diff --git a/aws b/aws
new file mode 100755
index 0000000..c9a7416
--- /dev/null
+++ b/aws
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec nix --extra-experimental-features nix-command --extra-experimental-features flakes run nixpkgs#awscli2 -- "$@"
diff --git a/cm.yaml b/cm.yaml
index 1e2202b..4d9bf84 100644
--- a/cm.yaml
+++ b/cm.yaml
@@ -16,7 +16,7 @@ data:
 
   s3_api.s3_region: "us-east-1"
   s3_api.api_bind_addr: "[::]:3900"
-  s3_api.root_domain: ".strudelline.net"
+  s3_api.root_domain: ".s3.strudelline.net"
 
   s3_web.bind_addr: "[::]:3902"
   s3_web.root_domain: ".web.strudelline.net"
diff --git a/ingress.yaml b/ingress.yaml
index 3635e32..879b3b2 100644
--- a/ingress.yaml
+++ b/ingress.yaml
@@ -6,18 +6,15 @@ metadata:
   namespace: garage
 spec:
   ingressClassName: haproxy
+  tls:
+  - secretName: wildcard-tls
+    hosts:
+    - s3.strudelline.net
+    - '*.s3.strudelline.net'
+    - web.strudelline.net
+    - '*.web.strudelline.net'
   rules:
-  - host: 'strudelline.net'
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: garage
-            port:
-              name: s3-web
-  - host: '*.strudelline.net'
+  - host: 's3.strudelline.net'
     http:
       paths:
       - path: /
@@ -27,3 +24,33 @@ spec:
             name: garage
             port:
               name: s3-api
+  - host: '*.s3.strudelline.net'
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: garage
+            port:
+              name: s3-api
+  - host: 'web.strudelline.net'
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: garage
+            port:
+              name: s3-web
+  - host: '*.web.strudelline.net'
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: garage
+            port:
+              name: s3-web
diff --git a/tools b/tools
index 614721c..f812480 100755
--- a/tools
+++ b/tools
@@ -70,7 +70,7 @@ generate_layout() {( # generates a sample layout, (args are included verbatim, e
       $zero,
       "garage", "layout", "assign",
       "-t", .metadata.name,
-      "-c", "\(.metadata.labels["strudelline.net/garage-meta-free-bytes"]|tonumber/1024/1024/1024|floor)G"
+      "-c", "\((.metadata.labels["strudelline.net/garage-data-free-bytes"]//"10737418240")|tonumber/1024/1024/1024|floor)G"
     ]+$ARGS.positional
     | @sh' --args -- "$@" "${gnid%%@*}" | while read -r cmd;do
       eval "set $cmd"
@@ -115,14 +115,16 @@ connect() { # attempt to connect all nodes
   done
 }
 
-env() { # connect your local garage cli to a random node
-  jq -n -r \
-    --argjson secret "$(kubectl get secret -n "$GARAGE_NAMESPACE" garage-secrets -o json)" \
-    --arg gnid "$(get_ids | head -1)" \
-  '  
-    rpc_secret=\($secret.data."rpc-secret")",
-    RPC_HOST=\($gnid)"
-  '
+env() { # generate alias to use cluster garage cli.
+  case "$1" in
+  bash | sh | zsh | '' )
+    printf "\nalias garage=%q\n" "$(printf "%q garage" "$PWD/tools")"
+    ;;
+  *)
+    1>&2 echo "unknown shell"
+    exit 1
+    ;;
+  esac
 }
 
 help() {( # this help