diff --git a/DEVDOC.md b/DEVDOC.md index 35a7e2d..4b8567e 100644 --- a/DEVDOC.md +++ b/DEVDOC.md @@ -21,3 +21,5 @@ Enable an ssh server on the remote host, then on the local machine set `.ssh/config` to have a profile for your desired host and have a key pair that's authorised to your desired user. + +NOTE: these keys must have permission 600 (only readable/writable by you) diff --git a/deploy-remote b/deploy-remote index 0a4f6ae..5df3777 100755 --- a/deploy-remote +++ b/deploy-remote @@ -2,4 +2,4 @@ # Deploy to all Colmena hives colmena build -colmena apply +colmena apply --verbose diff --git a/flake.nix b/flake.nix index c743676..fa20c71 100755 --- a/flake.nix +++ b/flake.nix @@ -48,13 +48,27 @@ config.allowUnfree = true; }; + # Colmena's latest stable version is + # unusable so get latest unstable version. + #pkgsColmena = import (builtins.fetchGit { + # name = "nixpkgs-unstable-colmena"; + # url = "https://github.com/NixOS/nixpkgs/"; + # ref = "refs/heads/nixpkgs-unstable"; + # rev = "21808d22b1cda1898b71cf1a1beb524a97add2c4"; + #}) {}; + pkgsColmena = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/21808d22b1cda1898b71cf1a1beb524a97add2c4.tar.gz"; + sha256 = "0v2z6jphhbk1ik7fqhlfnihcyff5np9wb3pv19j9qb9mpildx0cg"; + }) {inherit system;}; + + # TODO: come back to this its really cool # this is just something I'm experimenting with PROJECT_ROOT = builtins.toString ./.; in { - # shell for `nix develop` - devShells."x86_64-linux".default = pkgs.mkShell { - buildInputs = with pkgs; [ - colmena + # `nix develop` shell + devShells."x86_64-linux".default = pkgsColmena.mkShell { + buildInputs = [ + pkgsColmena.colmena ]; }; diff --git a/homes/me/default.nix b/homes/me/default.nix index 5089d29..35f92f2 100755 --- a/homes/me/default.nix +++ b/homes/me/default.nix 
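Review bot: In flake.nix the `pkgsColmena` pin is fetched with `builtins.fetchTarball` inside the `let` block, so this second nixpkgs never appears in flake.lock and will be missed by `nix flake update` and by anything that audits the lock file. The rev and sha256 do fix the content, which is good. Declaring it as a flake input instead, e.g. `nixpkgs-colmena.url = "github:NixOS/nixpkgs/21808d22b1cda1898b71cf1a1beb524a97add2c4";`, and importing that with `inherit system` keeps the same pin while recording it in the lock. The commented-out `fetchGit` variant above it could then be deleted. The `inputs` block is outside this hunk, so the exact placement is for the author to confirm.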
@@ -104,6 +104,8 @@ # (all we need is hyrule, everything else is through wishlist) ssh = { enable = true; + addKeysToAgent = "yes"; # always add keys to ssh-agent + matchBlocks = { hyrule = { hostname = "imbored.dev"; @@ -145,6 +147,9 @@ */ }; + # enable OpenSSH private key agent + services.ssh-agent.enable = true; + # ----- SERVICES ----- # Nicely reload system units when changing configs systemd.user.startServices = "sd-switch"; diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix index 1d5286c..04cc150 100755 --- a/hosts/hyrule/default.nix +++ b/hosts/hyrule/default.nix @@ -36,8 +36,17 @@ in { # colmena deployment configuration deployment = { targetHost = "imbored.dev"; - targetPort = 22; targetUser = "ae"; + targetPort = 22; + sshOptions = "-i ~/.ssh/id_hyrule"; + #keys = { + # "imbored.dev" = { + # # text, keyCommand, or keyFile must be set + # # text = ""; + # #keyCommand = [ "" ]; + # keyFile = "/home/me/.ssh/id_hyrule"; + # }; + #}; buildOnTarget = false; # build locally then deploy }; @@ -68,7 +77,7 @@ in { # primary user ae = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = ["wheel" "networkmanager"]; shell = pkgs.bash; home = "/home/ae"; # TEMP: remove and replace with home-manager packages = with pkgs; [
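Review bot: In homes/me/default.nix, `addKeysToAgent = "yes"` together with `services.ssh-agent.enable = true;` in the second hunk leaves every key that gets used loaded in the agent for the whole session, with no lifetime and no prompt on use. Any process running as this user, and any host the agent is ever forwarded to, can then sign with those keys, presumably including the deployment key for hyrule. OpenSSH also accepts `confirm` or a time interval for this option, so `addKeysToAgent = "confirm";` or `addKeysToAgent = "1h";` would bound the exposure. The `ssh` block continues outside the hunk.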
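Review bot: In hosts/hyrule/default.nix the commented-out `keys` block is not an SSH identity setting: Colmena's `deployment.keys` uploads the named secret to the target node, so enabling it as written would copy the private key `/home/me/.ssh/id_hyrule` onto imbored.dev. It is safer to delete the block than to leave it as a ready-to-uncomment example. Separately, Colmena documents `sshOptions` as a list of strings, so `sshOptions = ["-i" "~/.ssh/id_hyrule"];` is the form I would expect here; please check that the single string evaluates. Since DEVDOC.md already asks for a `.ssh/config` profile, an `IdentityFile` entry there would avoid hard-coding the key path in the host config.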