diff --git a/applications/ulfm.nix b/applications/ulfm.nix
index 3fc951f..c098f8e 100644
--- a/applications/ulfm.nix
+++ b/applications/ulfm.nix
@@ -1,37 +1,96 @@
-{ config, lib, pkgs, ... }:{
+{ config, lib, pkgs, ... }:
+ with lib;
+ let
+ cfg = config.services.skynet_ulfm;
+ in {
- # shove the entire config file into secrets
- age.secrets.ulfm.file = ../secrets/stream_ulfm.age;
+ imports = [
+ ./firewall.nix
+ ./dns.nix
- ###### implementation
- networking.firewall.allowedTCPPorts = [ 8000 ];
+ ./acme.nix
+ ./nginx.nix
+ ];
- users.groups."icecast" = { };
+ options.services.skynet_ulfm = {
+ enable = mkEnableOption "ULFM service";
- users.users."icecast2" = {
- createHome = true;
- isSystemUser = true;
- home = "/etc/icecast2";
- group = "icecast";
+ host = {
+ ip = mkOption {
+ type = types.str;
+ };
+
+ name = mkOption {
+ type = types.str;
+ };
+ };
+
+ domain = {
+ tld = mkOption {
+ type = types.str;
+ default = "ie";
+ };
+
+ base = mkOption {
+ type = types.str;
+ default = "skynet";
+ };
+
+ sub = mkOption {
+ type = types.str;
+ default = "ulfm";
+ };
+ };
 };
- systemd.services.icecast = {
- after = [ "network.target" ];
- description = "Icecast Network Audio Streaming Server";
- wantedBy = [ "multi-user.target" ];
+ config = mkIf cfg.enable {
+ # shove the entire config file into secrets
+ age.secrets.ulfm.file = ../secrets/stream_ulfm.age;
- preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.icecast}/bin/icecast -c /run/agenix/ulfm";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ 8000
+ ];
+
+ skynet_dns.records.cname = [
+ "${cfg.domain.sub} CNAME ${cfg.host.name}"
+ ];
+
+ skynet_firewall.forward = [
+ "ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
+ "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
+ "ip daddr ${cfg.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
+ ];
+
+ users.groups."icecast" = {};
+
+ users.users."icecast2" = {
+ createHome = true;
+ isSystemUser = true;
+ home = "/etc/icecast2";
+ group = "icecast";
+ };
+
+ systemd.services.icecast = {
+ after = [ "network.target" ];
+ description = "Icecast Network Audio Streaming Server";
+ wantedBy = [ "multi-user.target" ];
+
+ preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.icecast}/bin/icecast -c /run/agenix/ulfm";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ };
+ };
+
+ services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/".proxyPass = "http://localhost:8000";
 };
- };
- services.nginx.virtualHosts."ulfm.skynet.ie" = {
- forceSSL = true;
- useACMEHost = "skynet";
- locations."/".proxyPass = "http://localhost:8000";
 };
 }
\ No newline at end of file
diff --git a/machines/galatea.nix b/machines/galatea.nix
index dc34e3e..b488d61 100644
--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@@ -17,17 +17,10 @@ let
 ip_pub = "193.1.99.111";
 ip_priv = "172.20.20.6";
 hostname = "${name}.skynet.ie";
-
- # dosent seem to be any otehr way to have it like read from a file
- feck = "d9J4jDsJPuMPUMAAE4J4tH37HsmxEDze";
 in {
 imports = [
 # general stuff for config
- ../applications/firewall.nix
 ../applications/dns.nix
- # web stuff
- ../applications/nginx.nix
- ../applications/acme.nix
 # specific to tis server
 ../applications/ulfm.nix
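Review bot: `systemd.services.icecast.serviceConfig` sets no `User`/`Group`, so the unit starts icecast as root even though the same hunk creates `users.users."icecast2"`/`users.groups."icecast"` and `preStart` chowns `/var/log/icecast` to `nobody:nogroup` — three identities, none actually bound to the process. Icecast can drop privileges from its own config file, but that file is the age secret and is not visible here, so this needs confirming before merge. If the daemon is meant to run unprivileged, add `User = "icecast2"; Group = "icecast";` to `serviceConfig` and chown the log directory to that owner, or let systemd create it with `LogsDirectory = "icecast";` and drop the manual `mkdir`/`chown`. Separately, port 8000 is opened in both `networking.firewall.allowedTCPPorts` and `skynet_firewall.forward`, so the plain-HTTP listener reachable there bypasses the `forceSSL` nginx vhost that proxies to it; a short comment on why 8000 must be reachable externally (presumably source-client ingest) would make that deliberate. The new `host.ip`/`host.name` options also lack a `description`, e.g. `description = "Public IP of the host; used to generate the skynet_firewall forward rules.";`.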
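Review bot: The deleted `feck = "…"` binding in `machines/galatea.nix` looks like a credential that was committed in clear text; removing it from the file does not remove it from repository history, so if it was ever a live secret it should be treated as exposed and rotated, with the replacement living only in `secrets/stream_ulfm.age` as the ulfm.nix hunk now wires up. The `let` block this hunk edits begins before the hunk, so whether anything else still referenced `feck` is not visible here.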
@@ -41,25 +34,25 @@ in {
 tags = [ "active" ];
 };
- # these two are to be able to add the rules for firewall and dns
- # open the firewall for this
- skynet_firewall.forward = [
- "ip daddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
- "ip daddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
- "ip daddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept"
- ];
-
 skynet_dns.records = {
 external = [ "${name} A ${ip_pub}" ];
- cname = [
- # this is also the stream server
- #"stream CNAME ${name}"
- "ulfm CNAME ${name}"
- ];
 reverse = [ "${builtins.substring 9 3 ip_pub} IN PTR ${name}" ];
 };
+
+
+ services.skynet_ulfm = {
+ enable = true;
+
+ host = {
+ # pass in teh ip (used for firewall)
+ ip = ip_pub;
+
+ # the name is used for dns
+ name = name;
+ };
+ };
 }