diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 6df7b4602..bd559364b 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -600,8 +600,10 @@ in
       withWebkit = false;
     });
 
-    forkstat.sandbox.method = "landlock";  #< doesn't support bwrap unless i do `--sanebox-keep-namespace pid --sanebox-keep-namespace net`
+    forkstat.sandbox.method = "bunpen";
     forkstat.sandbox.keepPidsAndProc = true;
+    forkstat.sandbox.tryKeepUsers = true;
+    forkstat.sandbox.net = "all";  #< it errors without this, wish i knew why
 
     fuzzel.sandbox.method = "bwrap";
     fuzzel.sandbox.whitelistWayland = true;