diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml
new file mode 100644
index 0000000..93d16c5
--- /dev/null
+++ b/.github/workflows/fmt.yaml
@@ -0,0 +1,27 @@
+name: main
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check-flake:
+    name: Nixpkgs Formatting
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v18
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos 
+      - run: nix-channel --update
+      - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..bfb606f
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,33 @@
+name: main
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check-flake:
+    name: Check Flake
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v18
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - uses: cachix/cachix-action@v12
+        with:
+          name: fruitbasket
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          extraPullNames: nix-community
+
+      - run: nix build
+
+      - run: nix flake check
diff --git a/.gitignore b/.gitignore
index 8cb727e..ee0c388 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-.qcow2
+*.qcow2
 result
diff --git a/.sops.yaml b/.sops.yaml
index 13849d7..3738915 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -44,3 +44,16 @@ creation_rules:
         - *jonas
         age:
         - *test
+  - path_regex: secrets/admin\.yaml$
+    key_groups:
+      - pgp:
+        - *bennofs
+        - *revol-xut
+        - *felix
+        - *simon
+        - *rouven
+        - *helene
+        - *fugi
+        - *emmanuel
+        - *joachim
+        - *jonas
diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
new file mode 100644
index 0000000..b73bf07
--- /dev/null
+++ b/config/portunus_seeds.json
@@ -0,0 +1,54 @@
+{
+	"groups": [
+		{
+			"name": "admins",
+			"long_name": "Portunus Admins",
+			"members": ["admin"],
+			"permissions": {
+				"portunus": { "is_admin": true },
+				"ldap": { "can_read": true }
+			}
+		},
+		{
+			"name": "ifsr",
+			"long_name": "Mitglieder des ifsr",
+			"members": [],
+			"permissions": {
+				"portunus": { "is_admin": false },
+				"ldap": { "can_read": false }
+			}
+		},
+		{
+			"name": "strukturer",
+			"long_name": "Strukturer des ifsr",
+			"members": [],
+			"permissions": {
+				"portunus": { "is_admin": false },
+				"ldap": { "can_read": false }
+			}
+		},
+		{
+			"name": "search",
+			"long_name": "LDAP search group",
+			"members": ["search"],
+			"permissions": {
+				"portunus": { "is_admin": false },
+				"ldap": { "can_read": true }
+			}
+		}
+	],
+	"users": [
+		{
+			"login_name": "admin",
+			"given_name": "admin",
+			"family_name": "admin",
+			"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+		},
+		{
+			"login_name": "search",
+			"given_name": "search",
+			"family_name": "search",
+			"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] }
+		}
+	]
+}
diff --git a/flake.lock b/flake.lock
index c2baba1..3650034 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1673740915,
-        "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
+        "lastModified": 1676162277,
+        "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
+        "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
         "type": "github"
       },
       "original": {
@@ -87,16 +87,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1672580127,
-        "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
+        "lastModified": 1676375384,
+        "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0874168639713f547c05947c76124f78441ea46c",
+        "rev": "c43f676c938662072772339be6269226c77b51b8",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-22.05",
+        "ref": "nixos-22.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -116,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1673752321,
-        "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
+        "lastModified": 1676171095,
+        "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e18eefd2b133a58309475298052c341c08470717",
+        "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 48f499a..ef4e809 100755
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = github:nixos/nixpkgs/nixos-22.05;
+    nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
     sops-nix.url = github:Mic92/sops-nix;
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     fsr-infoscreen.url = github:fsr/infoscreen;
@@ -56,15 +56,21 @@
           modules = [
             inputs.sops-nix.nixosModules.sops
             ./hosts/quitte/configuration.nix
+            ./modules/options.nix
             ./modules/base.nix
             ./modules/sops.nix
-            ./modules/keycloak.nix
+            ./modules/ldap.nix
+            # ./modules/keycloak.nix replaced by portunus
+            ./modules/mail.nix
             ./modules/nginx.nix
-            #./modules/hedgedoc.nix
+            ./modules/hedgedoc.nix
             ./modules/wiki.nix
             ./modules/stream.nix
             ./modules/nextcloud.nix
+            ./modules/matrix.nix
             {
+              fsr.enable_office_bloat = false;
+              fsr.domain = "staging.ifsr.de";
               sops.defaultSopsFile = ./secrets/quitte.yaml;
             }
           ];
@@ -74,10 +80,11 @@
           modules = [
             inputs.sops-nix.nixosModules.sops
             ./hosts/quitte/configuration.nix
+            ./modules/options.nix
             ./modules/base.nix
-            ./modules/keycloak.nix
+            # ./modules/keycloak.nix replaced by portunus
             ./modules/nginx.nix
-            #./modules/hedgedoc.nix
+            ./modules/hedgedoc.nix
             ./modules/wiki.nix
             ./modules/stream.nix
             ./modules/vm.nix
diff --git a/keys/ssh/joachim b/keys/ssh/joachim
index dcf3458..218443f 100644
--- a/keys/ssh/joachim
+++ b/keys/ssh/joachim
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9akyIw74vwJ+8NM7um8NhTcMO7okD46jYkodHTLYe6Oj7QR/kHZD3VEu5Wy7mN33av0Pr6gqeqzPBmn1kxa+J0FnD83rjm989Z9mKbpjt1EtAd9WSlx1MmixHCSgTvHezaiUHmikWdUK3XLITZeGOM3fyDDV5Nqm1rvg5PMV2mAMP9j8T2RsWweGUgcoE8RIfH4WA6t1ZhP4Px01UWozFadeQ6qRG8hMfq3gWKC9lGLAlgUHqpUuNVJ8I45znR/UhrR+h4VF0mkCYFM3JP0z+o/KwDTfcLlRCMxcY3rpRvbrhmgkqHuPTqwQfiBxTyZvWb2IeCkKVFAk0WmFb1M4Elnk+tJrF2G7yzpyRNilin8/P7pQk7M3BAY2m1iZA6u7cBUxWFbzRqRluRR8R+HAk9hqjtr0XmMifq0K7ZX31u48Ss/lgNXa2KHHYeI79++mfELhIhNXAznkhIAT1PhRKeL12RtDVjzfEd1JbHR8hE1L/n0K3Hyfzw/bJXBAwJJ8= joach@DESKTOP-FOASM6G
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0FSJ1IFmAMaeuO/OcY56koVTO68DZOJkUpZvHKkGttCtSmio2w3lXoJG+X+950DdwZcgF9vf4/h8VjsmQdNg/ACQQM6gNwVk8p2arIbYy9M3s0FfHKoMkfMDlZ91Md0/9BtogFRQWCP9Og3vV7q63cPJldqk+gljp10OruxawjAc+myz2xUppjk3BWzoHX86lAtF2ggqY1HW9rloMqj0j1zdqyMkHzy4akJbE2NAekNsdz0dWKC3tTGuEXlisZiC1Q51S5JrZIsr8hZXdL2u/nThsveSPC/jW3tfQxthu7TFyLr5n5ms9S3s47TGdtUTKmkTXWvspAHD4EP2nHTniqnesVO3TE9lHiI++TBQAtrTp+Ivb6Fwv55fUH1V36tkaFfAuTJq0zHv7tYedqMdzfH99jsHb4hej6LWMJPaH1R/UyNOzJr+ac50C7vFO+j4UKiu0vFRebnID7nLBY7vl3n5bmX1FjfD9axHncIranI4Lyt5RMxueR11IHIDqEEE= joachim@nixos
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index f85d2a7..3c8b776 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  domain = "pad.quitte.tassilo-tanneberger.de";
+  domain = "pad.${config.fsr.domain}";
 in
 {
   services = {
@@ -19,7 +19,7 @@ in
 
     hedgedoc = {
       enable = true;
-      settings = {
+      configuration = {
         port = 3002;
         domain = "${domain}";
         protocolUseSSL = true;
@@ -44,7 +44,7 @@ in
           enableACME = true;
           forceSSL = true;
           locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
+            proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
             proxyWebsockets = true;
           };
         };
diff --git a/modules/ldap.nix b/modules/ldap.nix
new file mode 100644
index 0000000..dd459e0
--- /dev/null
+++ b/modules/ldap.nix
@@ -0,0 +1,103 @@
+{ config, ... }:
+let
+  domain = "auth.${config.fsr.domain}";
+
+  portunusUser = "portunus";
+  portunusGroup = "portunus";
+
+  ldapUser = "openldap";
+  ldapGroup = "openldap";
+in
+{
+  sops.secrets.unix_ldap_search = {
+    key = "portunus_search";
+    owner = config.systemd.services.nslcd.serviceConfig.User;
+  };
+
+
+  users.users."${portunusUser}" = {
+    isSystemUser = true;
+    group = "${portunusGroup}";
+  };
+
+  users.groups."${portunusGroup}" = {
+    name = "${portunusGroup}";
+    members = [ "${portunusUser}" ];
+  };
+
+  users.users."${ldapUser}" = {
+    isSystemUser = true;
+    group = "${ldapGroup}";
+  };
+
+  users.groups."${ldapGroup}" = {
+    name = "${ldapGroup}";
+    members = [ "${ldapUser}" ];
+  };
+
+  sops.secrets = {
+    "portunus_admin" = {
+      owner = "${portunusUser}";
+      group = "${portunusGroup}";
+    };
+    "portunus_search" = {
+      owner = "${portunusUser}";
+      group = "${portunusGroup}";
+    };
+  };
+
+  services.portunus = {
+    enable = true;
+    user = "${portunusUser}";
+    group = "${portunusGroup}";
+    domain = "${domain}";
+    port = 8081;
+
+    ldap = {
+      user = "${ldapUser}";
+      group = "${ldapGroup}";
+
+      suffix = "dc=ifsr,dc=de";
+      searchUserName = "search";
+
+      # disables port 389, use 636 with tls
+      # `portunus.domain` resolves to localhost
+      #tls = true;
+    };
+
+    seedPath = ../config/portunus_seeds.json;
+  };
+
+  #users.ldap = {
+  #enable = true;
+  #server = "ldap://localhost";
+  #base = "${config.services.portunus.ldap.suffix}";
+  #};
+  users.ldap =
+    let
+      portunus = config.services.portunus;
+      base = "ou=users,${portunus.ldap.suffix}";
+    in
+    {
+      enable = true;
+      server = "ldap://localhost";
+      base = base;
+      bind = {
+        distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
+        passwordFile = config.sops.secrets.unix_ldap_search.path;
+      };
+      daemon.enable = true;
+    };
+
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${config.services.portunus.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+      };
+    };
+  };
+}
diff --git a/modules/mail.nix b/modules/mail.nix
new file mode 100644
index 0000000..14c009c
--- /dev/null
+++ b/modules/mail.nix
@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+let
+  hostname = "mail.${config.fsr.domain}";
+  domain = config.fsr.domain;
+  rspamd-domain = "rspamd.${config.fsr.domain}";
+  # brauchen wir das überhaupt?
+  #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
+  #server_host = ldap://localhost
+  #search_base = ou=mail, dc=ifsr, dc=de
+  #'';
+  dovecot-ldap-args = pkgs.writeText "ldap-args" ''
+    uris = ldap://localhost
+    dn = uid=search, ou=users, dc=ifsr, dc=de
+    auth_bind = yes
+    dnpass = $(${pkgs.coreutils}/bin/cat ${config.sops.secrets."portunus_search".path})
+
+    ldap_version = 3
+    scope = subtree
+    base = dc=ifsr, dc=de
+    user_filter = (&(ou=mail)(uid=%n))
+    pass_filter = (&(ou=mail)(uid=%n))
+  '';
+in
+{
+  sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
+
+  networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+
+  services = {
+    postfix = {
+      enable = true;
+      hostname = "${hostname}";
+      domain = "${domain}";
+      relayHost = "";
+      origin = "${domain}";
+      destination = [ "${hostname}" "${domain}" "localhost" ];
+      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
+      sslKey = "/var/lib/acme/${hostname}/key.pem";
+      config = {
+        smtpd_recipient_restrictions = [
+          "reject_unauth_destination"
+          "permit_sasl_authenticated"
+          "permit_mynetworks"
+        ];
+        #alias_maps = [ "ldap:${ldap-aliases}" ];
+        smtpd_sasl_auth_enable = true;
+        smtpd_sasl_path = "/var/lib/postfix/auth";
+        virtual_mailbox_base = "/var/lib/mail";
+      };
+    };
+    dovecot2 = {
+      enable = true;
+      enableImap = true;
+      enableQuota = false;
+      sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
+      sslServerKey = "/var/lib/acme/${hostname}/key.pem";
+      mailboxes = {
+        Spam = {
+          auto = "create";
+          specialUse = "Junk";
+        };
+        Sent = {
+          auto = "create";
+          specialUse = "Sent";
+        };
+        Drafts = {
+          auto = "create";
+          specialUse = "Drafts";
+        };
+        Trash = {
+          auto = "create";
+          specialUse = "Trash";
+        };
+      };
+      extraConfig = ''
+        mail_location = maildir:/var/lib/mail/%u
+        passdb {
+          driver = ldap
+          args = ${dovecot-ldap-args}
+        }
+        userdb {
+          driver = ldap
+          args = ${dovecot-ldap-args}
+        }
+        service auth {
+          unix_listener /var/lib/postfix/auth {
+               group = postfix
+               mode = 0660
+               user = postfix
+            }
+        }
+      '';
+    };
+    rspamd = {
+      enable = true;
+      postfix.enable = true;
+      locals = {
+        "worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
+        "redis.conf".text = ''
+          read_servers = "127.0.0.1";
+          write_servers = "127.0.0.1";
+        '';
+        "dkim_signing.conf".text = ''
+          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+          selector = "quitte";
+          sign_authenticated = true;
+          use_domain = "header";
+        '';
+      };
+    };
+    redis = {
+      vmOverCommit = true;
+      servers.rspamd = {
+        enable = true;
+        port = 6379;
+      };
+    };
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts."${hostname}" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+      virtualHosts."${rspamd-domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            proxyPass = "http://127.0.0.1:11334";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/modules/matrix.nix b/modules/matrix.nix
new file mode 100644
index 0000000..82cfa0f
--- /dev/null
+++ b/modules/matrix.nix
@@ -0,0 +1,141 @@
+{ config, pkgs, lib, ... }:
+let
+  domainServer = "matrix.${config.fsr.domain}";
+  domainClient = "chat.${config.fsr.domain}";
+
+  clientConfig = {
+    "m.homeserver" = {
+      base_url = "https://${domainServer}:443";
+      server_name = domainServer;
+    };
+  };
+  serverConfig = {
+    "m.server" = "${domainServer}:443";
+  };
+
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+
+  # build ldap3 plugin from git because it's very outdated in nixpkgs
+  matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { };
+  # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
+in
+{
+  sops.secrets.matrix_ldap_search = {
+    key = "portunus_search";
+    owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      ensureUsers = [{
+        name = "matrix-synapse";
+      }];
+    };
+
+    nginx = {
+      recommendedProxySettings = true;
+      virtualHosts = {
+        # synapse
+        "${domainServer}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          # homeserver discovery
+          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+
+          # 404 on /
+          locations."/".extraConfig = "return 404;";
+
+          # proxy to synapse
+          locations."/_matrix".proxyPass = "http://[::1]:8008";
+          locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+        };
+
+        # element
+        "${domainClient}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          root = pkgs.element-web.override {
+            conf = {
+              default_server_config = clientConfig;
+              disable_3pid_login = true;
+            };
+          };
+        };
+      };
+    };
+
+    matrix-synapse = {
+      enable = true;
+
+      plugins = [ matrix-synapse-ldap3 ];
+
+      settings = {
+        server_name = domainServer;
+
+        listeners = [{
+          port = 8008;
+          bind_addresses = [ "::1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [{
+            names = [ "client" "federation" ];
+            compress = false;
+          }];
+        }];
+      };
+
+      extraConfigFiles = [
+        (pkgs.writeTextFile {
+          name = "matrix-synapse-extra-config.yml";
+          text = let portunus = config.services.portunus; in ''
+            modules:
+              - module: ldap_auth_provider.LdapAuthProviderModule
+                config:
+                  enabled: true
+                  # have to use fqdn here for tls (still connects to localhost)
+                  uri: ldaps://${portunus.domain}:636
+                  base: ou=users,${portunus.ldap.suffix}
+                  # taken from kaki config
+                  attributes:
+                    uid: uid
+                    mail: uid
+                    name: cn
+                  bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+          '';
+        })
+      ];
+    };
+  };
+
+  systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
+
+  systemd.services.matrix-synapse-pgsetup = {
+    description = "Prepare Synapse postgres database";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" "postgresql.service" ];
+    serviceConfig.Type = "oneshot";
+
+    path = [ pkgs.sudo config.services.postgresql.package ];
+
+    # create database for synapse. will silently fail if it already exists
+    script = ''
+      sudo -u ${config.services.postgresql.superUser} psql <<SQL
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          ENCODING 'UTF8'
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      SQL
+    '';
+  };
+}
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 407f847..373466d 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  domain = "nc.quitte.fugi.dev";
+  domain = "nc.${config.fsr.domain}";
 in
 {
   sops.secrets = {
diff --git a/modules/options.nix b/modules/options.nix
index 26868ae..dc8f4d5 100644
--- a/modules/options.nix
+++ b/modules/options.nix
@@ -1,7 +1,14 @@
 { config, lib, ... }: with lib; {
-  options.fsr.enable_office_bloat = mkOption {
-    type = types.bool;
-    default = false;
-    description = "install heavy office bloat like texlive, okular, ...";
+  options.fsr = {
+    enable_office_bloat = mkOption {
+      type = types.bool;
+      default = false;
+      description = "install heavy office bloat like texlive, okular, ...";
+    };
+    domain = mkOption {
+      type = types.str;
+      default = "ifsr.de";
+      description = "under which top level domain the services should run";
+    };
   };
 }
diff --git a/modules/stream.nix b/modules/stream.nix
index 2d7bb7f..088840d 100644
--- a/modules/stream.nix
+++ b/modules/stream.nix
@@ -10,7 +10,7 @@ in
   services = {
     nginx = {
       virtualHosts = {
-        "stream.ifsr.de" = {
+        "stream.${config.fsr.domain}" = {
           enableACME = true;
           forceSSL = true;
           locations."/" =
diff --git a/modules/wiki.nix b/modules/wiki.nix
index 23767c8..aa4e5cc 100644
--- a/modules/wiki.nix
+++ b/modules/wiki.nix
@@ -116,10 +116,6 @@
                 $wgPluggableAuth_EnableLocalLogin = true;
       '';
       extensions = {
-        #Cite = pkgs.fetchzip {
-        #  url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz";
-        #  sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM=";
-        #};
         CiteThisPage = pkgs.fetchzip {
           url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz";
           sha256 = "sha256-sTZMCLlOkQBEmLiFz2BQJpWRxSDbpS40EZQ+f/jFjxI=";
@@ -128,10 +124,6 @@
           url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz";
           sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk=";
         };
-        #DynamicPageList = pkgs.fetchzip {
-        #  url = "https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz";
-        #  sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o=";
-        #};
         Lockdown = pkgs.fetchzip {
           url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz";
           sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA=";
@@ -188,7 +180,7 @@
     nginx = {
       recommendedProxySettings = true;
       virtualHosts = {
-        "wiki.quitte.tassilo-tanneberger.de" = {
+        "wiki.${config.fsr.domain}" = {
           enableACME = true;
           forceSSL = true;
           locations."/" = {
diff --git a/pkgs/matrix-synapse-ldap3.nix b/pkgs/matrix-synapse-ldap3.nix
new file mode 100644
index 0000000..0635ab0
--- /dev/null
+++ b/pkgs/matrix-synapse-ldap3.nix
@@ -0,0 +1,21 @@
+{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-ldap3";
+  version = "0.2.2";
+
+  format = "pyproject";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "matrix-org";
+    repo = "matrix-synapse-ldap3";
+    rev = "2584736204165f16c176567183f9c350ee253f74";
+    sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
+  };
+
+  propagatedBuildInputs = [ service-identity ldap3 twisted ];
+
+  # ldaptor is not ready for py3 yet
+  doCheck = !isPy3k;
+  checkInputs = [ ldaptor mock ];
+}
diff --git a/secrets/admin.yaml b/secrets/admin.yaml
new file mode 100644
index 0000000..2a70171
--- /dev/null
+++ b/secrets/admin.yaml
@@ -0,0 +1,188 @@
+cachix_password: ENC[AES256_GCM,data:Cx8d4Sd3yTDMfxVEPHcI2d1EQXuXRwf7TRO3WmwotYc=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:kC2VoEugIHxib5zK/em24w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-11-25T15:54:51Z"
+    mac: ENC[AES256_GCM,data:3r5MEGkl7heMrVP7adypwys1qUj0B8/rhWgoSp0g2U+qMnGfQqAbvuBOTkdmWpNhM1a+aKRD9ASmpoJ2S0QL5tMOFbNpE3exugzSCOlwO7+o/m8wU6uujOw7nxAAFlbDXNbv9s3tFod0gVe6Y14oxFTWI8F1PqS9eGy/y09a8U4=,iv:7IaM37M1hbfdJ1eDr5o3iekz3GQq8nb/59CDRPcSkE0=,tag:raNPUg7abddKyOvhYeL+nQ==,type:str]
+    pgp:
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DntlvaG5T7wcSAQdAM/BVbImmA9J2ns6PCIHhfb+LPQbKqotoD4Jb9XJNp1Qw
+            5qJuTv4gzgQ7sREvihZLtAyydAivVM8z39MjEutazzdUwzK/VO1Gm9zOI6BMbi2O
+            0l4BxxANLvRM2Ap0MHH5o5Rhlm8Y6RGc3mQA730ipfHaNYfUPx/BdhEkUtkWBVw0
+            8330JlhDjgzHldxg+8M+ZRTB5BQ7v8HmNTiDRRxgKxKoW720MYLLGyFKG0biw0oj
+            =/WEe
+            -----END PGP MESSAGE-----
+          fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/YLzOYaRIJJAQ/7BTAoJD+khMXNIWJizL1BoXDXFXOwA3RCxdpQH0Fp1FSY
+            b4GKYK4YNf3mFxLvGf2Gz4hn0FPRLw2H2p8bTtRcnKmxpiDnIC9D7WEs4TlznFOz
+            /7DU/GG1T1qjgScyLQNP5xH+t9LnNIllR+BQKCuTLW/CoPTgfF/GjVR+3U5WqUB2
+            +oDrBWMtMkWqjAFFSv7Nx7JWNHUhJm2Deydmg1VCFheVMe6YogoqarsALRLNNvp9
+            6anrIpaneAlWvU15q/ax46qXSIiqbLdMEy/iLfZT6YIopowDb2SrAYCHR6VwXWiZ
+            qr8OFwhsK9gdBFsN42QlXsySvRlZOy5lWOdq1/fbUZwBbeEJAMUsa5wQjVp3cuYQ
+            XHHQk5s08eSakGc6U+ypizbrBe8d+RH8H0kWAQVrQ0E8xzB4hnWdps7XNIW/+eAe
+            dVVcmg4pRnqmvk/O+V+m8UK1TYe49hg8aGRgtX1bojSB09CQkZl3MdCpwGcw53b1
+            Udf16K9ggXScAeQYvrsXLJ39kxXNrTfFPTloAaq25kGriRzcPaaOBL8x+Q/sb44P
+            eibiRTC3jcOdo+9icSLPunaAw9oJGX7LhVv3gvK19EAJyaZFWBI72RKr/57UyYxZ
+            DQTxz8jGwdQeWuu4z9/M02EM3aWOEswkZBDFO72cfNAn8kOmuGq5ApNY6fOviAjS
+            XgF68qMCUUOpzuRxmz/g3fsg0oS4OhOCVUn/ntmB5kAtAKtxaKEXHtPqjsdf3iY3
+            qH08FulmrYsP0cU4cXM2u+RdqcBj4IeYE/zhmmIlw233XvB07Wjrc4pj9uUWWr4=
+            =zQ7p
+            -----END PGP MESSAGE-----
+          fp: 91EBE87016391323642A6803B966009D57E69CC6
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA8uqUsBLHj6XARAAny5iqElv07bTRcGx9/ExcBHtcrFh7WE+r3xDGCuJFbhg
+            ULcE5IW4Lr4htW8gWcsU8uJSvk8epoB8XnRh3CqKzfa6hjGKaGFdvrqwQl4H5r/v
+            OOx68am7N6mUzzpbNp10Q8urCCLkCkUUZvh7/t9G5K+uosp1J4/FyqvbX3rDHcQY
+            hFFpJMISTUkpFVp7LWzzB3GmW2ivqgCKq7FWb8j4GWo5c0TMkEHoSP5KI5A8pLpy
+            cmlTIk8/wYRAkNaZkN7+H+NFPDvnJirnHab7272TD2CZV9WsaGpv+7R9B0RDGyI/
+            LSRHiz0HvTK9d4y/G9WCotqcYQ7qhRy7zT80oarmJ3lYJXWwZHSJDtuXUKUvjaIP
+            s8fW+8dLKR4yekSrC7SS2d5t+F7o8emAWUWWXnQnjfDGmL8Koj4kDRJscNfsyYsA
+            DMB5jSmlWzeLLuZBtvbEnrFBg+rvRBSAEo4NleMk52HCi4PAf7dn//P4jlAkpfzN
+            clCs4XHXY4O1ab5nE/LLHkB5y1m1PYkilP43hMkqXmhA/jrVFd5u+vQ05kNCzCuW
+            vHSuvQvhoPFvid/ikGEa+qEWIUXFhL7z9/As9/GeGNzlSL5FgmhFd3CwMdEj8bjR
+            cKGMR76n1I7ER4RMe1pq4nI5vFQ7teCuD1QHKLtLFVAIkQgIBibECdlOXOLIe93U
+            aAEJAhBrXKPr+8mhR/xRHVdagUUBqxQWicjMZ13d3vuPWb6QBKyKgoGlDixK4VkO
+            KDDjQY1evyHtmGXeiLXajY3fUwTggPtuKxab2YztmeiliKiG2sLay8PGke4dD8yk
+            3WRs2IRu0v4+
+            =rwIY
+            -----END PGP MESSAGE-----
+          fp: F8634A1CFF7D61608503A70B24363525EA0E8A99
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAwDgSONkM+d4ARAAsPpfKaJ+/24rwoPWcjK7VN6vfK78XyOzWvpLFiDlpK2g
+            6NscC80PQ2820UFKjXMSG1ZfxPUxnYGqcrP3I75LVMN5ODYi+Tn/snoI3HFwiUhc
+            R42gvSx/MXcvz65Zf8h8nLOuinSngiMcH9J3fQkEFEmen0laEr0V9D536Zgq87S8
+            I13DHosLia/o7l7wL6xig6EjYg2fCK41wm0ZfFBY6m+82eqijOvOwPOdm+bWHwqa
+            EVOzsxJHAg8iYNQ/FEPRfz0W7K335Kzvcltq5/cp8AiKJQaVB25k1+kfJwyMUIrV
+            02UgETvZLqoMTXiwbbYgER8RfFo+pEAiG2Zs8VJcI8Lo4bc6q0jWHqcMIlHVNZyA
+            vM04p3/ezD4cM7IW/MuvhGuZEnuK3jUrmMOqQRlNYgfama2piqqMlX8W3ypBLOeL
+            RzuGrwZ9FaSra8XE3yLDmfvx9oazLfr++/Kg14Zm/gVd65dzS9NUvCqdvK7Ie4Cc
+            fPrRIHLN7gkynt1WrFyF2PcgJa8oepHid7hr8eEYA21d6RtnyvP+dLBnybE1q9Ks
+            ojKyL5WQtTWtMIOaJwAWI4PA1azFXxwlKjpnnKSNhoG8/71AvG8hugUCkyUwjOCu
+            ZlGiyUdc3WKD7UYmi2F76TLMnLlSmXBN8iiPGchSNJfdxT61VTz2sNsoVm3jJ9nS
+            UQHKKWNz9Z5oUTOXqREGVO+5je4c1dQBkRBIa0gVMkhXtvxsR38nc22gWEynO06H
+            oLefe5EI0xXsCY6pu76hYT4oYcR/xK2pcskPZdkn3/pxzA==
+            =FD5R
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAzUXo8ZPJwGLARAAjeYrnUgB3trB84njBwD5onsJDnhxGRwzB3Gxosf3ocfB
+            ruW4cJ97XnXcOXtfIyayUJz/tnsaL8LZwTOGxzS7s43RBYC0fhNEkRGcLl2aHCzu
+            rTNoFqnYNk/C4xrfQPpk8lKlvgW9HYnky1Khv08YrvDlgajYEtkWFI/pbQKzASa2
+            arZiDo37NXIQUMWoF6tBgzKu7d7U9mK3DQQ17IX4LjDxmESKIGGJ9JiFc9q7B/sS
+            1k9Am13nojNpeCqwOTMSlZ/RrrglPEI5IxuXsfUD+NgDtVWgiBHHNa/SgtPEkmQB
+            d7PvFneaWcCDOCUhshydlX0dso28IIN5TYJpiG1iCfIy6/0h/fgPpEJb1MAqcAfo
+            VQCKW5Y5V9X/U/YrofXkueLq+CvdOVilVUWOqNdNqBEHYQg0PlDswSlEYeLqKkaV
+            EBV0WABZRHoYEkDGdW4R06gN8qdISoRytMV5jyus/kEJnnfRxGYDbsmexRHBZtIl
+            37cDbHRMQK0l18LPRFv/4RGVer+lt7/fLWUcJud2bC15Wl6dfabqzqU9GwXPAQdj
+            x+aP/GSEf7PgPnhOvxzKM6gjrMgb1TuKb5j197Plambh0IA34//34Gea5v+PUKAD
+            rum+KXvkFec/X+dQMboFfv07e2to1ci+Z0BqC6HUOTHCsmJpAZq3ezEimY610G7S
+            UQEOtZ/NH5Yjvkc5osaw/TegmJm7ZbSaCR6XaPhCiU95IpwpTxUYYI2QOiBBlRgf
+            UlunIR/sfNm0Pd5T/eB+RUJapHL3rkRpQquhxkln2kYy0w==
+            =rDY/
+            -----END PGP MESSAGE-----
+          fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D9r3oXQWw/BASAQdAR6qHAUn8s50JRyEbkIL9Buy/tx5/N1SEeFty3wOCpnEw
+            +QLAbvme/NMB1uO2jwwY9nlfl7IpwaB7VflXkhN1hPGzU9fCMK5ndaNePOEDcQPe
+            1GgBCQIQ7ozw5I51cQOs+kg/9VOkh9zbOpNLUiyoxEqp7u4rswnsA1XrhSnlpX1Y
+            QtJoyY+0cif1Bz9T+0LM4t9OxCCF0UhVNcf8oYrP+GCHEjkcc7y5WAJuBkUhpeIt
+            lQPhlrni2TH1+w==
+            =M5Cq
+            -----END PGP MESSAGE-----
+          fp: B43C3A8A92CA28486AC6C4E2F115100C787C1C19
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA30JDs8MiK29AQ//Ym8SiT1oqRvwEyIPPILK7DY3MnAIxw4ycJJ1nlC2ry2z
+            e/zzJj3GynYzXogfH6lqaFVtMMWsjAahsgw2CQjk15hPU6rnJKGj7O+vccgNGwfS
+            4fpXxgbhHj12wGd2nn+4zGZHNq+HGR1VclSnb1ZcqP0O06VWyhi/G9uDVoyuHcl7
+            XxmMJBPPws2DY8Il+DmCOU2DUBq/2p9Y5DOOJPdY16WWUGk49R0h9koTLpn2EQbD
+            WkQJnn4fUSAOLB8ozWTo0Yg6R1iWpGEgz2jbLC/b8ENuC70crDge0v6mA3r8m153
+            63awupZv0Rwqnq6+JaMmqq86IMOMiFWF8t5ZZ8i9u/d2F+3ok90EVwn/ea1kINn0
+            WAOTe1tj4SkX5x/lglucbaeB4hfdHJFrU28UYDC2e5gx+9mGpPjqDVcfvLkdVE/s
+            +Oa/3zm9IJDa03yxOSPTGOu6KYtXv9huTPKZO+rYCpUbvU8YSHf4EmbnfAMfhT9L
+            KhItQSLX8uAY2r9o4ycQ0CvYhbktxc0QYO45Cc37dewi+BrF8SUNFGuaLdBZSG7e
+            y8D5z+4KC76Ygw1K/apds7pnvH8Z/JXog7QAf5mi7Z+crCizFOz5Vrbxw5/1Qxq3
+            bhfd2KjUHyZHqOT7dImX0SLuJH0FkCfUnxFgQI4zo13/nwvJfH4dlutkvxT7SfrS
+            XgH5TJTMXG37k4NSQzW7O8atgT1C6jVyMvhN0HGbHAGPpcHQoE6U76p9v/Xq9nm5
+            qfYC4Wo8bvGtEJLYH2YwfzPNILdQj+7cArOTwNLy7Sq4gJlnIRbGGOE8lYrQ8jI=
+            =lKbJ
+            -----END PGP MESSAGE-----
+          fp: BF37903AE6FD294C4C674EE24472A20091BFA792
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0nQCLGHQlNzAQ/+PNzpv4IOkYpQHkE+5/o15Ob3miIH0d+iPoj74CbhJZpm
+            jcszEFZ7fMRkMU4O6PpG/+f0QNqhOivwTQOwfxVVhQR/Zyvpr48cuTrfHDgHUePU
+            U0BZFoQRCx+hWt05ziYjJkTd0x1iBrotlvNAlPwtjbxrjTsBFq1hXUjQsE+9n+Nv
+            7d9oBFG1r/3pp6ZCdncnERKWglvRnIjz0DWj6l2rXGeInzP8sbaPdblxKmm0LQBY
+            K1UQeMJiGmurOOlhIKBDOVsioVrT0nmdQGkJEmGqtJYQ+6cY9piEU4wREj3XKBQc
+            /JWD96TKZeCZvnEyz/abuXU7P4u9sUrvULCB7us3UreK4n8EPIJKjg9ofMDg89pn
+            eTTgK2E3Wg6FIfJd3RWLjvs34eCUT3giftoggBzmiKYMJ/ALC3FLuDHywAeDLUQf
+            FGVvciO7vqM4W31cMsTserxWnCEp+T1wCXwZWS0+Wh58U2X0RtRa+DYeEasU9W7v
+            3RJmbGgjCTnTrNNnS7NcgG3Cidg92bbzonXn6VB5eU/vbS0BcoTu/cfoHnyUQfMe
+            +n/XCwW00fds/jkLOll52x478C4NkeYkwoL1FzDZBgCNkidpPleDLivC7wj62E+w
+            rhwxNBGf4Qs2LHRWHgimd8l6z9+WG9g+5UgxUTp4WhJkuRSp8TmhbqfIWI0zCGfS
+            XgFoAIyQtXOKLnFFCEcwFUTh7mKw6bbk8u0pQUPLyQSBlVHZdhqtpkT+hq1+Y4Nm
+            tU8pb9G8BOryUvgOnEy8dPx9G64iwxYrYOu+cms6AigK8ZGHjSzOfqbJsgn7zgE=
+            =RDPX
+            -----END PGP MESSAGE-----
+          fp: E83F398E6423179FE4F63D4FF085CAD394DE329D
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DNffZWjBmO5ASAQdAsqGwMruz+NHQGNXhBlkFxzz49h/s+0rL8glEfh9avyww
+            WgBSk5HdE7O2/NNSBKSoNEjO8mHa0Z0yyQEi36ohY3KlwNPsP4ThiPOLl6z8xsK3
+            1GgBCQIQrNrzmh92ThNLfkhjNvfdFnPOK1LScYAVQQt+wYjWZJ7Cj6v3rxmiPWqj
+            DuJSJrbWRFVXEQWRT7hfTa8lhAymec9G65MYN+GUQy68Yb1dJckPmuj4ja6d0JMA
+            Mo5Sz7alehfJfw==
+            =kmse
+            -----END PGP MESSAGE-----
+          fp: B1A16011B86BACB56ADB713DB712039D23133661
+        - created_at: "2022-11-25T15:54:04Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6MARpDCLIz2ARAAgWhMSYIrgIs5WEpkpKbMQ0Gs89BJVAk+e/aF6F5JFKFD
+            lXdhin+XOK+foCdba68d8iCj+G94vO2TjnC1clv6BSMtpCjFspLISK3993JahBCt
+            lVPDl6OPjjgETLa7v9JrkYadafzQasXSDtC0Nqfg3AAb/EfYAe2k/K79kAElHWIl
+            ALLm8i8kbiOfySnjwhl8cJdDS7ua8nfC+pTac6e2GML0bKGjA0WR+ccOTGpNsFAu
+            UPtw5onoSDmywqv88tlUdmdWAz1NsnQUhzvZ4j+YCLCltlU7bzDI9/ExhgQHxC4v
+            Fghfs9jLINQZ7aWdqdib7S3FmFRdN06lsGh4bQFG+NPtLcoFxLcWkiArRVPW2lZ5
+            YUZ1Brs+gvHNMvSVPXbe+1V9nwjvm1S76vUYwTm5mf8jm7wA1NqyoB3etPEaQzPA
+            FYAZqErNVgG7pfa0zpnNYHHBB8y/Z/pyJKqRvRMJFpRj91FFULRrVPFr2B4JARAu
+            6/Sonr20Q5UTIPpT2yhzDltL25Yfj6alCrsOTJ+XufGgw5m62UjKmarqCQJUwEk+
+            /Qx3z+j1NlMgeuYpr+bWnjLgtwXuR0Q0pFgBkpJdP3VrvmfM/79fOBvEAFRgkevL
+            tKPNfFrJv56ODfFmjMwmux2tHxROMAXWLUb5gFeAIoRRIk0ru0sEQVGwaj5Yo6bS
+            XgEaqKfvaVzc1TuY5YIuXuXP+YLOJKJvDLmSaowFnM+GS1HtW1yGrdtCajEls2tE
+            MJAnCZurAfwK48GfQx1qnzyd9QOi1KYRafXFXEu1AyU7BCgwZiMPp3Qdv09sAMg=
+            =Rs7Q
+            -----END PGP MESSAGE-----
+          fp: A4F92BC7B792108A463995827C1F2DA2BC929412
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 99ecdc2..9bb401d 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -4,6 +4,10 @@ postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR
 nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
+wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
+portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
+portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str]
+rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZgV+UlfsJk9IELIA==,iv:7O48+wB7zJUIp3lQDTC7tkP1UFvmDfjs50x1Zo3hOhw=,tag:MNdiDF22a3n1ZrE6qTDVLA==,type:str]
 mediawiki:
     postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
     initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@@ -23,8 +27,8 @@ sops:
             Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
             KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-09T15:15:33Z"
-    mac: ENC[AES256_GCM,data:8G4Kohgr0lF8G135/MNzcSRIrtfX+QRCfMtLRK+fNbc/NHHozlLaI8XDpiURfvgaWR5fVim7DgT5r59aU+G+F8O45C83hJ5LLLmeisWL78Ktm9vOUhWgoClCZ8l/603uPpIG3WlenLF1D5DTO11U60wcGdWv1RMQ9ovxJCXtRfs=,iv:0L4KQR1LYUW52Upv5sZWKquuLNhdaRQ2yoV4y0rs+R0=,tag:uBEfNmk5hmRqSUGhF+V3SQ==,type:str]
+    lastmodified: "2023-02-03T14:46:12Z"
+    mac: ENC[AES256_GCM,data:Bg5S8lSYnCUhlYFObVpmPXsp2IVxm1vfDdyzEmGGoKNU9lit/0nxrmgv3ZvOfzrcilQQHLzAfPIM5HXTCVtoPPWmkicQ72SdNWLJbY9p1+MFQgiqFZcVAYb+FMm9s1IOxBgXx/OQWmQxDmTA6jZHqgYBZnrBMgjeo0ol1Zp60uY=,iv:FlCsVbOBQC43yrmAKv8j7b0DTuhZXmeURxWWkbIcRQQ=,tag:e9vubxFQOK6h1fHQ8GHLvQ==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:48Z"
           enc: |
diff --git a/secrets/test.yaml b/secrets/test.yaml
index 620e16d..610fada 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@@ -5,6 +5,9 @@ postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4
 nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
 wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
+portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
+portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
+rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str]
 mediawiki:
     postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str]
     initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
@@ -24,8 +27,8 @@ sops:
             MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
             ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-20T15:34:41Z"
-    mac: ENC[AES256_GCM,data:YjrmGxH7DCf4HP2GKMb+2XThSTnvcNgIaM4uvuEK/Nb4ZuVKvF4usKvsHXuy0lJEtghfw1wd9ao9pEKbcCMTkkhjXmXe8LuprT72CQl5+qVLfchfgmYdwkx2H3pN9rWXR0jQnF/d6djAwvm7c2bepioUa2IamJx+++CWjttB0Ds=,iv:Ds6KZzSppATyo/jsWxeiuVP2jXDGiTHEk3XaSy2xgLA=,tag:zaPwS8jfKrom3JAncg6UXQ==,type:str]
+    lastmodified: "2023-02-03T14:47:01Z"
+    mac: ENC[AES256_GCM,data:qSuGdUOgVDhZ25zYGfZ6+GC7XxsoGV9dUSKM0YstpSQgR7u9S8fQVkcbz5gNTVhG8bdGQVxmMPTW3QyMI6s76yngs6kBxwnBSycAFowJlO6P/cRPqRlAuVhJy82hq0lOJem93vOnRPBQsb6Da0OS/7+SKoRd/I66BtPNKMmxEdo=,iv:IXy3cuZfUK2k8TIA7LpIbPSzcxXtiW4pmdILO6441Is=,tag:PuACj+FwaTxoTCFLytXoiw==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:58Z"
           enc: |