diff --git a/flake.lock b/flake.lock
index 43bf480..3e769b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -29,7 +29,6 @@
 "locked": {
 "lastModified": 1777364820,
 "narHash": "sha256-XHxV1V62RJlU/Y49WD6fNIyESJCHKMVwuoN+WIa3gLg=",
- "ref": "refs/heads/main",
 "rev": "1cc9dbf2a47b7b329507cc4ddc970e10b968121c",
 "revCount": 6618,
 "type": "git",
diff --git a/flake.nix b/flake.nix
index bae9a27..05116dd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 ./services/forgejo.nix
 ./services/forgejo-runner.nix
 ./services/borgbackup.nix
+ ./services/gotosocial.nix
 # ./services/akkoma.nix
 ];
 };
@@ -96,6 +97,7 @@
 ./hosts/vps/disko-config.nix
 ./services/nginx.nix
 ./services/blog.nix
+ ./services/phanpy.nix
 ./services/coturn.nix
 ./services/livekit.nix
 ./services/lk-jwt.nix
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 0009360..0ffb849 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -21,4 +21,12 @@
 SSH_LISTEN_PORT = 2222;
 };
 };
+
+ # Forgejo binds HTTP to 10.10.0.2 (the wg0 inner address). Without this
+ # ordering, forgejo races wireguard at boot, fails to bind, and stays up
+ # only on its all-interfaces SSH listener — leaving the web UI 502'd.
+ systemd.services.forgejo = {
+ after = [ "wireguard-wg0.service" ];
+ requires = [ "wireguard-wg0.service" ];
+ };
 }
diff --git a/services/gotosocial.nix b/services/gotosocial.nix
new file mode 100644
index 0000000..4d5f548
--- /dev/null
+++ b/services/gotosocial.nix
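Review bot: The `requires = [ "wireguard-wg0.service" ]` line hard-codes the unit name that the `networking.wireguard.interfaces` module generates; if wg0 is ever moved to a wg-quick style definition the unit would be named differently, and a `requires` on a unit that does not exist fails forgejo's start job outright rather than merely leaving it unordered. That coupling is worth one line next to the existing comment, e.g. `# Unit name follows networking.wireguard.interfaces.wg0; keep in sync if wg0 is redefined.`. The ordering itself assumes the wireguard unit only reports active once 10.10.0.2 is configured on the interface, which looks right for the NixOS module but is not visible here. The enclosing attribute set of services/forgejo.nix begins outside the hunk.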
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8080 ];
+
+ services.gotosocial = {
+ enable = true;
+
+ settings = {
+ application-name = "gotosocial";
+ host = "fedi.ellie.town";
+ protocol = "https";
+
+ bind-address = "10.10.0.2";
+ port = 8080;
+
+ trusted-proxies = [ "10.10.0.1/32" ];
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/database.sqlite";
+
+ storage-backend = "local";
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ letsencrypt-enabled = false;
+
+ accounts-registration-open = false;
+ accounts-approval-required = true;
+ accounts-reason-required = false;
+ accounts-allow-custom-css = false;
+
+ instance-languages = [ "en" ];
+ instance-expose-public-timeline = true;
+ instance-expose-peers = false;
+ instance-deliver-to-shared-inboxes = true;
+ instance-federation-mode = "blocklist";
+
+ media-image-strip-metadata = true;
+ media-local-max-size = "40MiB";
+ media-remote-max-size = "40MiB";
+ media-cleanup-from = "00:00";
+ media-cleanup-every = "24h";
+
+ smtp-host = "";
+ };
+ };
+}
diff --git a/services/phanpy.nix b/services/phanpy.nix
new file mode 100644
index 0000000..c78609f
--- /dev/null
+++ b/services/phanpy.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+let
+ phanpy = pkgs.stdenv.mkDerivation rec {
+ pname = "phanpy";
+ version = "2026.02.24.48b2cf7";
+
+ src = pkgs.fetchzip {
+ url = "https://github.com/cheeaun/phanpy/releases/download/${version}/phanpy-dist.zip";
+ hash = "sha256-55DI7tr3wvf/jC9S/J71I2YgIKqyPXODKSkZo5SqJM8=";
+ stripRoot = false;
+ };
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out
+ cp -r * $out/
+
+ runHook postInstall
+ '';
+ };
+in
+{
+ services.nginx.virtualHosts."phanpy.ellie.town" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "${phanpy}";
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ /index.html";
+ };
+ };
+}
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index b6f148f..a4bd435 100644
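Review bot: `bind-address = "10.10.0.2"` puts gotosocial in exactly the boot race that the services/forgejo.nix hunk of this same commit fixes for forgejo — it binds the wg0 inner address but gets no `after`/`requires` on `wireguard-wg0.service`, so on a cold boot it can fail to bind before the tunnel address exists (whether the NixOS unit then restarts it is not visible here). The same two-line systemd ordering should be added to this file. Separately, `media-local-max-size = "40MiB"` is byte-equal to the `client_max_body_size 40m` set for fedi.ellie.town in the wireguard-outer hunk, which leaves no headroom for multipart framing, so a maximum-size upload would most likely be cut off by nginx with a 413 before gotosocial sees it; giving nginx a slightly larger limit avoids that. A short header comment would also help a later reader, e.g. `# Reachable only over wg0: nginx on 10.10.0.1 terminates TLS and proxies to 10.10.0.2:8080, hence the trusted-proxies entry and the wg0-only firewall rule.`.
```nix
# … unchanged: networking.firewall and services.gotosocial settings …

# Same boot-order fix as forgejo: the service binds the wg0 inner address.
systemd.services.gotosocial = {
  after = [ "wireguard-wg0.service" ];
  requires = [ "wireguard-wg0.service" ];
};
```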
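Review bot: `cp -r * $out/` in installPhase relies on shell globbing, which skips dot-prefixed entries, so any dotfile in the unpacked release zip would be silently absent from the served tree; `cp -r . $out/` copies the whole unpacked directory and is the safer spelling even if the current archive has none. The derivation has no build step to run, so `dontBuild = true;` would also make the intent explicit rather than letting the default buildPhase look for a Makefile. A one-line comment at the top of the let binding would help, e.g. `# Prebuilt static Phanpy web client; the tryFiles fallback to /index.html exists for its client-side routing.`.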
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -88,28 +88,20 @@
 };
 };
- # virtualHosts."akkoma.ellie.town" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://10.10.0.2:4000";
- # proxyWebsockets = true;
- # extraConfig = ''
- # client_max_body_size 16m;
- # '';
- # };
- # };
-
- # virtualHosts."media.ellie.town" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://10.10.0.2:4000";
- # extraConfig = ''
- # client_max_body_size 16m;
- # '';
- # };
- # };
+ virtualHosts."fedi.ellie.town" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /".extraConfig = ''
+ return 302 /@ellie;
+ '';
+ locations."/" = {
+ proxyPass = "http://10.10.0.2:8080";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 40m;
+ '';
+ };
+ };
 virtualHosts."forgejo.ellie.town" = {
 enableACME = true;