diff --git a/flake.lock b/flake.lock index 222391d..632d531 100644 --- a/flake.lock +++ b/flake.lock @@ -433,11 +433,11 @@ ] }, "locked": { - "lastModified": 1729321331, - "narHash": "sha256-KVyQq+ez/oB30/WbdNgVD8g/bda34z8NiU187QKQb74=", + "lastModified": 1728791962, + "narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=", "owner": "nix-community", "repo": "home-manager", - "rev": "122f70545b29ccb922e655b08acfe05bfb44ec68", + "rev": "64c6325b28ebd708653dd41d88f306023f296184", "type": "github" }, "original": { @@ -540,11 +540,11 @@ ] }, "locked": { - "lastModified": 1729394935, - "narHash": "sha256-2ntUG+NJKdfhlrh/tF+jOU0fOesO7lm5ZZVSYitsvH8=", + "lastModified": 1728790083, + "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "04f8a11f247ba00263b060fbcdc95484fd046104", + "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22", "type": "github" }, "original": { @@ -564,11 +564,11 @@ ] }, "locked": { - "lastModified": 1729389220, - "narHash": "sha256-vHCkVYWrw03vn48Yihor5PXiSuxDSF1TcyO2kAs1Ehg=", + "lastModified": 1728179514, + "narHash": "sha256-mOGZFPYm9SuEXnYiXhgs/JmLu7RofRaMpAYyJiWudkc=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "f4dd6d6b728a61095b944de1fbc58c5bbdc87320", + "rev": "018196c371073d669510fd69dd2f6dc0ec608c41", "type": "github" }, "original": { @@ -579,11 +579,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1729333370, - "narHash": "sha256-NU+tYe3QWzDNpB8RagpqR3hNQXn4BNuBd7ZGosMHLL8=", + "lastModified": 1728729581, + "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "38279034170b1e2929b2be33bdaedbf14a57bfeb", + "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806", "type": "github" }, "original": { 
@@ -623,11 +623,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1729181673, - "narHash": "sha256-LDiPhQ3l+fBjRATNtnuDZsBS7hqoBtPkKBkhpoBHv3I=", + "lastModified": 1728740863, + "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3", + "rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077", "type": "github" }, "original": { @@ -639,11 +639,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1728156290, + "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "17ae88b569bb15590549ff478bab6494dde4a907", "type": "github" }, "original": { @@ -713,11 +713,11 @@ }, "nur": { "locked": { - "lastModified": 1729400812, - "narHash": "sha256-9o1t9ZOK9TH0N8HhoBzJ5jbg8jy72qM45xJ4QyffBvM=", + "lastModified": 1728878648, + "narHash": "sha256-JYNGkY30+zGclR1zebnyHOtRhWKfKHLw6T4IoqhmJFs=", "owner": "nix-community", "repo": "NUR", - "rev": "a05b041fff7a2e4872d361dc03025d0f4cadb2f6", + "rev": "23d88faa35dc9de0e35fc3dc2a863c4cf451a8f8", "type": "github" }, "original": { @@ -774,11 +774,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1729394972, - "narHash": "sha256-fADlzOzcSaGsrO+THUZ8SgckMMc7bMQftztKFCLVcFI=", + "lastModified": 1728345710, + "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c504fd7ac946d7a1b17944d73b261ca0a0b226a5", + "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e8700a4..4af8705 100644 --- a/flake.nix +++ b/flake.nix 
@@ -208,7 +208,7 @@
       { ... }:
       {
         deployment = {
-          targetHost = "raspite.coho-tet.ts.net";
+          targetHost = "raspite.local";
           buildOnTarget = false;
         };
         nixpkgs.system = "aarch64-linux";
diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix
index 234d0e9..049e67e 100644
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@@ -8,10 +8,7 @@
 {
   imports = [ ./hass.nix ];
 
-  commonSettings = {
-    nix.enableMirrors = true;
-    auth.enable = true;
-  };
+  commonSettings.nix.enableMirrors = true;
 
   nixpkgs.overlays = [
     # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
@@ -36,15 +33,25 @@
 
   # boot.kernelPackages = pkgs.linuxPackages_stable;
 
+  custom.kanidm-client = {
+    enable = true;
+    uri = "https://auth.xinyang.life";
+    asSSHAuth = {
+      enable = true;
+      allowedGroups = [ "linux_users" ];
+      hardening = true;
+    };
+    sudoers = [ "xin@auth.xinyang.life" ];
+  };
+
+  security.sudo = {
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };
+
   # fileSystems."/".fsType = lib.mkForce "btrfs";
   boot.supportedFilesystems.zfs = lib.mkForce false;
 
-  services.dae.enable = true;
+  services.dae.enable = false;
   services.dae.configFile = "/var/lib/dae/config.dae";
-
-  services.tailscale = {
-    enable = true;
-    permitCertUid = config.services.caddy.user;
-    openFirewall = true;
-  };
 }
diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix
index f7b682e..68d161b 100644
--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
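Review bot: `targetHost = "raspite.local"` switches the deploy target from the tailnet MagicDNS name to a multicast-DNS name, and mDNS resolution is unauthenticated on the local link, so any host on the LAN can answer for `raspite.local`; the only thing that still binds the deployment (and the closure it pushes as root) to the real Pi is SSH host-key verification. Please confirm the deploying machine has raspite's host key pinned in `known_hosts` and that the deploy tooling is not run with host-key checking relaxed. A one-line comment on the changed line would make this explicit for the next person: `targetHost = "raspite.local"; # mDNS, unauthenticated - deploy relies on the pinned SSH host key`.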
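Review bot: `wheelNeedsPassword = false` in the new `security.sudo` block gives every wheel member password-less root, while the `asSSHAuth` block in the same hunk now sources SSH keys from Kanidm for everyone in `linux_users`; the net effect is that a single leaked SSH key for a wheel account is root on the box with no second check, which the previous config (wheel password prompt, tailnet-only reachability via the removed `services.tailscale`) did not allow. Unless non-interactive sudo is genuinely needed (for example for remote deployment), keep the NixOS default by dropping the line or setting `wheelNeedsPassword = true;`; if it is needed, a comment stating why would stop it being "fixed" later. The hunk also leaves `services.dae.configFile` pointing at `/var/lib/dae/config.dae` with dae disabled, which is harmless but worth a comment if the intent is to re-enable it.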
@@ -2,21 +2,22 @@
 {
   services.home-assistant = {
     enable = true;
+    extraComponents = [
+      "default_config"
+      "esphome"
+      "met"
+      "radio_browser"
+    ];
     openFirewall = false;
     config = {
       default_config = { };
       http = {
-        server_host = "127.0.0.1";
-        use_x_forwarded_for = true;
-        trusted_proxies = [ "127.0.0.1" ];
+        server_host = "::1";
+        base_url = "raspite.local:1000";
+        use_x_forward_for = true;
+        trusted_proxies = [ "::1" ];
       };
     };
-    extraPackages =
-      python3Packages: with python3Packages; [
-        # speed up aiohttp
-        isal
-        zlib-ng
-      ];
   };
 
   services.esphome = {
@@ -26,28 +27,23 @@
 
   users.groups.dialout.members = config.users.groups.wheel.members;
 
-  services.mosquitto = {
-    enable = true;
-  };
+  environment.systemPackages = with pkgs; [ zigbee2mqtt ];
 
-  services.zigbee2mqtt = {
-    enable = true;
-    settings = {
-      home-assistant = config.services.home-assistant.enable;
-      permit_join = true;
-      serial = {
-        port = "/dev/ttyUSB0";
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 ];
+  networking.firewall.allowedTCPPorts = [
+    1000
+    1001
+  ];
 
   services.caddy = {
     enable = true;
     virtualHosts = {
-      "raspite.coho-tet.ts.net".extraConfig = ''
-        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+      # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+      "raspite.local:1000".extraConfig = ''
+        reverse_proxy http://[::1]:8123
+      '';
+
+      "raspite.local:1001".extraConfig = ''
+        reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
       '';
     };
   };
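Review bot: `use_x_forward_for = true` misspells the Home Assistant option that the removed line had right, `use_x_forwarded_for`; depending on how strictly the `http:` schema is validated this either fails config validation at startup or is silently ignored, and in the latter case every request arriving through Caddy is attributed to `::1`, so per-client login throttling and IP banning stop distinguishing clients and, if they trigger, lock out the proxy itself. Restore `use_x_forwarded_for = true;`. `base_url` under `http:` also looks like the long-removed option (the replacement lives under `homeassistant.external_url` / `internal_url` in current releases), so please verify it is still accepted rather than rejected alongside the typo.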
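Review bot: `networking.firewall.allowedTCPPorts = [ 1000 1001 ]` together with the `raspite.local:1000` / `raspite.local:1001` Caddy sites publishes Home Assistant and the ESPHome dashboard to the whole LAN, where the removed site was only reachable under the tailnet name (the same commit drops `services.tailscale` and with it the `permitCertUid` that let Caddy fetch a certificate for it). Caddy cannot obtain a publicly trusted certificate for a `.local` name, so unless its internal CA is in use and trusted on every client, the HA login and any long-lived tokens now cross the LAN in clear text; as far as I know the ESPHome dashboard also has no authentication unless its own username/password are configured, and nothing in the hunk shows that. If LAN exposure is intended, at least add `tls internal` to both sites and a comment saying the exposure is deliberate; otherwise keep the firewall closed and reach the sites over the tailnet as before. The `# reverse_proxy ${config.services.home-assistant...}` comment left inside `virtualHosts` duplicates what the next line does and can go.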