diff --git a/configs/client.nix b/configs/client.nix
index 730791d..6a7a098 100644
--- a/configs/client.nix
+++ b/configs/client.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ pkgs, config, ... }:
 {
   imports = [
     ./common.nix
@@ -15,7 +15,8 @@
       nixd
     ];
 
-    variables.SSH_ASKPASS_REQUIRE = "prefer";
+    # fix for wsl, `prefer` does not work if your SSH_ASKPASS is empty/unset
+    variables.SSH_ASKPASS_REQUIRE = if config.programs.ssh.enableAskPassword then "prefer" else "never";
   };
 
   networking = {
@@ -29,11 +30,7 @@
 
   programs = {
     nix-ld.enable = true;
-    ssh = {
-      startAgent = true;
-      enableAskPassword = true;
-      askPassword = lib.mkDefault "${pkgs.curses-ssh-askpass}"; # see exprs/curses-ssh-askpass.nix
-    };
+    ssh.startAgent = true;
   };
 
   virtualisation.docker.enable = true;
diff --git a/exprs/curses-ssh-askpass.nix b/exprs/curses-ssh-askpass.nix
deleted file mode 100644
index 653500b..0000000
--- a/exprs/curses-ssh-askpass.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  lib,
-  pinentry-curses,
-  writeShellScript,
-}:
-writeShellScript "curses-ssh-askpass" ''
-  if [ -z ''${1+x} ]; then
-    prompt="GETPIN"
-  else
-    prompt="SETDESC $1\nGETPIN"
-  fi
-
-  pin=$(echo -e "$prompt" | ${lib.getExe pinentry-curses} -T /dev/pts/0 | grep D | tr -d '\n')
-  echo "''${pin:2}"
-''
diff --git a/exprs/overlay.nix b/exprs/overlay.nix
index 1d457c2..f961905 100644
--- a/exprs/overlay.nix
+++ b/exprs/overlay.nix
@@ -1,6 +1,5 @@
 inputs: final: prev: {
   idea-ultimate-fixed = prev.callPackage ./idea-fixed.nix { };
-  curses-ssh-askpass = prev.callPackage ./curses-ssh-askpass.nix { };
 
   vencord = prev.vencord.overrideAttrs (old: rec {
     version = "${old.version}+git.${inputs.vencord.shortRev}";
diff --git a/global/utils.nix b/global/utils.nix
index d89af09..4981e97 100644
--- a/global/utils.nix
+++ b/global/utils.nix
@@ -84,16 +84,4 @@
 
       systemd.services."${backend}-mc-${name}".serviceConfig.TimeoutSec = "300";
     };
-
-  mkFrpPassthrough = name: port: {
-    services.frp.settings.proxies = [
-      {
-        inherit name;
-        type = "tcp";
-        localIp = "localhost";
-        localPort = port;
-        remotePort = port;
-      }
-    ];
-  };
 }
diff --git a/systems/etna/immich.nix b/systems/etna/immich.nix
index ececb10..7063a31 100644
--- a/systems/etna/immich.nix
+++ b/systems/etna/immich.nix
@@ -1,9 +1,6 @@
-{ config, _utils, ... }:
-let
-  frp = _utils.mkFrpPassthrough "immich" config.services.immich.port;
-in
+{ config, ... }:
 {
-  imports = [ frp ];
+  cfTunnels."im.uku.moe" = "http://localhost:${builtins.toString config.services.immich.port}";
 
   services.immich = {
     enable = true;
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 3ebeff1..7c06490 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -4,7 +4,6 @@
     ./certificates.nix
     ./frp.nix
     ./hetzner.nix
-    ./nginx.nix
   ];
 
   environment.systemPackages = with pkgs; [
diff --git a/systems/vesuvio/nginx.nix b/systems/vesuvio/nginx.nix
deleted file mode 100644
index 8b0f506..0000000
--- a/systems/vesuvio/nginx.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  services.nginx.virtualHosts = {
-    # immich
-    "im.uku.moe" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:2283";
-        proxyWebsockets = true;
-      };
-
-      extraConfig = ''
-        client_max_body_size 5000M;
-        proxy_read_timeout 600s;
-        proxy_send_timeout 600s;
-        send_timeout 600s;
-      '';
-    };
-  };
-}