diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index a96e2b7..bcbc89e 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -14,6 +14,4 @@
 ./net.nix
 ./nginx.nix
 ];
-
- boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 }
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
index 1714055..ffeadbb 100644
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@@ -39,6 +39,7 @@
 };
 };
 
+ boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
 
 fileSystems."/persist".neededForBoot = true;
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
index aa3c398..2af30c8 100644
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@@ -49,6 +49,7 @@ in {
 locations."/".proxyPass = "https://kanidm";
 # Allow using self-signed certs to satisfy kanidm's requirement
 # for TLS connections. (This is over wireguard anyway)
+ # TODO can we get rid of this?
 extraConfig = ''
 proxy_ssl_verify off;
 '';
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index f8c285c..7b3e6eb 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -76,12 +76,26 @@ in {
 networking.nftables.firewall = {
 zones = lib.mkForce {
- local-vms.interfaces = ["local-vms"];
+ #local-vms.interfaces = ["local-vms"];
+ proxy-sentinel.interfaces = ["proxy-sentinel"];
+ sentinel = {
+ parent = "proxy-sentinel";
+ ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+ ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+ };
 };
 
+ #rules = lib.mkForce {
+ # local-vms-to-local = {
+ # from = ["local-vms"];
+ # to = ["local"];
+ # allowedTCPPorts = [8300];
+ # };
+ #};
+
 rules = lib.mkForce {
- local-vms-to-local = {
- from = ["local-vms"];
+ sentinel-to-local = {
+ from = ["sentinel"];
 to = ["local"];
 allowedTCPPorts = [8300];
 };
 
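Review bot: The new `# TODO can we get rid of this?` above `proxy_ssl_verify off;` in hosts/sentinel/nginx.nix would be more useful if it named the way out, so the TODO does not stay open indefinitely: keep verification on and trust the kanidm certificate explicitly, e.g. `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` pointing at the self-signed cert, and `proxy_ssl_name kanidm;` if the certificate's name does not already match the `https://kanidm` host in `proxyPass`. With verification off, the proxy-to-kanidm hop is authenticated only by the wireguard tunnel the existing comment mentions; that is a defensible trade-off, but the comment should state it as one rather than as a question. The `locations."/"` attribute set this sits in starts and ends outside the hunk.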
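Review bot: The hosts/ward/default.nix hunk leaves the old zone and the whole old rule in as commented-out code (`#local-vms.interfaces = ["local-vms"];` and the seven-line `#rules = lib.mkForce { ... #};` block); git history already preserves them, so deleting them keeps the firewall definition readable and avoids a stale copy drifting from the live `sentinel-to-local` rule. A short why-comment on the new `sentinel` zone would also help, e.g. `# Only the sentinel peer's wireguard addresses on proxy-sentinel, not the whole interface`, since the `ipv4Addresses`/`ipv6Addresses` restriction is presumably what keeps TCP 8300 reachable from one host rather than from anything on that link. The `networking.nftables.firewall` attribute set continues past the end of the hunk.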
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 1a64367..ec7df76 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -139,6 +139,7 @@ in {
 renew-timer = 1000;
 rebind-timer = 2000;
 interfaces-config = {
+ # TODO why does this bind other macvtaps?
 interfaces = ["lan-self"];
 service-sockets-max-retries = -1;
 };
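Review bot: The new `# TODO why does this bind other macvtaps?` records a question but not what was observed, so a later reader cannot tell whether it still applies; writing down the symptom (which interfaces the DHCP server reported listening on, and where that was seen) would make it actionable. The keys around it (`renew-timer`, `rebind-timer`, `interfaces-config`, `service-sockets-max-retries`) look like a Kea DHCPv4 config, and one thing worth checking, though it cannot be confirmed from the hunk, is the `dhcp-socket-type` setting in this same `interfaces-config` block: with raw sockets the listener attaches below IP, which may explain seeing traffic that arrives via other macvtap interfaces sharing the parent device, whereas `"udp"` binds only the configured interface's address. A DHCP server answering on segments it was not meant to serve is worth resolving rather than leaving as a TODO. The enclosing DHCP server attribute set starts and ends outside the hunk.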