diff --git a/flake.lock b/flake.lock
index 700345d..42e8093 100644
--- a/flake.lock
+++ b/flake.lock
@@ -277,11 +277,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737762889,
-        "narHash": "sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio=",
+        "lastModified": 1737968762,
+        "narHash": "sha256-xiPARGKwocaMtv+U/rgi+h2g56CZZEmrcl7ldRaslq8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "daf04c5950b676f47a794300657f1d3d14c1a120",
+        "rev": "e1ae908bcc30af792b0bb0a52e53b03d2577255e",
         "type": "github"
       },
       "original": {
@@ -499,11 +499,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1737746512,
-        "narHash": "sha256-nU6AezEX4EuahTO1YopzueAXfjFfmCHylYEFCagduHU=",
+        "lastModified": 1737885589,
+        "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "825479c345a7f806485b7f00dbe3abb50641b083",
+        "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8",
         "type": "github"
       },
       "original": {
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 8ac927b..9c68457 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -43,6 +43,8 @@
     ];
     files = [
       "/etc/machine-id"
+      # fix for systemd v257 panicking when /usr is empty
+      "/usr/dummy"
     ];
   };
 
@@ -71,11 +73,23 @@
   #         "${pkgs.openldap}/etc/schema/cosine.ldif"
   #         "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
   #         "${pkgs.openldap}/etc/schema/nis.ldif"
-  #         # "${pkgs.writeText "openssh.schema" ''
+  #         # "${pkgs.writeText "openssh.ldif" ''
+  #         #   dn: cn={4}openssh
+  #         #   objectClass: olcSchemaConfig
+  #         #   cn: {4}openssh
   #         # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
   #         # 		DESC 'SSH public key used by this user'
   #         # 		SUP name )
   #         # ''}"
+  #         "${pkgs.writeText "openssh.ldif" ''
+  #           dn: cn=openssh,cn=schema,cn=config
+  #           objectClass: olcSchemaConfig
+  #           cn: openssh
+  #           olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+  #               DESC 'MANDATORY: OpenSSH Public key'
+  #               EQUALITY octetStringMatch
+  #               SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+  #         ''}"
   #       ];
 
   #       "olcDatabase={1}mdb".attrs = {
@@ -88,7 +102,7 @@
 
   #         /* your admin account, do not use writeText on a production system */
   #         olcRootDN = "cn=portunus,dc=ifsr,dc=de";
-  #         olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+  #         olcRootPW = "test";
 
   #         olcAccess = [
   #           /* custom access rules for userPassword attributes */
@@ -102,6 +116,24 @@
   #               by * read''
   #         ];
   #       };
+
+  #       "olcOverlay={3}memberof,olcDatabase={1}mdb".attrs = {
+  #         objectClass = [ "olcConfig" "olcOverlayConfig" "olcMemberOf" "top" ];
+  #         olcOverlay = "{3}memberof";
+  #         olcMemberOfRefInt = "TRUE";
+  #         olcMemberOfDangling = "ignore";
+  #         olcMemberOfGroupOC = "groupOfNames";
+  #         olcMemberOfMemberAD = "member";
+  #         olcMemberOfMemberOfAD = "memberOf";
+  #       };
+
+  #       "olcOverlay={4}refint,olcDatabase={1}mdb".attrs = {
+  #         objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
+  #         olcOverlay = "{4}refint";
+  #         olcRefintAttribute = "memberof member manager owner";
+  #       };
+
+
   #     };
   #   };
   # };
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index f4b7af7..cd2ead1 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -74,6 +74,10 @@
           pskRaw = "ext:PIXEL_PSK";
           authProtocols = [ "WPA-PSK" ];
         };
+        "C3D2" = {
+          pskRaw = "ext:C3D2_PSK";
+          authProtocols = [ "WPA-PSK" ];
+        };
         "WIFI@DB" = {
           authProtocols = [ "NONE" ];
         };
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age
index d9967a8..cb0faba 100644
Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ
diff --git a/shared/nix.nix b/shared/nix.nix
index f85d054..885d63c 100644
--- a/shared/nix.nix
+++ b/shared/nix.nix
@@ -15,10 +15,12 @@
       substituters = [
         "https://cache.rfive.de"
         "https://cache.ifsr.de"
+        "https://nix-community.cachix.org"
       ];
       trusted-public-keys = [
         "cache.rfive.de:of5d+o6mfGXQSR3lk6ApfDBr4ampAUaNHux1O/XY3Tw="
         "cache.ifsr.de:y55KBAMF4YkjIzXwYOKVk9fcQS+CZ9RM1zAAMYQJtsg="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       ];
       trusted-users = [
         "@wheel"
diff --git a/users/rouven/modules/helix/default.nix b/users/rouven/modules/helix/default.nix
index c4f7814..e027ff8 100644
--- a/users/rouven/modules/helix/default.nix
+++ b/users/rouven/modules/helix/default.nix
@@ -6,7 +6,7 @@
     rust-analyzer
     nil
     nixpkgs-fmt
-    typst-lsp
+    tinymist
     (python3.withPackages (ps: with ps; [
       pyls-isort
       pylsp-mypy