diff --git a/cloud/graduated/aws_route53/reeselink.json b/cloud/graduated/aws_route53/reeselink.json
index c6ab7b4..ddb6b7f 100644
--- a/cloud/graduated/aws_route53/reeselink.json
+++ b/cloud/graduated/aws_route53/reeselink.json
@@ -113,7 +113,7 @@
 "TTL": 300,
 "ResourceRecords": [
 {
- "Value": "2603:6013:3140:103:7656:3cff:febd:1df8"
+ "Value": "2603:6013:3140:100:7656:3cff:febd:1df8"
 }
 ]
 }
diff --git a/infrastructure/graduated/arch/README.md b/infrastructure/graduated/arch/README.md
index 9a97a5a..e163606 100644
--- a/infrastructure/graduated/arch/README.md
+++ b/infrastructure/graduated/arch/README.md
@@ -257,11 +257,17 @@ after we finish the install.
 Don't set a password for single-user systems. We're using full-disk encryption. This will let you login with just a fingerprint.
+1. Install `seahorse` if you haven't already
+2. Open the `Passwords and Keys` apps
+3. Create a new Password keyring called "Login"
+4. Do not enter a password
+5. Set it as default
+
 ### Base Tools
 ```bash
 # gvfs and gvfs-dnssd are for webdav support
-pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db
+pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db net-tools
 ```
 ### ZSH
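Review bot: Step 4 creates the default `Login` keyring with no password, which makes gnome-keyring store everything it later collects (Wi-Fi PSKs, browser and app secrets) unencrypted under `~/.local/share/keyrings/`; the surrounding text points to full-disk encryption, but FDE only protects that file at rest, not from any process running in the unlocked session. Presumably this is done because a fingerprint-only login gives pam_gnome_keyring no password to unlock the keyring with — if so, say that, since it is the only reason to accept the trade-off. Suggest a line after step 5: `Note: an empty keyring password means the keyring file is stored unencrypted; full-disk encryption protects it at rest only, and a fingerprint login cannot unlock a password-protected keyring.` The sentence above the list, `Don't set a password for single-user systems`, now reads as if it were about the account password; `Don't set a keyring password on single-user systems` would remove the ambiguity.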
@@ -661,11 +667,39 @@ You can create chroot environments to run firejails or just use for testing purp
 4. Install to use fingerprint with gnome
 In order to use fingerprint auth with gnome for privileged system stuff with gdm,
-edit `/etc/pam.d/system-auth` and add the following to the top of the file:
+edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
 ```conf
-auth sufficient pam_fprintd_grosshack.so
-auth sufficient pam_unix.so try_first_pass nullok
+#%PAM-1.0
+
+auth required pam_shells.so # User must have shell in /etc/shells
+auth requisite pam_nologin.so # Prevents users from loging in if /etc/nologin exists
+auth required pam_faillock.so preauth # Timeout after certain number of fails
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth sufficient pam_fprintd_grosshack.so
+-auth [success=2 default=ignore] pam_systemd_home.so
+auth [success=1 default=bad] pam_unix.so try_first_pass nullok
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account [success=1 default=ignore] pam_systemd_home.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+-password [success=1 default=ignore] pam_systemd_home.so
+password required pam_unix.so try_first_pass nullok shadow
+password optional pam_permit.so
+
+-session optional pam_systemd_home.so
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_permit.so
 ```
 ##### Turn Off Fingerprint When Laptop Lid Closed
diff --git a/infrastructure/graduated/arch/workstation.md b/infrastructure/graduated/arch/workstation.md
index de027d8..2e5465c 100644
--- a/infrastructure/graduated/arch/workstation.md
+++ b/infrastructure/graduated/arch/workstation.md
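Review bot: The new prose says to edit `system-auth` "to include" the grosshack line, but the example is only safe in the exact position shown — after `pam_faillock.so preauth` and before `pam_unix.so`; placed any earlier (the old text said "top of the file") a fingerprint match would skip `pam_shells`, `pam_nologin` and the lockout check, because `sufficient` returns success as soon as no earlier `required` module has failed. Suggest adding after that sentence: `Put it directly after the pam_faillock.so preauth line and before pam_unix.so; earlier placement lets a fingerprint bypass the shell, nologin and lockout checks.` For the same reason a fingerprint login returns before `pam_env.so` and `pam_faillock.so authsucc` run, so fingerprint successes do not reset the faillock tally and pam_env variables are not applied for that login — worth a comment on the grosshack line, e.g. `# sufficient: a match returns here, so pam_env and faillock authsucc below only run for password logins`. The added comment also has a typo: `loging in` should be `logging in`.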
@@ -2,6 +2,7 @@
 - [Workstation](#workstation)
 - [SSH](#ssh)
+ - [Templates](#templates)
 - [Toolbox](#toolbox)
 - [Podman](#podman)
 - [Docker](#docker)
@@ -70,6 +71,16 @@ Host my-host
 You can ssh to that host with `ssh my-host` after adding a config entry.
+## Templates
+
+You can add files in `~/Templates` to give yourself quick-create options in the gnome file browser context menu.
+
+```bash
+mkdir ~/Templates
+touch ~/Templates/text.txt
+```
+
 ## Toolbox
@@ -135,6 +146,14 @@ systemctl enable --now libvirtd
 virsh net-autostart default
 ```
+Then edit `/etc/libvirt/network.conf` and add:
+
+```conf
+firewall_backend="iptables"
+```
+
+Make sure to restart libvirtd with `systemctl restart libvirtd`.
+
 If you get a blank screen when launching a VM check that you've used the correct bios - either secboot or not secboot. This is the most common problem.
diff --git a/infrastructure/graduated/qemu/README.md b/infrastructure/graduated/qemu/README.md
index 7f4a9c3..6315c98 100644
--- a/infrastructure/graduated/qemu/README.md
+++ b/infrastructure/graduated/qemu/README.md
@@ -5,6 +5,7 @@
 - [Restore qcow snapshots](#restore-qcow-snapshots)
 - [Convert qcow to bootable drive](#convert-qcow-to-bootable-drive)
 - [Convert bootable drive to qcow](#convert-bootable-drive-to-qcow)
+ - [ISO](#iso)
 ## QCOW2
@@ -44,3 +45,10 @@ qemu-img convert -f raw -O qcow2 -p /dev/sdd /var/lib/libvirt/images/toshiba.qco
 If you need to resize a windows partition to non-continuous space simply grow the last partition, shrink it to the end of the drive, then grow the windows partition with gparted.
+
+## ISO
+
+```bash
+pacman -S cdrtools
+mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
+```
\ No newline at end of file
diff --git a/infrastructure/graduated/unifi/README.md b/infrastructure/graduated/unifi/README.md
index 3831710..1e94a3b 100644
--- a/infrastructure/graduated/unifi/README.md
+++ b/infrastructure/graduated/unifi/README.md
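Review bot: `firewall_backend="iptables"` is added without saying why; recent libvirt picks nftables when it is available, so a reader cannot tell whether this works around a host whose own firewall rules live in iptables, an nftables conflict with another firewall on the host, or missing iptables tooling. Suggest a one-line reason next to the fence, e.g. `Forced to iptables because the host firewall rules are iptables-based and libvirt's nftables backend bypasses them`, adjusted to what actually happened. Also, restarting libvirtd may not be enough if the `default` network was already started under the nftables backend — the old chains can stay behind; after the restart check with `nft list ruleset` and `iptables -S` that only one backend's rules exist, or run `virsh net-destroy default && virsh net-start default` so the network is rebuilt with the configured backend.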
@@ -5,6 +5,8 @@
 - [Route53](#route53)
 - [IPV6 EUI64 Address Generation](#ipv6-eui64-address-generation)
 - [NetworkManager](#networkmanager)
+ - [VPN](#vpn)
+ - [IPv6 leak prevention](#ipv6-leak-prevention)
 ## IP Addresses
@@ -45,3 +47,21 @@ nmcli con mod ipv6.addr-gen-mode eui64
 systemctl restart NetworkManager
 nmcli -f ipv6.addr-gen-mode connection show
 ```
+
+## VPN
+
+### IPv6 leak prevention
+
+Add the following to the exported wireguard config to block ipv6
+
+```conf
+[Interface]
+PrivateKey =
+Address = 192.168.4.2/32, fd00::1/128
+DNS = 192.168.4.1
+
+[Peer]
+PublicKey =
+AllowedIPs = 192.168.4.1/32,192.168.4.2/32,0.0.0.0/0,::0/0
+Endpoint = ipv4.reeseapps.com:51831
+```
\ No newline at end of file
diff --git a/systemd/graduated/ipv4-proxy/vars.yaml b/systemd/graduated/ipv4-proxy/vars.yaml
index d29f2d3..521f67c 100644
--- a/systemd/graduated/ipv4-proxy/vars.yaml
+++ b/systemd/graduated/ipv4-proxy/vars.yaml
@@ -8,7 +8,7 @@ stream_ssl:
 - external:
 domain: gitea.reeseapps.com
 internal:
- domain: ingress-nginx.reeselink.com
+ domain: ingress-nginx.reeseapps.com
 port: 443
 protocol: https
 - external:
@@ -20,24 +20,24 @@ stream_ssl:
 - external:
 domain: jellyfin.reeseapps.com
 internal:
- domain: ingress-nginx.reeselink.com
+ domain: ingress-nginx.reeseapps.com
 port: 443
 protocol: https
 - external:
 domain: snapdrop.reeseapps.com
 internal:
- domain: ingress-nginx.reeselink.com
+ domain: ingress-nginx.reeseapps.com
 port: 443
 protocol: https
 - external:
 domain: bitwarden.reeseapps.com
 internal:
- domain: ingress-nginx.reeselink.com
+ domain: ingress-nginx.reeseapps.com
 port: 443
 protocol: https
 stream_ports:
 - external: 2222
- internal: git.reeselink.com:22
+ internal: git.reeseapps.com:22
 - external: 3478
 internal: nextcloud.reeselink.com:3478
\ No newline at end of file
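Review bot: The heading promises to block IPv6, but `::0/0` in `AllowedIPs` only routes all IPv6 into the tunnel — whether it is dropped or forwarded is up to the peer behind `ipv4.reeseapps.com`, and v6 traffic sent while the interface is down or before wg-quick has installed its routes is not covered at all. If a real kill switch is wanted, add explicit firewall rules under `[Interface]`, e.g. `PostUp = ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT` with a matching `PreDown = ip6tables -D OUTPUT ...`; otherwise reword the section to "route IPv6 through the tunnel" so nobody relies on it as a block. `192.168.4.1/32,192.168.4.2/32` are already covered by `0.0.0.0/0` and can be dropped. The empty `PrivateKey =` / `PublicKey =` lines should be marked as placeholders to copy from the exported config, since the interface will not come up with an empty key.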
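Review bot: The last entry, `internal: nextcloud.reeselink.com:3478`, is the only backend still on `reeselink.com` after this hunk moves the ingress-nginx targets and `git` to `reeseapps.com`; if that is deliberate (TURN staying on the old zone) a short comment, e.g. `# nextcloud TURN intentionally stays on reeselink.com`, would stop the next reader from "fixing" it, and if not it is a missed rename. Either way, confirm from the proxy host that the new `reeseapps.com` names resolve to the intended internal addresses, since the `stream_ssl` entries appear to hand the TLS stream straight to whatever those names resolve to.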