diff --git a/flake.lock b/flake.lock
index 9e2d7676..e267f9ec 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
     "arcexprs": {
       "flake": false,
       "locked": {
-        "lastModified": 1667597026,
-        "narHash": "sha256-XHtUQKU+w+m2/DPVlB8fmUKtSIarv/n0wOGwho/ZuCo=",
+        "lastModified": 1667844584,
+        "narHash": "sha256-YucZC6fUjAldFvCpdjjvp0H8NBIb6xwp4ITecQGG5ZU=",
         "owner": "arcnmx",
         "repo": "nixexprs",
-        "rev": "a00aaa69de023da7f1429a2bd3081b1f5400118b",
+        "rev": "ca2d7f002db8abc6133b19d9f97510364d64a377",
         "type": "github"
       },
       "original": {
@@ -20,11 +20,11 @@
     "ci": {
       "flake": false,
       "locked": {
-        "lastModified": 1667599669,
-        "narHash": "sha256-0/PsJ5UoJ4Xa74vu25xoUO07JxHfK6pLhnjEglsWvFA=",
+        "lastModified": 1667932467,
+        "narHash": "sha256-LjDP5b6YvHOXjqX5JrnsKBtrZ+AOrB5icMeRlONaXto=",
         "owner": "arcnmx",
         "repo": "ci",
-        "rev": "bfb73a0a2f7daeca40f8ee73506b1c5b5b5d53dc",
+        "rev": "e744677fdde8b127cac7d6d6c7869ae1a89dd365",
         "type": "github"
       },
       "original": {
@@ -91,11 +91,11 @@
     "emacs-overlay": {
       "flake": false,
       "locked": {
-        "lastModified": 1667507825,
-        "narHash": "sha256-Tss8NXLO5HIqcY+v+lMy/tcdBKNwKxW5Lb4PkuS5rmY=",
+        "lastModified": 1668107626,
+        "narHash": "sha256-+SqPtgD0fQ/LvYxPH+1I5lR76rAqI67GcjQ1gvwUt6U=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "ccefa5f7ddbb036656d8617ed2862fe057d60fb4",
+        "rev": "a5732835d449b66324efa829e3b8be73be3d505e",
         "type": "github"
       },
       "original": {
@@ -342,11 +342,11 @@
         "ws-butler": "ws-butler"
       },
       "locked": {
-        "lastModified": 1667731647,
-        "narHash": "sha256-E/Y5yxX8u0RlLt07PJoQ+QAYMbbL19WayLU/SJDtnMw=",
+        "lastModified": 1668132183,
+        "narHash": "sha256-oHycAYbl3vU8sHQ4vwjW5SZ4T3x+B6bckSDCMjlRMdk=",
         "owner": "nix-community",
         "repo": "nix-doom-emacs",
-        "rev": "c38ccd08345f58001cac2c2578e71d3f29b59bc0",
+        "rev": "d73237307872f29f2c6492aa81dfc8be0dead7a8",
         "type": "github"
       },
       "original": {
@@ -373,11 +373,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1667629849,
-        "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
+        "lastModified": 1668087632,
+        "narHash": "sha256-T/cUx44aYDuLMFfaiVpMdTjL4kpG7bh0VkN6JEM78/E=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
+        "rev": "5f588eb4a958f1a526ed8da02d6ea1bea0047b9f",
         "type": "github"
       },
       "original": {
@@ -405,11 +405,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1667742561,
-        "narHash": "sha256-lhNo7sk3eqq9SOABZYBECXlP552B1wgsLEGSQkWMM1M=",
+        "lastModified": 1668255064,
+        "narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "8aab177dc76d9b2cffe23720567ad81aaae13052",
+        "rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975",
         "type": "github"
       },
       "original": {
diff --git a/home/shell/zsh.nix b/home/shell/zsh.nix
index ad44082c..39b6a45f 100644
--- a/home/shell/zsh.nix
+++ b/home/shell/zsh.nix
@@ -72,7 +72,7 @@ xdg.configFile."kattheme_immutable.json".text = builtins.toJSON rec {
 			${lib.concatStringsSep "\n" (map (opt: "setopt ${opt}") zshOpts)}
 		bindkey '^ ' autosuggest-accept
     ${if pkgs.hostPlatform.isDarwin then ''
-export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
+    export PATH="''${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 '' else ""
     }
 			'';
diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix
index eeb95a94..58bbfc95 100644
--- a/modules/nixos/network.nix
+++ b/modules/nixos/network.nix
@@ -365,7 +365,11 @@
               mode = "0440";
             }
           ) (filterAttrs (_: settings: settings.create_cert) config.domains);
-          in networks // networks' // domains // domains';
+          in networks // networks' // domains // domains' // {
+            tailscale-key = {
+              text = tf.resources.tailnet_key.refAttr "key";
+            };
+          };
 
     services.nginx.virtualHosts = let
           networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) {
@@ -421,7 +425,7 @@
 
 # otherwise authenticate with tailscale
 # to-do: --advertise-exit-node
-            ${tailscale}/bin/tailscale up -authkey ${tf.resources.tailnet_key.getAttr "key"}
+            ${tailscale}/bin/tailscale up -authkey $(cat ${config.secrets.files.tailscale-key.path})
       '';
     };
   };
diff --git a/nixos/base/system.nix b/nixos/base/system.nix
index 38b173f8..d37e958d 100644
--- a/nixos/base/system.nix
+++ b/nixos/base/system.nix
@@ -6,9 +6,9 @@
   boot.tmpOnTmpfs = true;
   boot.zfs.enableUnstable = mkIf (elem "zfs" config.boot.supportedFilesystems) true;
   boot.kernel.sysctl = {
-    "fs.inotify.max_user_watches" = "524288";
-    "net.core.rmem_max" = "16777216";
-    "net.core.wmem_max" = "16777216";
+    "fs.inotify.max_user_watches" = 524288;
+    "net.core.rmem_max" = 16777216;
+    "net.core.wmem_max" = 16777216;
     "net.ipv4.tcp_rmem" = "4096 87380 16777216";
     "net.ipv4.tcp_wmem" = "4096 65536 16777216";
     "net.ipv4.ip_forward" = "1";
diff --git a/nixos/gui/nfs.nix b/nixos/gui/nfs.nix
index d9b8cf20..07bb3bcf 100644
--- a/nixos/gui/nfs.nix
+++ b/nixos/gui/nfs.nix
@@ -3,13 +3,13 @@
 {
   boot.supportedFilesystems = [ "nfs" ];
 
-  /*
+
   fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
-    device = "${meta.network.nodes.nixos.yukari.network.addresses.w.domain}:/mnt/zraw/media";
+    device = "yukari.inskip.me:/mnt/zraw/media";
     fsType = "nfs";
     options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
     };
-
+/*
     fileSystems."/mnt/hex-corn" = {
     device = "storah.net.lilwit.ch:/data/cornbox";
     fsType = "nfs";
diff --git a/nixos/systems/tewi/nixos.nix b/nixos/systems/tewi/nixos.nix
index daeb8813..f508200d 100644
--- a/nixos/systems/tewi/nixos.nix
+++ b/nixos/systems/tewi/nixos.nix
@@ -1,4 +1,4 @@
-{ meta, config, lib, pkgs, modulesPath, ... }:
+{ meta, tf, config, lib, pkgs, modulesPath, ... }:
 
 {
   imports = with meta; [
@@ -14,6 +14,7 @@
     ./mosquitto.nix
     ./postgres.nix
     ./nginx.nix
+    ../../gui/nfs.nix
   ];
 
   services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}";
@@ -51,6 +52,25 @@
     kernelModules = [ "kvm-intel" ];
   };
 
+  services.openiscsi = {
+    enable = true;
+    name = "";
+    discoverPortal = "shanghai.tail.cutie.moe";
+  };
+
+  environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce {
+    source = config.secrets.files.openscsi-config.path;
+  };
+
+  secrets.variables.openscsi-password = {
+    path = "gensokyo/tewi-scsi";
+    field = "password";
+  };
+
+  secrets.files.openscsi-config = {
+    text = "InitiatorName=${tf.variables.openscsi-password.ref}";
+  };
+
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
diff --git a/tf b/tf
index fcebdcb3..2fa40722 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit fcebdcb305933c80bd9f8ed3bc8f9713577f2bf3
+Subproject commit 2fa407225d8e91c4dba36ac53ab75d56188c30cf