diff --git a/Makefile b/Makefile
index f4bb098..8482ac0 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,10 @@ ifeq ($(IP),)
 endif
 ifeq ($(HOST),)
 $(error HOST not set)
+endif
+ifneq ($(shell git diff),)
+ git add .
+ git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`"
 endif
 rsync -azr ./ crown@$(IP):~/flake-config
 ssh crown@$(IP) "sudo nixos-rebuild switch --flake ~/flake-config#$(HOST)"
diff --git a/README.md b/README.md
index 639c747..39094d6 100644
--- a/README.md
+++ b/README.md
@@ -38,3 +38,4 @@ time.
 - [ ] ff sync server
 - [ ] crayon
 - [ ] find a way to make my site deploy declaratively
+ - [ ] use snm flake instead of fetching the tarball
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..16d09e0
--- /dev/null
+++ b/flake.lock
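Review bot: In the Makefile hunk, the new `git add .` stages every untracked file in the working tree, while the guard `$(shell git diff)` only reports unstaged edits to tracked files. A stray plaintext secret or scratch file is therefore committed without review whenever a tracked file has also changed, and a tree whose only changes are already staged is deployed without a commit. I would change the guard to `ifneq ($(shell git status --porcelain --untracked-files=no),)` and the staging to `git add -u`, so new files enter history only when added deliberately. The enclosing rule starts outside the hunk.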
@@ -0,0 +1,142 @@ +{ + "nodes": { + "declarative-jellyfin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1761143269, + "narHash": "sha256-pebbh3IEl8crA9g0fbHeUvNyawAvhO2kNq8klpUWyk0=", + "owner": "Sveske-Juice", + "repo": "declarative-jellyfin", + "rev": "740743deba3de6bc227d9769adb94d4a14a3f25c", + "type": "github" + }, + "original": { + "owner": "Sveske-Juice", + "repo": "declarative-jellyfin", + "type": "github" + } + }, + "nid": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762660502, + "narHash": "sha256-C9F1C31ys0V7mnp4EcDy7L1cLZw/sCTEXqqTtGnvu08=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "15c5451c63f4c612874a43846bfe3fa828b03eee", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1762498405, + "narHash": "sha256-Zg/SCgCaAioc0/SVZQJxuECGPJy+OAeBcGeA5okdYDc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6faeb062ee4cf4f105989d490831713cc5a43ee1", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-25.05", + "type": "indirect" + } + }, + "root": { + "inputs": { + "declarative-jellyfin": "declarative-jellyfin", + "nid": "nid", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix", + "unstable": "unstable" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762659808, + "narHash": "sha256-2Kv2mANf+FRisqhpfeZ8j9firBxb23ZvEXwdcunbpGI=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "524312bc62e3f34bd9231a2f66622663d3355133", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": 
"default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "declarative-jellyfin", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "unstable": { + "locked": { + "lastModified": 1762596750, + "narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/hosts/crayon/git.nix b/hosts/crayon/git.nix
index ef05b6d..d020b9a 100644
--- a/hosts/crayon/git.nix
+++ b/hosts/crayon/git.nix
@@ -27,6 +27,10 @@ in {
 REGISTER_MANUAL_CONFIRM = true; # all new users must be approved by me
 };
 ui.DEFAULT_THEME = "gitea-dark";
+ repository = {
+ DEFAULT_PUSH_CREATE_PRIVATE = false;
+ ENABLE_PUSH_CREATE_USER = true;
+ };
 };
 };
 }
diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix
new file mode 100644
index 0000000..9d13305
--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,3 @@
+{
+ services.fail2ban.enable = true;
+}
diff --git a/modules/os.nix b/modules/os.nix
index c1d5a86..5b49310 100644
--- a/modules/os.nix
+++ b/modules/os.nix
@@ -9,6 +9,7 @@
 dates = "weekly";
 automatic = true;
 randomizedDelaySec = "45min";
+ options = "--delete-older-than 30d";
 };
 };
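Review bot: In hosts/crayon/git.nix the new `repository` block sets `DEFAULT_PUSH_CREATE_PRIVATE = false` together with `ENABLE_PUSH_CREATE_USER = true`, so any push to a path that does not exist yet under a user's namespace creates a public repository. A mistyped remote URL or a push of a private working copy would then be readable by anyone who can browse the instance, unless sign-in is required to view, which this hunk does not show. I would keep the safer value, `DEFAULT_PUSH_CREATE_PRIVATE = true;`, and make individual repositories public deliberately, or at least add a comment saying public-by-default is intended. The enclosing settings attribute set starts outside the hunk.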
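Review bot: modules/fail2ban.nix turns the service on with no further settings, so the jail set and ban policy are whatever the NixOS module defaults to, which as far as I know is only an sshd jail. That would leave the Gitea login configured in hosts/crayon/git.nix uncovered. It also gives the machine that deploys over ssh (the Makefile connects as `crown`) no exemption, so a few failed logins from it could block deploys. Consider adding `services.fail2ban.ignoreIP = [ "<admin-network-cidr>" ];` (placeholder value) and a short comment naming the services this module is expected to protect.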