diff --git a/TODO.md b/TODO.md
index 5fff9a2..a9f40e1 100755
--- a/TODO.md
+++ b/TODO.md
@@ -5,6 +5,9 @@
 - [ ] support hs system per dir, ie hosts//overlays or hosts//nixpkgs.nix
 ## Queued
+- [X] base should automatically be set as the default (dont do anything with the default)
+- [X] try to remove common foot guns, ie abort if the user provides the home-manager or microvm nixosModules
+ since cerulean ALREADY provides these
 - [ ] per node home configuration is a lil jank rn
 - [ ] deploy port should default to the first port given to `services.openssh`
diff --git a/cerulean/nixos/default.nix b/cerulean/nixos/default.nix
index a716c2f..664a10c 100644
--- a/cerulean/nixos/default.nix
+++ b/cerulean/nixos/default.nix
@@ -13,34 +13,29 @@
 # limitations under the License.
 {
 root,
- system,
- hostname,
- node,
 pkgs,
- lib,
+ system,
 _cerulean,
 ...
 } @ args: {
- imports =
+ imports = with _cerulean.inputs;
 [
- _cerulean.inputs.sops-nix.nixosModules.sops
- # _cerulean.inputs.microvm.nixosModules.microvm
-
 # add support for `options.legacyImports`
 # ./legacy-imports.nix
- # nixos options declarations
+ # user configuration
+ (import /${root}/nixpkgs.nix)
+ # options declarations
 (import ./nixpkgs.nix (args // {contextName = "hosts";}))
- # user's nixpkg configuration
- (import /${root}/nixpkgs.nix)
+ sops-nix.nixosModules.sops
+ # microvm.nixosModules.microvm
 ]
- # homemanager options declarations
- ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
- # remote deployment configuration
- ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);
-
- networking.hostName = lib.mkDefault hostname;
+ ++ (
+ if _cerulean.homeManager != null
+ then [./home.nix]
+ else []
+ );
 environment.systemPackages =
 (with pkgs; [
diff --git a/cerulean/nixos/remote-deploy/default.nix b/cerulean/nixos/remote-deploy/default.nix
deleted file mode 100644
index f2f4a90..0000000
--- a/cerulean/nixos/remote-deploy/default.nix
+++ /dev/null
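Review bot: Dropping the `++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);` line removes, without a replacement in this commit, the only constraints that applied to the deployment account: `services.openssh.settings.AllowUsers = [user]`, the sudo-rs rule limiting that user to `${pkgs.nix}/bin/nix`, and the assertion that at least one public key is authorized (all in the deleted cerulean/nixos/remote-deploy/default.nix). With the option defaults now in place (`user = "root"`, `sudoCmd = "sudo -u"`), a node appears to be deployed with whatever access the operator's own SSH account already has, and nothing visible in the hunk documents that this is now the operator's responsibility. If that is intended, a comment next to the `++ (` branch should state it, e.g. `# no remote-deploy module: ssh AllowUsers, the nix-only sudo rule and the authorized-key check are no longer managed here`; otherwise the sudo rule and AllowUsers are worth keeping as an opt-in module. Note also that `networking.hostName = lib.mkDefault hostname;` is gone with no replacement, so nodes that relied on the node name for hostName now need to set it themselves. The module attrset continues past the end of the hunk.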
@@ -1,72 +0,0 @@
-{
- config,
- node,
- lib,
- pkgs,
- hostname,
- ...
-}: let
- user = node.deploy.ssh.user;
- cfg = config.users.users.${user};
-
- DEFAULT_USER = "cerubld";
-
- isStandardDeployUser = user == DEFAULT_USER;
-in {
- assertions = [
- {
- assertion = builtins.length node.deploy.ssh.publicKeys != 0;
- message = ''
- The Cerulean deployment user `${user}` for node `${hostname}` must have at least
- one publicKey authorized for ssh deployment! Try setting `nodes.nodes..deploy.ssh.publicKeys = [ ... ]` <3
- '';
- }
- {
- assertion = cfg.isSystemUser && !cfg.isNormalUser;
- message = ''
- The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
- Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
- '';
- }
- ];
-
- warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
- The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
- It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
- This message can be disabled by setting `.deploy.warnNonstandardBuildUser = false`.
- '';
-
- # prefer sudo-rs over sudo
- security.sudo-rs = {
- enable = true;
- wheelNeedsPassword = true;
-
- # allow the build user to run nix commands
- extraRules = [
- {
- users = [user];
- runAs = "${node.deploy.user}:ALL";
- commands = [
- "${pkgs.nix}/bin/nix"
- ];
- }
- ];
- };
-
- # ensure deployment user has SSH permissions
- services.openssh.settings.AllowUsers = [user];
-
- users = lib.mkIf isStandardDeployUser {
- groups.${user} = {};
-
- users.${user} = {
- enable = true;
- isSystemUser = true;
- group = user;
- description = "Cerulean's user for building and remote deployment.";
-
- shell = pkgs.bash;
- openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
- };
- };
-}
diff --git a/cerulean/snow/default.nix b/cerulean/snow/default.nix
index c1199a6..bad3c1b 100644
--- a/cerulean/snow/default.nix
+++ b/cerulean/snow/default.nix
@@ -86,10 +86,9 @@ in
 userArgs = nodes.args // node.args;
 ceruleanArgs = {
- inherit systems root base node;
+ inherit systems root base;
 inherit (node) system;
 inherit (this) snow;
- hostname = name;
 _cerulean = {
 inherit inputs userArgs ceruleanArgs homeManager;
@@ -129,6 +128,7 @@ in
 (node.deploy)
 ssh
 user
+ sudoCmd
 interactiveSudo
 remoteBuild
 rollback
@@ -140,17 +140,14 @@ in
 nixosFor = system: inputs.deploy-rs.lib.${system}.activate.nixos;
 in {
- hostname =
- if ssh.host != null
- then ssh.host
- else "";
+ hostname = ssh.host;
 profilesOrder = ["default"]; # profiles priority
 profiles.default = {
 path = nixosFor node.system nixosConfigurations.${name};
 user = user;
- sudo = "sudo -u";
+ sudo = sudoCmd;
 interactiveSudo = interactiveSudo;
 fastConnection = false;
diff --git a/cerulean/snow/nodes/submodule.nix b/cerulean/snow/nodes/submodule.nix
index 6b4ae05..ea30c4f 100644
--- a/cerulean/snow/nodes/submodule.nix
+++ b/cerulean/snow/nodes/submodule.nix
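Review bot: `hostname = ssh.host;` now forwards the option's new default `""` to deploy-rs for every node that never set `ssh.host`, and since the `!= null` test is gone there is no longer any value that means "this node is not remotely deployable"; the old code produced `""` too, but it could still tell the two cases apart. A one-line guard such as `hostname = assert ssh.host != "" -> builtins.length profilesOrder > 0; ssh.host;` is not expressible cleanly here, so the better place is an assertion at the node level, or at least a comment on this line: `# "" means the node has no remote target; deploy-rs will fail to connect rather than skip it`. Likewise `sudo = sudoCmd;` hands an operator-supplied string straight to deploy-rs as the privilege-escalation prefix, so an empty or misspelled value presumably runs the activation as the plain ssh user (or fails late) rather than being rejected at evaluation time; a comment naming that contract, `# forwarded verbatim to deploy-rs; must be a command prefix that takes the target user as its next argument`, would help. The enclosing `let … in {` block starts before the hunk.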
@@ -59,32 +59,23 @@
 default = "root";
 example = "admin";
 description = ''
- The user that the system derivation will be built with. The command specified in
+ The user that the system derivation will be deployed to. The command specified in
 `.deploy.sudoCmd` will be used if `.deploy.user` is not the same as `.deploy.ssh.user` the same as above).
 '';
 };
- warnNonstandardDeployUser = mkOption {
- type = types.bool;
- default = true;
- example = false;
+ sudoCmd = mkOption {
+ type = types.str;
+ default = "sudo -u";
+ example = "doas -u";
 description = ''
- Disables the warning that shows when `deploy.ssh.user` is set to a non-standard value.
+ Which sudo command to use. Must accept at least two arguments:
+ 1. the user name to execute commands as
+ 2. the rest is the command to execute
 '';
 };
- # sudoCmd = mkOption {
- # type = types.str;
- # default = "sudo -u";
- # example = "doas -u";
- # description = ''
- # Which sudo command to use. Must accept at least two arguments:
- # 1. the user name to execute commands as
- # 2. the rest is the command to execute
- # '';
- # };
-
 interactiveSudo = mkOption {
 type = types.bool;
 default = false;
@@ -154,8 +145,8 @@
 ssh = {
 host = mkOption {
- type = types.nullOr types.str;
- default = null;
+ type = types.str;
+ default = "";
 example = "dobutterfliescry.net";
 description = ''
 The host to connect to over ssh during deployment
@@ -180,16 +171,6 @@
 '';
 };
- publicKeys = mkOption {
- type = types.listOf types.str;
- default = [];
- example = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeyZuUUmyUYrYaEJwEMvcXqZFYm1NaZab8klOyK6Imr me@puter"];
- description = ''
- SSH public keys that will be authorized to the deployment user.
- This key is intended solely for deployment, allowing for fine-grained permission control.
- '';
- };
-
 opts = mkOption {
 type = types.listOf types.str;
 default = [];
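Review bot: `sudoCmd` is declared as `type = types.str;` with no constraint, yet cerulean/snow/default.nix forwards it verbatim as deploy-rs's `sudo` field, so `""` is accepted at evaluation time and silently drops privilege escalation for the deployment, and the description does not tell the operator that the value becomes part of a remote command line. Suggest `type = types.nonEmptyStr;` and extending the description with a sentence along the lines of "Passed unchanged to deploy-rs as the command prefix used to switch to `.deploy.user`; it is executed on the remote host, not validated here." The same hunk's description for `user` still reads `the same as above).` with an unmatched parenthesis, left over from the previous wording. In the `@@ -154` hunk, changing `host` from `nullOr str`/`null` to `str`/`""` removes the only value that distinguished a node with no remote target; if `""` is meant to carry that meaning it should be stated in the description, e.g. `Leave empty for nodes that are not deployed over ssh.`. The `deploy` submodule these options belong to starts before the first hunk.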