diff --git a/flake.lock b/flake.lock index 40e31a1..c033a61 100644 --- a/flake.lock +++ b/flake.lock @@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1711915616, - "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=", + "lastModified": 1711625603, + "narHash": "sha256-W+9dfqA9bqUIBV5u7jaIARAzMe3kTq/Hp2SpSVXKRQw=", "owner": "nix-community", "repo": "home-manager", - "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6", + "rev": "c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2", "type": "github" }, "original": { @@ -200,11 +200,11 @@ ] }, "locked": { - "lastModified": 1711658384, - "narHash": "sha256-CbIPdqcX4k7DfnRaicJy6IlaszWyDIxiQMAxB6OGGK4=", + "lastModified": 1709110024, + "narHash": "sha256-5gJQgQAYZPvT5vzSrR2yHD4wGCQNO7Pds618MMGUTD8=", "owner": "rouven0", "repo": "TruckSimulatorBot-images", - "rev": "7f57bdee9a22d4b2bb46ed1eae5aba11dfe34976", + "rev": "05f98442b21c771c90699b55eed8f1e1c0dd50cd", "type": "github" }, "original": { @@ -281,11 +281,11 @@ ] }, "locked": { - "lastModified": 1711854532, - "narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=", + "lastModified": 1711249705, + "narHash": "sha256-h/NQECj6mIzF4XR6AQoSpkCnwqAM+ol4+qOdYi2ykmQ=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7", + "rev": "34519f3bb678a5abbddf7b200ac5347263ee781b", "type": "github" }, "original": { @@ -296,11 +296,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "lastModified": 1711523803, + "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443", "type": "github" }, "original": { 
@@ -398,11 +398,11 @@ ] }, "locked": { - "lastModified": 1711961571, - "narHash": "sha256-kYcs9KKTbN0ACPYTmeAF+EIj62kGBiimffHmFgOeQJo=", + "lastModified": 1711391819, + "narHash": "sha256-sNI0PLFXvFM5M6h9PYrbF+IfL199OYLRz875lNZ9Y0Q=", "owner": "rouven0", "repo": "purge", - "rev": "6ce3c6cedb0f31885fc3775c96fb8cfca403bc93", + "rev": "e82088390a446b6ad1f4df92d62478ea557d98de", "type": "github" }, "original": { @@ -507,11 +507,11 @@ ] }, "locked": { - "lastModified": 1711961583, - "narHash": "sha256-ClezUJ0pH/DMU0u3e3t0qAgm+HQ9v6BmH1y5z8W6TZg=", + "lastModified": 1711395032, + "narHash": "sha256-2fH6TXdPKZaTx6NXucFn7HaFDZ9vC1ebTql5XkdkWTI=", "owner": "rouven0", "repo": "TruckSimulatorBot", - "rev": "eeffe63c4948769034a28cf0cd04885c754eba97", + "rev": "4776a2235fffb96aa8fcc8e33d39af17907754ae", "type": "github" }, "original": { diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix index c94ca84..eb4e333 100644 --- a/hosts/falkenstein/modules/dns/default.nix +++ b/hosts/falkenstein/modules/dns/default.nix @@ -6,7 +6,7 @@ let $ORIGIN rfive.de. rfive.de. 86400 IN SOA ns.rfive.de. hostmaster.rfive.de. ( - 2024040103 ; serial + 2024032601 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -29,6 +29,10 @@ let nuc A 141.30.227.6 falkenstein A 23.88.121.184 falkenstein AAAA 2a01:4f8:c012:49de::1 + falkenstein SSHFP 1 1 DE42CA418093CF94EABC124E101AE4D8DE02C69F + falkenstein SSHFP 1 2 149100F5C3CA333E20E7B03EB463B0FB23D34FFE1FC65EFAADDDBE51 8EC35990 + falkenstein SSHFP 4 1 70A38677DEE50C5B67AA11400A6BCD4984355C2A + falkenstein SSHFP 4 2 B25AD18A23C885AE965875C4C9EDA4E4EDFD3503334B10F0BFE7527B EB178CB2 @ MX 1 mail.rfive.de. mail A 23.88.121.184 diff --git a/hosts/falkenstein/modules/fail2ban/default.nix b/hosts/falkenstein/modules/fail2ban/default.nix index 0b7dd4b..658f87c 100644 --- a/hosts/falkenstein/modules/fail2ban/default.nix +++ b/hosts/falkenstein/modules/fail2ban/default.nix 
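Review bot: The SOA serial on the new side (`2024032601`) is lower than the one it replaces (`2024040103`), in a commit that also changes zone data in the next hunk of this file. Secondaries compare serials and treat a lower value as older, so if this zone is transferred anywhere, the added SSHFP records would not propagate until the serial passes the highest value already published. If the zone is only ever served from this host the effect is limited, but the serial should still increase with every content change, i.e. a value above `2024040103`. The zone text starts and ends outside the hunk.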
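Review bot: The `SSHFP 1 1` and `SSHFP 4 1` records publish SHA-1 fingerprints next to the SHA-256 ones (`1 2`, `4 2`); they add nothing for current clients and keep a weaker digest available as a match, so I would publish only the type-2 lines. These records authenticate the host only if rfive.de is DNSSEC-signed and the client validates the answer. Signing is not visible in this hunk, so it is worth confirming before the ssh module relies on `VerifyHostKeyDNS`. A comment above the records would help the next rotation, e.g. `; SSHFP: alg 1=RSA, 4=Ed25519, fp type 2=SHA-256; regenerate with ssh-keygen -r after a host key change`.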
@@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: { services.fail2ban = { enable = true; @@ -11,6 +11,11 @@ enable = true; }; jails = { + sshd = lib.mkForce '' + enabled = true + port = ssh + filter= sshd[mode=aggressive] + ''; dovecot = '' enabled = true # aggressive mode add blocking for aborted connections diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index cbfb1f4..7bfaf31 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -163,8 +163,7 @@ networkConfig = { Address = "192.168.43.3/32"; DNS = "192.168.43.1"; - Domains = "~vpn.rfive.de"; - DNSSEC = false; + DNSSEC = true; BindCarrier = [ "wlp9s0" ]; }; }; diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index c42bf48..f4629b5 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -27,6 +27,9 @@ # messaging tdesktop + gomuks + profanity + fractal # games prismlauncher diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix index 284d555..59fd80d 100644 --- a/users/rouven/modules/ssh/default.nix +++ b/users/rouven/modules/ssh/default.nix @@ -3,14 +3,14 @@ let git = "~/.ssh/git"; in { - programs.ssh = { + programs.ssh = rec { enable = true; compression = true; controlMaster = "auto"; controlPersist = "10m"; extraConfig = '' CanonicalizeHostname yes - CanonicalDomains agdsn.network vpn.rfive.de + CanonicalDomains agdsn.network PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so IdentityFile ~/.ssh/id_ed25519 VisualHostKey = yes 
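Review bot: `lib.mkForce` replaces whatever the module defines for the `sshd` jail instead of extending it, and the new text pins `port = ssh`, so if sshd on this host ever listens on a port other than 22 the ban would not cover it. As far as I recall the NixOS default derives the jail port from `services.openssh.ports`, and that coupling is lost here; worth confirming and interpolating the configured ports instead. The override also deserves a comment like the one on the dovecot jail, e.g. `# aggressive = normal + ddos + extra rule sets; mkForce because the module already defines this jail`. As a style point, `filter= sshd[mode=aggressive]` is missing the space before `=` that the other keys use. The `jails` set continues outside the hunk.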
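Review bot: `DNSSEC = true` puts systemd-resolved into strict validation for this link, so lookups sent to `192.168.43.1` fail outright if that resolver does not pass DNSSEC records through; there is no fallback in this mode. The setting is per link, so on any other network the global resolved setting decides whether SSHFP answers are validated, which matters for the `VerifyHostKeyDNS = "yes"` blocks in the ssh module. The hunk also drops `Domains = "~vpn.rfive.de"`, presumably matching the removal of the `vpn.rfive.de` entries elsewhere in this commit. A comment such as `# strict validation: SSHFP checks for rfive.de hosts depend on it` would record the intent. The enclosing network definition starts outside the hunk.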
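Review bot: Making the whole `programs.ssh` set `rec` just to reuse one match block (the `falkenstein = matchBlocks."rfive.de"` line in the next hunk) brings every attribute of the set, such as `enable`, `compression` and `extraConfig`, into scope as a variable, which makes accidental shadowing easy later on. A `let` binding next to `git` keeps the reuse explicit: define the block once there and assign it to both `"rfive.de"` and `falkenstein`. The attribute set continues past the end of this hunk.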
@@ -21,6 +21,26 @@ in match = "Host github.com User git"; identityFile = git; }; + "rfive.de" = { + hostname = "falkenstein.rfive.de"; + user = "root"; + extraOptions = { + VerifyHostKeyDNS = "yes"; + }; + }; + # used for nix remote building + falkenstein = matchBlocks."rfive.de"; + + "nuc" = { + hostname = "192.168.42.2"; + user = "root"; + }; + + "router" = { + hostname = "192.168.42.1"; + user = "root"; + }; + # iFSR "fsr" = { hostname = "ifsr.de"; @@ -50,6 +70,10 @@ in hostname = "tomate.ifsr.de"; user = "root"; }; + "durian" = { + hostname = "durian.ifsr.de"; + user = "root"; + }; "git@ifsr.de" = { match = "Host ifsr.de User git"; identityFile = git; @@ -70,9 +94,6 @@ in VerifyHostKeyDNS = "yes"; }; }; - "*.vpn.rfive.de" = { - user = "root"; - }; "git@git.agdsn.de" = { match = "Host git.agdsn.de User git"; identityFile = git;
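Review bot: Every block added here logs in as `root`, and the `controlMaster = "auto"` / `controlPersist = "10m"` settings visible in the first hunk of this file keep an authenticated master connection open for ten minutes after the last session closes. Any process running as this user can reuse that socket for a root session without going through the key or the PKCS#11 provider. Consider `ControlMaster = "no"` or a shorter `ControlPersist` in `extraOptions` for the root blocks (the persistence may be wanted for the `falkenstein` alias used for remote builds), or an unprivileged login with escalation on the host. For `nuc` and `router`, which are addressed by private IP, a `HostKeyAlias` would tie the stored host key to the name rather than to an address that other networks also use.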