diff --git a/networking/firewall.mod.nix b/networking/firewall.mod.nix
index ddec8a3..7541c82 100644
--- a/networking/firewall.mod.nix
+++ b/networking/firewall.mod.nix
@@ -8,10 +8,10 @@
 networking.firewall.interfaces.wg0 = {
 # TODO: set up prometheus authentication, perhaps with a certificate. not *that* urgent because it's only on the wireguard netwrok, maybe it's not even needed at all -e
 allowedTCPPorts = [
- 6703
+ 6703 # prometheus node exporter
 ];
 allowedUDPPorts = [
- 6703
+ 6703 # prometheus node exporter
 ];
 };
 }
@@ -22,7 +22,8 @@
 networking.firewall = {
 allowedUDPPorts = [];
 allowedTCPPorts = [
- 3000 # forgejo http
+ 3000 # forgejo web
+ 8080 # gotosocial web
 222 # forgejo ssh
 ];
 };
@@ -34,13 +35,13 @@
 networking.firewall = {
 allowedTCPPorts = [
 64738 # murmur tcp
- 6700 # grafana
+ 6700 # grafana web
 6750 # prometheus
 ];
 allowedUDPPorts = [
 64738 # murmur udp
- 6700 # grafana
- 6750 # prometheus
+ 6700 # grafana web
+ 6750 # prometheus data ap
 ];
 };
 }
diff --git a/services/caddy/Caddyfile b/services/caddy/Caddyfile
index ddcd352..ef4c927 100644
--- a/services/caddy/Caddyfile
+++ b/services/caddy/Caddyfile
@@ -38,7 +38,7 @@ https://gts.collective-conciousness.monster {
 encode zstd gzip
 # The actual proxy configuration to port 8080 (unless you've chosen another port number)
- reverse_proxy 127.0.0.1:8080 {
+ reverse_proxy 10.24.1.9:8080 {
 # Flush immediately, to prevent buffered response to the client
 flush_interval -1
 }
diff --git a/services/social/gts.mod.nix b/services/social/gts.mod.nix
index 9d5f953..1910969 100644
--- a/services/social/gts.mod.nix
+++ b/services/social/gts.mod.nix
@@ -1,5 +1,5 @@
 {
- aspartame.modules = [
+ fructose.modules = [
 (
 { pkgs, 
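Review bot: The new `8080 # gotosocial web` entry in the second hunk goes into the host-wide `networking.firewall.allowedTCPPorts`, while the only consumer of that port visible in this commit is Caddy dialing `10.24.1.9:8080`, an address that looks like the same range the `wg0` rules in the first hunk are scoped to. Opening 8080 on every interface lets clients reach GoToSocial's plain-HTTP listener directly, bypassing the TLS termination in services/caddy/Caddyfile. If the backend is only meant to be reached over the tunnel, scope the rule the way the first hunk does, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8080 ];`, and drop it from the global list. The enclosing attribute set starts and ends outside the hunk.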
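Review bot: The comment above the changed `reverse_proxy` line still carries the upstream example wording ("port 8080 (unless you've chosen another port number)") although the target is now a separate host at 10.24.1.9 rather than localhost. This address has to stay in sync with `bind-address`/`port` in services/social/gts.mod.nix, and GTS's `trusted-proxies` must list this Caddy host's source address, so a comment recording that coupling would help: `# GoToSocial on the gts host over wireguard; keep in sync with bind-address/port in services/social/gts.mod.nix`. The site block continues outside the hunk.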
@@ -24,16 +24,17 @@
 host = "gts.collective-conciousness.monster";
 account-domain = "";
 protocol = "https";
- bind-address = "127.0.0.1";
+ bind-address = "0.0.0.0";
 port = 8080;
 trusted-proxies = [
+ "10.24.1.16/32"
 "127.0.0.1/32"
 "::1"
 ];
 ### Database config - still have to set this up.
 db-type = "postgres";
- db-address = "10.24.1.9";
+ db-address = "127.0.0.1";
 db-port = "5432";
 # db-password = ""; # commented out because it is being passed through env files. # GTS_DB_PASSWORD
 db-database = "gtsdb";
@@ -84,7 +85,7 @@
 ### Storage config
 storage-backend = "local";
- storage-local-base-path = "/var/gts/storage";
+ storage-local-base-path = "/var/services/gts/storage";
 # ommited settings related to s3
 ### Statuses config
diff --git a/sops.mod.nix b/sops.mod.nix
index e46ab03..582a33d 100644
--- a/sops.mod.nix
+++ b/sops.mod.nix
@@ -20,16 +20,8 @@
 sops.secrets.remote-build-ssh-privkey = {};
 }
 ];
- aspartame.modules = [
- (
- {config, ...}: {
- sops.secrets.gts_db_pass = {};
- sops.templates."gts.env.secrets.yaml".content = ''
- GTS_DB_PASSWORD=${config.sops.placeholder."gts_db_pass"}
- '';
- }
- )
- ];
+ /* aspartame.modules = [
+ ]; */
 sucrose.modules = [
 (
 {config, ...}: {
@@ -93,6 +85,15 @@
 '';
 }
 )
+ (
+ {config, ...}: {
+ sops.secrets.gts_db_pass = {};
+ sops.secrets.gts_db_pass.owner = "gotosocial";
+ sops.templates."gts.env.secrets.yaml".content = ''
+ GTS_DB_PASSWORD=${config.sops.placeholder."gts_db_pass"}
+ '';
+ }
+ )
 ];
 personal.modules = [
 (
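Review bot: `bind-address = "0.0.0.0"` makes GoToSocial listen on every interface of the host, but the only peer that needs to reach it is Caddy, which this commit points at `10.24.1.9:8080` in services/caddy/Caddyfile. Together with 8080 being added to the host-wide `allowedTCPPorts` in networking/firewall.mod.nix, the plain-HTTP listener becomes reachable from any network the host sits on, not only through the TLS-terminating proxy. Binding to the tunnel address Caddy actually dials, `bind-address = "10.24.1.9";`, keeps the exposure to the wireguard link, and `trusted-proxies` then only needs the Caddy host's tunnel address, which the added `"10.24.1.16/32"` appears to be. The `### Database config - still have to set this up.` comment also reads stale now that `db-address` points at a local Postgres. The enclosing settings attribute set starts and ends outside the hunk.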
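Review bot: `storage-local-base-path` moves from `/var/gts/storage` to `/var/services/gts/storage` with no accompanying migration step or note; if media already exists at the old path it becomes unreachable to the service until it is moved, which nothing in this diff does (the service definition is outside the diff, so this is inferred). A comment above the line recording who creates the directory and with what ownership, e.g. `# owned by the gotosocial user; move /var/gts/storage here before switching`, would make the change safe to repeat on another host. The enclosing attribute set starts and ends outside the hunk.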
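Review bot: The replacement `/* aspartame.modules = [ ]; */` in the first sops.mod.nix hunk is dead text — it declares nothing and only records that the gts secret used to live under aspartame, which the second hunk of this file (adding the module under `sucrose.modules`) and the rename in services/social/gts.mod.nix already make clear. Delete the two commented lines rather than leaving them as archaeology; history keeps the old placement. The `sucrose.modules` list continues outside the hunk.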
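Review bot: The new module in the second sops.mod.nix hunk sets `sops.secrets.gts_db_pass.owner = "gotosocial"`, but what the service consumes is the rendered template `gts.env.secrets.yaml`, whose owner and mode are left at their defaults, so the gotosocial user is granted read access to the raw secret while the file it actually needs may stay root-only (whether that matters depends on whether the env file is read by systemd as root or by the process itself, which is not visible here). If the service reads the template directly, move the ownership there, `sops.templates."gts.env.secrets.yaml".owner = "gotosocial";`, and leave the raw secret at its default; either way `sops.secrets.gts_db_pass = {};` followed by `sops.secrets.gts_db_pass.owner = ...` collapses to the single line `sops.secrets.gts_db_pass.owner = "gotosocial";`. The template name also suggests YAML while its content is a `KEY=VALUE` env line, so a name such as `gts.env` would describe it better. The `sucrose.modules` list starts outside the hunk.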