diff --git a/system-nix/configuration.nix b/system-nix/configuration.nix index a396f3d..74ea0c6 100755 --- a/system-nix/configuration.nix +++ b/system-nix/configuration.nix @@ -74,23 +74,26 @@ with lib; # have the job run this shell script script = '' # wait for tailscaled to settle - sleep 5 + sleep 2 # check if we are already authenticated to tailscale status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" if [ $status = "Running" ]; then # if so, then do nothing exit 0 fi - # otherwise authenticate with tailscale - ${pkgs.tailscale}/bin/tailscale up -authkey tskey-examplekeyhere + + # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url + # This time, configure device auth so that we authenticate from portal + # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network + ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW ''; }; # Don't touch networking.firewall.enable, just configure everything else. # inherit networking; networking = networking // { firewall = { - checkReversePath = "loose"; - trustedInterfaces = [ "tailscale0" ]; - allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = networking.firewall.trustedInterfaces or [] ++ [ "tailscale0" ]; + allowedUDPPorts = networking.firewall.allowedUDPPorts or [] ++ [ config.services.tailscale.port ]; + allowedTCPPorts = networking.firewall.allowedTCPPorts or [] ++ [ 22 ]; }; }; diff --git a/system-nix/flake.nix b/system-nix/flake.nix index 96d342d..ae76989 100644 --- a/system-nix/flake.nix +++ b/system-nix/flake.nix 
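Review bot: The new `${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-…` line embeds a live Tailscale auth key in the configuration, which now lives in git history and, since a systemd `script` body is built into a store path, in the world-readable Nix store; the key should be treated as exposed and rotated, and the script should read it from a root-only file outside the store instead, e.g. `${pkgs.tailscale}/bin/tailscale up --auth-key "file:<PATH_TO_KEY_FILE>"` (Tailscale accepts the `file:` prefix; newer nixpkgs also offer `services.tailscale.authKeyFile`). The comment directly above says device authorization from the portal is used this time, but the command still passes a key, so one of the two is stale and should be corrected. Separately, `networking = networking // { firewall = { … }; };` is a shallow merge, so the `firewall.enable` the flake passes for lizzi and nyx is dropped even though the comment says it is untouched; `firewall = (networking.firewall or {}) // { … };` keeps it while still appending the tailscale and SSH entries. This assumes `networking` on the right-hand side is the specialArgs attribute set passed from flake.nix, which the flake hunk suggests but this hunk does not show.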
@@ -5,101 +5,105 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, ... }: { - # Windows with NixOS WSL - nixosConfigurations.Felia = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./wsl-configuration.nix - ]; - specialArgs = { - # includeHardware = false; - hostname = "Felia"; + outputs = { self, nixpkgs, ... }: + let lib = nixpkgs.lib; in + { + # Windows with NixOS WSL + nixosConfigurations.Felia = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./wsl-configuration.nix + ]; + specialArgs = { + # includeHardware = false; + hostname = "Felia"; + }; }; - }; - # Generic machine - nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./configuration.nix - ]; - specialArgs = { - hostname = "lizzi"; - networking = { - interfaces.eth1.ipv4.addresses = [{ - address = "71.0.0.1"; - prefixLength = 24; - }]; - firewall.enable = false; - useDHCP = false; - interfaces.eth0.useDHCP = true; - }; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - services.openssh = { - permitRootLogin = "no"; - enable = true; - }; - services.gitea = { - enable = true; - stateDir = "/gitea"; - rootUrl = "https://git.pegasust.com"; - settings = { - repository = { - "ENABLE_PUSH_CREATE_USER" = true; - "ENABLE_PUSH_CREATE_ORG" = true; + # Generic machine + nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + ]; + specialArgs = { + hostname = "lizzi"; + networking = { + interfaces.eth1.ipv4.addresses = [{ + address = "71.0.0.1"; + prefixLength = 24; + }]; + firewall.enable = false; + useDHCP = false; + interfaces.eth0.useDHCP = true; + }; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + services.openssh = { + permitRootLogin = "no"; + enable = true; + }; + services.gitea = { + enable = true; + stateDir = "/gitea"; + rootUrl = "https://git.pegasust.com"; + settings = { + repository = { 
+ "ENABLE_PUSH_CREATE_USER" = true; + "ENABLE_PUSH_CREATE_ORG" = true; + }; + }; + }; + services.nginx = { + enable = true; + clientMaxBodySize = "100m"; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."git.pegasust.com" = { + # Gitea hostname + sslCertificate = "/var/lib/acme/git.pegasust.com/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/git.pegasust.com/key.pem"; + forceSSL = true; # Runs on port 80 and 443 + locations."/".proxyPass = "http://localhost:3000/"; # Proxy to Gitea }; }; }; - services.nginx = { - enable = true; - clientMaxBodySize = "100m"; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts."git.pegasust.com" = { - # Gitea hostname - sslCertificate = "/var/lib/acme/git.pegasust.com/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/git.pegasust.com/key.pem"; - forceSSL = true; # Runs on port 80 and 443 - locations."/".proxyPass = "http://localhost:3000/"; # Proxy to Gitea + }; + nixosConfigurations.nyx = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + ]; + specialArgs = { + hostname = "nyx"; + networking = { + interfaces.eth1.ipv4.addresses = [{ + address = "71.0.0.2"; + prefixLength = 24; + }]; + firewall.enable = true; + firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedUDPPorts = lib.range 60000 61000; # mosh + useDHCP = false; + interfaces.eth0.useDHCP = true; + }; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + services.openssh = { + permitRootLogin = "no"; + enable = true; }; }; }; - }; - nixosConfigurations.nyx = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./configuration.nix - ]; - specialArgs = { - hostname = "nyx"; - networking = { - interfaces.eth1.ipv4.addresses = [{ - address = "71.0.0.2"; - prefixLength = 24; - }]; - firewall.enable = 
false; - useDHCP = false; - interfaces.eth0.useDHCP = true; - }; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - services.openssh = { - permitRootLogin = "no"; - enable = true; + nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + ]; + specialArgs = { + hostname = "nixos"; }; }; }; - nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./configuration.nix - ]; - specialArgs = { - hostname = "nixos"; - }; - }; - }; }
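Review bot: The new `let lib = nixpkgs.lib; in` binding is used once, for `lib.range`, while all four `nixosSystem` calls still spell `nixpkgs.lib.nixosSystem`; using `lib.nixosSystem` consistently would justify the re-indentation of the whole `outputs` body. The `firewall.allowedUDPPorts = lib.range 60000 61000; # mosh` line opens 1001 UDP ports inclusively, which matches mosh's default server range; a slightly fuller comment such as `# mosh default server port range (inclusive), appended to the tailscale port in configuration.nix` would tell the next reader why the range is this wide and where it is consumed, the second part being an inference from configuration.nix rather than something this hunk shows. The `boot.loader.grub.version = 2` and `services.openssh.permitRootLogin` lines are carried over unchanged, but note that both have been deprecated in more recent nixpkgs releases, so confirm they still evaluate on the pinned input.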