diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix
index df732f5..8ff2a38 100644
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@@ -4,11 +4,9 @@ in {
   microvm.mem = 1024 * 16;
   microvm.vcpu = 20;
 
-  wireguard.proxy-home = {
-    client.via = "ward";
-    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
-      config.services.open-webui.port
-    ];
+  wireguard.proxy-sentinel = {
+    client.via = "sentinel";
+    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.open-webui.port];
   };
 
   networking.firewall.allowedTCPPorts = [config.services.ollama.port];
@@ -42,7 +40,7 @@ in {
       WEBUI_AUTH = "False";
       ENABLE_SIGNUP = "False";
 
-      OLLAMA_BASE_URL = "http://localhgost:11434";
+      OLLAMA_BASE_URL = "http://localhost:11434";
       TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
 
       WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
@@ -65,7 +63,7 @@ in {
         oauth2 = {
           enable = true;
           allowedGroups = ["access_openwebui"];
-          X-Email = "\${upstream_http_x_auth_request_email}@local";
+          X-Email = "\${upstream_http_x_auth_request_email}@${config.repo.secrets.global.domains.personal}";
         };
         # FIXME: refer to lan 192.168... and fd10:: via globals
         extraConfig = ''
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index d2a7955..1c4d2f1 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -92,7 +92,6 @@ in {
           globals.services.influxdb.domain
           globals.services.loki.domain
           globals.services.paperless.domain
-          globals.services.open-webui.domain
           "home.${config.repo.secrets.global.domains.me}"
           "fritzbox.${config.repo.secrets.global.domains.me}"
         ];
diff --git a/secrets/rekeyed/sentinel/4cff83edc1d2b2ca516f8cb63fb06782-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age b/secrets/rekeyed/sentinel/4cff83edc1d2b2ca516f8cb63fb06782-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age
new file mode 100644
index 0000000..dc35959
--- /dev/null
+++ b/secrets/rekeyed/sentinel/4cff83edc1d2b2ca516f8cb63fb06782-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA dgbLVhH6YDLeLmrOOasvIhuknfgfLOS+akmDka/tlC0
+Xjire4VON0/X6hdkBlGE0ithtaE5R+nV/O+wF7QHgrw
+-> rM_"d!6-grease ( Lrm6}R$' p-;N
+Wz7nuz35agyIS+Br7snkV3nmUAYT3bgwPTZTHBDHXeAwfvNSdaPovC9o8jNNrhuM
+zdPqY5p9E3ytlaosQ8Tqwff/GrrGb9TUUQ
+--- NgSDbER4QRFN2lbic7IuZKrcvi1ffJBuQrgcut6fsDc
+Â¨)`S9w˜˜Œ8ÛgJÃsvÐiâilî§Ïƒ	
+aŠÜ&©ãlª‚ßm*ÓÚ¶³$\“EÚÑ´ÇÁ?»ó72)Ñ¹*åòø˜9W
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ai/89b98207bb1577a81049b4ce319739bf-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age b/secrets/rekeyed/sire-ai/89b98207bb1577a81049b4ce319739bf-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age
new file mode 100644
index 0000000..898d615
--- /dev/null
+++ b/secrets/rekeyed/sire-ai/89b98207bb1577a81049b4ce319739bf-wireguard-proxy-sentinel-psks-sentinel+sire-ai.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 vhmDsA KWeO3Be+gkSPD9LfWvmcdlaYDAbFyRN4K7F7EfwqIgg
+cAFnWvJJ/G6dme0dl02J894/qArsqS0beqU+AzwD1+o
+-> #1V}iM=x-grease aa},EP2g
+WqXnjOoLDNOeW4gTnEvipyPvOA2/2PnDjf6vw13ReOlCSCgGYETdFJ5hrWyVhPbG
+zH/NWp8G21UgKUo
+--- EM6RpMXpWmiosw/Plq3LAYBeVMpcs9dsuufL/4buhGk
+eÜ!IÃüDò¼€ÁS b†]õ¹­î}Á”ŽÈj!µýö‹z®üã#{¸ö£ã¿{B@…öVÜƒ“ÉÏÕjUÖŽƒªu¥Nˆ
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ai/9341385afdc96bb54570bceb6808df74-wireguard-proxy-home-psks-sire-ai+ward.age b/secrets/rekeyed/sire-ai/9341385afdc96bb54570bceb6808df74-wireguard-proxy-home-psks-sire-ai+ward.age
deleted file mode 100644
index 5b1f15d..0000000
Binary files a/secrets/rekeyed/sire-ai/9341385afdc96bb54570bceb6808df74-wireguard-proxy-home-psks-sire-ai+ward.age and /dev/null differ
diff --git a/secrets/rekeyed/sire-ai/b106bbbb9f3c987e555b49df7263512d-wireguard-proxy-sentinel-priv-sire-ai.age b/secrets/rekeyed/sire-ai/b106bbbb9f3c987e555b49df7263512d-wireguard-proxy-sentinel-priv-sire-ai.age
new file mode 100644
index 0000000..3ae3d9f
--- /dev/null
+++ b/secrets/rekeyed/sire-ai/b106bbbb9f3c987e555b49df7263512d-wireguard-proxy-sentinel-priv-sire-ai.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 vhmDsA BuD+lFk4AT6HbasiK2B/s548l/084zHr2TVfTOr/HxM
+hrDRQLYsv/2rMbHD7devlax1KPMooNtQXzm8O1L91FU
+-> @*7:rQ}e-grease n2 gUD +it{\z# M!{:.W-)
+HOSZdaDG5UrpLYhL0/w
+--- dzhayN6ZYK73imRCl22mEQlmKZig2RAfbRPECcQkLAg
+‰˜ÒGêgP '´ZÊ›W…à:.à—°Äl‘ž'”:)šä‹×*Z=Ú+!‹½è;ðKVäüæº¯‘=	Yþn)hIcÈS=‡åccÒt
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-ai/b52800d176723e270d8c6f4720913cd2-wireguard-proxy-home-priv-sire-ai.age b/secrets/rekeyed/sire-ai/b52800d176723e270d8c6f4720913cd2-wireguard-proxy-home-priv-sire-ai.age
deleted file mode 100644
index b9eaa35..0000000
Binary files a/secrets/rekeyed/sire-ai/b52800d176723e270d8c6f4720913cd2-wireguard-proxy-home-priv-sire-ai.age and /dev/null differ
diff --git a/secrets/rekeyed/ward/b3ad9024ec69682628580e4dd4d5396b-wireguard-proxy-home-psks-sire-ai+ward.age b/secrets/rekeyed/ward/b3ad9024ec69682628580e4dd4d5396b-wireguard-proxy-home-psks-sire-ai+ward.age
deleted file mode 100644
index 8bc7865..0000000
Binary files a/secrets/rekeyed/ward/b3ad9024ec69682628580e4dd4d5396b-wireguard-proxy-home-psks-sire-ai+ward.age and /dev/null differ