diff --git a/lyrathorpe/home/git.nix b/lyrathorpe/home/git.nix
index ae11c7f..9300ecf 100644
--- a/lyrathorpe/home/git.nix
+++ b/lyrathorpe/home/git.nix
@@ -77,12 +77,14 @@ in
         cc = "!cz commit";
       };
 
-      # SSH commit signing on personal hosts too (the work module sets the same
-      # on the work host). mkDefault so a host without the key in its ssh-agent
-      # can override to false -- otherwise commits there would fail. Reuses the
-      # existing ssh key; a dedicated personal key can be swapped in later.
+      # SSH commit signing. This personal key is the default; the work module
+      # (work.nix) overrides it with the work key on the EDaaS host, the same way
+      # user.email is overridden -- so mkDefault here lets that plain definition
+      # win instead of conflicting. gpgsign is mkDefault too, so a host without
+      # the key in its ssh-agent can override it to false rather than fail every
+      # commit.
       gpg.format = "ssh";
-      user.signingkey = "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJMVgeRKnfX1G8coU3nAobI485aeUpGTMqH7+zbKI8o emma.thorpe@cloud.com";
+      user.signingkey = lib.mkDefault "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA";
       commit.gpgsign = lib.mkDefault true;
       tag.gpgsign = lib.mkDefault true;
     };
diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index 72a66f5..6d363b6 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -203,12 +203,15 @@ in
     flake = "$HOME/code/nixfiles";
   };
 
-  # GitHub CLI. Prefer SSH for any git operations it drives, matching the
-  # ssh-based remotes used elsewhere.
-  programs.gh = {
-    enable = true;
-    settings.git_protocol = "ssh";
-  };
+  # GitHub CLI. `programs.gh.settings` is deliberately unset: home-manager renders
+  # ~/.config/gh/config.yml as a read-only /nix/store symlink whenever the module
+  # is enabled, but gh must rewrite that file on `gh auth login` and `gh config
+  # set`, which then fail with a permission error. Suppress the managed config.yml
+  # (below) and let gh own it. The token lives in hosts.yml, which is never
+  # Nix-managed. Set the SSH protocol once at runtime: `gh config set git_protocol
+  # ssh` (it can't be declarative here without recreating the immutable file).
+  programs.gh.enable = true;
+  xdg.configFile."gh/config.yml".enable = lib.mkForce false;
 
   programs.tmux = {
     enable = true;
@@ -345,6 +348,60 @@ in
   # enables this in the work module; both being true merges cleanly.
   services.ssh-agent.enable = lib.mkIf pkgs.stdenv.hostPlatform.isLinux true;
 
+  # Classic process viewer (complements btop). htop has no custom-theme support
+  # -- only a handful of built-in color schemes -- so it can't be hex-themed like
+  # btop/bat/fzf. color_scheme = 0 (Default) draws from the terminal's ANSI
+  # palette, which is Catppuccin Mocha (foot/iTerm2), so it matches by deferring
+  # to the terminal rather than vendoring a theme.
+  programs.htop = {
+    enable = true;
+    settings = {
+      color_scheme = 0; # Default -> uses the terminal's Catppuccin palette
+      delay = 15; # refresh every 1.5s
+      cpu_count_from_one = 1;
+      show_cpu_frequency = 1;
+      show_cpu_usage = 1; # per-core usage shown in the CPU bars
+      highlight_base_name = 1; # highlight the program name within the path
+      highlight_megabytes = 1;
+      highlight_threads = 1;
+      hide_kernel_threads = 1;
+      show_program_path = 0; # show just the command, not the full path
+      tree_view = 1; # start in process-tree mode
+      tree_view_always_by_pid = 0;
+      account_guest_in_cpu_meter = 0;
+      fields = with config.lib.htop.fields; [
+        PID
+        USER
+        PRIORITY
+        NICE
+        M_SIZE
+        M_RESIDENT
+        M_SHARE
+        STATE
+        PERCENT_CPU
+        PERCENT_MEM
+        TIME
+        COMM
+      ];
+    }
+    // (
+      with config.lib.htop;
+      leftMeters [
+        (bar "AllCPUs2")
+        (bar "Memory")
+        (bar "Swap")
+      ]
+    )
+    // (
+      with config.lib.htop;
+      rightMeters [
+        (text "Tasks")
+        (text "LoadAverage")
+        (text "Uptime")
+      ]
+    );
+  };
+
   # Drop the zsh completion dump on every activation. A stale .zcompdump caches
   # /nix/store paths to completion functions; once a rebuild or a manual GC
   # removes them, compinit fails with "_git: function definition file not found"
diff --git a/system/machine/EDaaS/configuration.nix b/system/machine/EDaaS/configuration.nix
index 600d786..32ba7f9 100644
--- a/system/machine/EDaaS/configuration.nix
+++ b/system/machine/EDaaS/configuration.nix
@@ -43,6 +43,11 @@
     autoPrune.enable = true;
   };
 
+  # Match the flake's nixosConfigurations attribute name so `nh os switch`
+  # (which selects by the local hostname) resolves without an explicit
+  # -H/--hostname flag. The default would otherwise be the stock NixOS "nixos".
+  networking.hostName = "emmathorpe-edaas";
+
   networking.resolvconf.enable = false;
 
   # Drop the systemd-ssh-proxy Include from the generated /etc/ssh/ssh_config.