diff --git a/README.md b/README.md
index 9a33301..7fecd12 100644
--- a/README.md
+++ b/README.md
@@ -1,43 +1,45 @@ -# How to start up a mastodon VM +# Fediverse VMs + +This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. This is in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver). + +Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs. + +## Running the VMs + +you can build a VM using ```bash -nixos-rebuild build-vm --flake .#mastodon +nixos-rebuild build-vm --flake .# +``` + +where `` is one of `mastodon`, `peertube`, `pixelfed`, or `all` + +and then run it with +```bash ./result/bin/run-nixos-vm ``` -Now you can access mastodon at +You can then access the apps on your local machine (using the magic of port forwarding) at the following addresses -- You will have to "accept the security risk". -- It may take a minute for the webpage to come online. Until then you will see 502 Bad Gateway +- Mastodon: + - You will have to "accept the security risk" + - It may take a minute for the webpage to come online. Until then you will see "502 Bad Gateway" + - (NOTE: currently broken) email sent from the mastodon instance (e.g. for setting up an account) will be accessible at -Remember that if you want to clear the state from one launch to the next, you should delete the `nixos.qcow2` file that is created. +- PeerTube: + - The root account can be accessed with username "root". The password can be obtained by running the following command on the VM: + ```bash + journalctl -u peertube | perl -ne '/password: (.*)/ && print $1' + ``` + - Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. 
But functionality can also be tested from the root account. -- email, when it works, will be accessible at - -## peertube - -```bash -nixos-rebuild build-vm --flake .#peertube -./result/bin/run-nixos-vm -``` - -Now you can access peertube at - -The root account can be logged in with username "root". The password can be obtained with the command -```bash -journalctl -u peertube | perl -ne '/password: (.*)/ && print $1' -``` - -or just - -```bash -journalctl -u peertube | grep password -``` - -and look at the end of the line. - -Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. But functionality can also be tested from the root account. +## debugging notes +- it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded) +- relevant systemd services: + - mastodon-web.service + - peertube.service + - unclear yet which pixelfed services are useful # TODOs
@@ -57,6 +59,7 @@ Creating other accounts has to be enabled via the admin interface. `Administrati
 - [x] don't require proxy server - either forward 443 directly, or get mastodon to accept connections on a different port (maybe 3000? see development environment documentation) - [ ] get letter_opener working
+- [ ] share resources (e.g. s3 storage) between the services
 # resources
diff --git a/common.nix b/common.nix
index 1ec8c20..e3ac132 100644
--- a/common.nix
+++ b/common.nix
@@ -32,6 +32,13 @@
 "-mon chardev=char0,mode=readline"
 "-device virtconsole,chardev=char0,nr=0"
 ];
+ # forwardPorts = [
+ # {
+ # from = "host";
+ # host.port = 2222;
+ # guest.port = 22;
+ # }
+ # ];
 };
 };
 }
diff --git a/flake.nix b/flake.nix
index a002450..d381e12 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,16 @@
 inherit system;
 modules = [ ./common.nix ./peertube.nix ];
 };
+
+ pixelfed = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./common.nix ./pixelfed.nix ];
+ };
+
+ all = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./common.nix ./mastodon.nix ./peertube.nix ./pixelfed.nix ];
+ };
 };
 devShells.${system}.default = pkgs.mkShell {
diff --git a/mastodon.nix b/mastodon.nix
index 6a80420..77546d8 100644
--- a/mastodon.nix
+++ b/mastodon.nix
@@ -67,17 +67,13 @@
 host.port = 44443;
 guest.port = 443;
 }
- {
- from = "host";
- host.port = 2222;
- guest.port = 22;
- }
 ];
 };
 } # mastodon development environment
 {
+ networking.firewall.allowedTCPPorts = [ 55001 ];
 virtualisation.vmVariant = { config, ... }: {
 services.mastodon = {
 # needed so we can directly access mastodon at port 55001
@@ -85,7 +81,7 @@
 enableUnixSocket = false;
 extraConfig = {
 RAILS_ENV = "development";
- # for letter_opener
+ # for letter_opener (still doesn't work though)
 REMOTE_DEV = "true";
 };
 };
@@ -123,7 +119,7 @@
 # rails db:migrate
 fi '';
- virtualisation.forwardPorts = lib.mkForce [
+ virtualisation.forwardPorts = [
 {
 from = "host";
 host.port = 55001;
diff --git a/peertube.nix b/peertube.nix
index 195832c..3eb6d45 100644
--- a/peertube.nix
+++ b/peertube.nix
@@ -13,11 +13,11 @@
 instance.name = "PeerTube Test VM";
 };
 # TODO: use agenix
- secrets.secretsFile = pkgs.runCommand "secret-gen" {
- nativeBuildInputs = [ pkgs.openssl ];
- } ''
- openssl rand -hex 32 > $out
+ secrets.secretsFile = pkgs.writeText "secret" ''
+ 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
 '';
+
+ # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
 redis.createLocally = true;
 database.createLocally = true;
 configureNginx = true;
diff --git a/pixelfed.nix b/pixelfed.nix
new file mode 100644
index 0000000..186fc8b
--- /dev/null
+++ b/pixelfed.nix
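Review bot: The new `all` configuration stacks mastodon.nix, peertube.nix and pixelfed.nix, and each of those modules (as far as this diff shows) sets `virtualisation.forwardPorts` and `networking.firewall.allowedTCPPorts` as plain lists, so the module system concatenates them rather than letting one win. That only works while every module forwards a distinct `host.port` — 44443 and 55001 in mastodon.nix and 8000 in pixelfed.nix are distinct, but peertube.nix's forwards are not visible here — and a duplicate would make QEMU fail to bind at VM start. A one-line comment above `all`, e.g. `# module lists are merged, so each module must forward distinct host ports`, would record that assumption for the next person.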
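Review bot: `networking.firewall.allowedTCPPorts = [ 55001 ];` is added to the module body, outside `virtualisation.vmVariant`, so it opens the development-server port on any non-VM build of this configuration too, while the `services.mastodon` settings that need it (`RAILS_ENV = "development"`, the port-55001 access) are scoped to the vmVariant. pixelfed.nix in this same commit puts its `networking.firewall.allowedTCPPorts = [ 80 ];` inside `virtualisation.vmVariant`; doing the same here keeps the two files consistent and keeps the port closed outside the VM: `virtualisation.vmVariant = { config, ... }: {` followed by `networking.firewall.allowedTCPPorts = [ 55001 ];` as its first attribute. The module this line lands in continues past the end of the hunk.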
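Review bot: Dropping `lib.mkForce` changes this `virtualisation.forwardPorts` from overriding to merging with the 44443→443 forward in the first module of the file (visible in the -67 hunk), so both forwards are now active in the mastodon VM, and nothing in the hunk records that this is deliberate. A comment on the line, e.g. `# intentionally merged (no mkForce) with the other forwardPorts entries in this file`, would make the intent explicit. If `lib` was only referenced for this mkForce, the module's `lib` argument may now be unused; the module header is outside the hunk.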
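Review bot: The removed `pkgs.runCommand` derivation already placed the generated secret in the world-readable /nix/store, so `pkgs.writeText` is not a regression there, but the literal hex value now also lives in the repository and its git history, which is a different exposure class. The existing `# TODO: use agenix` should say explicitly that this is a throwaway test-VM value, e.g. `# TODO: use agenix. Test-VM-only secret, committed on purpose; must be replaced before any non-VM use.`. The same comment belongs next to the `APP_KEY` that the new pixelfed.nix writes with `pkgs.writeText` in this commit.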
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.vmVariant = {
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ services.pixelfed = {
+ enable = true;
+ domain = "pixelfed.localhost";
+ secretFile = pkgs.writeText "secrets.env" ''
+ APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+ '';
+ settings = {
+ OPEN_REGISTRATION = true;
+ FORCE_HTTPS_URLS = false;
+ };
+ # TODO: I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options here
+ nginx = {};
+ };
+ virtualisation.forwardPorts = [
+ {
+ from = "host";
+ host.port = 8000;
+ guest.port = 80;
+ }
+ ];
+ };
+}
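Review bot: The module header binds `config` and `lib` but the body only uses `pkgs`; `{ pkgs, ... }: {` is enough and avoids suggesting the other two matter. Separately, `domain = "pixelfed.localhost"` while the VM is reached as `localhost:8000` through the 8000→80 forward means the Host header nginx sees will not be `pixelfed.localhost`; whether the vhost generated from `nginx = {}` still answers such requests depends on module internals this diff does not show, so a short comment on `domain` recording which URL actually works once tested would help whoever writes the missing README entry for Pixelfed.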