diff --git a/flake.lock b/flake.lock
index c97c632..1c0aad3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -179,11 +179,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700087144,
-        "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=",
+        "lastModified": 1700118404,
+        "narHash": "sha256-XkqpZpVoy1FV7UbiLkP+fQxxv/6KnwLYkFEHgE8z2IQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506",
+        "rev": "c1a033122df8a3c74fda3780c83a104a7d60873c",
         "type": "github"
       },
       "original": {
@@ -309,11 +309,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1699781429,
-        "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
+        "lastModified": 1699963925,
+        "narHash": "sha256-LE7OV/SwkIBsCpAlIPiFhch/J+jBDGEZjNfdnzCnCrY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
+        "rev": "bf744fe90419885eefced41b3e5ae442d732712d",
         "type": "github"
       },
       "original": {
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index c8f9247..7247b47 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -4,13 +4,11 @@
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      # ./modules/adguard
       ./modules/networks
       ./modules/backup
       ./modules/grafana
       ./modules/prometheus
       ./modules/matrix
-      ./modules/nextcloud
       ./modules/seafile
       ./modules/uptime-kuma
       ./modules/vaultwarden
diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
deleted file mode 100644
index c1c3af7..0000000
--- a/hosts/nuc/modules/adguard/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }:
-{
-  networking.firewall.allowedTCPPorts = [ 53 ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
-  services.adguardhome = {
-    enable = true;
-    openFirewall = true;
-    settings.bind_port = 3000;
-  };
-}
diff --git a/hosts/nuc/modules/nextcloud/default.nix b/hosts/nuc/modules/nextcloud/default.nix
deleted file mode 100644
index 60a876a..0000000
--- a/hosts/nuc/modules/nextcloud/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ config, pkgs, ... }:
-let
-  domain = "nextcloud.${config.networking.domain}";
-in
-{
-  age.secrets = {
-    "nextcloud/adminpass" = {
-      file = ../../../../secrets/nuc/nextcloud/adminpass.age;
-      owner = "nextcloud";
-      group = "nextcloud";
-    };
-  };
-
-  services = {
-    nextcloud = {
-      enable = true;
-      package = pkgs.nextcloud27; # Use current latest nextcloud package
-      hostName = "${domain}";
-      https = true; # Use https for all urls
-      config = {
-        dbtype = "pgsql";
-        dbuser = "nextcloud";
-        dbhost = "/run/postgresql";
-        dbname = "nextcloud";
-        adminpassFile = config.age.secrets."nextcloud/adminpass".path;
-        adminuser = "rouven";
-      };
-    };
-
-    # Enable ACME and force SSL
-    nginx = {
-      recommendedProxySettings = true;
-      virtualHosts = {
-        "${domain}" = {
-          enableACME = true;
-          forceSSL = true;
-        };
-      };
-    };
-  };
-
-  # ensure that postgres is running *before* running the setup
-  systemd.services."nextcloud-setup" = {
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-  };
-  systemd.services."nextcloud-cron" = {
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-  };
-}
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 2542faf..90826f1 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -199,6 +199,7 @@
     cups
     agenix.packages.x86_64-linux.default
     mosh
+    qpwgraph
   ];
 
   services.mysql = {
diff --git a/overlays/default.nix b/overlays/default.nix
index 7d42fb4..bb9750c 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -26,15 +26,6 @@ in
 
   pww = callPackage ../pkgs/pww { };
 
-  # fix pairing
-  AusweisApp2 = prev.AusweisApp2.overrideAttrs (_: {
-    patches = [
-      (fetchpatch {
-        url = "https://patch-diff.githubusercontent.com/raw/Governikus/AusweisApp2/pull/47.patch";
-        hash = "sha256-98ttPVOFHsxmvUFgNpxW0/C9PK64dUwmTxrNnXefkKo=";
-      })
-    ];
-  });
 
   tpm2-pkcs11 = prev.tpm2-pkcs11.overrideAttrs (_: {
     configureFlags = [ "--with-fapi=no" ];
diff --git a/pkgs/pww/default.nix b/pkgs/pww/default.nix
index 9e9f80d..87c29ba 100644
--- a/pkgs/pww/default.nix
+++ b/pkgs/pww/default.nix
@@ -12,7 +12,7 @@ buildGoModule rec {
 
   nativeBuildInputs = [ makeWrapper ];
 
-  vendorSha256 = "sha256-3PnXB8AfZtgmYEPJuh0fwvG38dtngoS/lxyx3H+rvFs=";
+  vendorHash = "sha256-3PnXB8AfZtgmYEPJuh0fwvG38dtngoS/lxyx3H+rvFs=";
   postInstall = ''
     wrapProgram $out/bin/${pname} \
       --prefix PATH : "${lib.makeBinPath [ playerctl ]}"
diff --git a/secrets.nix b/secrets.nix
index 8696670..57f7b82 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -14,7 +14,6 @@ in
   "secrets/thinkpad/borg/key.age".publicKeys = [ rouven thinkpad ];
 
   # nuc
-  "secrets/nuc/nextcloud/adminpass.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/matrix/shared.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/nextcloud/adminpass.age b/secrets/nuc/nextcloud/adminpass.age
deleted file mode 100644
index dd814c5..0000000
--- a/secrets/nuc/nextcloud/adminpass.age
+++ /dev/null
@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 uWbAHQ 04CqSy3PpePLQ60Ky55Bxtytnj4t+Wz5X9qZxaSWyDs
-QM8jHjiXvx70ZokFiuwSnkfI3De3t3cQwFf2zezYc74
--> ssh-ed25519 2TRdXg wUXwM0JL1YjeQvIUGzoZhhQ4WBu9HwmMbOfsTj918E0
-XlNUno46LV1LD1ni3DAhDL+MwBUtZYUEjgMWjiCy03Y
--> _yK#P&-grease x|25 "[ Eg]|<,
-3fuuF3W/4MbQthuHpYwMSdh0QEgIi9OILjM3oXyNzVjbPdN99NvEJ+nYYuh3FDGP
-vp02QsTygDBMaZBDtSBYGdQ
---- CvrR1mOa9m1ovX66PoB/1qi+fqMCyt4/6jrdnsoZKuo
-1*JùÒ[LÇøt˜i5å§fbŒ[B£Ä%èÎ 1¡§35ÙÜÅÖijPÈ#ÿÉqÂšs&ˆ,”€
\ No newline at end of file
diff --git a/users/rouven/modules/accounts/default.nix b/users/rouven/modules/accounts/default.nix
index 28f187d..e4bc130 100644
--- a/users/rouven/modules/accounts/default.nix
+++ b/users/rouven/modules/accounts/default.nix
@@ -83,7 +83,7 @@ in
       gpg.key = gpg-default-key;
       realName = "Rouven Seifert";
       userName = "rose159e";
-      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/tu-dresden";
+      passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."mail/tu-dresden".path}";
       imap = {
         host = "msx.tu-dresden.de";
         port = 993;
@@ -164,7 +164,7 @@ in
       gpg.key = gpg-default-key;
       realName = "Rouven Seifert";
       userName = "rouven.seifert";
-      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/ifsr";
+      passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."mail/ifsr".path}";
       imap = {
         host = "mail.ifsr.de";
         port = 993;
@@ -195,7 +195,7 @@ in
         "r5@agdsn.de"
         "rouven.seifert@agdsn.de"
       ];
-      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/agdsn";
+      passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."mail/agdsn".path}";
       imap = {
         host = "imap.agdsn.de";
         port = 993;
@@ -221,7 +221,7 @@ in
       address = "seifertrouven@gmail.com";
       realName = "Rouven Seifert";
       userName = address;
-      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/google";
+      passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."mail/google".path}";
       imap = {
         host = "imap.gmail.com";
         port = 993;