diff --git a/flake.lock b/flake.lock
index 553a9ce..e1c84df 100644
--- a/flake.lock
+++ b/flake.lock
@@ -105,14 +105,18 @@
         ]
       },
       "locked": {
-        "lastModified": 1772890888,
-        "narHash": "sha256-fJ73wGR6h71ItlUIXlHvQpGbbwE6WA5Bjjs3n4kJ6tM=",
-        "path": "/home/me/cry/mk/cerulean",
-        "type": "path"
+        "lastModified": 1772870050,
+        "narHash": "sha256-il+K3xjwpb68ojPNt5yEF+TqTHWAiIBaXU0QMhw5ek8=",
+        "owner": "cry128",
+        "repo": "cerulean",
+        "rev": "7bd81f84e6c0c47e62e3498508e018d2a1a8c7e4",
+        "type": "github"
       },
       "original": {
-        "path": "/home/me/cry/mk/cerulean",
-        "type": "path"
+        "owner": "cry128",
+        "ref": "bleeding",
+        "repo": "cerulean",
+        "type": "github"
       }
     },
     "curl-src": {
diff --git a/flake.nix b/flake.nix
index c901398..cd28d3d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,8 +16,7 @@
     nt.url = "git+https://tearforge.net/cry/nt";
 
     cerulean = {
-      # url = "github:cry128/cerulean/bleeding";
-      url = "/home/me/cry/mk/cerulean";
+      url = "github:cry128/cerulean/bleeding";
       inputs = {
         nt.follows = "nt";
         systems.follows = "systems";
diff --git a/groups/all/default.nix b/groups/all/default.nix
index 0ba6d11..fac958f 100644
--- a/groups/all/default.nix
+++ b/groups/all/default.nix
@@ -7,10 +7,9 @@
     ./modules/flatpak.nix
   ];
 
-  security.sudo-rs = {
-    enable = true;
-    wheelNeedsPassword = lib.mkOverride 200 true;
-  };
+  # NOTE: mkDefault is 1000 and mkForce is 50
+  # NOTE: so this is like a second mkDefault
+  security.sudo.wheelNeedsPassword = true;
 
   networking = {
     networkmanager.enable = true;
diff --git a/groups/cryos/default.nix b/groups/cryos/default.nix
index cadbee6..1f37683 100644
--- a/groups/cryos/default.nix
+++ b/groups/cryos/default.nix
@@ -86,7 +86,10 @@
     };
   };
 
-  security.rtkit.enable = true; # I *think* this is for pipewire
+  security = {
+    rtkit.enable = true; # I *think* this is for pipewire
+    sudo.wheelNeedsPassword = lib.mkDefault true;
+  };
 
   # ---- ENVIRONMENT VARIABLES ----
   environment = {
diff --git a/groups/server/default.nix b/groups/server/default.nix
index cb55017..18f1256 100644
--- a/groups/server/default.nix
+++ b/groups/server/default.nix
@@ -19,6 +19,10 @@
       defaults.email = "eclarkboman@gmail.com";
     };
 
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = true;
+    };
     # allow SSH keys for passwordless auth
     pam = {
       sshAgentAuth.enable = true;
diff --git a/homes/cry/default.nix b/homes/cry/default.nix
index 2403b1d..4ff9b0a 100644
--- a/homes/cry/default.nix
+++ b/homes/cry/default.nix
@@ -1,4 +1,8 @@
 {...}: {
+  nixpkgs = {
+    config.allowUnfree = false;
+  };
+
   imports = [
     ../modules/fish.nix
     ../modules/bat.nix
diff --git a/homes/me/default.nix b/homes/me/default.nix
index 835f509..32130dc 100755
--- a/homes/me/default.nix
+++ b/homes/me/default.nix
@@ -27,7 +27,16 @@
     ../modules/mako.nix
   ];
 
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.GetName pkg) [
+      # "vscode-extension-ms-dotnettools-csharp"
+      "spotify"
+    ];
+
   home = {
+    username = "me";
+    homeDirectory = "/home/me";
+
     shellAliases = {
       # rebuild = "sudo nixos-rebuild switch --flake /home/me/flake --show-trace";
       # trybuild = "sudo nixos-rebuild test --flake /home/me/flake --show-trace";
@@ -37,6 +46,10 @@
       man = "batman"; # bat + man
     };
 
+    sessionVariables = {
+      NIX_SHELL_PRESERVE_PROMPT = 1;
+    };
+
     pointerCursor = {
       gtk.enable = true;
       # x11.enable = true # dont enable since im on hyprland
@@ -86,6 +99,9 @@
   };
 
   programs = {
+    # these are both required for home-manager to work
+    home-manager.enable = true;
+
     hyfetch = {
       enable = true;
       settings = {
@@ -170,6 +186,8 @@
   };
   # the ssh-agent won't set this for itself...
   # systemd.user.sessionVariables.SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/ssh-agent";
+  # Nicely reload system units when changing configs
+  systemd.user.startServices = "sd-switch";
 
   home.stateVersion = "24.05"; # don't change this
 }
diff --git a/hosts/myputer/default.nix b/hosts/myputer/default.nix
index 1a05530..a5a28e5 100755
--- a/hosts/myputer/default.nix
+++ b/hosts/myputer/default.nix
@@ -46,7 +46,7 @@
     };
   };
 
-  security.sudo-rs.wheelNeedsPassword = lib.mkForce false;
+  security.sudo.wheelNeedsPassword = lib.mkForce false;
 
   # ---- SYSTEM PACKAGES -----
   environment.systemPackages = with pkgs; [
diff --git a/snow.nix b/snow.nix
index 07a453c..ec6e9d8 100644
--- a/snow.nix
+++ b/snow.nix
@@ -47,9 +47,8 @@
         groups = groups: [groups.server];
         deploy.ssh = {
           host = "dobutterfliescry.net";
+          user = "cry";
           port = 42069;
-          # XXX: WARNING: TEMP: this public key is temporary and used solely for debugging
-          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJqtXaBWEM6nte+Bci/PizXvv/n8abYKUCKaS/x1st1 me@myputer"];
         };
       };
 
@@ -59,8 +58,7 @@
         groups = groups: [groups.server];
         deploy.ssh = {
           host = "hyrule.dobutterfliescry.net";
-          # XXX: WARNING: TEMP: this public key is temporary and used solely for debugging
-          publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJqtXaBWEM6nte+Bci/PizXvv/n8abYKUCKaS/x1st1 me@myputer"];
+          user = "cry";
         };
       };
 
@@ -72,8 +70,7 @@
           remoteBuild = true;
           ssh = {
             host = "192.168.88.250"; # <- DEBUG: TEMP: TODO: switch to `matcha.dobutterfliescry.net`
-            # XXX: WARNING: TEMP: this public key is temporary and used solely for debugging
-            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJqtXaBWEM6nte+Bci/PizXvv/n8abYKUCKaS/x1st1 me@myputer"];
+            user = "emile";
           };
         };
       };