diff --git a/common/default.nix b/common/default.nix index 5118c86..c60088e 100644 --- a/common/default.nix +++ b/common/default.nix @@ -14,6 +14,5 @@ ./sanoid.nix ./security.nix ./steam.nix - ./tailscale.nix ]; } diff --git a/common/tailscale.nix b/common/tailscale.nix deleted file mode 100644 index a6337d6..0000000 --- a/common/tailscale.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - services.tailscale = { - enable = true; - openFirewall = true; - extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually - extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry - }; -} diff --git a/common/users/default.nix b/common/users/default.nix index d063db5..2a4c5b3 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -27,6 +27,7 @@ in users.users = genAttrs cfg.admins (name: { extraGroups = [ "wheel" ]; - }); + } + ); }; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 7150e5a..2b80d96 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -15,9 +15,9 @@ in networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; + fountain.admins = [ "qenya" ]; fountain.users.randomcat.enable = true; fountain.users.trungle.enable = true; - fountain.admins = [ "qenya" "randomcat" ]; qenya.base-server.enable = true; @@ -28,7 +28,6 @@ in randomcat.services.zfs.datasets = { "rpool_kalessin/state" = { mountpoint = "none"; }; - "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; }; "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; }; }; @@ -44,11 +43,5 @@ in dataDir = "/var/lib/owncast"; }; - qenya.services.headscale = { - enable = true; - domain = "headscale.unspecified.systems"; - dataDir = "/var/lib/headscale"; - }; - system.stateVersion = "23.11"; } diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix index 6019108..a9c34da 100644 
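Review bot: The `fountain.admins` change in the first hosts/kalessin hunk drops "randomcat" from the list, and the `genAttrs cfg.admins` mapping visible in the common/users/default.nix hunk is what grants `wheel` from that list. Nothing in the visible hunks explains why this privilege change is bundled with removing headscale and tailscale. Shrinking the admin set is sound from a least-privilege view, but it should be documented at the line, for example `fountain.admins = [ "qenya" ]; # randomcat removed from admins: <reason>`. The line would also read better after the three `fountain.users.*.enable` lines than between them.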
--- a/services/audiobookshelf.nix
+++ b/services/audiobookshelf.nix
@@ -21,7 +21,11 @@ in
 enableACME = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8234/";
- proxyWebsockets = true;
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
 };
 };
 };
diff --git a/services/default.nix b/services/default.nix
index 194eb43..927886c 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -4,7 +4,6 @@
 ./audiobookshelf.nix
 ./distributed-builds.nix
 ./forgejo.nix
- ./headscale.nix
 ./jellyfin.nix
 ./navidrome.nix
 ./owncast.nix
diff --git a/services/headscale.nix b/services/headscale.nix
deleted file mode 100644
index eeae58c..0000000
--- a/services/headscale.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkIf mkOption mkEnableOption types;
- cfg = config.qenya.services.headscale;
-in
-{
- options.qenya.services.headscale = {
- enable = mkEnableOption "Headscale";
- domain = mkOption {
- type = types.str;
- };
- dataDir = mkOption {
- type = types.str;
- };
- };
-
- config = mkIf cfg.enable {
- services.nginx = {
- enable = true;
- virtualHosts = {
- ${cfg.domain} = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:32770/";
- proxyWebsockets = true;
- };
- };
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- services.headscale = {
- enable = true;
- address = "0.0.0.0"; # required to disable built-in ACME client for some reason
- port = 32770;
- settings = {
- server_url = "https://${cfg.domain}:443";
- prefixes.allocation = "random";
- dns.magic_dns = false;
-
- # disable built-in ACME client
- tls_cert_path = null;
- tls_key_path = null;
- };
- };
- };
-}
diff --git a/services/owncast.nix b/services/owncast.nix
index 47173d0..aa60223 100644
--- a/services/owncast.nix
+++ b/services/owncast.nix
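Review bot: The hand-written `extraConfig` in the services/audiobookshelf.nix hunk sends `Connection "upgrade"` on every proxied request rather than only on WebSocket handshakes, and it puts `proxy_set_header` lines at location level. nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none. If Host or X-Forwarded-* headers are set at http or server level elsewhere in this configuration (not visible here), this location would stop sending them, and the backend's logs and any address-based controls would see only 127.0.0.1. Unless `proxyWebsockets = true;` failed for a specific reason, keeping it is simpler. Otherwise add a comment stating that reason and take the Connection value from a `map` on `$http_upgrade`, as the nginx WebSocket proxying documentation shows. The enclosing virtualHost definition starts outside the hunk.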
@@ -22,7 +22,7 @@ in ${cfg.domain} = { forceSSL = true; enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:32769/"; + locations."/".proxyPass = "http://127.0.0.1:8080/"; }; }; }; @@ -30,7 +30,6 @@ in networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp services.owncast.enable = true; - services.owncast.port = 32769; services.owncast.dataDir = cfg.dataDir; }; }
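Review bot: The `proxyPass` target in the first services/owncast.nix hunk is now the literal port 8080, while the second hunk removes `services.owncast.port`. The reverse proxy therefore keeps working only as long as the module's default port stays 8080, and the two can drift apart silently. Deriving the port keeps them tied together: `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}/";`. This assumes `config` is among the module arguments, which the hunk does not show. Many other daemons also default to 8080, so if the literal stays, a comment such as `# owncast module default port` would make a later collision on this host easier to diagnose. The surrounding `config` block starts outside both hunks.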