diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix index c79e53a0..d0196449 100644 --- a/nix/configurations/hydrogen.nix +++ b/nix/configurations/hydrogen.nix @@ -57,8 +57,11 @@ in ./hydrogen/nixos/misc.nix ./hydrogen/nixos/programs.nix ./hydrogen/nixos/connectivity.nix - ./hydrogen/nixos/secure_dns.nix + # QUIRK: + # Had issue when building the installer as it fails to bootstrap itself + # Might be useful to disable for the first build. + ../nixosModules/extra/secure_dns.nix ../nixosModules/common/disable-command-not-found.nix ../nixosModules/common/network.nix ../nixosModules/common/sudo-conf.nix @@ -98,6 +101,7 @@ in ../homeModules/common/btop ../homeModules/common/fish ../homeModules/common/starship + ../homeModules/common/fzf.nix ../homeModules/common/tmux ../homeModules/common/vim ../homeModules/common/direnv.nix diff --git a/nix/configurations/hydrogen/home/programs.nix b/nix/configurations/hydrogen/home/programs.nix index 32ed2b56..bfe508c8 100644 --- a/nix/configurations/hydrogen/home/programs.nix +++ b/nix/configurations/hydrogen/home/programs.nix @@ -53,9 +53,6 @@ ripgrep.enable = true; btop.enable = true; - - # OCaml fails to build on aarch64-linux - git.patdiff.enable = lib.mkForce false; }; services = { diff --git a/nix/configurations/hydrogen/nixos/connectivity.nix b/nix/configurations/hydrogen/nixos/connectivity.nix index c07dac6b..a71fc30c 100644 --- a/nix/configurations/hydrogen/nixos/connectivity.nix +++ b/nix/configurations/hydrogen/nixos/connectivity.nix @@ -3,11 +3,6 @@ lib, ... }: { - # https://unix.stackexchange.com/questions/592775/how-can-i-enable-apple-ios-fast-charge-support - services.udev.extraRules = '' - SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'" - ''; - users.users.root.openssh.authorizedKeys.keys = let ids = import ../../../identities.nix; in 
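Review bot: The QUIRK comment added above `../nixosModules/extra/secure_dns.nix` in the first hydrogen.nix hunk does not say what fails, or what state the host is in while the import is disabled. The module points `nameservers` at the local proxy, so without it the host presumably uses whatever resolver the network provides, with no DNSSEC requirement or blocklist. The comment should mark the workaround as temporary, e.g. `# QUIRK: building the installer failed to bootstrap with this module enabled. Comment it out for the first build only, then re-enable it; DNS is not protected while it is off.` The cause of the bootstrap failure is not visible in this diff and should be recorded here once it is known.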
diff --git a/nix/configurations/hydrogen/nixos/programs.nix b/nix/configurations/hydrogen/nixos/programs.nix index 0e605d66..5f281024 100644 --- a/nix/configurations/hydrogen/nixos/programs.nix +++ b/nix/configurations/hydrogen/nixos/programs.nix @@ -13,4 +13,7 @@ git.enable = true; }; + + # Helps with kitty when ssh from remote + environment.enableAllTerminfo = true; } diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix index 1ed762c7..0e72a47e 100644 --- a/nix/configurations/vanadium.nix +++ b/nix/configurations/vanadium.nix @@ -90,7 +90,6 @@ in ./vanadium/nixos/audio.nix ./vanadium/nixos/connectivity.nix - ./vanadium/nixos/secure_dns.nix ./vanadium/nixos/input.nix ./vanadium/nixos/misc.nix @@ -108,6 +107,7 @@ in ../nixosModules/common/system-nixconf.nix ../nixosModules/common/xscreensaver.nix + ../nixosModules/extra/secure_dns.nix ../nixosModules/extra/zram.nix ../nixosModules/extra/leana.nix diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix deleted file mode 100644 index 1aeeff7f..00000000 --- a/nix/configurations/vanadium/nixos/secure_dns.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -# https://nixos.wiki/wiki/Encrypted_DNS -{ - lib, - pkgs, - ... -}: { - networking = { - nameservers = ["127.0.0.1" "::1"]; - dhcpcd.extraConfig = "nohook resolv.conf"; - # networkmanager.dns = "none"; - }; - - services.resolved.enable = false; - - services.dnscrypt-proxy2 = { - enable = true; - # Settings reference: - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml - settings = { - listen_addresses = ["127.0.0.1:53"]; - ipv4_servers = true; - - require_dnssec = true; - require_nolog = true; - require_nofilter = true; - - lb_strategy = "p2"; - lb_estimator = true; - - # Blocklists are made of one pattern per line. - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 - blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [ - # Prevent building up reliance on chatbots - # Gotta preserve that thinking ability of my smoof bwain - pkgs.ai_blocklist - pkgs.hategroup_blocklist - - # Gotta purify my smoos brain for a while - (pkgs.writeText "extra_dns_blocklist" '' - instagram.com - youtube.com - '') - ]; - - # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests - # query_log.file = "/var/log/dnscrypt-proxy/query.log"; - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - }; -} diff --git a/nix/homeModules/common/git.nix b/nix/homeModules/common/git.nix index a50ba2a5..68f151c6 100644 --- a/nix/homeModules/common/git.nix +++ b/nix/homeModules/common/git.nix 
@@ -1,12 +1,22 @@ { lib, config, + pkgs, ... }: { # git plugins programs.git = { lfs.enable = true; - patdiff.enable = true; + patdiff.enable = lib.mkMerge [ + # known to fail on aarch64-linux + (lib.mkIf (pkgs.system == "aarch64-linux") ( + # TODO: investigate this + lib.warn "patdiff has been forcibly disabled because it has previously failed to build" + lib.mkForce + false + )) + (lib.mkDefault true) + ]; }; # 懶惰鬼賴皮 diff --git a/nix/nixosModules/common/sudo-conf.nix b/nix/nixosModules/common/sudo-conf.nix index b2b66182..ad4c6a6a 100644 --- a/nix/nixosModules/common/sudo-conf.nix +++ b/nix/nixosModules/common/sudo-conf.nix @@ -1,8 +1,18 @@ {pkgs, ...}: { - security.doas.enable = true; security.sudo.enable = false; environment.systemPackages = [ pkgs.doas-sudo-shim ]; + security.doas = { + enable = true; + extraRules = [ + { + # invoke just with doas directly as a nixos-rebuild helper + users = [":wheel"]; + setEnv = ["PATH"]; + cmd = "just"; + } + ]; + }; } diff --git a/nix/configurations/hydrogen/nixos/secure_dns.nix b/nix/nixosModules/extra/secure_dns.nix similarity index 98% rename from nix/configurations/hydrogen/nixos/secure_dns.nix rename to nix/nixosModules/extra/secure_dns.nix index 1aeeff7f..f662db89 100644 --- a/nix/configurations/hydrogen/nixos/secure_dns.nix +++ b/nix/nixosModules/extra/secure_dns.nix @@ -1,9 +1,5 @@ # https://nixos.wiki/wiki/Encrypted_DNS -{ - lib, - pkgs, - ... -}: { +{pkgs, ...}: { networking = { nameservers = ["127.0.0.1" "::1"]; dhcpcd.extraConfig = "nohook resolv.conf"; diff --git a/nix/overlays/lix.nix b/nix/overlays/lix.nix index 0c47da25..6be56324 100644 --- a/nix/overlays/lix.nix +++ b/nix/overlays/lix.nix @@ -1,10 +1,3 @@ final: _: { nix = final.lixPackageSets.stable.lix; - inherit - (final.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; }
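Review bot: In the git.nix hunk, `lib.warn "…" lib.mkForce false` only evaluates as intended because `lib.warn` returns its second argument (`lib.mkForce`), which is then applied to `false`. As written it reads as if `warn` took three arguments. `lib.mkForce (lib.warn "patdiff has been forcibly disabled because it has previously failed to build" false)` states the intent directly and should behave the same. The condition could also read `pkgs.stdenv.hostPlatform.system` rather than the `pkgs.system` alias.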
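Review bot: In the sudo-conf.nix hunk, `setEnv = ["PATH"]` passes the invoking user's PATH into the root process, and `just` then resolves every command in a recipe through that PATH. The recipes presumably come from a justfile the user can write, located from the working directory. No `noPass` appears in the hunk, so a password is presumably still required, but a changed PATH entry or justfile in the user's session would run as root the next time the helper is used. Consider pinning the search path, e.g. `setEnv = ["PATH=/run/wrappers/bin:/run/current-system/sw/bin"];`, or elevating only the individual commands inside the recipes. The group is more clearly written as `groups = ["wheel"];` than as `users = [":wheel"];`, and a one-line comment on why PATH must be passed through would help the next reader.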