diff --git a/README.md b/README.md
index d8f6210..3f0626f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
-Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs.
+Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
 ## Running the VMs
@@ -76,6 +76,10 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
 When mastodon is running in production mode, we have a few problems:
 - you have to click "accept the security risk"
 - it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
+ - reverse proxy should produce a user friendly page regardless
+ - might be needed for upgrade downtime too?
+ - don't send users over until it's up
 - email sent from the mastodon instance (e.g. for account confirmation) should be accessible at , but it's not working.
+ - maybe the admin account should be managed entirely by fediversity anyway?
diff --git a/common.nix b/common.nix
index 150afaa..df919e1 100644
--- a/common.nix
+++ b/common.nix
@@ -1,4 +1,6 @@
 { pkgs, ... }: {
+
+ # Customize nixos-rebuild build-vm to be a bit more convenient
 virtualisation.vmVariant = {
 # let us log in
 users.mutableUsers = false;
diff --git a/garage.nix b/garage.nix
index e7ad923..ceed3a7 100644
--- a/garage.nix
+++ b/garage.nix
@@ -55,6 +55,7 @@ in
 type = types.str;
 };
 # TODO: assert at least one of these is true
+ # currently, needs to be done in the top level module
 ensureAccess = mkOption {
 type = types.attrsOf (types.submodule {
 options = {
@@ -106,6 +107,8 @@ in
 settings = {
 replication_mode = "none";
 # TODO: use a secret file
+ # I'd like to have a NixOS module that declares the need for a secret file
+ # that way, the need can be met by any secrets solution (agenix, sops-nix, colmena, a nixops4 module, ...)
 rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
 # TODO: why does this have to be set? is there not a sensible default?
 rpc_bind_addr = "[::]:3901";
@@ -133,6 +136,7 @@ in
 # also, it's crazy that we have to parse command output like this
 # TODO: talk to garage maintainer about making this nicer to work with in Nix
 # before I do that though, I should figure out how setting it up across multiple machines will work
+ # You could ask for a change or `--json` flag anyway, and maybe tell them what you're working on.
 GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
 garage layout assign -z g1 -c 1G $GARAGE_ID
 LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
@@ -151,7 +155,7 @@ in
 # TODO: should this --deny the website if `website` is false?
 ${lib.optionalString website ''
- garage bucket website --allow ${bucket}
+ garage bucket website --allow ${/* more robust: */ lib.strings.escapeShellArg bucket}
 ''}
 ${lib.concatStringsSep "\n" (map (alias: ''
@@ -160,6 +164,8 @@ in
 ${lib.optionalString corsRules.enable ''
 # TODO: can i turn this whole thing into one builtins.toJSON?
+ # why not :D
+ # we also have `lib.strings.escapeShellArg` for the quoting
 export CORS=${lib.concatStrings [ "'" ''{"CORSRules":[{''
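Review bot: The `rpc_secret` literal directly below the two new comment lines is still a hard-coded secret committed to the repository, and because it lives in `services.garage.settings` it is rendered into the generated Garage config in the world-readable Nix store on every host that evaluates this module; the comment records the wish for a secrets-declaration module but leaves that exposure unchanged. A value that has been in git history has to be treated as compromised whatever mechanism replaces it later, so the TODO is more useful stated as `# TODO: this value is in git history and the Nix store; rotate it and load it from outside the store before any non-VM deployment`. As far as I recall the NixOS module already offers `services.garage.environmentFile` and Garage reads `GARAGE_RPC_SECRET` from its environment (newer releases also accept `rpc_secret_file`), which covers the immediate need without waiting for the generic module the comment describes. Nothing in the hunk stops the current literal from shipping as-is.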
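Review bot: In the `@@ -133,6 +136,7 @@` hunk `GARAGE_ID` is used unquoted on the line after its assignment with no check that the `perl` extraction produced anything; since stderr of `garage node id` is discarded, a failing command or a changed output format yields an empty id and `garage layout assign -z g1 -c 1G` runs with a missing argument. Whether that aborts or silently continues depends on the enclosing script, whose start (and any `set -euo pipefail`) is outside the hunk, so the guard belongs next to the parsing the new comment talks about: `[ -n "$GARAGE_ID" ] || { echo "could not determine garage node id" >&2; exit 1; }` after the assignment, and `"$GARAGE_ID"` on the assign line. The same applies to `LAYOUT_VER` on the following line, which is parsed the same way. The added comment about asking upstream for a `--json` flag is fine, but the guard is what keeps the script honest until that exists.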
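Review bot: In the `@@ -151,7 +155,7 @@` hunk `bucket` is now escaped with `escapeShellArg` for `garage bucket website --allow`, but the same name is still spliced raw elsewhere in the same script: `garage bucket deny --read --write --owner ${bucket} --key tmp` in the `@@ -175,6 +181,7 @@` hunk, and presumably the `alias` values handed to `map` just below this change (their use is outside the hunk). These names come from the module's `ensureBuckets` options rather than from untrusted input, so this is robustness and consistency rather than injection, but a bucket name containing a space, quote or glob character would now pass this command and break the others. Since the per-bucket block starts outside the hunk I cannot see its head, but binding the escaped form once there, e.g. `let b = lib.strings.escapeShellArg bucket; in`, and using `${b}` throughout would make the quoting uniform, and the inline `/* more robust: */` reads as a note-to-self rather than documentation and could go.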
@@ -175,6 +181,7 @@ in
 garage bucket deny --read --write --owner ${bucket} --key tmp
 ''}
 '') config.services.garage.ensureBuckets)
+ # probably nice to factor this out into a function
 }
 ${
 lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
diff --git a/mastodon.nix b/mastodon.nix
index 43e724f..98567a8 100644
--- a/mastodon.nix
+++ b/mastodon.nix
@@ -101,9 +101,8 @@ in
 # but it also must be a positive integer
 streamingProcesses = let
 ncores = config.virtualisation.cores;
- max = x: y: if x > y then x else y;
 in
- max 1 (ncores - 1);
+ lib.max 1 (ncores - 1);
 };
 security.acme = {
@@ -160,7 +159,10 @@ in
 };
 # run rails db:seed so that mastodon sets up the databases for us
+ # iirc the postgresql module can also do this kind of thing
 systemd.services.mastodon-init-db.script = lib.mkForce ''
+ # This conditional freaks me out
+ # Maybe configure psql to output in a more machine-readable format?
 if [ `psql -c \
 "select count(*) from pg_class c \
 join pg_namespace s on s.oid = c.relnamespace \
diff --git a/thoughts b/thoughts
new file mode 100644
index 0000000..90a693e
--- /dev/null
+++ b/thoughts
@@ -0,0 +1,12 @@
+
+ # `ensureBuckets`
+
+ Should be replaced by a resource that creates the bucket, so that we can manage its whole lifecycle, including updates (authz?) and deletion; possibly a generic S3 bucket resource? - we'll see.
+ Fine solution for now.
+ Perhaps also useful in a NixOS module, but could also be tech debt if nobody uses it.
+
+ # More exploration
+
+ - Use NixOS test framework?
+ - Write test that upgrades garage
+
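Review bot: In the mastodon.nix `@@ -160,7 +159,10 @@` hunk, the `if [ \`psql -c ...` test that the two new comments point at has a correctness problem beyond readability: the backtick substitution is unquoted, so when `psql` fails (database not yet up, authentication error) it expands to nothing and `[` is handed a malformed expression instead of a count, which depending on the rest of the condition (it continues outside the hunk) either aborts the unit or takes the wrong branch and runs `db:seed` against an already populated database. I would capture the result first and refuse anything that is not a number, e.g. `count=$(psql -tA -c "select count(*) ...")` keeping the existing query, then `case "$count" in (''|*[!0-9]*) echo "unexpected psql output: $count" >&2; exit 1;; esac`, and finally `if [ "$count" -eq 0 ]; then`. `-tA` (tuples-only, unaligned) is the machine-readable psql output the second comment asks about, so the comment can be replaced by that change rather than kept as an open question.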