diff --git a/flake.nix b/flake.nix
index 4af8705..e8700a4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -208,7 +208,7 @@
 { ... }:
 {
 deployment = {
- targetHost = "raspite.local";
+ targetHost = "raspite.coho-tet.ts.net";
 buildOnTarget = false;
 };
 nixpkgs.system = "aarch64-linux";
diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix
index 049e67e..234d0e9 100644
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@@ -8,7 +8,10 @@
 {
 imports = [ ./hass.nix ];
- commonSettings.nix.enableMirrors = true;
+ commonSettings = {
+ nix.enableMirrors = true;
+ auth.enable = true;
+ };
 nixpkgs.overlays = [
 # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
@@ -33,25 +36,15 @@
 # boot.kernelPackages = pkgs.linuxPackages_stable;
- custom.kanidm-client = {
- enable = true;
- uri = "https://auth.xinyang.life";
- asSSHAuth = {
- enable = true;
- allowedGroups = [ "linux_users" ];
- hardening = true;
- };
- sudoers = [ "xin@auth.xinyang.life" ];
- };
-
- security.sudo = {
- execWheelOnly = true;
- wheelNeedsPassword = false;
- };
-
 # fileSystems."/".fsType = lib.mkForce "btrfs";
 boot.supportedFilesystems.zfs = lib.mkForce false;
- services.dae.enable = false;
+ services.dae.enable = true;
 services.dae.configFile = "/var/lib/dae/config.dae";
+
+ services.tailscale = {
+ enable = true;
+ permitCertUid = config.services.caddy.user;
+ openFirewall = true;
+ };
 }
diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix
index 68d161b..f7b682e 100644
--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
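Review bot: The removed `custom.kanidm-client` block carried the SSH restrictions `allowedGroups = [ "linux_users" ]` and `hardening = true`, an explicit `sudoers` list, and `security.sudo.execWheelOnly = true`; their replacement, `commonSettings.auth.enable = true` in the earlier hunk, is defined outside this diff, so whether any of those constraints survive cannot be confirmed here. If `commonSettings.auth` does not reproduce them, this hunk widens who can log in to and sudo on the host; either confirm that it does or keep the narrow settings alongside it, e.g. `security.sudo.execWheelOnly = true;`. Note also that `services.tailscale.openFirewall = true` only opens tailscaled's own UDP port and does not make `tailscale0` a trusted interface, so whatever Caddy binds for `raspite.coho-tet.ts.net` still has to be opened separately (or `networking.firewall.trustedInterfaces = [ "tailscale0" ];` if the whole tailnet is trusted). A one-line comment above the tailscale block recording which of these is intended, e.g. `# Reached over the tailnet only; Caddy's port is opened for tailscale0 elsewhere`, would save the next reader the same check.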
@@ -2,22 +2,21 @@
 {
 services.home-assistant = {
 enable = true;
- extraComponents = [
- "default_config"
- "esphome"
- "met"
- "radio_browser"
- ];
 openFirewall = false;
 config = {
 default_config = { };
 http = {
- server_host = "::1";
- base_url = "raspite.local:1000";
- use_x_forward_for = true;
- trusted_proxies = [ "::1" ];
+ server_host = "127.0.0.1";
+ use_x_forwarded_for = true;
+ trusted_proxies = [ "127.0.0.1" ];
 };
 };
+ extraPackages =
+ python3Packages: with python3Packages; [
+ # speed up aiohttp
+ isal
+ zlib-ng
+ ];
 };
 services.esphome = {
@@ -27,23 +26,28 @@
 users.groups.dialout.members = config.users.groups.wheel.members;
- environment.systemPackages = with pkgs; [ zigbee2mqtt ];
+ services.mosquitto = {
+ enable = true;
+ };
- networking.firewall.allowedTCPPorts = [
- 1000
- 1001
- ];
+ services.zigbee2mqtt = {
+ enable = true;
+ settings = {
+ home-assistant = config.services.home-assistant.enable;
+ permit_join = true;
+ serial = {
+ port = "/dev/ttyUSB0";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 ];
 services.caddy = {
 enable = true;
 virtualHosts = {
- # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
- "raspite.local:1000".extraConfig = ''
- reverse_proxy http://[::1]:8123
- '';
-
- "raspite.local:1001".extraConfig = ''
- reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
+ "raspite.coho-tet.ts.net".extraConfig = ''
+ reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
 '';
 };
 };
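Review bot: `permit_join = true` in the new `services.zigbee2mqtt.settings` leaves the Zigbee network permanently open to new devices, so anything in radio range can pair with the coordinator at any time; joining should be off by default and enabled only for the minutes needed to add a device (from the frontend or via MQTT), i.e. `permit_join = false;`. Separately, `networking.firewall.allowedTCPPorts = [ 8443 ]` opens a port that nothing in this file listens on: the new Caddy vhost `raspite.coho-tet.ts.net` carries no explicit port, so Caddy will bind 443 (and 80 for the redirect) unless an 8443 listener is configured elsewhere, in which case a comment naming it would help, and otherwise the line should name the port Caddy actually uses or be dropped. The new `services.mosquitto` block sets no listener or authentication, so what the broker binds to depends on module defaults not visible here; it is worth confirming it is loopback-only before zigbee2mqtt and Home Assistant rely on it.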