diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix
index 2bef84f..e81acc0 100644
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@@ -351,11 +351,8 @@ in
       ];
     };
-    config.resource.spam-filter = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
-    config.resource.webadmin = builtins.trace "remove when stalwart 0.11" "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
-    # FIXME: 1.11+
-    # spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
-    # webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
+    spam-filter.resource = "file://${config.services.stalwart-mail.package}/etc/stalwart/spamfilter.toml";
+    webadmin.resource = "file://${config.services.stalwart-mail.package.webadmin}/webadmin.zip";
     webadmin.path = "/var/cache/stalwart-mail";
     certificate.default = {
@@ -364,8 +361,8 @@ in
       default = true;
     };
-    lookup.default.hostname = stalwartDomain;
     server = {
+      hostname = stalwartDomain;
       tls = {
         certificate = "default";
         ignore-client-order = true;
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 3ffe7cf..249ee6c 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -28,6 +28,11 @@ in
 {
   age.secrets.firezone-smtp-password.generator.script = "alnum";
+  # NOTE: state: this token is from a manually created service account
+  age.secrets.firezone-relay-token = {
+    rekeyFile = config.node.secretsDir + "/firezone-relay-token.age";
+  };
+
   # Mirror the original oauth2 secret
   age.secrets.firezone-oauth2-client-secret = {
     inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
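Review bot: The new `age.secrets.firezone-relay-token` declaration sets only `rekeyFile`, so the decrypted token keeps the secrets module's default owner and mode; whether the relay unit that consumes `services.firezone.relay.tokenFile` (added in the next hunk) can actually read it depends on how that unit opens the file — if it runs as an unprivileged or dynamic user without a credential-passing mechanism, the token needs an explicit `owner`/`group`/`mode` here, which is worth confirming against the relay module before deploying. The same question applies to `age.secrets.firezone-gateway-token` in `hosts/ward/default.nix`, which is declared identically. The NOTE comment could also say what "state" implies for operations, e.g. `# NOTE: state: this token is from a manually created service account; it is not generated by agenix, so rotating it means issuing a new service-account token and re-encrypting this file`. The enclosing module attribute set starts and ends outside the hunk.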
@@ -137,6 +142,16 @@ in
     web.externalUrl = "https://${firezoneDomain}/";
   };
+  services.firezone.relay = {
+    enable = true;
+    name = "sentinel";
+    apiUrl = "wss://${firezoneDomain}/api/";
+    tokenFile = config.age.secrets.firezone-relay-token.path;
+    publicIpv4 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv4;
+    publicIpv6 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv6;
+    openFirewall = true;
+  };
+
   services.nginx = {
     upstreams.firezone = {
       servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
diff --git a/hosts/sentinel/secrets/firezone-relay-token.age b/hosts/sentinel/secrets/firezone-relay-token.age
new file mode 100644
index 0000000..f8b6943
Binary files /dev/null and b/hosts/sentinel/secrets/firezone-relay-token.age differ
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 30f147f..f5ed3ec 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -58,6 +58,18 @@
     };
   };
+  # NOTE: state: this token is from a manually created service account
+  age.secrets.firezone-gateway-token = {
+    rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
+  };
+
+  services.firezone.gateway = {
+    enable = true;
+    name = "ward";
+    apiUrl = "wss://${globals.services.firezone.domain}/api/";
+    tokenFile = config.age.secrets.firezone-gateway-token.path;
+  };
+
   guests = let
     mkGuest = guestName: {
diff --git a/hosts/ward/secrets/firezone-gateway-token.age b/hosts/ward/secrets/firezone-gateway-token.age
new file mode 100644
index 0000000..cff2ce4
Binary files /dev/null and b/hosts/ward/secrets/firezone-gateway-token.age differ
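Review bot: `openFirewall = true` in the new `services.firezone.relay` block opens the relay's listening ports on every interface unless the module itself scopes them, while the block derives the relay's public addresses from the `wan` interface only; on a host that also fronts nginx, interface-scoped rules would keep the relay's UDP surface limited to the WAN side. If the module's `openFirewall` already restricts by interface this can stay; otherwise `openFirewall = false;` plus explicit `networking.firewall.interfaces.wan.allowedUDPPorts` / `allowedUDPPortRanges` entries matching the relay's configured ports is the tighter choice, and either way a short comment recording which ports are exposed would help. The `publicIpv4`/`publicIpv6` values come from `config.repo.secrets.local…hostCidrv4/6`, which is fine as long as those are the addresses clients can actually reach (not an address behind NAT); a one-line comment to that effect, e.g. `# must be the externally reachable addresses, not a NAT-internal one`, would make the assumption explicit. The enclosing module attribute set starts and ends outside the hunk.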