diff --git a/flake.lock b/flake.lock
index d760e15..d21de87 100644
--- a/flake.lock
+++ b/flake.lock
@@ -37,11 +37,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1732215451,
-        "narHash": "sha256-P2VVlzRGKBNsiHsN1yMZcSMXpwtIx9ysMFZAqKFJ14o=",
+        "lastModified": 1730835992,
+        "narHash": "sha256-XYr4WQMxJdZkrQlsouyURMY4iNL5SS2RlQ7XGnjEQBU=",
         "owner": "nix-community",
         "repo": "authentik-nix",
-        "rev": "9d9c0a3a94a91cfed654a18239e27cf56970daa4",
+        "rev": "5af11599eaec65b5b6e6e39d77b541db361c08aa",
         "type": "github"
       },
       "original": {
@@ -53,16 +53,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1732213300,
-        "narHash": "sha256-4Pv35cnZGiTxe6j2O0F9L9sHzxVIC1SazeAUD5kWeBs=",
+        "lastModified": 1730826392,
+        "narHash": "sha256-EuNOfMy7yVa1OqWwCtNtmdeIQeQCTCKBXgJdz0QCPIU=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "527e584699abc93712114b05f70f59c5187caa66",
+        "rev": "665de8ef2211524f3cc13dce9344bd59c61c3a5c",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2024.10.4",
+        "ref": "version/2024.10.1",
         "repo": "authentik",
         "type": "github"
       }
@@ -301,11 +301,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733045511,
-        "narHash": "sha256-n8AldXJRNVMm2UZ6yN0HwVxlARY2Cm/uhdOw76tQ0OI=",
+        "lastModified": 1730837930,
+        "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4964f3c6fc17ae4578e762d3dc86b10fe890860e",
+        "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
         "type": "github"
       },
       "original": {
@@ -336,11 +336,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1731242966,
-        "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
+        "lastModified": 1730403150,
+        "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+        "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
         "type": "github"
       },
       "original": {
@@ -450,11 +450,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733024876,
-        "narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=",
+        "lastModified": 1730604744,
+        "narHash": "sha256-/MK6QU4iOozJ4oHTfZipGtOgaT/uy/Jm4foCqHQeYR4=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "6e0b7f81367069589a480b91603a10bcf71f3103",
+        "rev": "cc2ddbf2df8ef7cc933543b1b42b845ee4772318",
         "type": "github"
       },
       "original": {
@@ -524,11 +524,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1732837521,
-        "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
+        "lastModified": 1730785428,
+        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
+        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
         "type": "github"
       },
       "original": {
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
index aab1cf9..9097c6f 100644
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
@@ -64,7 +64,7 @@ in
         auth_url = "https://auth.rfive.de/application/o/authorize/";
         token_url = "https://auth.rfive.de/application/o/token/";
         api_url = "https://auth.rfive.de/application/o/userinfo/";
-        role_attribute_path = "contains(roles, 'Grafana Admin') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
+        role_attribute_path = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'";
 
       };
 
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index ef7f22b..c9bee3f 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -32,7 +32,6 @@
     # '';
     tmp.useTmpfs = true;
   };
-  services.lldpd.enable = true;
 
   environment.persistence."/nix/persist/system" = {
     directories = [
diff --git a/hosts/thinkpad/modules/graphics/default.nix b/hosts/thinkpad/modules/graphics/default.nix
index c6aeba4..d100e5c 100644
--- a/hosts/thinkpad/modules/graphics/default.nix
+++ b/hosts/thinkpad/modules/graphics/default.nix
@@ -7,15 +7,12 @@
     enableDefaultPackages = true;
     packages = with pkgs;
       [
-        nerd-fonts.noto
-        nerd-fonts.iosevka
-        nerd-fonts.iosevka-term
-        nerd-fonts.iosevka-term-slab
+        nerdfonts
+        noto-fonts
         noto-fonts-cjk-sans
         noto-fonts-emoji
         roboto
         fira
-        open-sans
       ];
   };
   console = {
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 41f4ab8..3de3d79 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -7,7 +7,6 @@
       file = ../../../../secrets/thinkpad/dyport-auth.age;
     };
   };
-  programs.openvpn3.enable = true;
   networking = {
     supplicant = {
       "LAN" = {
@@ -97,7 +96,6 @@
       FSR = {
         psk = "ext:FSR_PSK";
         authProtocols = [ "WPA-PSK" ];
-        extraConfig = "disabled=1";
       };
     };
     openconnect.interfaces = {
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 63b94eb..6675e21 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -44,6 +44,7 @@
       };
     };
   };
+  # broken again
   services = {
     fprintd.enable = true; # log in using fingerprint
   };
diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age
index 41a2fe0..32fd7fe 100644
Binary files a/secrets/thinkpad/agdsn.age and b/secrets/thinkpad/agdsn.age differ
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age
index d9967a8..d7bb382 100644
Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ
diff --git a/shared/systemd.nix b/shared/systemd.nix
index c1d9105..421022d 100644
--- a/shared/systemd.nix
+++ b/shared/systemd.nix
@@ -19,4 +19,10 @@
       rebootTime = "10m";
     };
   };
+
+  # https://github.com/NixOS/nixpkgs/pull/351151#issuecomment-2440083015
+  # fix hosts using impermanence
+  boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
+  systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
+
 }
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index af2dfe8..d91e1fe 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
@@ -73,14 +73,6 @@ in
           GSSAPIAuthentication = "yes";
         };
       };
-      "gutenberg" = {
-        hostname = "ftp.agdsn.tu-dresden.de";
-        user = "r5";
-        extraOptions = {
-          VerifyHostKeyDNS = "yes";
-          GSSAPIAuthentication = "yes";
-        };
-      };
       "*.agdsn.network" = {
         user = "r5";
         extraOptions = {