diff --git a/lxc-ergo.nix b/lxc-ergo.nix index 6e98ca7..1b35a9a 100644 --- a/lxc-ergo.nix +++ b/lxc-ergo.nix @@ -21,7 +21,7 @@ networking.firewall.trustedInterfaces = [ "br-+" ]; networking.firewall.allowedTCPPorts = [ - 6667 + 8067 6697 443 80 @@ -45,24 +45,23 @@ virtualHosts."irc.dukeceph.xyz" = { addSSL = true; enableACME = true; - locations."/webirc" = { - proxyPass = "http://unix:/run/ergo/websocket"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 10m; - ''; - }; + root = "/var/www/html"; + locations."/webirc".extraConfig = '' + proxy_pass http://127.0.0.1:8067; + proxy_read_timeout 600s; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; - users.groups."ergo" = {}; + users.groups."ergo" = { }; users.users."ergo" = { - group = "ergo"; - isSystemUser = true; + group = "ergo"; + isSystemUser = true; }; services.ergochat = { 
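Review bot: Opening 8067 in `networking.firewall.allowedTCPPorts` exposes the plaintext WebSocket listener directly, although the only consumer visible in this commit is nginx on the same host (`proxy_pass http://127.0.0.1:8067`) and the Caddy route to `192.168.0.8:8067` is removed in vm-homelab.nix. The listener added in the `@@ -85,34 +84,41 @@` hunk is declared as `":8067"`, which binds every interface, so clients could reach it without TLS and without passing through nginx. Unless something outside this diff needs the port, drop `8067` from the firewall list and declare the listener as `"127.0.0.1:8067"`. The port list continues past the end of this hunk.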
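Review bot: The `proxy_set_header X-Forwarded-For $remote_addr;` line in `locations."/webirc"` only helps if Ergo trusts the proxy's address, and nothing in this diff shows `proxy-allowed-from` being set. Now that nginx connects over loopback TCP instead of the unix socket, Ergo would otherwise attribute every web client to 127.0.0.1, so per-IP connection limits and bans would apply to all of them at once. Confirm the settings contain `server.proxy-allowed-from = [ "localhost" ];` or an equivalent loopback entry. If requests still arrive through the Caddy `reverse_proxy 192.168.0.8` entry kept in vm-homelab.nix, `$remote_addr` is presumably Caddy's address rather than the client's, which deserves a comment next to the header.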
@@ -85,34 +84,41 @@ key = "/etc/letsencrypt/live/irc.dukeceph.xyz/privkey.pem"; }; }; + ":8067" = { + websocket = true; + }; }; + secure-nets = [ + "127.0.0.0/24" + "192.168.0.0/24" + ]; }; oper-classes = { chat-moderator = { title = "Chat Moderator"; capabilities = [ - "kill" # disconnect user sessions - "ban" # ban IPs, CIDRs, NUH masks, and suspend accounts (UBAN / DLINE / KLINE) + "kill" # disconnect user sessions + "ban" # ban IPs, CIDRs, NUH masks, and suspend accounts (UBAN / DLINE / KLINE) "nofakelag" # exempted from "fakelag" restrictions on rate of message sending - "relaymsg" # use RELAYMSG in any channel (see the `relaymsg` config block) - "vhosts" # add and remove vhosts from users - "sajoin" # join arbitrary channels, including private channels - "samode" # modify arbitrary channel and user modes - "snomasks" # subscribe to arbitrary server notice masks - "roleplay" # use the (deprecated) roleplay commands in any channel + "relaymsg" # use RELAYMSG in any channel (see the `relaymsg` config block) + "vhosts" # add and remove vhosts from users + "sajoin" # join arbitrary channels, including private channels + "samode" # modify arbitrary channel and user modes + "snomasks" # subscribe to arbitrary server notice masks + "roleplay" # use the (deprecated) roleplay commands in any channel ]; }; server-admin = { title = "Server Admin"; extends = "chat-moderator"; capabilities = [ - "rehash" # rehash the server, i.e. reload the config at runtime - "accreg" # modify arbitrary account registrations - "chanreg" # modify arbitrary channel registrations - "history" # modify or delete history messages - "defcon" # use the DEFCON command (restrict server capabilities) - "massmessage" # message all users on the server - "metadata" # modify arbitrary metadata on channels and users + "rehash" # rehash the server, i.e. 
reload the config at runtime + "accreg" # modify arbitrary account registrations + "chanreg" # modify arbitrary channel registrations + "history" # modify or delete history messages + "defcon" # use the DEFCON command (restrict server capabilities) + "massmessage" # message all users on the server + "metadata" # modify arbitrary metadata on channels and users ]; }; }; @@ -128,5 +134,6 @@ systemd.services.ergochat.serviceConfig.DynamicUser = lib.mkForce false; systemd.services.ergochat.serviceConfig.User = "ergo"; systemd.services.ergochat.serviceConfig.Group = "ergo"; + systemd.services.ergochat.restartIfChanged = false; }; } diff --git a/vm-homelab.nix b/vm-homelab.nix index 2de8bc4..b76e5ee 100644 --- a/vm-homelab.nix +++ b/vm-homelab.nix @@ -26,10 +26,6 @@ in services.caddy = { enable = true; virtualHosts = { - "dukeceph.xyz".extraConfig = '' - root * /mnt/nfs/public - file_server browse - ''; "feed.rperce.net".extraConfig = '' reverse_proxy http://192.168.0.5:8080 ''; @@ -77,9 +73,6 @@ in "irc.dukeceph.xyz".extraConfig = '' reverse_proxy 192.168.0.8 ''; - "irc.dukeceph.xyz/webirc".extraConfig = '' - reverse_proxy 192.168.0.8:8067 - ''; }; };
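Review bot: `secure-nets` makes Ergo treat plaintext connections from the listed ranges as secure, and `"192.168.0.0/24"` extends that to the whole LAN, so a client reaching the new unencrypted `":8067"` listener from any LAN host would be handled as if it had used TLS. `"127.0.0.0/24"` also covers only part of the loopback range; if loopback needs listing at all, the conventional form is `"127.0.0.0/8"`. If the LAN entry exists only so that the Caddy front end counts as secure, list that single host instead and add a comment such as `# plaintext connections from these nets are treated as secure; keep the list minimal`. The rest of this hunk is whitespace alignment of the capability comments.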
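Review bot: `systemd.services.ergochat.restartIfChanged = false;` needs a comment stating the trade-off, because after a rebuild the already-running ergochat process is left in place. Package updates (including security fixes) and the listener and `secure-nets` changes in this same commit may therefore not be live until someone restarts or rehashes the service by hand. Suggested comment: `# keep IRC sessions across nixos-rebuild; restart ergochat manually after package or listener changes`. The enclosing module block starts outside the hunk.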