diff --git a/flake.nix b/flake.nix
index 555483e..b4e4a5b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,14 +22,31 @@
 
     nixosConfigurations.example = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
-      modules = [ {
-        networking.hostName = "example";
-        users.users.root.initialPassword = "";
-        services.caveman.hunter = {
-          enable = true;
-          logLevel = "TRACE";
-        };
-      } self.nixosModule ];
+      modules = [
+        (nixpkgs + "/nixos/modules/virtualisation/qemu-vm.nix")
+        {
+          networking.hostName = "example";
+          users.users.root.initialPassword = "";
+          services.caveman.hunter = {
+            enable = true;
+            logLevel = "TRACE";
+          };
+          services.caveman.gatherer = {
+            enable = true;
+            logLevel = "TRACE";
+          };
+          virtualisation.forwardPorts = [ {
+            # proto = "tcp";
+            from = "host";
+            # host.address = "0.0.0.0";
+            host.port = 8000;
+            # guest.address = "10.0.2.15";
+            guest.port = 8000;
+          } ];
+          networking.firewall.allowedTCPPorts = [ 8000 ];
+        }
+        self.nixosModule
+      ];
     };
   } //
   utils.lib.eachSystem (with utils.lib.system; [ x86_64-linux aarch64-linux ]) (system: let
diff --git a/gatherer/src/http_server.rs b/gatherer/src/http_server.rs
index 2a0a27e..bc655e9 100644
--- a/gatherer/src/http_server.rs
+++ b/gatherer/src/http_server.rs
@@ -231,7 +231,7 @@ pub async fn start(
         .merge(SpaRouter::new("/assets", "assets"));
 
     // run it
-    let addr = SocketAddr::from(([127, 0, 0, 1], listen_port));
+    let addr = SocketAddr::from(([0, 0, 0, 0], listen_port));
     axum::Server::bind(&addr)
         .serve(app.into_make_service())
         .await
diff --git a/nixos-module.nix b/nixos-module.nix
index f69b748..a0e7e0b 100644
--- a/nixos-module.nix
+++ b/nixos-module.nix
@@ -138,7 +138,7 @@ in
     # redis restore can be slow
     systemd.services.redis-caveman.serviceConfig.TimeoutStartSec = "infinity";
 
-    services.redis.servers.caveman = lib.mkIf cfg.hunter.enable {
+    services.redis.servers.caveman = {
       enable = true;
       port = cfg.redis.port;
       settings = {
@@ -150,7 +150,12 @@ in
       enable = true;
       ensureDatabases = [ "caveman" ];
       ensureUsers = [ {
-        name = databaseUser;
+        name = "caveman-gatherer";
+        ensurePermissions = {
+          "DATABASE caveman" = "ALL PRIVILEGES";
+        };
+      } {
+        name = "caveman-hunter";
         ensurePermissions = {
           "DATABASE caveman" = "ALL PRIVILEGES";
         };