diff --git a/flake.lock b/flake.lock index 88c5383..18ba42e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1746413188, - "narHash": "sha256-i6BoiQP0PasExESQHszC0reQHfO6D4aI2GzOwZMOI20=", + "lastModified": 1748737919, + "narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "8a318641ac13d3bc0a53651feaee9560f9b2d89a", + "rev": "5675a9686851d9626560052a032c4e14e533c1fa", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746328495, - "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", + "lastModified": 1748460289, + "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", + "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102", "type": "github" }, "original": { diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index 4876a16..c48d659 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -# New TODO: +# New TODO: # - investigate tmux-session-wizard, and tpm # - see if zoxide can import .z file (from z.sh) # - so far, have added aliases and bashrc directly, along with bin folder and ssh setup. @@ -17,7 +17,7 @@ inputs.home-manager.nixosModules.default ./main-user.nix ]; - + boot.initrd.luks.devices."nvme2n1p2_oldcrypt".device = "/dev/disk/by-uuid/44235dca-99e8-4ea8-9516-97d9f5a2d702"; boot.initrd.luks.devices."altssd".device = "/dev/disk/by-partuuid/c0500656-1527-a84d-82f0-8ad764dddc92"; @@ -47,7 +47,7 @@ { device = "/dev/disk/by-partuuid/8a735e2c-01"; fsType = "ext4"; }; - + # Add flakes nix.settings.experimental-features = [ "nix-command" "flakes" ]; 
@@ -55,13 +55,13 @@ # Temporarily pin to 6.12 to fix llvm/rocm build # https://github.com/NixOS/nixpkgs/issues/368672#issuecomment-2608697421 # boot.kernelPackages = pkgs.linuxPackages_6_12; - boot.kernelPackages = pkgs.linuxPackages_zen; + # boot.kernelPackages = pkgs.linuxPackages_zen; # nct6775 - for monitoring functions on ASUS ROG STRIX B550-F GAMING WIFI II # kvm-amd - AMD virtualization support boot.kernelModules = [ "kvm-amd" "nct6775" ]; # Direct patching for enabling for async reprojection (for SteamVR) on AMD - #boot.kernelPatches = [ + # boot.kernelPatches = [ # { # name = "amdgpu-ignore-ctx-privileges"; # patch = pkgs.fetchpatch { @@ -70,7 +70,7 @@ # hash = "sha256-Y3a0+x2xvHsfLax/uwycdJf3xLxvVfkfDVqjkxNaYEo="; # }; # } - #]; + # ]; services.fwupd.enable = true; services.hardware.openrgb.enable = true; @@ -174,7 +174,7 @@ "wolcen" = import ./home.nix; }; }; - + # Install firefox. programs.firefox.enable = true; @@ -195,6 +195,11 @@ # if packets are still dropped, they will show up in dmesg logReversePathDrops = true; checkReversePath = "loose"; + extraCommands = '' + # Enable connections to Ollama for VPN users: + iptables -t filter -I INPUT --protocol TCP --source 10.40.4.2/32 --destination 10.40.4.2 --dport 11434 -j ACCEPT + iptables -t filter -I INPUT --protocol TCP --source 10.0.7.0/24 --destination 10.40.4.2 --dport 11434 -j ACCEPT + ''; # wireguard trips rpfilter up #extraCommands = '' # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN @@ -257,7 +262,7 @@ pigz # muti-treaded replacement for gzip unzip # old standard zip handler rpi-imager # rasbperry pi os burner util - screenkey # broadcast key presses + # screenkey # broadcast key presses superfile # cli file manager mpv # movie player #obs-studio # open broadcast studio 
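Review bot: The two rules added in `extraCommands` (hunk `@@ -195,6 +195,11 @@`) go into the built-in `INPUT` chain with no matching `extraStopCommands`, so a firewall reload will likely insert another copy each time and a stop leaves them in place. Inserting into the NixOS-managed chain lets the firewall flush them itself, e.g. `iptables -I nixos-fw -i <vpn-interface> -p tcp -s 10.0.7.0/24 -d 10.40.4.2 --dport 11434 -j nixos-fw-accept`, where `<vpn-interface>` is a placeholder. Neither rule names an input interface, and with `checkReversePath = "loose"` a packet claiming a 10.0.7.0/24 source is not tied to the VPN link, so pinning `-i` narrows who can reach the Ollama API, which has no authentication of its own. The first rule (source and destination both 10.40.4.2) looks redundant, since host-local traffic normally arrives on `lo`, which the NixOS firewall already accepts. If it is meant for a container, the source would presumably be the container bridge address, which is worth confirming; the enclosing firewall attribute set starts outside the hunk.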
@@ -341,7 +346,7 @@ services.openssh.settings.LogLevel = "VERBOSE"; # required for fail2ban to work properly services.fail2ban.enable = true; # by default, the SSH jail enabled # Enable mobile shell (for roaming, intermittent connectivity, etc) - programs.mosh.enable = true; + # programs.mosh.enable = true; # Enable remote desktop access via rustdesk #services.rustdesk-server.enable = false; #services.rustdesk-server.openFirewall = false; @@ -375,6 +380,7 @@ #environmentVariables = { # HCC_AMDGPU_TARGET = "gfx1031"; # used to be necessary, but doesn't seem to anymore #}; + host = "10.40.4.2"; # See also ip46tables update in firewall extracommands rocmOverrideGfx = "10.3.0"; }; system.activationScripts = { @@ -395,8 +401,8 @@ environment = { "TZ" = "America/New York"; - "OLLAMA_API_BASE_URL" = "http://127.0.0.1:11434/api"; - "OLLAMA_BASE_URL" = "http://127.0.0.1:11434"; + "OLLAMA_API_BASE_URL" = "http://10.40.4.2:11434/api"; + "OLLAMA_BASE_URL" = "http://10.40.4.2:11434"; "WEBUI_URL" = "http://127.0.0.1:8080/"; }; diff --git a/hosts/default/main-user.nix b/hosts/default/main-user.nix index d860345..2c4ad3f 100644 --- a/hosts/default/main-user.nix +++ b/hosts/default/main-user.nix @@ -1,6 +1,6 @@ { lib, config, pkgs, ... }: -let +let cfg = config.main-user; # Create a customized version of logseq # logseq-patch = pkgs.logseq.override { 
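Review bot: `host = "10.40.4.2";` (hunk `@@ -375,6 +380,7 @@`) makes Ollama listen on a routable address, and its HTTP API has no built-in authentication, so the firewall rules for port 11434 become the only access control. A comment next to the setting should say so, e.g. `# API is unauthenticated: reachability is limited only by the firewall rules for port 11434`. The trailing comment refers to `ip46tables`, but the rules added in this commit use `iptables`, so the two should name the same command. The address is repeated in `OLLAMA_API_BASE_URL` and `OLLAMA_BASE_URL` (hunk `@@ -395,8 +401,8 @@`) and in both firewall rules, so a single `let` binding would keep them from drifting apart. Binding to a VPN address presumably also needs that address to exist when the service starts, so the unit ordering is worth confirming; both enclosing attribute sets start outside their hunks.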
@@ -28,35 +28,38 @@ in packages = with pkgs; [ #kdePackages.kate # ... why did I add this? mkcert + prismlauncher # minecraft launcher/manager thunderbird # email client keepassxc # passwords! macchina # like *fetch - display basics z-lua # jump around directories (be careful with same-named ones!) logseq # logs in sequence note keeping signal-desktop-bin # messaging - ddev # local docker dev awesome + ddev # local docker dev awesomeness vscodium # vs code editor, but free #yubikey-manager-qt # yubi key mgmgt - more needed yubioath-flutter # replacement manager for deprecated manager-qt #pavucontrol # pulse audio vol control # go to 2.17 when no more servers w/python issues (elizabeth) - ansible_2_16 # deployment/automation + # ansible_2_16 # deployment/automation - removed, use docker! #python311Full # troubleshooting ansible things. #python311Packages.ansible # php added for ansible composer build temporarily # switch to an ansible build environment instead. - php81 - php81Packages.composer - php81Extensions.zip - php81Extensions.xml - php81Extensions.dom - php81Extensions.bz2 - #php81Extensions.yaml - php81Extensions.zlib - php81Extensions.zstd - php81Extensions.intl - php81Extensions.curl - php81Extensions.posix + + # compose didn't work anyway...shut it down! + # php81 + # php81Packages.composer + # php81Extensions.zip + # php81Extensions.xml + # php81Extensions.dom + # php81Extensions.bz2 + # #php81Extensions.yaml + # php81Extensions.zlib + # php81Extensions.zstd + # php81Extensions.intl + # php81Extensions.curl + # php81Extensions.posix ]; shell = pkgs.zsh; };