diff --git a/default.nix b/default.nix
index 465ddb6..c6e0ae6 100755
--- a/default.nix
+++ b/default.nix
@@ -7,13 +7,32 @@ in {
 [ inputs.home-manager.nixosModules.home-manager ] ++ _.mapModulesRec' ./modules import;
+ nix = {
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ auto-optimise-store = true;
+ keep-outputs = true;
+ keep-derivations = true;
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
 environment.systemPackages = with pkgs; [
- curl git
+ unrar unzip
+ curl wget
+ # hello! if you remove this, good luck
+ # ever rebuilding your system using flakes!
+ git
 ];
- i18n.defaultLocale = "en_US.UTF-8";
+ time.timeZone = lib.mkDefault "America/Los_Angeles";
+
+ i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
- system.stateVersion = lib.mkDefault "23.11";
 }
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index b2a06d8..431ca38 100755
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -10,13 +10,6 @@ in {
 ./webapps/default.nix
 ];
- user = {
- packages = with pkgs; [
- git
- curl
- ];
- };
-
 users.groups.dotfiles = {};
 normalUsers = {
@@ -57,7 +50,7 @@ in {
 mosh.enable = true;
 };
- security.enable = true;
+ security.useDoas = true;
 };
 time.timeZone = "America/Los_Angeles";
diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix
index c85749d..26b43b7 100755
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@@ -12,10 +12,17 @@ in {
 port = 3000;
 };
+ # you should probably keep this on
+ # configures acme, gzip, optimization, proxy, and ssl config
+ # opens ports and adds some Headers
 nginx-config = {
 enable = true;
 defaultLuaPackagePath = /var/www/reidlab.online/lua;
 };
+
+ staticSites = {
+ "v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";
+ };
 };
 };
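Review bot: It is not clear from the flattened default.nix hunk whether `system.stateVersion = lib.mkDefault "23.11";` is removed here or only a blank line next to it; if the line is gone, every host must now define `system.stateVersion` itself, since without it NixOS falls back to the current release and the on-disk state formats the option is meant to pin can change on a later rebuild. Keeping `system.stateVersion = lib.mkDefault "23.11";` in this shared file is the safer choice; otherwise please confirm hosts/server/default.nix sets it. The rest of the `in {` attrset is outside the hunk, so I cannot verify this from here.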
diff --git a/modules/security.nix b/modules/security.nix
index 4dc2268..a00b377 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -5,33 +5,43 @@ let cfg = config.modules.security;
 in {
 options.modules.security = {
- enable = mkOption {
- type = types.bool;
- default = true;
- };
+ useDoas = mkEnableOption "use doas instead of sudo";
 };
 config = mkIf cfg.enable {
- security.rtkit.enable = true;
+ boot = {
+ tmp.useTmpfs = lib.mkDefault true;
+ tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+
+ kernel.sysctl = {
+ "kernel.sysrq" = 0;
- boot.kernel.sysctl = {
- "kernel.sysrq" = 0;
+ "net.ipv4.conf.all.accept_source_code" = 0;
+ "net.ipv6.conf.all.accept_source_code" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_conjestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+ };
+ };
- "net.ipv4.conf.all.accept_source_code" = 0;
- "net.ipv6.conf.all.accept_source_code" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.tcp_syncookies" = 1;
- "net.ipv4.tcp_rfc1337" = 1;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_conjestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
- };
- };
+ security = {
+ protectKernelImage = true;
+ polkit.enable = true;
+ rtkit.enable = true;
+ };
+ } // (mkIf cfg.useDoas {
+ security.sudo.enable = false;
+ security.doas.enable = true;
+ environment.systemPackages = with pkgs; [ 
doas-sudo-shim ];
+ });
 }
diff --git a/modules/services/staticSites.nix b/modules/services/staticSites.nix
new file mode 100755
index 0000000..b6abee0
--- /dev/null
+++ b/modules/services/staticSites.nix
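Review bot: `config = mkIf cfg.enable { … } // (mkIf cfg.useDoas { … })` does not combine the two blocks: function application binds tighter than `//`, so this is `(mkIf …) // (mkIf …)`, and the right-hand result (`_type`, `condition`, `content`) replaces the left one wholesale, meaning the tmpfs, sysctl and `security.{protectKernelImage,polkit,rtkit}` settings are silently never applied. Write it as `config = mkMerge [ (mkIf cfg.enable { … }) (mkIf cfg.useDoas { … }) ];`. Once that is fixed, `cfg.enable` will actually be evaluated, and the `enable` option is removed from `options.modules.security` in this same hunk (hosts/server/default.nix in this commit also stops setting it), so either restore it or gate the hardening block on something that still exists. Separately, the re-added sysctl keys `net.ipv4.conf.all.accept_source_code` / `net.ipv6.conf.all.accept_source_code` and `net.ipv4.tcp_conjestion_control` are not kernel parameters — the real names are `accept_source_route` and `tcp_congestion_control` — so source-routed packets are not being rejected and BBR is not selected, and as far as I know sysctl only logs the unknown keys rather than failing the rebuild.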
@@ -0,0 +1,88 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+let
+ sites = config.modules.services.staticSites;
+ staticSiteModule.options = {
+ dataDir = mkOption {
+ type = types.oneOf [ types.str types.path ];
+ default = null;
+ };
+
+ auth = mkOption {
+ type = types.attrsOf types.str;
+ description = "Basic authentication options. Defines a set of user = password pairs.";
+ example = literalExpr ''
+ {
+ user = "password";
+ anotherUser = "anotherPassword";
+ /* ... */
+ }
+ '';
+ default = {};
+ };
+
+ disableLogsForMisc = mkOption {
+ type = types.bool;
+ description = "Disables access logs for /favicon.ico and /robots.txt";
+ default = true;
+ };
+
+ denySensitivePaths = mkOption {
+ type = types.bool;
+ description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
+ default = true;
+ };
+
+ forceSSL = mkOption {
+ type = types.bool;
+ description = "Redirects HTTP requests to HTTPS.";
+ default = true;
+ };
+ };
+in {
+ options.modules.services.staticSites = mkOption {
+ type = types.attrsOf (types.submodule staticSiteModule);
+ example = literalExpression ''
+ {
+ "goop.network".dataDir = /var/www/goop.network;
+ "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
+ }
+ '';
+ default = {};
+ };
+
+ config = {
+ assertions = mapAttrsToList (domain: _@{dataDir, ...}:
+ { assertion = dataDir != null;
+ description = "${domain} must specify a dataDir.";
+ }) sites;
+
+ services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
+ ${domain} = {
+ locations = mkMerge [
+ { "/".basicAuth = site.auth; }
+
+ ( mkIf site.disableLogsForMisc {
+ "= /favicon.ico".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+ "= /robots.txt".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+ })
+
+ ( mkIf site.denySensitivePaths {
+ "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
+ })
+ ];
+ forceSSL = site.forceSSL;
+ addSSL = !site.forceSSL;
+ 
enableACME = true;
+ root = site.dataDir;
+ };
+ }) sites);
+ };
+}
diff --git a/readme.md b/readme.md
index ee86baf..a0fc4d7 100755
--- a/readme.md
+++ b/readme.md
@@ -15,3 +15,11 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
 please periodically run `nix flake update` to make sure we arent slacking on package versions
 before committing, please run `nix flake check` and make sure everything is ok
+
+## todo
+
+- analytics using matomo
+- php support in staticsites
+- no more luapackagepath. please stop.
+- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz
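Review bot: The assertions built at `assertions = mapAttrsToList (domain: _@{dataDir, ...}: …)` use `description`, but NixOS evaluates assertions as `{ assertion; message; }`, so a failing check reports a missing `message` attribute instead of "<domain> must specify a dataDir."; rename it to `message`. The check is also unreachable as written: `dataDir` is typed `types.oneOf [ types.str types.path ]` with `default = null`, so an unset `dataDir` is rejected by the type checker before the assertion runs — either wrap the type in `types.nullOr` or drop the default and let the option be required. Two store-exposure caveats for callers: `"/".basicAuth = site.auth` renders the passwords into nginx's config in the world-readable Nix store (`basicAuthFile` pointing at a secret outside the store avoids that), and because `types.path` is accepted, a path literal like the example's `/etc/secret/private/reidlab-online` is copied into the store when it is interpolated into the nginx `root` directive, whereas the string form used in hosts/server/webapps/default.nix is not. Also, the `auth` example uses `literalExpr` while the outer option uses `literalExpression`; I only know the latter as a `lib` helper, so the former is worth confirming.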