diff --git a/nixos/base/system.nix b/nixos/base/system.nix index f391af2c..0f9dd861 100644 --- a/nixos/base/system.nix +++ b/nixos/base/system.nix @@ -6,7 +6,7 @@ ... }: let inherit (gensokyo-zone.lib) mkAlmostOptionDefault; - inherit (lib.modules) mkDefault; + inherit (lib.modules) mkIf mkDefault; in { hardware.enableRedistributableFirmware = mkDefault true; boot.zfs.package = mkDefault pkgs.zfs_unstable; @@ -29,4 +29,8 @@ in { useTmpfs = mkAlmostOptionDefault true; tmpfsSize = mkAlmostOptionDefault "80%"; }; + system.switch.enableNg = mkIf (config.boot.supportedFilesystems.nfs or false) ( + # XXX: workaround for nixos switch bug + mkAlmostOptionDefault false + ); } diff --git a/nixos/netboot/kyuuto.nix b/nixos/netboot/kyuuto.nix index 53e38475..d9ccfccd 100644 --- a/nixos/netboot/kyuuto.nix +++ b/nixos/netboot/kyuuto.nix @@ -7,7 +7,7 @@ ... }: let inherit (lib.options) mkOption mkEnableOption mkPackageOption; - inherit (lib.modules) mkIf mkDefault mkMerge; + inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault; cfg = config.gensokyo-zone.netboot; nfsEnabled = config.boot.initrd.supportedFilesystems.nfs or config.boot.initrd.supportedFilesystems.nfs4 or false; defaultCacheTimeoutMax = 60 * 60; # 1h @@ -20,6 +20,9 @@ in { package = mkPackageOption pkgs "nfs-utils" { example = "pkgs.mkinitcpio-nfs-utils"; }; + host = mkOption { + type = str; + }; security = mkOption { type = str; default = "sys"; @@ -39,6 +42,20 @@ in { }; }; config = { + gensokyo-zone.netboot = { + nfs = { + host = let + nfsUrl = access.proxyUrlFor { + serviceName = "nfs"; + scheme = ""; + defaultPort = 2049; + # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?) + getAddressFor = "getAddress4For"; + }; + in + mkOptionDefault nfsUrl; + }; + }; boot = { initrd = { network = { 
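Review bot: The `# XXX: workaround for nixos switch bug` comment on the new `system.switch.enableNg` override does not say which bug it works around or when it can be removed, so the override is likely to outlive its reason. I would expand it to something like `# XXX: switch-to-configuration-ng misbehaves with an NFS root, see <upstream issue link>; drop once fixed`, with the placeholder filled in by the author. The condition tests only `config.boot.supportedFilesystems.nfs`, while `nfsEnabled` in nixos/netboot/kyuuto.nix also accepts `nfs4`. If an nfs4-only host needs the same workaround, the test should be `(config.boot.supportedFilesystems.nfs or config.boot.supportedFilesystems.nfs4 or false)`. The module's argument list is outside the hunk, so confirm that `config` is bound there.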
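Review bot: The new `host = mkOption { type = str; };` in nixos/netboot/kyuuto.nix has no `description`, although its value is interpolated directly into the root filesystem device as `"${cfg.nfs.host}:/srv/fs/kyuuto/systems/${systemConfig.name}"` in the later `fileSystems` hunk. Someone overriding it has no way to know it must be the bare server part, with no path and no trailing colon. I would add `description = "NFS server address used as the host part of the netboot root device (no export path, no trailing colon)";`. The exact string `access.proxyUrlFor` returns with `scheme = ""` is not visible here, so the description should be checked against it.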
@@ -75,15 +92,7 @@ in { }; }; fileSystems = let - nfsUrl = - access.proxyUrlFor { - serviceName = "nfs"; - scheme = ""; - defaultPort = 2049; - # XXX: consider using dns hostname here instead? (does this require the dns_resolver kernel module?) - getAddressFor = "getAddress4For"; - } - + ":/srv/fs/kyuuto/systems/${systemConfig.name}"; + nfsUrl = "${cfg.nfs.host}:/srv/fs/kyuuto/systems/${systemConfig.name}"; nfsOpts = [ "sec=${cfg.nfs.security}" @@ -101,5 +110,8 @@ in { options = nfsOpts; }; }; + systemd.services.systemd-remount-fs = mkIf (config.fileSystems."/".fsType == "nfs") { + unitConfig.ConditionPathExists = "/tmp/systemd-remount-fs-broken"; + }; }; } diff --git a/nixos/nfs.nix b/nixos/nfs.nix index a112543e..d3f5c466 100644 --- a/nixos/nfs.nix +++ b/nixos/nfs.nix @@ -107,6 +107,10 @@ in { ]; adminClients = [ "@admin" + # TODO: "@personal-admin" host group too... + # shanghai.tail: + "fd7a:115c:a1e0::4e01:2d2c/128" + "100.107.45.44/32" # XXX: include tailscale addresses of trusted machines here too? ]; tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all; diff --git a/systems/gengetsu/hardware-configuration.nix b/systems/gengetsu/hardware-configuration.nix index db8e8352..c5396e9a 100644 --- a/systems/gengetsu/hardware-configuration.nix +++ b/systems/gengetsu/hardware-configuration.nix @@ -7,14 +7,14 @@ inherit (meta) nixos; in [ nixos.hw.c4130 - #nixos.netboot.kyuuto + nixos.netboot.kyuuto ]; fileSystems = { - "/" = { + "/mnt/root-old" = { device = "/dev/disk/by-uuid/bf317f5d-ffc2-45fd-9621-b645ff7223fc"; fsType = "xfs"; - options = ["lazytime" "noatime"]; + options = ["x-systemd.automount" "lazytime" "noatime" "noauto" "nofail"]; }; "/boot" = { device = "/dev/disk/by-label/boot"; diff --git a/systems/gengetsu/nixos.nix b/systems/gengetsu/nixos.nix index 6582f479..6dbf0701 100644 --- a/systems/gengetsu/nixos.nix +++ b/systems/gengetsu/nixos.nix 
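Review bot: `unitConfig.ConditionPathExists = "/tmp/systemd-remount-fs-broken";` on `systemd-remount-fs` looks like a deliberately never-true condition to skip the unit when the root is NFS, but nothing in the hunk says so. The sentinel also lives in a world-writable directory, so whether the unit runs depends on a path any local user can create. I would add a comment such as `# never-true condition: skip remounting / when the root filesystem is NFS` and move the sentinel to a root-only location, for example `unitConfig.ConditionPathExists = "/run/systemd-remount-fs-broken";`. Note that `fsType == "nfs"` will not match a root declared as `nfs4`.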
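Review bot: The two literal Tailscale addresses added to `adminClients` in nixos/nfs.nix grant admin-level export access by source address alone. Nothing ties them to the machine named in the `# shanghai.tail:` comment if that node is re-registered or its address is reassigned. The neighbouring `tailClients` line already derives its entries from `cidrForNetwork.tail.all`, so these could be derived from the host's access data too, which would make removing the host remove the grant. What `adminClients` is permitted on the exports (for instance whether root squashing is relaxed) is defined outside the hunk and should be confirmed before the list is widened.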
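Review bot: The former local root is now automounted at `/mnt/root-old` with only `lazytime`, `noatime`, `noauto` and `nofail`, so device nodes and setuid bits left on that disk are still honoured whenever something touches the path. The disk presumably still holds the previous installation's state, so I would mount it defensively: `options = ["x-systemd.automount" "lazytime" "noatime" "noauto" "nofail" "nosuid" "nodev"];`, plus `"ro"` if it is kept only for recovery. A one-line comment saying why the old root is retained would also help whoever decides later whether it can be wiped.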
@@ -1,4 +1,11 @@ -{meta, ...}: { +{ + config, + gensokyo-zone, + meta, + ... +}: let + inherit (gensokyo-zone.lib) domain; +in { imports = let inherit (meta) nixos; in [ @@ -7,5 +14,17 @@ nixos.base ]; + fileSystems = let + inherit (config.gensokyo-zone) netboot; + #nfsHost = netboot.nfs.host; + nfsHost = "nfs.local.${domain}"; + in { + "/mnt/goliath/boot" = { + device = "${nfsHost}:/srv/fs/kyuuto/systems/goliath/boot"; + options = ["sec=sys" "nofail"] ++ netboot.nfs.flags; + fsType = "nfs"; + }; + }; + system.stateVersion = "24.05"; }
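Review bot: The `/mnt/goliath/boot` mount hard-codes `"sec=sys"` instead of reusing the netboot module's setting, so changing `gensokyo-zone.netboot.nfs.security` later would silently leave this mount on AUTH_SYS. I would write `options = ["sec=${netboot.nfs.security}" "nofail"] ++ netboot.nfs.flags;`. The share holds another system's boot files and is mounted writable without integrity protection, so add `"ro"` if gengetsu only needs to read it. The commented-out `#nfsHost = netboot.nfs.host;` beside the hard-coded `"nfs.local.${domain}"` needs a short comment explaining why the DNS name is preferred here, or it should be removed.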