diff --git a/flake.lock b/flake.lock
index 1099d0c..5b54bca 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,11 +180,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705879479,
-        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
+        "lastModified": 1706134977,
+        "narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
+        "rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
         "type": "github"
       },
       "original": {
@@ -296,11 +296,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1705677747,
-        "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
         "type": "github"
       },
       "original": {
@@ -488,11 +488,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705882164,
-        "narHash": "sha256-HAjEar8nN4HtOTEeA6LRjq40SPS84YWrfXMBBh7jCF8=",
+        "lastModified": 1705882231,
+        "narHash": "sha256-OyWYOsl876tAJ443p9lKSDIrBtq80JZ/OlmrVVdIHF4=",
         "owner": "therealr5",
         "repo": "TruckSimulatorBot",
-        "rev": "b59e230bdec747dbff7e15447cf68791a31c323f",
+        "rev": "9ae3c21b72b1f49f0b15808eb61b10600e00a845",
         "type": "github"
       },
       "original": {
diff --git a/hosts/falkenstein/modules/mail/default.nix b/hosts/falkenstein/modules/mail/default.nix
index d1aff0c..54302df 100644
--- a/hosts/falkenstein/modules/mail/default.nix
+++ b/hosts/falkenstein/modules/mail/default.nix
@@ -12,6 +12,10 @@ let
     /^\s*X-Originating-IP/ IGNORE
     /^\s*Mime-Version/ IGNORE
   '';
+  login_maps = pkgs.writeText "login_maps.pcre" ''
+    # basic username => username@rfive.de
+    /^([^@+]*)(\+[^@]*)?@rfive\.de$/ ''${1}
+  '';
 in
 {
   networking.firewall.allowedTCPPorts = [
@@ -93,6 +97,10 @@ in
           "permit_mynetworks"
           "reject_unauth_destination"
         ];
+        smtpd_sender_restrictions = [
+          "reject_authenticated_sender_login_mismatch"
+        ];
+        smtpd_sender_login_maps = [ "pcre:${login_maps}" ];
         smtp_header_checks = "pcre:${header_cleanup}";
 
         alias_maps = [ "hash:/etc/aliases" ];
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
index ec40060..86f4ff2 100644
--- a/hosts/nuc/modules/matrix/default.nix
+++ b/hosts/nuc/modules/matrix/default.nix
@@ -27,6 +27,9 @@ in
       enable = true;
       configureRedisLocally = true;
       extraConfigFiles = [ config.age.secrets."matrix/shared".path ];
+      log = {
+        root.level = "WARNING";
+      };
 
       settings = {
         server_name = config.networking.domain;
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index 6a39bcb..a900607 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@@ -14,7 +14,8 @@
   };
   services.resolved = {
     enable = true;
-    dnssec = "true";
+    # dnssec is broken
+    # dnssec = "true";
     fallbackDns = [
       "9.9.9.9"
       "149.112.112.112"
diff --git a/hosts/nuc/modules/prometheus/default.nix b/hosts/nuc/modules/prometheus/default.nix
index 2b068b7..3d4f2af 100644
--- a/hosts/nuc/modules/prometheus/default.nix
+++ b/hosts/nuc/modules/prometheus/default.nix
@@ -10,7 +10,7 @@ in
         enable = true;
         enabledCollectors = [ "systemd" ];
       };
-      postgres.enable = true;
+      # postgres.enable = true;
     };
     scrapeConfigs = [
       {
@@ -21,14 +21,14 @@ in
           }
         ];
       }
-      {
-        job_name = "postgres";
-        static_configs = [
-          {
-            targets = [ "127.0.0.1:${toString exportersConfig.postgres.port}" ];
-          }
-        ];
-      }
+      # {
+      #   job_name = "postgres";
+      #   static_configs = [
+      #     {
+      #       targets = [ "127.0.0.1:${toString exportersConfig.postgres.port}" ];
+      #     }
+      #   ];
+      # }
     ];
 
   };
diff --git a/users/rouven/modules/helix/default.nix b/users/rouven/modules/helix/default.nix
index 5ea866f..2fc2ee1 100644
--- a/users/rouven/modules/helix/default.nix
+++ b/users/rouven/modules/helix/default.nix
@@ -5,6 +5,7 @@
     lldb
     rust-analyzer
     rnix-lsp
+    typst-lsp
     (python3.withPackages (ps: with ps; [
       pyls-isort
       pylsp-mypy
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index e538165..b20a00e 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -53,6 +53,7 @@
     mosh
     ansible
     plover.dev
+    typst
 
     # programming languages
     cargo
@@ -63,6 +64,7 @@
     nodejs_20
     gnumake
     go
+    just
 
   ];