diff --git a/flake.nix b/flake.nix
index cecc4c2..72439fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -210,8 +210,23 @@
       };
     };
-    modifications = final: prev: {
-      final.helix = helix.outputs.packages.${prev.system}.helix;
+    modifications = final: prev: rec {
+      helix = helix.outputs.packages.${prev.system}.helix;
+      final.helix = helix;
+      # TODO: would love to use a current wezterm build so I can make use of ssh/mux functionality without breakage
+      # source: https://github.com/wez/wezterm/issues/3771
+      # wezterm = prev.wezterm.overrideAttrs rec {
+      #   version = "56a27e93a9ee50aab50ff4d78308f9b3154b5122";
+      #   src = prev.fetchFromGitHub {
+      #     owner = "wez";
+      #     repo = "wezterm";
+      #     rev = version;
+      #     fetchSubmodules = true;
+      #     hash = "sha256-zl0Me24ncrpXUCvkQHlbgUucf0zrkhFFI242wsSQKLw=";
+      #   };
+      #   cargoLockFile = null;
+      #   cargoHash = "";
+      # };
     };
     unstable-packages = final: _prev: {
@@ -407,7 +422,7 @@
         cargo
         firefox-no-tabs
         linux-desktop-environment-config
-        slippi.homeManagerModules.default
+        # slippi.homeManagerModules.default
       ];
     };
 }
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1d64f83..62c9a22 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -250,7 +250,7 @@
       "https://cache.nixos.org/"
       "https://helix.cachix.org"
       "https://nix-community.cachix.org"
-      # "https://nix.h.lyte.dev"
+      "https://nix.h.lyte.dev"
       "https://hyprland.cachix.org"
     ];
     trusted-public-keys = [
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 0583aea..9c8b3cd 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -447,7 +447,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
   users.groups.daniel.members = ["daniel"];
   users.groups.nixadmin.members = ["daniel"];
   users.users.daniel = {
-    packages = [pkgs.weechat];
     extraGroups = [
       "nixadmin" # write access to /etc/nixos/ files
       "wheel" # sudo access
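Review bot: `rec { helix = helix.outputs.packages.${prev.system}.helix; ... }` makes the right-hand `helix` resolve to the attribute being defined rather than to the flake input, so evaluating this overlay recurses infinitely. Dropping `rec` restores the reference to the outer input: `modifications = final: prev: { helix = helix.outputs.packages.${prev.system}.helix; };`, which also gives the overlay the top-level `helix` attribute the old `final.helix` assignment seems to have intended. `final.helix = helix;` defines a nested attribute literally named `final` on the package set rather than overriding anything, so it can go; if the self-reference is wanted for readability, a `let helixPkg = ...; in { helix = helixPkg; }` does it without `rec`.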
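Review bot: Uncommenting `"https://nix.h.lyte.dev"` as a substituter only takes effect if that cache's signing key is in the `trusted-public-keys` list that begins on the hunk's last line; without it, paths from the cache are rejected and the other caches are used, which is the safe failure mode. Any key in that list can supply any store path to every host built from this module, so the private signing key on nix.h.lyte.dev deserves the same protection as a root credential, and the `https://` scheme here is what protects the cache traffic from tampering in transit. The list contents are outside the hunk, so this may already be covered; a comment such as `# self-hosted cache, key listed in trusted-public-keys below` would make the pairing explicit.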
@@ -778,6 +777,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
       gitMinimal
       gnused
       nodejs
+      gnutar # needed for cache action
       wget
     ];
   };
@@ -999,6 +999,46 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
         26966
       ];
     }
+    {
+      # kanidm
+      services.kanidm = {
+        enableClient = true;
+        enablePam = true;
+        enableServer = true;
+
+        serverSettings = {
+          bindaddress = "[::]:8443";
+          # ldapbindaddress
+          # TODO: these will need permissions?
+          tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.crt";
+          tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.key";
+          domain = "idm.h.lyte.dev";
+          origin = "https://idm.h.lyte.dev";
+          # log_level
+
+          online_backup = {
+            path = "/storage/kanidm/backups/";
+            schedule = "00 22 * * *";
+            # versions = 7;
+          };
+        };
+
+        unixSettings = {
+          uri = "https://idm.h.lyte.dev";
+          pam_allowed_login_groups = [];
+          # ca_path = "/path/to/ca.pem";
+        };
+
+        clientSettings = {
+          uri = "https://idm.h.lyte.dev";
+          # ca_path = "/tmp/cert.pem";
+        };
+      };
+
+      services.caddy.virtualHosts."idm.h.lyte.dev" = {
+        extraConfig = ''reverse_proxy :8443'';
+      };
+    }
   ];
   # TODO: non-root processes and services that access secrets need to be part of
diff --git a/nixos/router.nix b/nixos/router.nix
index 1931dad..f1c7cd1 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -46,6 +46,7 @@
       additionalHosts = [
         ".beefcake.lan"
         "nix.h.lyte.dev"
+        "idm.h.lyte.dev"
         "git.lyte.dev"
         "video.lyte.dev"
         "a.lyte.dev"
diff --git a/safe-remote-upgrade.bash b/safe-remote-upgrade.bash
index d620fe6..530ca3d 100755
--- a/safe-remote-upgrade.bash
+++ b/safe-remote-upgrade.bash
@@ -30,9 +30,9 @@ git add -A
 ssh "root@$target_host" "bash -c '
   set -m
-  # sleep 5 mins
+  # sleep 15 mins
   echo \"Starting background reboot job...\"
-  (sleep 300; reboot;) &
+  (sleep 900; reboot;) &
   jobs -p
   disown
 '" &
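Review bot: `bindaddress = "[::]:8443"` exposes the kanidm listener on every interface even though the only client shown is the Caddy virtual host proxying on the same machine; binding to loopback, `bindaddress = "[::1]:8443";`, keeps the Caddy host (and the router's allow-listing of idm.h.lyte.dev) as the single entry point. As written, `reverse_proxy :8443` speaks plain HTTP to a port that kanidm, given `tls_chain`/`tls_key`, serves over TLS, so the upstream should be `https://localhost:8443` with a `transport http { tls_server_name idm.h.lyte.dev }` block so Caddy validates the certificate it is handed. The `TODO: these will need permissions?` is the right concern: reading Caddy's ACME private key out of `/var/lib/caddy/...` means either widening that key's permissions to the kanidm user or the service failing at start, and issuing kanidm its own certificate (e.g. `security.acme` with the kanidm user in the certificate's group) avoids sharing Caddy's key at all. `pam_allowed_login_groups = []` means no account can log in through PAM yet, which is a sound fail-closed default while this is set up, and `/storage/kanidm/backups/` will hold the full identity database, so its ownership and mode should match the kanidm data directory.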
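Review bot: The reboot delay now lives in two places, the comment `# sleep 15 mins` and `(sleep 900; reboot;) &`, and this is the second time both had to be edited together; a local variable keeps them in sync, `reboot_delay=900` before the ssh call and `(sleep $reboot_delay; reboot;) &` inside it, since the command string is double-quoted and `$reboot_delay` expands on the local side exactly as `$target_host` does. A longer window also means a failed upgrade leaves the host running its new generation for 15 minutes before the fallback reboot; presumably the job is cancelled once the upgrade succeeds, but that code is outside the hunk, so confirm it still fires within the new window.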
diff --git a/templates/rust/flake.nix b/templates/rust/flake.nix
index f7c6efa..d1b1f18 100644
--- a/templates/rust/flake.nix
+++ b/templates/rust/flake.nix
@@ -52,6 +52,8 @@
           src = ./.;
           hash = pkgs.lib.fakeHash;
           cargoHash = "sha256-W7VQlMktGsRPQL9VGVmxYV6C5u2eJ48S7eTpOM+3n8U=";
+
+          RUSTFLAGS = pkgs.lib.optionalString pkgs.stdenv.isLinux "-C link-arg=-fuse-ld=mold";
         };
         default = outputs.packages.${pkgs.system}.my-package;
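Review bot: `-C link-arg=-fuse-ld=mold` only works if the mold linker is on the build's PATH, and the hunk does not add `pkgs.mold` to the derivation's `nativeBuildInputs`; if that is not done elsewhere in the attrset (its start is outside the hunk), every Linux build of the template fails at link time. `cargoHash` covers the vendored sources rather than compilation flags, so it stays valid after this change. A short comment such as `# requires pkgs.mold in nativeBuildInputs` next to the new line would spare the next template user a confusing linker error.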