diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix
index d0196449..c79e53a0 100644
--- a/nix/configurations/hydrogen.nix
+++ b/nix/configurations/hydrogen.nix
@@ -57,11 +57,8 @@ in
 ./hydrogen/nixos/misc.nix
 ./hydrogen/nixos/programs.nix
 ./hydrogen/nixos/connectivity.nix
+ ./hydrogen/nixos/secure_dns.nix
- # QUIRK:
- # Had issue when building the installer as it fails to bootstrap itself
- # Might be useful to disable for the first build.
- ../nixosModules/extra/secure_dns.nix
 ../nixosModules/common/disable-command-not-found.nix
 ../nixosModules/common/network.nix
 ../nixosModules/common/sudo-conf.nix
@@ -101,7 +98,6 @@ in
 ../homeModules/common/btop
 ../homeModules/common/fish
 ../homeModules/common/starship
- ../homeModules/common/fzf.nix
 ../homeModules/common/tmux
 ../homeModules/common/vim
 ../homeModules/common/direnv.nix
diff --git a/nix/configurations/hydrogen/home/programs.nix b/nix/configurations/hydrogen/home/programs.nix
index bfe508c8..32ed2b56 100644
--- a/nix/configurations/hydrogen/home/programs.nix
+++ b/nix/configurations/hydrogen/home/programs.nix
@@ -53,6 +53,9 @@
 ripgrep.enable = true;
 btop.enable = true;
+
+ # OCaml fails to build on aarch64-linux
+ git.patdiff.enable = lib.mkForce false;
 };
 services = {
diff --git a/nix/configurations/hydrogen/nixos/connectivity.nix b/nix/configurations/hydrogen/nixos/connectivity.nix
index a71fc30c..c07dac6b 100644
--- a/nix/configurations/hydrogen/nixos/connectivity.nix
+++ b/nix/configurations/hydrogen/nixos/connectivity.nix
@@ -3,6 +3,11 @@
 lib,
 ...
 }: {
+ # https://unix.stackexchange.com/questions/592775/how-can-i-enable-apple-ios-fast-charge-support
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'"
+ '';
+
 users.users.root.openssh.authorizedKeys.keys = let
 ids = import ../../../identities.nix;
 in
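Review bot: The QUIRK comment about the installer failing to bootstrap with secure_dns enabled is removed along with the old import, yet the hunk only re-points the import at `./hydrogen/nixos/secure_dns.nix`, whose contents (index 1aeeff7f, a 98% rename) are essentially the old module, so the caveat presumably still applies. Carry it over above the new import, e.g. `# QUIRK: the installer has failed to bootstrap with this enabled; consider disabling it for the first build`, or put it at the top of the moved file so it travels with the configuration.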
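Review bot: The udev rule in connectivity.nix executes `/bin/sh` as root on every matching device add, and on NixOS that path only exists because of the `/bin/sh` compatibility symlink created at activation, so the rule silently stops working if that is ever disabled; `RUN+="${pkgs.runtimeShell} -c '...'"` pins the interpreter to the store. Note that `pkgs` is not among the visible module arguments (`lib, ...`), so it would need to be added to the attribute-set pattern at the top of the file, which starts before this hunk. The command itself is a fixed string with no device-supplied attribute interpolated into it, which is what keeps a root-executed RUN entry safe; worth a one-line comment saying so, e.g. `# fixed command, no device attributes are substituted into the shell string`, so a later edit does not introduce `%E{...}` or `$attr{...}` expansions without thinking about it.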
diff --git a/nix/configurations/hydrogen/nixos/programs.nix b/nix/configurations/hydrogen/nixos/programs.nix
index 5f281024..0e605d66 100644
--- a/nix/configurations/hydrogen/nixos/programs.nix
+++ b/nix/configurations/hydrogen/nixos/programs.nix
@@ -13,7 +13,4 @@
 git.enable = true;
 };
-
- # Helps with kitty when ssh from remote
- environment.enableAllTerminfo = true;
 }
diff --git a/nix/nixosModules/extra/secure_dns.nix b/nix/configurations/hydrogen/nixos/secure_dns.nix
similarity index 98%
rename from nix/nixosModules/extra/secure_dns.nix
rename to nix/configurations/hydrogen/nixos/secure_dns.nix
index f662db89..1aeeff7f 100644
--- a/nix/nixosModules/extra/secure_dns.nix
+++ b/nix/configurations/hydrogen/nixos/secure_dns.nix
@@ -1,5 +1,9 @@
 # https://nixos.wiki/wiki/Encrypted_DNS
-{pkgs, ...}: {
+{
+ lib,
+ pkgs,
+ ...
+}: {
 networking = {
 nameservers = ["127.0.0.1" "::1"];
 dhcpcd.extraConfig = "nohook resolv.conf";
diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix
index 0e72a47e..1ed762c7 100644
--- a/nix/configurations/vanadium.nix
+++ b/nix/configurations/vanadium.nix
@@ -90,6 +90,7 @@ in
 ./vanadium/nixos/audio.nix
 ./vanadium/nixos/connectivity.nix
+ ./vanadium/nixos/secure_dns.nix
 ./vanadium/nixos/input.nix
 ./vanadium/nixos/misc.nix
@@ -107,7 +108,6 @@ in
 ../nixosModules/common/system-nixconf.nix
 ../nixosModules/common/xscreensaver.nix
- ../nixosModules/extra/secure_dns.nix
 ../nixosModules/extra/zram.nix
 ../nixosModules/extra/leana.nix
diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix
new file mode 100644
index 00000000..1aeeff7f
--- /dev/null
+++ b/nix/configurations/vanadium/nixos/secure_dns.nix
@@ -0,0 +1,57 @@
+# https://nixos.wiki/wiki/Encrypted_DNS
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ networking = {
+ nameservers = ["127.0.0.1" "::1"];
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ # networkmanager.dns = "none";
+ };
+
+ services.resolved.enable = false;
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ # Settings reference:
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ settings = {
+ listen_addresses = ["127.0.0.1:53"];
+ ipv4_servers = true;
+
+ require_dnssec = true;
+ require_nolog = true;
+ require_nofilter = true;
+
+ lb_strategy = "p2";
+ lb_estimator = true;
+
+ # Blocklists are made of one pattern per line.
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
+ blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [
+ # Prevent building up reliance on chatbots
+ # Gotta preserve that thinking ability of my smoof bwain
+ pkgs.ai_blocklist
+ pkgs.hategroup_blocklist
+
+ # Gotta purify my smoos brain for a while
+ (pkgs.writeText "extra_dns_blocklist" ''
+ instagram.com
+ youtube.com
+ '')
+ ];
+
+ # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
+ # query_log.file = "/var/log/dnscrypt-proxy/query.log";
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ };
+ };
+}
diff --git a/nix/homeModules/common/git.nix b/nix/homeModules/common/git.nix
index 68f151c6..a50ba2a5 100644
--- a/nix/homeModules/common/git.nix
+++ b/nix/homeModules/common/git.nix
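Review bot: `networking.nameservers` advertises both `127.0.0.1` and `::1`, but `listen_addresses = ["127.0.0.1:53"]` means dnscrypt-proxy never binds the IPv6 loopback, so queries the stub resolver sends to ::1 are presumably refused and only succeed after it falls back to the IPv4 entry, adding latency and leaving one configured nameserver that nothing answers; either extend it to `listen_addresses = ["127.0.0.1:53" "[::1]:53"];` or drop `"::1"` from nameservers. The hydrogen file renamed in this commit is the same blob (index 1aeeff7f), so the fix applies there as well. `lib` is added to the module arguments of both copies but is not referenced anywhere in these 57 lines. Since both host files are byte-identical copies of the former shared module, keeping one module and importing it from each host's module list would stop the two from silently diverging on exactly this kind of resolver detail.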
@@ -1,22 +1,12 @@
 {
 lib,
 config,
- pkgs,
 ...
 }: {
 # git plugins
 programs.git = {
 lfs.enable = true;
- patdiff.enable = lib.mkMerge [
- # known to fail on aarch64-linux
- (lib.mkIf (pkgs.system == "aarch64-linux") (
- # TODO: investigate this
- lib.warn "patdiff has been forcibly disabled because it has previously failed to build"
- lib.mkForce
- false
- ))
- (lib.mkDefault true)
- ];
+ patdiff.enable = true;
 };
 # 懶惰鬼賴皮
diff --git a/nix/nixosModules/common/sudo-conf.nix b/nix/nixosModules/common/sudo-conf.nix
index ad4c6a6a..b2b66182 100644
--- a/nix/nixosModules/common/sudo-conf.nix
+++ b/nix/nixosModules/common/sudo-conf.nix
@@ -1,18 +1,8 @@
 {pkgs, ...}: {
+ security.doas.enable = true;
 security.sudo.enable = false;
 environment.systemPackages = [
 pkgs.doas-sudo-shim
 ];
- security.doas = {
- enable = true;
- extraRules = [
- {
- # invoke just with doas directly as a nixos-rebuild helper
- users = [":wheel"];
- setEnv = ["PATH"];
- cmd = "just";
- }
- ];
- };
 }
diff --git a/nix/overlays/lix.nix b/nix/overlays/lix.nix
index 6be56324..0c47da25 100644
--- a/nix/overlays/lix.nix
+++ b/nix/overlays/lix.nix
@@ -1,3 +1,10 @@
 final: _: {
 nix = final.lixPackageSets.stable.lix;
+ inherit
+ (final.lixPackageSets.stable)
+ nixpkgs-review
+ nix-eval-jobs
+ nix-fast-build
+ colmena
+ ;
 }
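Review bot: `patdiff.enable = true;` replaces the previous `lib.mkDefault true` with an unconditional value, so a host can now only turn patdiff off with `lib.mkForce`, which is exactly what hydrogen/home/programs.nix in this same commit has to do. Writing `patdiff.enable = lib.mkDefault true;` keeps the common module as a default and lets that host say a plain `git.patdiff.enable = false;` with the aarch64 comment next to it. With `pkgs` removed from the arguments, whether `lib` and `config` are still used depends on the part of the module below `# 懶惰鬼賴皮`, which is outside the hunk; if they are not, they should go too.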