diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 6c79bdc..2320b54 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -116,7 +116,7 @@ in {
 };
 virtualHosts.${auth.domain} = {
 forceSSL = true;
- useACMEHost = config.lib.matchingWildcardCert auth.domain;
+ useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
 locations."/".proxyPass = "https://kanidm";
 # Allow using self-signed certs to satisfy kanidm's requirement
 # for TLS connections. (This is over wireguard anyway)
diff --git a/modules/extra.nix b/modules/extra.nix
index 80e0988..b777871 100644
--- a/modules/extra.nix
+++ b/modules/extra.nix
@@ -30,7 +30,7 @@ in {
 };
 config = {
- lib = {
+ lib.extra = {
 # For a given domain, this searches for a matching wildcard acme domain that
 # would include the given domain. If no such domain is defined in
 # extra.acme.wildcardDomains, an assertion is triggered.
diff --git a/modules/microvms.nix b/modules/microvms.nix
index cad6958..b9a1104 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -198,7 +198,7 @@
 then "${config.networking.hostName}.local"
 else config.networking.fqdn;
 inherit (cfg.networking.wireguard) port;
- openFirewallRules = ["untrusted"];
+ openFirewallRules = ["untrusted-to-local"];
 };
 linkName = "local-vms";
 ipv4 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4;
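Review bot: In the modules/microvms.nix hunk the new rule name `untrusted-to-local` is not defined or referenced anywhere else in this diff, so a reader cannot tell whether it exists in the firewall module or what traffic it admits compared to the previous `untrusted` rule; the effect on which peers may reach the wireguard `port` is therefore unverifiable from the change alone. Since this line decides the exposure of the VM wireguard endpoint, it deserves an intent comment next to it, e.g. `# Expose the wireguard port only via the untrusted-to-local rule (see firewall zone definitions) so the endpoint is reachable from the untrusted zone but scoped to local traffic` — adjust the wording to match the actual rule definition. It is also worth confirming that no other host or module still uses the old `untrusted` rule name for this port, as a missing rule would presumably either fail evaluation or silently leave the port closed. The enclosing attribute set starts and ends outside the hunk.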