diff --git a/common/tailscale.nix b/common/tailscale.nix index 2614612..16cffcd 100644 --- a/common/tailscale.nix +++ b/common/tailscale.nix @@ -18,6 +18,4 @@ ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags} ''; }; - - networking.domain = "birdsong.network"; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 2ff3476..8417425 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -12,6 +12,7 @@ in nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "kalessin"; networking.hostId = "534b538e"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.users.randomcat.enable = true; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 31c990b..ce4c125 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -9,6 +9,7 @@ nixpkgs.hostPlatform = "x86_64-linux"; networking.hostName = "orm"; networking.hostId = "00000000"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; diff --git a/hosts/tehanu/default.nix b/hosts/tehanu/default.nix index fc1ecad..14b4151 100644 --- a/hosts/tehanu/default.nix +++ b/hosts/tehanu/default.nix @@ -9,6 +9,7 @@ nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "tehanu"; networking.hostId = "8e1185ab"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 6834203..1545c62 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
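Review bot: The literal `"birdsong.network"` is now pasted into kalessin, orm and tehanu (and into the yevaud hunk further down) after being removed from common/tailscale.nix, so a future domain change has to touch every host file. If every host is meant to sit in this domain, `networking.domain = lib.mkDefault "birdsong.network";` in a module all hosts import keeps a single source of truth while still letting one host override it. If the intent is instead that some host importing tailscale.nix must not get a domain, a one-line comment at the removal site saying so would stop the next reader from moving the line back.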
@@ -5,12 +5,14 @@ ./hardware-configuration.nix ./networking.nix - ./experiments/pennykettle.nix + # TODO: this breaks external IPv6 somehow + # ./experiments/pennykettle.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; networking.hostName = "yevaud"; networking.hostId = "09673d65"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; @@ -45,5 +47,16 @@ }; }; + services.nginx = { + enable = true; + virtualHosts = { + "birdsong.network" = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/"; + }; + }; + }; + system.stateVersion = "23.11"; } diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 53f7661..98e84c6 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix 
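Review bot: The TODO next to the commented-out import records "somehow" while the pennykettle.nix hunks in this same commit delete the comment that explained the failure (networkd stops accepting router advertisements once any network enables IPv6 forwarding), so the diagnosis the repository already had is lost at both ends. Because the file is no longer imported, the edits made to hosts/yevaud/experiments/pennykettle.nix in this commit are never evaluated by `nixos-rebuild`, so they stay unchecked until the import returns. I would make the TODO carry both facts, e.g. `# TODO: importing this breaks external IPv6 — likely the networkd IPv6AcceptRA/forwarding interaction; while unimported this file is not evaluated at all`.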
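Review bot: `services.nginx.enable = true` does not open any port in the NixOS firewall, and `enableACME = true` needs port 80 reachable for the HTTP-01 challenge plus `security.acme.acceptTerms = true` and a contact address in `security.acme.defaults.email`; none of these appear in the hunk, so unless ./networking.nix or a common module already provides them the certificate request presumably fails and the vhost keeps serving the module's self-signed placeholder. If they are missing, `networking.firewall.allowedTCPPorts = [ 80 443 ];` belongs next to this block. As this is the first public TLS listener in the file, `services.nginx.recommendedTlsSettings = true;` is also worth enabling so the vhost gets the module's hardened protocol and cipher defaults rather than nginx's own.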
@@ -2,30 +2,15 @@ { networking.nat.enable = true; - networking.nat.enableIPv6 = true; networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; networking.firewall.allowedUDPPorts = [ 51821 ]; - - # RA = Router Advertisement (how a host finds a gateway IPv6 address for - # SLAAC or DHCPv6). - # networkd usually defaults this to true, but instead defaults it to false - # for ALL networks if ANY network has IPv6Forwarding enabled, on the - # (reasonable) assumption that a host doing IP forwarding is probably a - # network bridge. - # The kernel's RA implementation does this too, and the NixOS networking.nat - # module explicitly overrides that with sysctl, but networkd doesn't pay - # attention to that. - # We thus explicitly enable it, as otherwise external IPv6 is broken. - systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true; containers."pennykettle1" = { privateNetwork = true; extraVeths."ve-pennykettle1" = { - hostAddress = "10.231.136.1"; - localAddress = "10.231.136.2"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::2"; + hostAddress = "10.235.1.1"; + localAddress = "10.235.2.1"; forwardPorts = [{ hostPort = 51821; }]; }; ephemeral = true; @@ -45,11 +30,13 @@ networks."10-ve" = { matchConfig.Name = "ve-pennykettle1"; - networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; + networkConfig.Address = "10.235.2.1/32"; # linkConfig.RequiredForOnline = "routable"; routes = [{ - Gateway = [ "10.231.136.1" "fc00::1" ]; - Destination = "217.138.216.162"; + routeConfig = { + Gateway = "10.235.1.1"; + Destination = "217.138.216.162/32"; + }; }]; }; 
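Review bot: Dropping `hostAddress6`/`localAddress6` together with `networking.nat.enableIPv6` leaves the container with IPv4-only egress, which makes the peer's `AllowedIPs = "0.0.0.0/0"` (in the wireguardPeers hunk below) the entire tunnel policy, and nothing in the file now records that IPv6 is intentionally absent rather than temporarily removed while debugging. If someone later restores an IPv6 address on `ve-pennykettle1` without adding `::/0` to AllowedIPs, that traffic leaves the container outside the tunnel. A short comment on `extraVeths."ve-pennykettle1"`, e.g. `# IPv4 only on purpose: AllowedIPs covers 0.0.0.0/0, so any v6 on this veth would bypass the tunnel`, makes the dependency explicit.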
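Review bot: `networkConfig.Address = "10.235.2.1/32"` no longer covers the gateway `10.235.1.1` (the removed `/24` did), so the `217.138.216.162/32` route cannot be installed unless a device route to the gateway already exists; the kernel rejects a via-gateway route whose next hop is not on-link. If the NixOS container init does not add such a route for extra veths, add `GatewayOnLink = true;` inside `routeConfig`, or a second route entry with `Destination = "10.235.1.1/32";` and no gateway; the enclosing `systemd.network` block starts outside the hunk. Separately, the nested `routeConfig` here and `wireguardPeerConfig` in the wireguardPeers hunk are the older spelling that newer nixpkgs releases warn about in favour of the flat keys the removed lines used, so this presumably tracks the pinned nixpkgs; a comment naming that pin would keep the next reader from flattening it again.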
@@ -77,10 +64,12 @@ PrivateKeyFile = "/run/secrets/wg-key"; }; wireguardPeers = [{ - PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; - AllowedIPs = "0.0.0.0/0"; - Endpoint = "217.138.216.162:51820"; - PersistentKeepalive = 5; + wireguardPeerConfig = { + PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; + AllowedIPs = "0.0.0.0/0"; + Endpoint = "217.138.216.162:51820"; + PersistentKeepalive = 5; + }; }]; }; }; @@ -93,4 +82,4 @@ group = "systemd-network"; mode = "640"; }; -} +} \ No newline at end of file diff --git a/services/headscale.nix b/services/headscale.nix index d5f2fe9..eeae58c 100644 --- a/services/headscale.nix +++ b/services/headscale.nix @@ -39,10 +39,7 @@ in settings = { server_url = "https://${cfg.domain}:443"; prefixes.allocation = "random"; - dns = { - magic_dns = true; - base_domain = "birdsong.network"; - }; + dns.magic_dns = false; # disable built-in ACME client tls_cert_path = null;
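Review bot: Switching MagicDNS off removes the tailnet's built-in name resolution, and nothing in the hunk records why; the most plausible reason I can see is that headscale refuses a `base_domain` that overlaps the host in `server_url` (built from `${cfg.domain}` two lines above), but that is inference from the visible config. A comment on the new line would prevent someone re-enabling it blindly, e.g. `# MagicDNS off: <reason, e.g. base_domain may not overlap the server_url host>`. With the hosts now setting `networking.domain = "birdsong.network"` themselves (earlier hunks in this commit), peer names presumably have to be published in ordinary DNS, which is worth stating next to this setting.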