diff --git a/applications/skynet.ie.nix b/applications/skynet.ie.nix
index 172f739..6008bdb 100644
--- a/applications/skynet.ie.nix
+++ b/applications/skynet.ie.nix
@@ -25,6 +25,7 @@
       # the root one is already covered by teh certificate
       "2016.skynet.ie"
       "discord.skynet.ie"
+      "ext.skynet.ie"
     ];
 
     skynet_dns.records = [
@@ -49,6 +50,14 @@
           # skynet.ie/~username
           enableUserDir = true;
         };
+        "ext.skynet.ie" = {
+          forceSSL = true;
+          useACMEHost = "skynet";
+          documentRoot = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
+          # only on skynet.ie
+          # skynet.ie/~username
+          enableUserDir = true;
+        };
 
         # archive of teh site as it was ~2012 to 2016
         "2016.skynet.ie" = {
diff --git a/machines/skynet.nix b/machines/skynet.nix
index 44643cb..4ad175f 100644
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@@ -36,9 +36,10 @@ in {
   # it has two network devices so two
   skynet_dns.records = [
     #{record=name;          r_type="A"; value=ip_pub;  server=true;}
-    {record=name;          r_type="A"; value=ip_priv;  server=true;}
-    {record="${name}.int"; r_type="A"; value=ip_priv; server=true;}
+    {record=name;  r_type="A"; value=ip_priv; server=true; }
+    {record="ext"; r_type="A"; value=ip_pub;  server=false;}
 
+    {record="${name}.int"; r_type="A"; value=ip_priv; server=true;}
     {record=ip_priv; r_type="PTR"; value=hostname_int;}
   ];
 
@@ -59,12 +60,20 @@ in {
 
   proxmoxLXC.manageNetwork = true;
   networking.hostName = name;
-  networking.interfaces.eth0.ipv4.addresses = [
-    {
-      address = ip_priv;
-      prefixLength = 26;
-    }
-  ];
+  networking.interfaces = {
+    eth0.ipv4.addresses = [
+      {
+        address = ip_priv;
+        prefixLength = 26;
+      }
+    ];
+    eth1.ipv4.addresses = [
+      {
+        address = ip_pub;
+        prefixLength = 28;
+      }
+    ];
+  };
 
   services.skynet = {
     host = {