diff --git a/hosts/skydick/disko.nix b/hosts/skydick/disko.nix
index aeaf530..203faa5 100644
--- a/hosts/skydick/disko.nix
+++ b/hosts/skydick/disko.nix
@@ -49,7 +49,6 @@
 rootFsOptions = {
 compression = "lz4";
 atime = "off";
-relatime = "on";
 xattr = "sa";
 acltype = "posixacl";
 dnodesize = "auto";
diff --git a/hosts/xlab-gateway/hardware-configuration.nix b/hosts/xlab-gateway/hardware-configuration.nix
index 561bef5..7e05cd6 100644
--- a/hosts/xlab-gateway/hardware-configuration.nix
+++ b/hosts/xlab-gateway/hardware-configuration.nix
@@ -16,6 +16,5 @@
 # Disk and filesystem declarations managed by disko.nix
 # networking.useDHCP managed by networking.nix (systemd-networkd)
-nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/hosts/xlab-gateway/networking.nix b/hosts/xlab-gateway/networking.nix
index f1c6ee1..853d347 100644
--- a/hosts/xlab-gateway/networking.nix
+++ b/hosts/xlab-gateway/networking.nix
@@ -36,6 +36,25 @@
 }
 }
+table inet input_filter {
+chain input {
+type filter hook input priority filter; policy drop;
+ct state established,related accept
+iif lo accept
+
+# LAN, management, and WireGuard — trust fully
+iifname { "bond.lan254", "bond.mgmt", "wg-to-wgnet", "wg-to-skyworks" } accept
+
+# WAN — DHCP client replies (v4 + v6)
+iifname "wan99.0" udp sport 67 udp dport 68 accept
+iifname "wan99.0" udp sport 547 udp dport 546 accept
+
+# ICMP/ICMPv6 for path MTU discovery and diagnostics
+ip protocol icmp accept
+ip6 nexthdr icmpv6 accept
+}
+}
+
 table ip6 filter {
 chain forward {
 type filter hook forward priority filter; policy drop;
@@ -46,7 +65,7 @@
 table inet nat {
 chain postrouting {
-type nat hook postrouting priority filter; policy accept;
+type nat hook postrouting priority srcnat; policy accept;
 oifname "wan99.0" masquerade
 oifname "bond.mgmt" masquerade
 }
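Review bot: Removing `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` from hardware-configuration.nix leaves this host with no platform declaration in the file, so evaluation now depends on it being set elsewhere (the flake's `nixosSystem` call or another module), which is not visible in this diff — please confirm before deploying. If this file is still regenerated with `nixos-generate-config`, the next regeneration will silently reintroduce the line; a comment such as `# nixpkgs.hostPlatform is declared by the flake, not here` next to the other "managed by" comments would make that visible to whoever regenerates it.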
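Review bot: With `policy drop` on the new `input` chain in networking.nix, inbound WireGuard handshakes arriving on `wan99.0` are dropped: the trusted `iifname` set covers the decrypted `wg-to-*` interfaces, not the encrypted UDP they ride on, and no rule accepts a WireGuard listen port on WAN. That only matters if a peer initiates toward this gateway (the WireGuard config is not in this diff); if so, add `iifname "wan99.0" udp dport <wg-listen-port> accept` next to the DHCP rules. Two smaller points in the same chain: a `ct state invalid drop` line ahead of `ct state established,related accept` is the usual companion to a drop policy, and `ip6 nexthdr icmpv6` matches only when ICMPv6 is the first next header, so `meta l4proto ipv6-icmp accept` is the more robust form (it also catches packets carrying extension headers, e.g. MLD reports with the Router Alert option). The two accept-all ICMP rules apply to WAN as well; that reads as deliberate, but a rate limit on echo-request is cheap if ping floods are a concern.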
diff --git a/modules/common.nix b/modules/common.nix
index 3943b8d..d03850a 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -7,7 +7,7 @@
 nix.settings = {
 experimental-features = [ "nix-command" "flakes" ];
 auto-optimise-store = true;
-trusted-users = [ "root" "ldx" ];
+trusted-users = [ "root" "ldx" "ye-lw21" ];
 substituters = [
 "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
 "https://cache.nixos.org/"
diff --git a/modules/users.nix b/modules/users.nix
index d7fb8f6..cefe20c 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -22,10 +22,11 @@
 security.sudo.wheelNeedsPassword = true;
 # deploy-rs needs full NOPASSWD sudo — it runs activate-rs, nix-env,
-# switch-to-configuration, and confirmation commands via non-interactive SSH
+# switch-to-configuration, and confirmation commands via non-interactive SSH.
+# Only ldx is the deploy user; ye-lw21 uses password sudo via wheel.
 security.sudo.extraRules = [
 {
-users = [ "ldx" "ye-lw21" ];
+users = [ "ldx" ];
 commands = [
 { command = "ALL"; options = [ "NOPASSWD" ]; }
 ];
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ed2afd2..ce381f5 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
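Review bot: Adding `ye-lw21` to `nix.settings.trusted-users` in common.nix grants that account what the Nix manual describes as effectively root-equivalent access to the daemon (trusted users can add substituters and trusted public keys, import unsigned store paths and override daemon settings), which largely undoes the privilege reduction the users.nix hunk makes by dropping `ye-lw21` from the NOPASSWD sudo rule. If the account only needs the binary caches already configured, the daemon serves those to every user without trust; if it genuinely needs to push to substituters or run remote builds, keep the entry but record the reason and the cost, e.g. `# ye-lw21 is trusted for remote builds — this is root-equivalent on the daemon`. The new users.nix comment also says ye-lw21 gets password sudo via wheel, which requires the account to carry `extraGroups = [ "wheel" ]`; that definition is outside this diff, so confirm it or the account loses sudo entirely.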
@@ -1,21 +1,25 @@
 let
-# Admin key (ldx's SSH key)
-admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMNHFTC5HMO3IsggHpA+eVSCyhZSmDZz7aV62IFt7sj";
+# Admin keys
+ldx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMNHFTC5HMO3IsggHpA+eVSCyhZSmDZz7aV62IFt7sj";
+# TODO: ylw to provide ed25519 SSH public key (RSA keys cannot be used with age)
+# ylw = "ssh-ed25519 AAAA...";
+
+admins = [ ldx ]; # Add ylw here once key is provided
 # Host keys
 skydick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnuvNClEXwMEP0IVNZ8GM1V93eU+QMmBqM5R8TM1Sx2";
 # xlab-gateway = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+EKDpUPWahclzYF6o26AWfrRyZ3bW7D3l9oMo2J6Eg";
 xlab-gateway = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnbHZ/dHWqeWIzTjqYTI2uCEFnEJEu4aFfd0U3KT+C0";
-
+
 in {
-"skydick-wg.age".publicKeys = [ admin skydick ];
-"xlab-wg-skyworks.age".publicKeys = [ admin xlab-gateway ];
-"xlab-wg-wgnet.age".publicKeys = [ admin xlab-gateway ];
-"xlab-wg-wgnet-psk.age".publicKeys = [ admin xlab-gateway ];
-"xlab-wg-warp.age".publicKeys = [ admin xlab-gateway ];
-"influxdb-token.age".publicKeys = [ admin skydick ];
-"skydick-ldap-bind.age".publicKeys = [ admin skydick ];
-"skydick-samba-ldap-admin.age".publicKeys = [ admin skydick ];
+"skydick-wg.age".publicKeys = admins ++ [ skydick ];
+"xlab-wg-skyworks.age".publicKeys = admins ++ [ xlab-gateway ];
+"xlab-wg-wgnet.age".publicKeys = admins ++ [ xlab-gateway ];
+"xlab-wg-wgnet-psk.age".publicKeys = admins ++ [ xlab-gateway ];
+"xlab-wg-warp.age".publicKeys = admins ++ [ xlab-gateway ];
+"influxdb-token.age".publicKeys = admins ++ [ skydick ];
+"skydick-ldap-bind.age".publicKeys = admins ++ [ skydick ];
+"skydick-samba-ldap-admin.age".publicKeys = admins ++ [ skydick ];
 }
 # 重装系统一定要备份原机器的 ssh ed25519 私钥
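Review bot: The `# Add ylw here once key is provided` comment on the new `admins` list omits the step that actually matters: adding a recipient later changes nothing in the existing `.age` files, so every secret in the `in { ... }` set must be re-encrypted (`agenix --rekey`) by someone whose key already decrypts them, or the new admin still cannot read anything; say so in the comment, e.g. `# Add ylw here once key is provided, then run agenix --rekey so existing secrets include the new recipient`. The TODO's claim that RSA keys cannot be used with age is, as far as I know, inaccurate — age and agenix accept `ssh-rsa` recipients as well as `ssh-ed25519`, so if ed25519 is a project standard rather than a hard limit, word it that way. The commented-out former `xlab-gateway` host key is kept as context; if that key was retired on reinstall and the secrets were rekeyed away from it, the stale line is just one more thing for a reader to verify and can go.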