diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 44e169f..d71dd84 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -13,7 +13,7 @@
             enable: true,
             oauth2: {
                 clientID: "matrix",
-                clientSecret: { secretkeyref: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
+                clientSecret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
                 scope: "profile:read",
                 authorizeURL: "https://sso.hackerspace.pl/oauth/authorize",
                 tokenURL: "https://sso.hackerspace.pl/oauth/token",
diff --git a/app/matrix/wellknown/BUILD b/app/matrix/wellknown/BUILD
new file mode 100644
index 0000000..1cf4138
--- /dev/null
+++ b/app/matrix/wellknown/BUILD
@@ -0,0 +1,25 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "code.hackerspace.pl/hscloud/app/matrix/wellknown",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//go/mirko:go_default_library",
+        "@com_github_golang_glog//:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "wellknown",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["server_test.go"],
+    embed = [":go_default_library"],
+    deps = ["@com_github_go_test_deep//:go_default_library"],
+)
diff --git a/app/matrix/wellknown/README.me b/app/matrix/wellknown/README.me
new file mode 100644
index 0000000..054bde3
--- /dev/null
+++ b/app/matrix/wellknown/README.me
@@ -0,0 +1,14 @@
+matrix well-known server
+========================
+
+This is a small service that runs alongside a Matrix Synapse in order to direct traffic to it via .well-known/matrix/*.
+
+We currently satisfy two URLs formats:
+
+ - .well-known/matrix/client: [as per the client-server spec](https://matrix.org/docs/spec/client_server/latest#well-known-uri), ie. m.homeserver set.
+ - .well-known/matrix/server: [as per the federation spec](https://matrix.org/docs/spec/server_server/latest#get-well-known-matrix-server), ie. m.server set
+
+Usage
+-----
+
+This is automatically ran as part of the kubernetes machinery for Synapse. See //app/matrix/lib/matrix.libsonnet for more information.
diff --git a/app/matrix/wellknown/main.go b/app/matrix/wellknown/main.go
new file mode 100644
index 0000000..ca53641
--- /dev/null
+++ b/app/matrix/wellknown/main.go
@@ -0,0 +1,82 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"net/http"
+
+	"code.hackerspace.pl/hscloud/go/mirko"
+	"github.com/golang/glog"
+)
+
+var (
+	flagListenPublic string
+	flagDomain       string
+)
+
+type wellKnownHomeserver struct {
+	BaseURL string `json:"base_url"`
+}
+
+type wellKnown struct {
+	Homeserver wellKnownHomeserver `json:"m.homeserver"`
+	Server     string              `json:"m.server"`
+}
+
+type server struct {
+	domain string
+}
+
+func (s *server) register(mux *http.ServeMux) {
+	mux.HandleFunc("/.well-known/matrix/server", s.makeHandler(true))
+	mux.HandleFunc("/.well-known/matrix/client", s.makeHandler(false))
+}
+
+func (s *server) makeHandler(server bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		wk := wellKnown{}
+		if server {
+			wk.Server = fmt.Sprintf("%s:443", s.domain)
+		} else {
+			wk.Homeserver = wellKnownHomeserver{
+				BaseURL: fmt.Sprintf("https://%s", s.domain),
+			}
+		}
+		err := json.NewEncoder(w).Encode(wk)
+		if err != nil {
+			glog.Errorf("When handling request: %v", err)
+		}
+	}
+}
+
+func main() {
+	flag.StringVar(&flagListenPublic, "listen_public", "0.0.0.0:8080", "Address to listen at for well-known traffic")
+	flag.StringVar(&flagDomain, "domain", "matrix.hackerspace.pl", "Address to which clients and servers should connect")
+	flag.Parse()
+
+	m := mirko.New()
+	if err := m.Listen(); err != nil {
+		glog.Exitf("Listen(): %v", err)
+	}
+
+	mux := http.NewServeMux()
+	s := &server{
+		domain: flagDomain,
+	}
+	s.register(mux)
+
+	go func() {
+		glog.Infof("Listening on %s...", flagListenPublic)
+		if err := http.ListenAndServe(flagListenPublic, mux); err != nil {
+			glog.Exitf("listen failed: %v", err)
+		}
+	}()
+
+	if err := m.Serve(); err != nil {
+		glog.Exitf("Serve(): %v", err)
+	}
+
+	<-m.Done()
+}
diff --git a/app/matrix/wellknown/server_test.go b/app/matrix/wellknown/server_test.go
new file mode 100644
index 0000000..bdba93b
--- /dev/null
+++ b/app/matrix/wellknown/server_test.go
@@ -0,0 +1,44 @@
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/go-test/deep"
+)
+
+func TestServing(t *testing.T) {
+	s := server{
+		domain: "example.com",
+	}
+	mux := http.NewServeMux()
+	s.register(mux)
+
+	for i, te := range []struct {
+		url  string
+		want wellKnown
+	}{
+		{"/.well-known/matrix/client", wellKnown{
+			Homeserver: wellKnownHomeserver{"https://example.com"},
+		}},
+		{"/.well-known/matrix/server", wellKnown{
+			Server: "example.com:443",
+		}},
+	} {
+		req, _ := http.NewRequest("GET", te.url, nil)
+		rr := httptest.NewRecorder()
+		mux.ServeHTTP(rr, req)
+		if want, got := http.StatusOK, rr.Code; want != got {
+			t.Fatalf("%d: handler returned wrong status code: want %v got %v", i, want, got)
+		}
+		got := wellKnown{}
+		if err := json.Unmarshal(rr.Body.Bytes(), &got); err != nil {
+			t.Fatalf("%d: handler returned unparseable JSON: %v", i, err)
+		}
+		if diff := deep.Equal(te.want, got); diff != nil {
+			t.Errorf("%d: response diff: %s", i, diff)
+		}
+	}
+}
diff --git a/bgpwtf/machines/edge01.waw.bgp.wtf.nix b/bgpwtf/machines/edge01.waw.bgp.wtf.nix
index 0f754f1..1ff21fb 100644
--- a/bgpwtf/machines/edge01.waw.bgp.wtf.nix
+++ b/bgpwtf/machines/edge01.waw.bgp.wtf.nix
@@ -199,7 +199,7 @@
     table = "aggregate";
     filterIn = ''
       # hswaw prefix from e2-customs
-      if net ~ [ 2a0d:eb00:4242::/64+ ] then accept;
+      if net ~ [ 2a0d:eb00:4242::/48+ ] then accept;
       # e2-customs link
       if net ~ [ 2a0d:eb00:2137:1::2/127+ ] then accept;
     '';
diff --git a/go/statusz/statusz.go b/go/statusz/statusz.go
index 84f7f92..4d85477 100644
--- a/go/statusz/statusz.go
+++ b/go/statusz/statusz.go
@@ -38,6 +38,7 @@
 	"html"
 	"html/template"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"os/user"
@@ -197,9 +198,11 @@
 
 	user, err := user.Current()
 	if err != nil {
-		glog.Fatalf("user.Current: %v", err)
+		log.Printf("user.Current: %v", err)
+		username = "UNKNOWN"
+	} else {
+		username = fmt.Sprintf("%s (%s)", user.Username, user.Uid)
 	}
-	username = fmt.Sprintf("%s (%s)", user.Username, user.Uid)
 
 	exec, err := os.Executable()
 	if err == nil {