diff --git a/hosts/cube/grafana/default.nix b/hosts/cube/grafana/default.nix
index 39e6ac3..321d22e 100644
--- a/hosts/cube/grafana/default.nix
+++ b/hosts/cube/grafana/default.nix
@@ -38,7 +38,7 @@ in { database.user = "grafana"; server.domain = fqdn; - server.http_addr = "[::1]"; + server.http_addr = "::1"; server.http_port = port; users.default_theme = "system";
@@ -75,4 +75,3 @@ in {
 };
 };
 }
-
diff --git a/hosts/cube/matrix/default.nix b/hosts/cube/matrix/default.nix
index db6ff83..4db543a 100644
--- a/hosts/cube/matrix/default.nix
+++ b/hosts/cube/matrix/default.nix
@@ -7,29 +7,40 @@ fqdn = "chat.${domain}"; port = 8002; - configClient."m.homeserver".base_url = "https://${fqdn}"; - configServer."m.server" = "${fqdn}:443"; + wellKnownResponse = data: /* nginx */ '' + ${config.services.nginx.headers} + add_header Access-Control-Allow-Origin * always; - configWellKnownResponse.locations = let - wellKnownResponse = data: '' - ${config.services.nginx.headers} - add_header Access-Control-Allow-Origin *; + default_type application/json; + return 200 '${strings.toJSON data}'; + ''; - default_type application/json; - return 200 '${strings.toJSON data}'; - ''; - in { - "= /.well-known/matrix/client".extraConfig = wellKnownResponse configClient; - "= /.well-known/matrix/server".extraConfig = wellKnownResponse configServer; + configWellKnownResponse.locations = { + "= /.well-known/matrix/client".extraConfig = wellKnownResponse { + "m.homeserver".base_url = "https://${fqdn}"; + }; + + "= /.well-known/matrix/server".extraConfig = wellKnownResponse { + "m.server" = "${fqdn}:443"; + }; }; configNotFoundLocation = { - locations."/".extraConfig = "return 404;"; + extraConfig = /* nginx */ '' + error_page 404 /404.html; + ''; - extraConfig = "error_page 404 /404.html;"; - locations."/404".extraConfig = "internal;"; + locations."/".extraConfig = /* nginx */ '' + return 404; + ''; - locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;"; + locations."/404".extraConfig = /* nginx */ '' + internal; + ''; + + locations."/assets/".extraConfig = /* nginx */ '' + return 301 https://${domain}$request_uri; + ''; }; in { imports = [(self + /modules/nginx.nix)]; 
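Review bot: `wellKnownResponse` now emits `Access-Control-Allow-Origin` twice: once through `${config.services.nginx.headers}`, which per modules/nginx.nix in this same commit adds `Access-Control-Allow-Origin $allow_origin always`, and once through the new `add_header Access-Control-Allow-Origin * always;`. nginx appends on a repeated `add_header` rather than replacing, so whenever the `$allow_origin` map (defined in commonHttpConfig, not visible here) yields a non-empty value for the requesting Origin, browsers receive two ACAO values and fail the CORS check — which defeats the unconditional `*` the Matrix spec expects on /.well-known/matrix/client. I would not include the shared snippet in this helper; list only the headers that cannot conflict, e.g. `add_header Strict-Transport-Security $hsts_header always;` next to the `*` line, or make the map return an empty string for these two locations. The enclosing `let` that binds `wellKnownResponse` starts above the hunk.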
@@ -93,7 +104,7 @@ in { services.nginx.virtualHosts.${domain} = configWellKnownResponse; services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate configWellKnownResponse configNotFoundLocation { - root = "${pathSite}"; + root = pathSite; locations."/_matrix".proxyPass = "http://[::1]:${toString port}"; locations."/_synapse/client".proxyPass = "http://[::1]:${toString port}";
diff --git a/hosts/cube/nextcloud/default.nix b/hosts/cube/nextcloud/default.nix
index 6d5d2a6..1b612ed 100644
--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@@ -4,7 +4,7 @@ fqdn = "cloud.${domain}"; - packageNextcloud = pkgs.nextcloud29; + packageNextcloud = pkgs.nextcloud30; in { imports = [(self + /modules/nginx.nix)];
@@ -35,14 +35,15 @@ in { after = [ "postgresql.service" ]; requires = [ "postgresql.service" ]; - script = mkAfter '' - nextcloud-occ theming:config name "RGBCube's Depot" - nextcloud-occ theming:config slogan "RGBCube's storage of insignificant data." + script = mkAfter /* shell */ '' + # TODO: Nextcloud 30 removed these. Find another way. + # nextcloud-occ theming:config name "RGBCube's Depot" + # nextcloud-occ theming:config slogan "RGBCube's storage of insignificant data." - nextcloud-occ theming:config color "#000000" - nextcloud-occ theming:config background backgroundColor + # nextcloud-occ theming:config color "#000000" + # nextcloud-occ theming:config background backgroundColor - nextcloud-occ theming:config logo ${./icon.gif} + # nextcloud-occ theming:config logo ${./icon.gif} ''; };
@@ -98,10 +99,8 @@ in { extraAppsEnable = true; extraApps = { inherit (packageNextcloud.packages.apps) - bookmarks calendar contacts deck - forms impersonate mail # groupfolders impersonate mail - maps notes polls previewgenerator; # tasks; - # Add: files_markdown files_texteditor memories news + bookmarks calendar contacts deck forms + impersonate mail maps notes previewgenerator; }; nginx.recommendedHttpHeaders = true;
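Review bot: The `/_matrix` proxy location next to the changed `root = pathSite;` line relies on nginx's request-body limit, which on NixOS is `services.nginx.clientMaxBodySize = "10m"` unless it is raised somewhere not visible here, while Synapse's `max_upload_size` defaults to 50M — so media uploads above roughly 10 MB are answered 413 by nginx before Synapse sees them. Add `locations."/_matrix".extraConfig = "client_max_body_size 50M;";` (matching whatever `max_upload_size` is actually configured) beside the `proxyPass`. With `recommendedProxySettings` enabled in modules/nginx.nix, also confirm the Synapse listener sets `x_forwarded: true`, otherwise rate limiting and audit logs record `::1` instead of the client address. The virtualHost attribute set continues past the end of the hunk.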
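Review bot: `polls` disappears from the `extraApps` list without any trace in the config, presumably because `nextcloud30.packages.apps` no longer ships it, and the `# tasks` / `# Add:` reminders go with it; the previous style of leaving dropped apps commented (`# groupfolders`) was more self-documenting. A `# polls` at the end of the second line, or a one-line `# Removed in 30: polls` comment, keeps the record in the file. Worth noting while touching this list: `impersonate` stays enabled, and it lets any Nextcloud admin act as any user, so admin-account hygiene is the real boundary here. The enclosing `services.nextcloud` block starts outside the hunk.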
diff --git a/hosts/cube/site.nix b/hosts/cube/site.nix
new file mode 100644
index 0000000..202e4e8
--- /dev/null
+++ b/hosts/cube/site.nix
@@ -0,0 +1,3 @@
+{ self, ... }: {
+ imports = [(self + /modules/site.nix)];
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
index beacdc1..1f9255d 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -7,23 +7,20 @@ in { options.services.nginx.sslTemplate = mkConst { forceSSL = true; quic = true; - useACMEHost = config.networking.domain; + useACMEHost = domain; }; - options.services.nginx.headers = mkConst '' - # TODO: Not working for some reason. - add_header Access-Control-Allow-Origin $allow_origin; - add_header Access-Control-Allow-Methods $allow_methods; + options.services.nginx.headers = mkConst /* nginx */ '' + add_header Access-Control-Allow-Origin $allow_origin always; + add_header Access-Control-Allow-Methods $allow_methods always; - add_header Strict-Transport-Security $hsts_header; + add_header Strict-Transport-Security $hsts_header always; - add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none';" always; - add_header Referrer-Policy no-referrer; + add_header Referrer-Policy no-referrer always; - add_header X-Frame-Options DENY; - - add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY always; ''; config.networking.firewall = {
@@ -50,7 +47,7 @@ in { recommendedProxySettings = true; recommendedTlsSettings = true; - commonHttpConfig = '' + commonHttpConfig = /* nginx */ '' map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; }
diff --git a/modules/site.nix b/modules/site.nix
index 6e61477..3a52ffa 100644
--- a/modules/site.nix
+++ b/modules/site.nix
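Review bot: The new `services.nginx.headers` snippet weakens two shared protections at once: `script-src` now carries `'unsafe-inline'`, which lets any injected `<script>` execute and removes essentially all of the XSS mitigation the CSP provided, and `add_header X-Content-Type-Options nosniff;` is removed outright (the `- -` pair drops it together with the blank line) instead of gaining `always` like its neighbours. Because this snippet is re-included by every location that uses it — the matrix well-known responses and the site `/assets/` preflight in the other hunks — the loosening applies to all of those hosts, not just whichever page needed inline scripts. Restore `add_header X-Content-Type-Options nosniff always;`, and if one site really needs inline script, give it a nonce or hash (or a per-vhost CSP override) rather than relaxing the shared policy; adding `frame-ancestors 'none'` to the CSP would also be the modern counterpart of `X-Frame-Options DENY`. The `in { ... }` attribute set holding these options starts outside the hunk.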
@@ -5,8 +5,13 @@ pathSite = "/var/www/site"; configNotFoundLocation = { - extraConfig = "error_page 404 /404.html;"; - locations."/404".extraConfig = "internal;"; + extraConfig = /* nginx */ '' + error_page 404 /404.html; + ''; + + locations."/404".extraConfig = /* nginx */ '' + internal; + ''; }; in { imports = [(self + /modules/nginx.nix)];
@@ -17,11 +22,11 @@ in { locations."/".tryFiles = "$uri $uri.html $uri/index.html =404"; - locations."/assets/".extraConfig = '' + locations."/assets/".extraConfig = /* nginx */ '' if ($request_method = OPTIONS) { ${config.services.nginx.headers} - add_header Content-Type text/plain; - add_header Content-Length 0; + add_header Content-Type text/plain always; + add_header Content-Length 0 always; return 204; }
@@ -30,14 +35,21 @@ in { }; virtualHosts."www.${domain}" = merge config.services.nginx.sslTemplate { - locations."/".extraConfig = "return 301 https://${domain}$request_uri;"; + locations."/".extraConfig = /* nginx */ '' + return 301 https://${domain}$request_uri; + ''; }; virtualHosts._ = merge config.services.nginx.sslTemplate configNotFoundLocation { root = pathSite; - locations."/".extraConfig = "return 404;"; - locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;"; + locations."/".extraConfig = /* nginx */ '' + return 404; + ''; + + locations."/assets/".extraConfig = /* nginx */ '' + return 301 https://${domain}$request_uri; + ''; }; }; }
diff --git a/rebuild.nu b/rebuild.nu
index bf0e6e6..4002ef9 100755
--- a/rebuild.nu
+++ b/rebuild.nu
@@ -22,10 +22,7 @@ def main --wrapped [ ssh -q -tt $host $" cd ncc - # TODO: Migration artifact. Remove. - nix shell github:NixOS/nix --command nu -c ' - ./rebuild.nu ($host) ($arguments | str join ' ') - ' + ./rebuild.nu ($host) ($arguments | str join ' ') " return
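Review bot: In the `/assets/` preflight branch, `add_header Content-Length 0 always;` is attached to a `return 204;` response, and RFC 9110 §8.6 forbids a Content-Length header on 204; `add_header Content-Type text/plain always;` is equally meaningless on a body-less reply. Both lines can be dropped, leaving the shared headers and `return 204;`, which is what the `always` flag was trying to make reliable anyway. The preflight also sends no `Access-Control-Allow-Headers`, so a cross-origin fetch that adds any non-safelisted request header still fails its preflight — acceptable if assets are only fetched with simple GETs, but a one-line comment saying so would stop the next reader from "fixing" it. The `/assets/` location body continues past the end of the hunk.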
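Review bot: The remote command is still assembled by interpolating `($host)` and `($arguments | str join ' ')` into the `$"..."` string that `ssh -q -tt` hands to the remote login shell, so any argument containing whitespace, quotes or shell metacharacters is re-split and re-interpreted on the other side. The caller is the operator, so the exposure is self-inflicted rather than an attack surface, but a locally valid `--flag="value with spaces"` already breaks in transit today. Quote each element before joining — wrap every argument in single quotes with embedded `'` escaped as `'\''` — and keep the now-flattened one-liner otherwise. `def main --wrapped [` and the remainder of `main` lie outside the hunk.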
@@ -58,8 +55,7 @@ def main --wrapped [ # the "install developer tools" popup. # # Set by default to "SplitForks" because who even uses that? -# TODO: Migration artifact. Make const. -let original_trigger = "/usr/bin/SplitForks" +const original_trigger = "/usr/bin/SplitForks" # Where the symbolic links to `/usr/bin/false` will # be created in to shadow all popup-triggering binaries.
@@ -78,8 +74,7 @@ let original_trigger = "/usr/bin/SplitForks" # # Do NOT set this to a path that you use for other things, # it will get deleted if it exists to only have the shadowers. -# TODO: Migration artifact. Make const. -let shadow_path = "~/.local/shadow" | path expand # Did you read the comment? +const shadow_path = "~/.local/shadow" | path expand # Did you read the comment? def darwin-shadow-xcode-popup [] { print "shadowing xcode popup binaries..."