diff --git a/README.md b/README.md index 286fbb9..6c6a002 100644 --- a/README.md +++ b/README.md 
@@ -2,21 +2,47 @@ This is my personal nix config. It's still in the making, but this is what I got so far: -- Log and system monitoring via loki, telegraf, influxdb, promtail and grafana -- Single-Sign-On for all services using oauth2 via kanidm -- Automatic wireguard mesh generation -- Full disk encryption using [disko](https://github.com/nix-community/disko), remotely unlockable via ssh -- Zoned nftables firewall via [nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall) -- Service isolation using [microvms](https://github.com/astro/microvm.nix) instead of containers - Secret rekeying, generation and bootstrapping using [agenix-rekey](https://github.com/oddlama/agenix-rekey) + +- Remote-unlockable full disk encryption using ZFS on LUKS +- Automatic disk partitioning via [disko](https://github.com/nix-community/disko) - Support for repository-wide secrets at evaluation time (hides PII like MACs) +- Automatic static wireguard mesh generation +- Opt-in persistence with [impermanence](https://github.com/nix-community/impermanence) + + + + + +Servers: + +- Log and system monitoring through [grafana](https://github.com/grafana/grafana) using + - [influxdb2](https://github.com/influxdata/influxdb) and [telegraf](https://github.com/influxdata/telegraf) for metrics + - [loki](https://github.com/grafana/loki) and [promtail](https://grafana.com/docs/loki/latest/clients/promtail/) for logs +- Single-Sign-On for all services using oauth2 via [kanidm](https://github.com/kanidm/kanidm) +- Zoned nftables firewall via [nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall) +- Service isolation using [microvms](https://github.com/astro/microvm.nix) + ## Hosts | | Name | Type | Purpose ---|---|---|--- 💻 | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine Framework when? 
-🖥️ | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine +🖥️ | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming 🖥️ | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using microvms. 🥔 | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network ☁️ | envoy | Hetzner Cloud server | Mailserver @@ -32,10 +58,27 @@ not yet nixified: my main development machine, the powerful home server, and som | | | |---|---| -**Shell** | [nushell](https://github.com/nushell/nushell) +**Shell** | zsh with [starship](https://github.com/starship/starship), fzf plugins and sqlite history **Terminal** | [kitty](https://github.com/kovidgoyal/kitty) **Editor** | [neovim](https://github.com/neovim/neovim) -**WM** | [sway](https://github.com/swaywm/sway) +**WM** | [sway](https://github.com/swaywm/sway) & [i3](https://github.com/i3/i3) (still need X11 for gaming) + + ## Structure @@ -67,7 +110,7 @@ but here's a quick breakdown of the what you will find where. - Add to `hosts` in `flake.nix` - Create hosts/ - Fill net.nix -- Fill fs.nix (you need to know the device by-id paths in advance for formatting to work!) +- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!) - Run generate-secrets #### Initial deploy 
@@ -100,21 +143,14 @@ then select the host in the fzf menu ## Stuff -- Secrets can be created/edited by running `nix run .#edit-secret some/secret.age` -- Secrets can be rekeyed by running `nix run .#rekey` (you will also be prompted to do so in an error message if neccessary) +- Generate, edit and rekey secrets with `agenix ` -To be able to decrypt the repository-wide secrets transparently on a host that -is _not_ managed by this config, you will need to (be me and) run -all commands using these extra parameters, or permanently add the following the system's `nix.conf`: +To be able to decrypt the repository-wide secrets (files that contain my PII and are thus hidden from public view), +you will need to (be me and) add nix-plugins and point it to `./nix/extra-builtins.nix`. +The devshell will do this for you automatically. If this doesn't work for any reason, this can also be done manually: 1. Get nix-plugins: `NIX_PLUGINS=$(nix build --print-out-paths --no-link nixpkgs#nix-plugins)` 2. Run all commands with `--option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix` - or permantently - - ```ini - plugin-files = /lib/nix/plugins - extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix - ``` ## Misc
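Review bot: In the `@@ -2,21 +2,47 @@` hunk the rewritten bullet `+- Remote-unlockable full disk encryption using ZFS on LUKS` drops the `remotely unlockable via ssh` detail of the removed line, so the README no longer states how the remote unlock is reached; keep "via ssh" (and say where that early-boot SSH is configured) so a reader can judge what an encrypted host exposes before it is unlocked. The same hunk adds five consecutive empty `+` lines before `Servers:`; collapse them to a single blank line unless an image or table is meant to go there.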
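Review bot: In the `@@ -32,10 +58,27 @@` hunk the new `**Shell**` row, `zsh with [starship](https://github.com/starship/starship), fzf plugins and sqlite history`, links starship but not the fzf plugins or the sqlite history plugin, unlike every other row of that table; link the components actually used so the row is as verifiable as the `kitty` and `neovim` entries. The two empty `+` lines added before `## Structure` should be reduced to one.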
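Review bot: In the `@@ -67,7 +110,7 @@` hunk the new wording `device /dev/by-id paths` names a path that does not exist on a standard Linux system; the stable disk identifiers live under `/dev/disk/by-id/`, so the bullet should read `- Fill fs.nix (you need to know the device /dev/disk/by-id paths in advance for partitioning to work!)`. A hint on how to list them (`ls -l /dev/disk/by-id/`) would spare a new host's first deploy from formatting the wrong device.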
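Review bot: In the `@@ -100,21 +143,14 @@` hunk the new bullet `Generate, edit and rekey secrets with` ends in an inline code span containing only `agenix ` with a trailing space, so the subcommand or argument that replaced `nix run .#edit-secret some/secret.age` and `nix run .#rekey` appears to have been lost; spell out the actual invocations so the two removed commands remain documented. In the same hunk, `The devshell will do this for you automatically.` should say how it does so (whether it only passes `--option plugin-files` and `--option extra-builtins-file` for the shell session, or writes them into a `nix.conf`), because loading nix-plugins and an extra-builtins file changes what the Nix evaluator will run, and a reader needs to know the scope and persistence of that setting before relying on the devshell.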