diff --git a/modules/services/adguard.nix b/modules/services/adguard.nix
index 1d2679a..6465f8f 100644
--- a/modules/services/adguard.nix
+++ b/modules/services/adguard.nix
@@ -106,6 +106,10 @@ in {
                 "domain" = "kopatz.ddns.net";
                 "answer" = ip;
               }
+              {
+                "domain" = "kopatz.dev";
+                "answer" = ip;
+              }
               {
                 "domain" = "kop.oasch.net";
                 "answer" = ip;
diff --git a/modules/services/ddclient-cloudflare.nix b/modules/services/ddclient-cloudflare.nix
new file mode 100644
index 0000000..a69c752
--- /dev/null
+++ b/modules/services/ddclient-cloudflare.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }: {
+  age.secrets.cloudflare-api = {
+    file = ../../secrets/cloudflare-api.age;
+  };
+  services.ddclient = {
+    enable = true;
+    domains = [ "kopatz.dev" ];
+    protocol = "cloudflare";
+    zone = "kopatz.dev";
+    ssl = true;
+    passwordFile = config.age.secrets."cloudflare-api".path;
+    usev6 = "disabled";
+  };
+}
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index cacdddb..a9edc29 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -132,6 +132,7 @@ in {
           "kopatz.ddns.net" = kopConfig;
           "kop.oasch.net" = kopConfig;
           "kop.bobin.at" = kopConfig;
+          "kopatz.dev" = kopConfig;
         };
     };
   };
diff --git a/secrets/adminarea.age b/secrets/adminarea.age
index 3ee1b8b..a055b2a 100644
--- a/secrets/adminarea.age
+++ b/secrets/adminarea.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 bqM3xA Ga4g0hvxrjdHgsZO+Ty2EmiEbuSWr/YY7B2lvPSMs2Y
-rb7e7Im5cpgu4ybtuAV6o1YpKCjv072GLz5Rp9+jk20
--> ssh-ed25519 DCzi1A zqOVsasJHE44AgkztL9Ax9N2TZWaz7Welk7VnV9pOwk
-cTsg8t/Ezs1GeW9am9CsE3O53HjTH2NroVcYiONBcvU
---- bFQLNVvQHgzwhjUNqJdWNY2BOy4F8SeYrq121FU4Au0
-ŸÃ	)$mî9Èá³Z3bÖ›ëÉŽÄÛeFJI59Œç3ØÕé‘.MÅŽK&~Ø
-ÞÄ`|ï¤±,Júß_r{ÛA\5[ò€‘ÑB’Šßlé¢h)4ëo‚%ÌÂuý"ïØ
\ No newline at end of file
+-> ssh-ed25519 bqM3xA 1PcCxKcMWu7nOK79jHrgPj/Ss1b8FWpyRz+zFqIHIGI
+yIHKl4t6svsMSKacceSvHfuk2bvAoQCgTTkU+bGLqao
+-> ssh-ed25519 DCzi1A tPK69KA2d8SMVqKAHuEn4wAoNuS5qrP6WZ9+crtANxU
+kmZ3rcURlIdaTyaH4/ioX5KWaZZbpgp8CR9I6QyncXQ
+--- s2Y4uO4I7VnJkVRMibZi2ReUN39tujPBh7rUhmZG2u0
+Q+Å2²ûgˆÙlOÔC0­å›I2óÿû¾Óêä(È…X«èS±Q=—þ0¢(¸Wõé+V±¢?SëD¾`ŠXÌS˜ì%:ŒÔ,f}â¢lVHƒŸY[Ëf^j-¬Éiâ¹Ë}™*
\ No newline at end of file
diff --git a/secrets/binary-cache.age b/secrets/binary-cache.age
index 28f1b8a..35a0cae 100644
--- a/secrets/binary-cache.age
+++ b/secrets/binary-cache.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 DCzi1A J3I1vGqKxAesFi1z4us5N741PT1XQTHJId2ySEyLBRc
-LpXNCN/Jwepmpb0vcX9wKpxuhZmaikAy2UVLa/DPLAg
--> ssh-ed25519 lNJElA KmftSH8+q5ACPz08PHATGlaXq8tJrxwWGuys092ZDGU
-GeNEMWhfeP4Y/yd4WVpdCCnT7Qjv/jN6jPkcj1J2bdE
---- 0jeS9BIt6KHyJ7SEMFEfzUNxWtNg1MPmBb0TeHwq7e0
-§ê^š›Ïê÷Z]-kµd\ëPû”FÍŸ(¨5ÉnÆÞ…õ·$¿—ÞïÈRÈ¼¶»½¹Ý¾sµŸ‚ÜÑzÐÁåL[|a‰†:þ:’wsÇ1H·
-ÉzÏI2,#…~BŽUÕøhƒýdCþ“÷"+aœ;•Ö¦³		á*1sÌÑ
\ No newline at end of file
+-> ssh-ed25519 DCzi1A iDaTD/xnczwfV+bdRd4CYXuriCvvAnm/utiICt9qMGg
+2N8wVyxA04xdvSF8x9HprFv4BgjVMd0RQHP5cbQwsDo
+-> ssh-ed25519 lNJElA C3UoNk3ueRYtEq7Z+xTTQPIQxBG7TKVkrYxUhRf+9AQ
+MNZZKojRsDyfSS7jhtOJGraEVgR6mo0ouQ9Ai2PWjTc
+--- TKSZzQF81D3ShrcXZKTz98C0dEZIXpOQQQ5vRZXKSZQ
+ÔÂôõÈ(´gçÆ{¶Êã’ó^ïC’ô'wíQx4+?)½¥“Ë(šV^¶ˆgÂÏ†"&U^)’|7QèWMKÑÍ?lLœFJðÉBk4®'=QDeñ|_«ó3Ä$ó-{”xÀÓ$I? 6÷ˆÅ­·¾©­(:Š-©{ÝñhÇ€çÊ
\ No newline at end of file
diff --git a/secrets/cloudflare-api.age b/secrets/cloudflare-api.age
new file mode 100644
index 0000000..03688d0
--- /dev/null
+++ b/secrets/cloudflare-api.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 DCzi1A es6n0xP4sQ03hvUWUJ2FjRu68Xw2H64SirMyXeUR52I
+B5h4pHYbomcgi0B8gIOuoufHXAtE2tZTkqPmUPwisq8
+-> ssh-ed25519 oDXHAQ uhhGCBPYeGxhXQ7o4Ibu2i3DV6B53NANw4206mUB7g4
+zeKDRa+2R/yBERunfDXPfMw79wEDWlbR5Y7mGj6PGGE
+--- Y7KBu6POO4vD0mUPuImeozACsZskZ4Ouw2Yuzl89orM
+røÜÒJL¦|7ú¤Èñ¶í¦WÚGì*ÉâPÃ¨L'£$M°[’´åàœ|½;†Ò5dÔdOFÀ—:ž§Ÿ‰÷OÛ¤
\ No newline at end of file
diff --git a/secrets/coturn-secret.age b/secrets/coturn-secret.age
index 8446314..d274613 100644
Binary files a/secrets/coturn-secret.age and b/secrets/coturn-secret.age differ
diff --git a/secrets/duckdns.age b/secrets/duckdns.age
index 9a06a6e..215a9dc 100644
--- a/secrets/duckdns.age
+++ b/secrets/duckdns.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ gbqR6JNoGpLB9glCUAnEdLjXfUD45FMAthMkx37UUic
-XZI8xpza74wuMsPeMQmkYCtwQaZ33PuXKBzEPgVoApU
--> ssh-ed25519 xfrWcQ ufWZtiUYMsPHXR5dGFBkUeXMlChDp2QzqXpYLmQthxs
-yALEGpBLzsvKET0Y4qyIIhDa0Ru/sv9At/H8HYC78IU
--> ssh-ed25519 IV3DkQ 78Hnme9NIQK6jdw+C/K6w/oeFEVoPcMZzPGN+oBW9lQ
-9sLV0jWl76tIRO5k3ouIleEGAGZSI+Rjtk4ycsnPQSk
--> ssh-ed25519 DCzi1A 6aZVuCw15F/iUBJVs8EubOz6X1ydLSJATUKKLTnJjS4
-muCrYVglDqseh4ovq3d+JbugQNfnZiD4lmpCN90HNbs
---- WAl554L+ne3tInpHkPqSUo0r3ltUjweNCWMnLNq8H+4
-˜0©*p+¯y7œ{£zîäï—žÔ§:e¯¼|bé'!JJý«¸?Ÿ	ìP>>Þ_>³ªJ˜[þò,N÷*ã½ñ@íÓÖùZ~
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ zuPOJ5Z/LspqvchDYFWlzaDY+4QZivokZ19FRaWA9TQ
+St33PTF5YyjamVUhALJ/yyMwUOIO7QNMNYapkhpBP8Q
+-> ssh-ed25519 xfrWcQ WjcVYbjiJXRm6+AAZLp4m3osIa1CbI0XaaSjCEkOBGA
+WAqMFxcTkfib4XpqnAgY//6OOFhWUyK7n3QydDpMmHg
+-> ssh-ed25519 IV3DkQ k37rMbiFtQRcmgAmkNuAYqjyI+YCAxSz6m0O4Rs+hyc
+qlzIP2e+G+UXarfhTQBnD2B67FkEqohwXUO6LjWk19Y
+-> ssh-ed25519 DCzi1A 27Pay6rJAcUREOc8hlI8KAwGavwOQS4p47Oqa4Hvd0Q
+93UKW6UIG/M51THEd6RPE0FfNyROLhyU/Rp3plC6yyw
+--- hbmTmsRd1Cz8YpXVyqHdj3mBua/evek1tYSj9gKLWeA
+ÄzýÍS7¬¯3zK,;;Ý+jÒ…Ù=ê¼B!<åW]¢‹)—ÏÚWpû“s‹”ïÖ¦™è%8õÔ„Ø¿=(lÕ
\ No newline at end of file
diff --git a/secrets/fileshelter-conf.age b/secrets/fileshelter-conf.age
index df04737..f3a50c5 100644
Binary files a/secrets/fileshelter-conf.age and b/secrets/fileshelter-conf.age differ
diff --git a/secrets/github-runner-pw.age b/secrets/github-runner-pw.age
index fba1193..195c838 100644
Binary files a/secrets/github-runner-pw.age and b/secrets/github-runner-pw.age differ
diff --git a/secrets/github-runner-token.age b/secrets/github-runner-token.age
index b44054a..38b9106 100644
Binary files a/secrets/github-runner-token.age and b/secrets/github-runner-token.age differ
diff --git a/secrets/grafana-contact-points.age b/secrets/grafana-contact-points.age
index ce7b268..8ad0125 100644
--- a/secrets/grafana-contact-points.age
+++ b/secrets/grafana-contact-points.age
@@ -1,13 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ +mtQdocfgSjauNvXmkPAuRr+U8kXsIn3A7+coiS4dFQ
-AcJR6s7noinnOFg9p/rKBb642H62s0ggzvG1Z4Zh9U4
--> ssh-ed25519 xfrWcQ dOCXVKfB2zm7cgAgo+7UZ6B+HmCJ1FiDltXzXO1pRxM
-zAzDx/wiHyyi7Dz2SdAt9JHkHXEvr0Ma3LJq04J3oE8
--> ssh-ed25519 IV3DkQ N9PjZJk2h3anqKBNIPWEgRl1CIGsrPALBPkhHRBZShw
-5yMfK2s8iUAwdb+9feAVt94iQbUlXWd8kpt/y1TPCv4
--> ssh-ed25519 DCzi1A Z1dO3VKvNFlwBc+g78zavclc7+2tzIRHEc9kwnrV3Ew
-Sbc5nXnybXFUDv99ndnFAJO4lybLPK0IQkZwM+n2/dM
---- 8kU+q0w/FDYU06bOlpXgs2qT5etUYRrXM0DS49oiS6Y
-„ÒŠ/_1ßùö`ÍE„P9"Woéã@š¦üE>âR_t¡"áMr{ÖÒ7œÈÔ£¦_k.,|j}§ÿE!z½tp¸a$å&}³øä,Ì@…ž’z"Œ(Öº%ž¤¶†’¡iÝ@²´c>“žüîõÐÅ¦±¯0ˆÁÊUã‚,r.·¿³FpÉÛeÿ¿qZ³<)dv×R9S™Q¿ºq´ì^„ÿúJä§¡ž•§fgÆZ~3Ž'ÓÉbp¼ƒwÏ²8—;[‘/MR[£æ¼?h:]5}¾ZlôÓÓ¬ÂF¯”èóWT‚Æ·}‘>_'Oxˆ³h^/Ø-P‹Û„aë ÿs¶ýU¾šðSé$Þqädø"
-c³dóe£“4E=ÂØR¾®6$t°%F´Œú¶’:¸oÎæb:)V¼\7c{íçÚðBÆ€ËUê_v]
-Î).7ì5LÑ!×X©sÊ/‚D«á×»Úü]É€!“M×†Éº«øWW5Ïa‘±
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ TFGIBisWzfGgEDoM78KMQBo3XHAQdNUuesZZ6Aesx1o
+DRVTnbQ1wYarig7b47VAGp77lMEKSUd/nYnS+wZzDgg
+-> ssh-ed25519 xfrWcQ t5UC+kO48Ku/0O57oa9IF3d0poJ3JVIisZcJBWkZnj4
+hcIQoOp1nZoPyZhCgtUOvE7lK0zkGaE7xVPYfoLXKyI
+-> ssh-ed25519 IV3DkQ bE6F24RT87cs5pYC0kIeF/ElcBHrorOMt2bMW+/peCk
+mRXMVDosjd1U7J/hutg3arvrDsqs8kIbCkuW+13Y7cA
+-> ssh-ed25519 DCzi1A 5RWmVwx/J/k+/rh+heDqlUABtOsMAUgXNzehV3/aGgw
+U9bmROup6t+AcsDYlkyf709U407nXEkoa+MCEcAADgU
+--- I8BPnLucIBOeKQi9S+TObvwCNMzjg6ZSreOudU8k5rE
+Z‚=8ÙopŸvzfh™
+Ú±KtR¤B¡<EévS„¹&W²âÝùtŸÅwNê|&ºd‡¥òçòeÏ“bÐøïÇú~XŠºx[S·ÇLþ»š í|ýûýr^œÔµp¨ÚXŸè–#íÖ«oú­åSJ†f]ç#frXOç¤¿3ÚÌ‚â†lÊ·×™â¡o¨’$$6n‚,Kez‹æþAw áh>Gó$2¹©H®ÿDÇ1É<.ÒY-y‹ÆÄš&“²‚”BskJQ	ºåª«©ê¦ª0×ïÃÑæDJfPå±4’Wâ5Q ßû2ˆL›áyt»!FAr•&üà|D´^tÜC2ñC±Ý"ý‡W!Cmìá©×:Í¿&­QR€¢l-\â¯ˆpùáÇm-EÑ+½D×¢ŸâkJÉÉý|˜bôÝSBš?*­W>Àç¦v#/¢vMÃ«q6iiÞÿR›>KÇxžÚqã1ôR8Ð%ö´++îîù½‚Àvçq{8ŒLØ
+/Ý
\ No newline at end of file
diff --git a/secrets/kavita.age b/secrets/kavita.age
index e61b55d..7544a4b 100644
Binary files a/secrets/kavita.age and b/secrets/kavita.age differ
diff --git a/secrets/matrix-registration.age b/secrets/matrix-registration.age
index 56b6b71..bf47b00 100644
--- a/secrets/matrix-registration.age
+++ b/secrets/matrix-registration.age
@@ -1,13 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ atKuhdRrHGOxTZMSyHCUr2DsrkYCbJSeKp4+WJgqOzs
-eymYWsh3EzTrJjxf9hQj0uV4y5rm96kMOHpWYNrGpok
--> ssh-ed25519 xfrWcQ re158GOgNwc3TtwQqYRMIGFKIL3PH+nwbHa2VG4ltGU
-0Twg+bQxg14FH1bZ5MeEQXl9NALNt9kxfnaW/UZ6BeI
--> ssh-ed25519 IV3DkQ 7an++FYt4n0VKJ5Ne454pKqoShyXu9mOcmT24Kpr2Rg
-JufxZ0sWKZosVkaGn6WyvFDCPbKGqFhAVLkZN24I7iw
--> ssh-ed25519 DCzi1A lJxRwc28VmsdYFELukX4ud2bqryjJR9VD82CRZZR+VA
-HlAmLsHaT3HcHAuuVnm2e13mVDoQig7hmrdarub48Ug
---- H/VWknmPK9GFkXYEmCSyHbW/sHD2KSnvzwovn7qAexY
-‹h§‰ó4ÅgèŒøJ&SÁŒã·4šüÁÀÍ2d¾¾†wÑ&†Ð¦µÒ†~¢)È>åœÃczIa´eõqxÂ€Ih¬ÊŠ„?æ±a„xB$]L!
-5T]8Kõ£±…lX†@(¦¼%çq°ñn²UÇÕÚ2©km¼U>æ6ïáÌ„ûCsˆyÁ	ÍöçobfñöÏû·‹™
-#?¹Dè‰åß Md:@hDpêÐ¦4éÓïà	@ñïlÎÎ¶ G#ª
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ r3tGPKJtMOjKeKBkBGSaxHqLr+k0QPO99wm/SyIXNDg
+4XubpJrSsCaduXkeYpMs0EBe0pfw1kUkr9C7z2rLiAg
+-> ssh-ed25519 xfrWcQ JMJuUZZoPfpuUid3ufpkriK9mk2xhfeff5w98FBhsVc
+zdWmtguA+fGqYiiYHVKna03VbV1lHTKjjol57Bw3jH4
+-> ssh-ed25519 IV3DkQ RTLWsP1C5/VEWScFP02pi7cC/hqOu4heJcD79fpW9W0
+PK4kwFW90HVAU/1iSyowhBg/07ZjRrHSEPpfxZqDUKw
+-> ssh-ed25519 DCzi1A jPYOQEbpTqkVQOIU0nTJFDMEgOkYRTEbLAaE/Z3sOyM
+lB8GjtGLSahZJKmoq1MZiwfFjIzI1TnSmXSacSc9n3k
+--- QV0CQ4lSRRbfDk8gEbVcrmWn5YWcujzYiW4EOyV20vk
+4¦Ñ;o¯™M-¡FP~4¡ºÚ	:­}äQ‘7wAs”bö“ê5ñ0Ç&CpÔ«jÖP0gÝôÍpž;®GfËÒ¯Å}}ânëŽ!›CÒ†@AQ”Ò°0e8|H}ÚÒ>àD(J°¡,€Â˜SYnË¤+Šþ#ÔÐæÁÒÃO•ƒâ™-»ØòØÆóÍ%†ÖÞ+ŸÑè÷¯ÜáóÑÞ2ÙÓ‡£}µªÔ¼ö|ŽÉÿ]¨!4”}†¯1¾Y
\ No newline at end of file
diff --git a/secrets/nextcloud-admin.age b/secrets/nextcloud-admin.age
index 080a253..308be0f 100644
Binary files a/secrets/nextcloud-admin.age and b/secrets/nextcloud-admin.age differ
diff --git a/secrets/nextcloud-cert.age b/secrets/nextcloud-cert.age
index b1a9a24..1a775a9 100644
Binary files a/secrets/nextcloud-cert.age and b/secrets/nextcloud-cert.age differ
diff --git a/secrets/nextcloud-key.age b/secrets/nextcloud-key.age
index 23c2d79..b7a439f 100644
Binary files a/secrets/nextcloud-key.age and b/secrets/nextcloud-key.age differ
diff --git a/secrets/paperless.age b/secrets/paperless.age
index 830afea..57a44e6 100644
Binary files a/secrets/paperless.age and b/secrets/paperless.age differ
diff --git a/secrets/plausible-admin.age b/secrets/plausible-admin.age
index 44d1df4..146bc81 100644
Binary files a/secrets/plausible-admin.age and b/secrets/plausible-admin.age differ
diff --git a/secrets/plausible-keybase.age b/secrets/plausible-keybase.age
index fe1a697..8119606 100644
Binary files a/secrets/plausible-keybase.age and b/secrets/plausible-keybase.age differ
diff --git a/secrets/radicale.age b/secrets/radicale.age
index 85f9771..c1eabf9 100644
Binary files a/secrets/radicale.age and b/secrets/radicale.age differ
diff --git a/secrets/restic-gdrive.age b/secrets/restic-gdrive.age
index 36e74e6..2f1e4d0 100644
Binary files a/secrets/restic-gdrive.age and b/secrets/restic-gdrive.age differ
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
index cfabdaa..4d48e43 100644
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ 1ylRcikeS7eUVRpy/q5M+9+32zB5pt2GDLU6+3wHWyI
-9VSg8kOE1g3IQvBnDwLvn0C8dOw4/xuPxxrqL+fDP3Q
--> ssh-ed25519 xfrWcQ cUWcTsQ+Y8NaxA73EBuh1+Dv2YeTJB112nlpbI9JkA0
-fp+vmBxZ5O/WxlXmKPqwMISGsgBKrAU9tUNpwUJWy8w
--> ssh-ed25519 IV3DkQ z7wy/ZXA1KvuYucY1EfDRWakBmcv7D+gwjENV7E5tlQ
-9wovsEodoxREIHeTm7KT+OnbKxJnfrnZAdMrKu1Tf1I
--> ssh-ed25519 DCzi1A EGSWyT7CoUNR239LL9s0pumdWW/hWEAf9SwVKaVdODw
-44DaSHhXr5UKDNtG7NIQjF2X1F708TNq9NAt2/fmnpg
---- qAqy+kI1hpPXgVB+qcNqsOD2BSBxLtWq9ovkhS0rlCU
-Ôð¥¹ú¿~m©5¡l€Ö½zz.¹ºncöI{d%$AyCû^ÐY.+ë¾ËYè›ZZ•s(ÛÃ˜;äWÈFoöTkÉÈôrAS\9tùS7í·
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ m+Of2fFXpmWNIcPpld+1M0SeSj9slmaNFM+uYqR5NE0
+a5G+NDQL9kChBEQDTfCFcFaFHiEsFjug2E80F+4nFFM
+-> ssh-ed25519 xfrWcQ wtNSw0azb6iJWhWpwAqELWBjt7fFgDHZxTZrbXDxTQ8
+fGt0zSHMq51SRlcy526CTH9IlLG7a0DppYGlRePkyX4
+-> ssh-ed25519 IV3DkQ fcsiE5BUqpEnAzZ3QHP0aZLtaoS6gSGkabT4AI4bh28
+Z+pu1qcH7lvh+WLkmSrpoz258MeNxL8vdpg0uzeil8Q
+-> ssh-ed25519 DCzi1A GBm/EjD8pKbimUaE3S9XlUeCoRZhgVAfL7D52Uy5PWM
+A1YWX1EUxzoiY/8rcHdoOrKKm4FKm4LZ90NuiIL4iOw
+--- 3iHL8TouNqGEBxIKO1zJEa0CO+omewquYlt65E2RpfI
+‘üþá'(|i+ÂløŽ;íóÄâöÊ—<’N]'cÃÉ0Ã‹F÷ŒÎùfâ¥•ï'@‘F^¼½OÍ¨]‘-ä'™(QEÒýRÌ’¸+¯²%
\ No newline at end of file
diff --git a/secrets/restic-s3.age b/secrets/restic-s3.age
index d39af63..e55e991 100644
Binary files a/secrets/restic-s3.age and b/secrets/restic-s3.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f183ba3..dc11ec5 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,7 +2,7 @@ let
   kop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2 lukas@Kopatz-PC2";
   server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
   laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqcphdDEJhnSBkAZzQXZJDCzsyb/Tqpcf0pUADFpbd1 root@nix-laptop";
-  mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGsTZvAahTrszYDHn+94sLtcF8865/mpd26ZDVQklSj root@server-vm";
+  mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGsTZvAahTrszYDHn+94sLtcF8865/mpd26ZDVQklSj root@server-vm"; # actual used server
   mini-pc-proxmox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0kX32LfIOv8FDVvdp7lWesVvMGh5tj84nv7TkIR1cs root@mini-pc";
   adam-site = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfaIaKoNStnbfjB9cSJ9+PW0BVO3Uhh1uIbZA2CszDE root@nixos";
   amd-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/t25OaQF020DZdew53gMFqoeHX1+g3um02mopke2eX root@nixos";
@@ -38,4 +38,5 @@ in
   "radicale.age".publicKeys = [ mini-pc mini-pc-proxmox kop ];
   "binary-cache.age".publicKeys = [ kop amd-server ];
   "wireguard-evo-vpn.age".publicKeys = [ kop amd-server-vpn-vm ];
+  "cloudflare-api.age".publicKeys = [ kop mini-pc ];
 }
diff --git a/secrets/stash-auth.age b/secrets/stash-auth.age
index 60d07cb..90dc8a7 100644
Binary files a/secrets/stash-auth.age and b/secrets/stash-auth.age differ
diff --git a/secrets/step-ca-key.age b/secrets/step-ca-key.age
index 248e21e..eaa0d53 100644
Binary files a/secrets/step-ca-key.age and b/secrets/step-ca-key.age differ
diff --git a/secrets/step-ca-pw.age b/secrets/step-ca-pw.age
index 0ba53cb..71c730b 100644
--- a/secrets/step-ca-pw.age
+++ b/secrets/step-ca-pw.age
@@ -1,11 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ p7LQlfq0mtdnmTJOvi6QQqAg/uCKAUWjdoVOgNcqn0g
-Ka17+MWpb/MnZrV5HIwji54GffoeZC4ZFPzhCIxlrOw
--> ssh-ed25519 xfrWcQ Tc14rVFq5eAmbTtjNkIVdpOEBce4E8JChTznb8B6HCI
-izYgC0YkqgUT/l82363MjBrDoQ0R+b5LHn7B3TglOK0
--> ssh-ed25519 IV3DkQ qQ8DSh8+Gmy0hV8w76hR+GiABQv+OJkigA40QycPABg
-tZnpWcEEVLqwpRpmHo/Skbc2/78dXM5Swwv6cSbitXs
--> ssh-ed25519 DCzi1A hTm67QVFyufZzbu7XZ2NxozPBVvOsN1UIi/8zBz+hiA
-c0dCopDkZ0FgwHZ6b3H3uBJyVqvZGXtAU0TsZt/Zu8Y
---- Pp0HncaouK+xj2oF56aJ+UDanDokOEzeaZif9G4obT8
-Çdš¬º¢*«)Ù®7åpÄj¶Þˆ5Û­Ó—˜?%*$¿xoä@YI@´ õw<Š¦y-··èõÖ›
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ YIid9iirmPoo6k+MzZolZUq+YM7+U2mfxwWzQsA/S1Q
+J3HeDG58L2oZY1W8XpV6Fc/jigk4NeWUSyvYW2GdpJs
+-> ssh-ed25519 xfrWcQ HC4x5Of4+tbA6N/xuLwRoK9t8fX92zZ2hEP83eK/pUQ
++QMdeFeNPObTTryy3s/JyrJVWbAg3dHTCahlKngX4do
+-> ssh-ed25519 IV3DkQ mlatj+WBtKcjZW9qlGlNoaYz6K/VYu6+a97ees3mJjQ
+9Gw1cwYcKfllZu02pLaiOUmMCpzKg5WO5tILNNHVkFU
+-> ssh-ed25519 DCzi1A +bsxS2neqBO/uX4IusVBbfzbK/DeWS8l2setQ2qlGzw
+MwH3XyQ1DqSaWRE3u1xfteBMSglQ0AQvq7dgKOZpw4o
+--- kPHpp8/8kHD/zbzA25DPh8E+4RfAcwSGYUYVr7NFTV4
+ýØ;CV—ØÛÜ
+
+ëS”f-	ÿð†"`”Ý7îü‡.…)ƒº£Õô¯,«çãð…ŽIÛÕñÞ¿O÷E‹
\ No newline at end of file
diff --git a/secrets/webhook.age b/secrets/webhook.age
index de35076..254c4cd 100644
--- a/secrets/webhook.age
+++ b/secrets/webhook.age
@@ -1,13 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 oDXHAQ JnlPQP9xUmPBWlHg55LW9j4BHpGIXhTy4kcpEBGrUC4
-1HiCgZQ/JUMTzvt4504ETWaMFKXiRJwVOkIHFNI3AUo
--> ssh-ed25519 xfrWcQ pLPHGDS8Jy8+/FyVpvqFeDTpgp9I76t9aqNut4NpMD8
-hhXBFUZ9u4+c9MJcva4sWN5wD5LRFOzLxjlrCgxQk+k
--> ssh-ed25519 IV3DkQ nKOU6lm+OzX7x2ejhCe1nO4JFZvrROofhorfIPurdnM
-nELj0F7SeMFoysowosvRSEZ5VoAfVkwIjLMCUP3K64E
--> ssh-ed25519 DCzi1A 0420GUGxNWBhhMlclQtfKk6kMpN/FpDL2tFKph8p92Y
-o66Iv9MC/jTFqfjM6xAbjVOvoRDQnJ/QTNT8nwb4pdU
--> ssh-ed25519 lNJElA DcoTNBEN/IAqrq5s5X9FUXg45ipyOK1gYZZgYNN+sxc
-iSyEZdguc8+p4yv2RP2iYfhVczRp5zmw6HylVuSN89g
---- M4LiD5KtohoDUyCde9owKG1hKWIn3xS6iMrvY5sLp98
-@«fÛb¦’³èKÒ×(¥õA_CVg‰ãƒãñ–¥iE÷jØ–Ä5[Äµ&øwjk¼ur{sj8HBYš‰âdôXO£î ¸ ]è(½C'ÞÕÒðs¦Š“š{NIJ)„ò*¯½ÈàV	^ëóÉª}ÊÄW€V~Œ±²4±h#(Ýì*<›Ir°øÌx–ñP=è®ÖýNÐäqâasÆ
\ No newline at end of file
+-> ssh-ed25519 oDXHAQ YOjThOjyPh8j1zRTG8PSb/Do5NKjchlR0Z5oiYIqTVY
+ecYu7pV2y9k7i4c0UlOha1Oy00mZ0/35CzbHSaTlnNY
+-> ssh-ed25519 xfrWcQ ppgMeDOCcqCWpYBaIwqIjnxWFcm8YASNhCd66zfJBkM
+xqjfumnhEqpF0s+L9n0dlZK2BtcKSyZY0n1h4ogyA6E
+-> ssh-ed25519 IV3DkQ zPs9zEaCGed/0FlFT/J4IhJ9mK9zgfU31G8gfHA0AE8
+JX8JSDsd4hkMX0iiqKhQf8nFhq5J8Q6QSqceKQjf8G4
+-> ssh-ed25519 DCzi1A v02CiKWDStJkaG3HlJ/ubQp/w39qsol0Mwu7nUY74Do
+xH4Ip5MhMFd+vR3ZBa2IJ7OBkDvOJc2wPbSRqEvDYi4
+-> ssh-ed25519 lNJElA XXZRMJye6OkJn+ECW2OcpUaJUR+kz5lkDl7F36ff9yw
+OfwpqFqfsJjH927zas1aqy+ZDkL6a5nkbhys6BScqOg
+--- Kjk4OMfBNeWo7/L1eAL+IPfaFL8xOp8ws5TOma02NKo
+7’ˆ¢1X>(:wÌûeƒ}Ï°#FÇ5*Þøs»½°êÉ–¹è2ÞÎ!kä‰y`Û4ŒGÀðEPõòÓGU£(à?ÌöåÁö4àm$Á0øx|Ÿ²…œâz¨0{ó•jví?p,IäË.Kò6B
+k½ù³j7OÄh(™³…øP9/½v²A%¦|Q›üñ²_Iß‹ØÂ
\ No newline at end of file
diff --git a/secrets/wireguard-client.age b/secrets/wireguard-client.age
index c463cb2..0df1e4a 100644
--- a/secrets/wireguard-client.age
+++ b/secrets/wireguard-client.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 DCzi1A LulvmoZ6C2otVBZC3dzvZzT5aAi11OM390HoL65tvXg
-rqzbTdb2cz6dew0aRBIXVAMQL9s0U7aaE4gDE8ZT0sM
--> ssh-ed25519 FOj4qg gmD0iZghlh+mbMg3fs8n9pCLwbhCHUYY5Cz/HFXHnTI
-VCL9JgFbYkA37qMx2+VMQNa5ykOYSoXROFDZuNI9kVA
---- PQsF2R+ptDOl+jCWhAaJEjcv0+Y5g+guziY32lqBiGo
-…u>óMŽWÓ½.á…³ÌÁ®²ˆÊ¶–¯Yl6\›ã=äX±(¿‹ŽÇž<àÍ-&d5
-ï˜&ï“'T<rë@<à62—ìzq½
\ No newline at end of file
+-> ssh-ed25519 DCzi1A zhxFqVyhUdmVvf5Wh/l07dtROYr52vjl464aWp8bbgI
+73lXdktsZ09qD+YzFytm54woaDtLBZGhKnR0l53MmeU
+-> ssh-ed25519 FOj4qg k5qqsKIUeJgynfctXXOPZoGCRyWmhfJhxJ7XTH2gwk4
+7lPP00zZhD568yaASlRxsMDR2ORC98YmeJiSEWgearM
+--- toz9GNJXrCu59KKF7uDH5whudcVutVyWrfyucaYgbRw
+˜ÿrá{+çá¬Q¡'Aý¦	‘­ägõFìza!1jÏèI\BWN‹.p««ÒLŸÑšZØx¥°9Ž*íÀùÔÄHþö;-½Ac(=
\ No newline at end of file
diff --git a/secrets/wireguard-evo-vpn.age b/secrets/wireguard-evo-vpn.age
index a8e1be4..c3e8c30 100644
--- a/secrets/wireguard-evo-vpn.age
+++ b/secrets/wireguard-evo-vpn.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 DCzi1A ik/pJSG40rFNR9Tde+Ud7RTuZwluC1za9SLrdnYyXDA
-aBWqRH0pdPYolWVAovT2cdhZZlRCG5ZTQfBjgj5jW60
--> ssh-ed25519 Jk07yA jOO5I3Om/NvHDCd28t5OFlxJK1UwZayRro7/0pXWGBQ
-/LlY7KhwzkunIvrPJ7SqLvRDF6s3JM62SWqlczg+vHE
---- 9SY9UJ5hw7csiD+edUptxq/pPUQDuGv70mrDtVUURw4
-n¬ÖcÙ,÷ Ü\~ë9É€_‚š^e¶¬DÌ¼ñ ^Ù­k]ÂAªÝÃ?`²)õaÇ
-ô™Wó®ñÆ¼þ¹CÑóžü#¨¶¯D
\ No newline at end of file
+-> ssh-ed25519 DCzi1A NKDkLZqhAQWqsWT3JaXJ1SMdoT63YOg30b/ZOC0mXSM
+zKtwdrRdwwJcVQy8QjzlTONVPh8B0oYcpm98AXRbPBo
+-> ssh-ed25519 Jk07yA zO9dqNhdPzIyyXJsFhXlk8qx1voY0i/glh/1dZg3enw
+XyRJtCKs7Zh2CzH4wn+HHEkQHCJjpEzWzIiWhvvn+zU
+--- M2/hFhh440WAVq/fZsfDmA3PDBpmw2DBPnaneFgm6Ls
+!!ÏÚÛ_ŒÕ‚½ÀÞ,úÝz'{™)•euf¼Ozš\‹œw:´PTØuþv³PzŒ×u*N¢ 5 4û…üôÎ/¬Üüf#û
\ No newline at end of file
diff --git a/secrets/wireguard-private.age b/secrets/wireguard-private.age
index 776af79..c712846 100644
Binary files a/secrets/wireguard-private.age and b/secrets/wireguard-private.age differ
diff --git a/systems/amd-server-vm/configuration.nix b/systems/amd-server-vm/configuration.nix
index ce78d49..3586a85 100644
--- a/systems/amd-server-vm/configuration.nix
+++ b/systems/amd-server-vm/configuration.nix
@@ -10,6 +10,7 @@
     ../../modules/misc/motd.nix
     ../../modules/misc/kernel.nix
     ../../modules/services/duckdns.nix
+    ../../modules/services/ddclient-cloudflare.nix
     ./disk-config.nix
     ./mail.nix
     (modulesPath + "/installer/scan/not-detected.nix")
diff --git a/systems/amd-server-vm/mail.nix b/systems/amd-server-vm/mail.nix
index 636248a..2b03a8a 100644
--- a/systems/amd-server-vm/mail.nix
+++ b/systems/amd-server-vm/mail.nix
@@ -1,12 +1,15 @@
 { config, lib, pkgs, ... }:
 let
   # create hash -> dovecot -O pw
-  tmp_dovecot_passwords = "kopatz:{CRYPT}$2y$05$jqBkvhJ0e439J0PLhef4leOGc3GACGH83kSDCrvmAcsdz68tELkA6:5000:5000::/home/kopatz";
-  email-domain = "mail.detschn.net";
+  tmp_dovecot_passwords = ''
+  lukas:{CRYPT}$2y$05$jqBkvhJ0e439J0PLhef4leOGc3GACGH83kSDCrvmAcsdz68tELkA6:5000:5000::/home/lukas";
+  '';
+  email-domain = "kopatz.dev";
 in
 {
   # 25 = stmp -> postfix
   # 143 = imap -> dovecot
+  # 587 = submission -> postfix
   networking.firewall.allowedTCPPorts = [ 25 143 587 ];
   users = {
     users = {
@@ -28,9 +31,6 @@ in
   services.nginx.virtualHosts."${email-domain}" = {
     forceSSL = true;
     enableACME = true;
-    locations."/" = {
-      extraConfig = ''return 404;'';
-    };
   };
   services.postfix = {
     enable = true;
@@ -105,22 +105,22 @@ in
       };
     };
     virtual = ''
-      root@${email-domain} kopatz@${email-domain}
-      mailer-daemon@${email-domain} kopatz@${email-domain}
-      postmaster@${email-domain} kopatz@${email-domain}
-      nobody@${email-domain} kopatz@${email-domain}
-      hostmaster@${email-domain} kopatz@${email-domain}
-      usenet@${email-domain} kopatz@${email-domain}
-      news@${email-domain} kopatz@${email-domain}
-      webmaster@${email-domain} kopatz@${email-domain}
-      www@${email-domain} kopatz@${email-domain}
-      ftp@${email-domain} kopatz@${email-domain}
-      abuse@${email-domain} kopatz@${email-domain}
-      dmarcreports@${email-domain} kopatz@${email-domain}
+      root@${email-domain} lukas@${email-domain}
+      mailer-daemon@${email-domain} lukas@${email-domain}
+      postmaster@${email-domain} lukas@${email-domain}
+      nobody@${email-domain} lukas@${email-domain}
+      hostmaster@${email-domain} lukas@${email-domain}
+      usenet@${email-domain} lukas@${email-domain}
+      news@${email-domain} lukas@${email-domain}
+      webmaster@${email-domain} lukas@${email-domain}
+      www@${email-domain} lukas@${email-domain}
+      ftp@${email-domain} lukas@${email-domain}
+      abuse@${email-domain} lukas@${email-domain}
+      dmarcreports@${email-domain} lukas@${email-domain}
     '';
     mapFiles = {
       "virtual-map" = pkgs.writeText "postfix-virtual" ''
-        kopatz@${email-domain} ${email-domain}/kopatz/
+        lukas@${email-domain} ${email-domain}/lukas/
         test@${email-domain} ${email-domain}/test/
       '';
     };