@ -64,12 +77,10 @@
 PrivateKeyFile = "/run/secrets/wg-key";
 };
 wireguardPeers = [{
- wireguardPeerConfig = {
- PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
- AllowedIPs = "0.0.0.0/0";
- Endpoint = "217.138.216.162:51820";
- PersistentKeepalive = 5;
- };
+ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ AllowedIPs = "0.0.0.0/0";
+ Endpoint = "217.138.216.162:51820";
+ PersistentKeepalive = 5;
 }];
 };
 };
@@ -82,4 +93,4 @@
 group = "systemd-network";
 mode = "640";
 };
-}
\ No newline at end of file
+}
diff --git a/services/headscale.nix b/services/headscale.nix
index eeae58c..d5f2fe9 100644
--- a/services/headscale.nix
+++ b/services/headscale.nix
@@ -39,7 +39,10 @@ in
 settings = {
 server_url = "https://${cfg.domain}:443";
 prefixes.allocation = "random";
- dns.magic_dns = false;
+ dns = {
+ magic_dns = true;
+ base_domain = "birdsong.network";
+ };
 # disable built-in ACME client
 tls_cert_path = null;
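Review bot: `AllowedIPs = "0.0.0.0/0";` stays IPv4-only while this commit gives the container an IPv6 address (`localAddress6 = "fc00::2"` in the same file) and turns on `networking.nat.enableIPv6` on the host, so any IPv6 the container originates leaves through the host's NAT rather than the WireGuard tunnel, which defeats the point of a catch-all peer if the intent is that the container only talks through the endpoint. Either extend the peer with `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` (and give the wg netdev an IPv6 address so the route is usable) or make sure the container has no IPv6 default route and the host's forward path does not carry its v6 traffic. Whether the container actually acquires a v6 default route is not visible from this hunk, which otherwise only flattens the deprecated `wireguardPeerConfig` wrapper; the enclosing netdev definition starts before the hunk.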
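Review bot: `base_domain = "birdsong.network";` now sits next to `server_url = "https://${cfg.domain}:443";`, and recent headscale releases refuse a configuration whose server URL host falls under the MagicDNS base domain, because clients would then resolve the control server through the tailnet DNS they are trying to reach. `cfg.domain` is defined outside the hunk, so if it is a name under birdsong.network the service will fail to start; a comment beside `base_domain` saying that `cfg.domain` must not be a subdomain of it, or an assertion in the module, would make the constraint explicit. Reusing the hosts' public `networking.domain` as the base domain also means tailnet clients resolve `<host>.birdsong.network` via headscale rather than public DNS, which is presumably intended but worth stating in the same comment. The `settings` attribute set continues beyond the hunk.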