diff --git a/apps/prometheus/prometheus.yml b/apps/prometheus/prometheus.yml deleted file mode 100644 index c251853..0000000 --- a/apps/prometheus/prometheus.yml +++ /dev/null @@ -1,12 +0,0 @@ -global: - scrape_interval: 15s # By default, scrape targets every 15 seconds. - - # Attach these labels to any time series or alerts when communicating with - # external systems (federation, remote storage, Alertmanager). - external_labels: - monitor: 'codelab-monitor' - -scrape_configs: - - job_name: 'bisect' - static_configs: - - targets: ['cargo_bisect_rustc_service:4001'] diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index 5ad7694..3de4891 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -18,12 +18,22 @@ dns1 = { publicIPv4 = "154.38.163.74"; publicIPv6 = null; + wg = { + privateIP = "10.0.1.1"; + publicKey = "7jy2q93xYBHG5yKqLmNuMWSuFMnUGWXVuKQ1yMmxoV4="; + peers = [ "vps3" ]; + }; }; dns2 = { publicIPv4 = "128.140.3.7"; # somehow this doesnt quite work yet, keep it out of DNS records #publicIPv6 = "2a01:4f8:c2c:d616::"; publicIPv6 = null; + wg = { + privateIP = "10.0.1.2"; + publicKey = "yfOc/q5M+2DWPoZ4ZgwrTYYkviQxGxRWpcBCDcauDnc="; + peers = [ "vps3" ]; + }; }; vps1 = { publicIPv4 = "161.97.165.1"; @@ -40,7 +50,7 @@ wg = { privateIP = "10.0.0.3"; publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0="; - peers = [ "vps1" "vps4" "vps5" ]; + peers = [ "vps1" "vps4" "vps5" "dns1" "dns2" ]; }; }; vps4 = { @@ -86,6 +96,7 @@ (modulesPath + "/profiles/qemu-guest.nix") ./modules/contabo ./modules/dns + ./modules/wg-mesh ]; # The name and nodes parameters are supported in Colmena, @@ -97,6 +108,7 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./modules/dns + ./modules/wg-mesh ]; deployment.tags = [ "dns" "eu" "hetzner" ]; diff --git a/newinfra/nix/modules/dns/default.nix b/newinfra/nix/modules/dns/default.nix index 085a82a..3326e9a 100644 --- a/newinfra/nix/modules/dns/default.nix +++ b/newinfra/nix/modules/dns/default.nix 
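Review bot: The new dns1/dns2 `wg` entries put the DNS hosts on 10.0.1.x while every existing node sits in 10.0.0.x, and their `peers` lists contain only vps3, so reachability of the new scrape targets depends entirely on how ./modules/wg-mesh (not in this diff) derives the interface address and the per-peer AllowedIPs. If that module assigns the interface with a /24 mask or builds AllowedIPs from the peer's subnet, vps3 will have no route into 10.0.1.0/24 and the `dns1.local:9100` / `:9433` targets added in the prometheus module will silently stay down; confirm the mask is wide enough (or AllowedIPs are /32 per peer) before deploying. The second hunk does add dns1/dns2 to vps3's peer list, so the pairing is symmetric, but nothing states that the DNS hosts are deliberately not part of the full mesh. A short comment on the dns1 entry would make that explicit: `# dns hosts use 10.0.1.0/24 and peer only with vps3 (prometheus); not part of the full vps mesh`.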
@@ -39,4 +39,10 @@ ''; }; }; + + networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9433 ]; # metrics + services.prometheus.exporters.knot = { + enable = true; + port = 9433; + }; } diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix index 0cf899e..397f2d2 100644 --- a/newinfra/nix/modules/dns/noratrieb.dev.nix +++ b/newinfra/nix/modules/dns/noratrieb.dev.nix @@ -42,7 +42,6 @@ let www = vps1; # --- legacy crap - vps2 = vps2; # TODO REMOVE old-docker = vps2; # --- apps diff --git a/newinfra/nix/modules/garage/default.nix b/newinfra/nix/modules/garage/default.nix index 80a15ae..13c616a 100644 --- a/newinfra/nix/modules/garage/default.nix +++ b/newinfra/nix/modules/garage/default.nix @@ -1,7 +1,10 @@ { config, pkgs, name, ... }: { age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age; - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3901 ]; + networking.firewall.interfaces.wg0.allowedTCPPorts = [ + 3901 # RPC + 3903 # admin for metrics + ]; services.garage = { enable = true; diff --git a/newinfra/nix/modules/prometheus/default.nix b/newinfra/nix/modules/prometheus/default.nix index e591593..7541000 100644 --- a/newinfra/nix/modules/prometheus/default.nix +++ b/newinfra/nix/modules/prometheus/default.nix @@ -12,6 +12,8 @@ { job_name = "node"; static_configs = [ + { targets = [ "dns1.local:9100" ]; } + { targets = [ "dns2.local:9100" ]; } { targets = [ "vps1.local:9100" ]; } { targets = [ "vps3.local:9100" ]; } { targets = [ "vps4.local:9100" ]; } @@ -33,6 +35,22 @@ { targets = [ "vps1.local:9011" ]; } ]; } + { + job_name = "garage"; + static_configs = [ + { targets = [ "vps1.local:3903" ]; } + { targets = [ "vps3.local:3903" ]; } + { targets = [ "vps4.local:3903" ]; } + { targets = [ "vps5.local:3903" ]; } + ]; + } + { + job_name = "knot"; + static_configs = [ + { targets = [ "dns1.local:9433" ]; } + { targets = [ "dns2.local:9433" ]; } + ]; + } ]; }; 
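Review bot: The knot exporter is enabled without a `listenAddress`, so it binds to the NixOS exporter default (0.0.0.0) and only the `networking.firewall.interfaces.wg0` rule keeps it off the public interface of an authoritative DNS host that is directly exposed on 154.38.163.74 / 128.140.3.7. Binding it to the WireGuard address as well costs one line and survives a firewall mistake, e.g. `listenAddress = "10.0.1.1";` (better: derive it from the node's `wg.privateIP` in hive.nix rather than hard-coding per host). The `# metrics` comment on the firewall line should also say who the consumer is: `# knot exporter, scraped by prometheus (vps3) over wg0`. The enclosing module attribute set starts before this hunk.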
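Review bot: Port 3903 is Garage's admin API, not a metrics-only endpoint: besides `/metrics` it serves the cluster-management calls, and opening it on wg0 exposes them to every mesh peer rather than just the Prometheus host. Whether that is acceptable depends on `admin_token` and `metrics_token` being set in garage_secrets.age, which is binary here and cannot be checked; note that the new `garage` scrape job in the prometheus module sends no bearer token, so either `metrics_token` is unset (metrics readable by any peer) or the scrape will fail with 401 — one of the two should be fixed deliberately. If mesh-wide exposure is not intended, narrow the rule to the scraper's address via `networking.firewall.extraCommands` instead of `allowedTCPPorts`. The comment `# admin for metrics` understates what is opened; I would write `# admin API (also serves /metrics) — mesh-wide, gated only by admin_token/metrics_token`.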
diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age index a9bf784..9a940bb 100644 Binary files a/newinfra/nix/secrets/caddy_s3_key_secret.age and b/newinfra/nix/secrets/caddy_s3_key_secret.age differ diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 9064b3d..110e8d2 100644 Binary files a/newinfra/nix/secrets/docker_registry_password.age and b/newinfra/nix/secrets/docker_registry_password.age differ diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age index 6d72f56..1d1e8f8 100644 Binary files a/newinfra/nix/secrets/garage_secrets.age and b/newinfra/nix/secrets/garage_secrets.age differ diff --git a/newinfra/nix/secrets/grafana_admin_password.age b/newinfra/nix/secrets/grafana_admin_password.age index 9860b55..2ff5b1e 100644 Binary files a/newinfra/nix/secrets/grafana_admin_password.age and b/newinfra/nix/secrets/grafana_admin_password.age differ diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index f9aa17e..cdc3a42 100644 Binary files a/newinfra/nix/secrets/hugochat_db_password.age and b/newinfra/nix/secrets/hugochat_db_password.age differ diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index 5328ccb..a214dce 100644 Binary files a/newinfra/nix/secrets/minio_env_file.age and b/newinfra/nix/secrets/minio_env_file.age differ diff --git a/newinfra/nix/secrets/registry_htpasswd.age b/newinfra/nix/secrets/registry_htpasswd.age index ef92c62..3491858 100644 Binary files a/newinfra/nix/secrets/registry_htpasswd.age and b/newinfra/nix/secrets/registry_htpasswd.age differ 
diff --git a/newinfra/nix/secrets/registry_s3_key_secret.age b/newinfra/nix/secrets/registry_s3_key_secret.age index e967f62..f3b5145 100644 Binary files a/newinfra/nix/secrets/registry_s3_key_secret.age and b/newinfra/nix/secrets/registry_s3_key_secret.age differ diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index f372d15..46de4d9 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -1,4 +1,6 @@ let + dns1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBKoyDczFntyQyWj47Z8JeewKcCobksd415WM1W56eS"; + dns2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ1yLdDhI2Vou/9qrPIUP8RU8Sg0WxLI2njtP5hkdL7"; vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R"; vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C"; vps4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpoLgBTWj1BcNxXVdM26jDBZl+BCtUTj20Wv4sZdCHz"; @@ -15,6 +17,8 @@ in "registry_htpasswd.age".publicKeys = [ vps1 ]; "registry_s3_key_secret.age".publicKeys = [ vps1 ]; "grafana_admin_password.age".publicKeys = [ vps3 ]; + "wg_private_dns1.age".publicKeys = [ dns1 ]; + "wg_private_dns2.age".publicKeys = [ dns2 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; diff --git a/newinfra/nix/secrets/wg_private_dns1.age b/newinfra/nix/secrets/wg_private_dns1.age new file mode 100644 index 0000000..2e5b93b --- /dev/null +++ b/newinfra/nix/secrets/wg_private_dns1.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 LZU5Eg pVN2rgdPyq31DrUEiwYgqNyWrFie0pvW5g1gRC8o4lc +asCocO7XssxBm9XbE7H0OfOekU1XkdZhyFwLEfVRAy0 +--- nlmoVm1A2xNAD4bZ5WHuI9sJbbr3RKyAa02d5aZUOzg +iٜBvL<^UTڮ ' yܱY]OR#O@г|W$_y+<̍&v{ \ No newline at end of file 
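Review bot: Each new WireGuard private key now exists twice in the repository: as `wg_private_dns{1,2}.age`, encrypted only to the host's own SSH key per the recipient lists added in the second hunk, and as a git-crypt file under `newinfra/secrets-git-crypt/` added in the same commit. Anyone holding the git-crypt key can therefore recover every node's WireGuard identity, which undercuts the per-host recipient model this file expresses; if the plaintext copy exists only to allow re-encryption, adding an admin age recipient to these entries and dropping the duplicate would give the same capability with one fewer key hierarchy. Either way the intended source of truth should be written down, e.g. at the top of the `let` block: `# recipients are host keys only; rekeying needs the plaintexts in ../../secrets-git-crypt (git-crypt key holders can read all of them)`. The `let` block and the `in` attribute set both extend beyond these hunks.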
diff --git a/newinfra/nix/secrets/wg_private_dns2.age b/newinfra/nix/secrets/wg_private_dns2.age new file mode 100644 index 0000000..8e6bee9 Binary files /dev/null and b/newinfra/nix/secrets/wg_private_dns2.age differ diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index e2ea459..503abb0 100644 Binary files a/newinfra/nix/secrets/wg_private_vps1.age and b/newinfra/nix/secrets/wg_private_vps1.age differ diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index aabf1dd..1ca6758 100644 Binary files a/newinfra/nix/secrets/wg_private_vps3.age and b/newinfra/nix/secrets/wg_private_vps3.age differ diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age index a4fb419..16471ae 100644 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ b/newinfra/nix/secrets/wg_private_vps4.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 51bcvA cvlpm3reQDmA9Faca2wB1M8a4diEUTAYnZ7scmbt+i0 -DNQrAzPoVvbDR7UVCft8m/6kjHySIpT1l+xl22TW9bk ---- PELEXNV7Ottz1Jgc+5U0ew9t2YEKfUVSsiaYehvwqnc -WLe7M?V69)Y%y1J(u눿0)x@Y~h┈Y5Nd \ No newline at end of file +-> ssh-ed25519 51bcvA ji2zWkOp9u2bor9xScXWckGZN3733piHLN/gd+quiW0 +uzciBDLzZiizL3fFbn3vjiIoHGJWdFlHff3vjSWHs7g +--- fE0bz9m5izwJX90w3RjhmzNaCPuKjhpM5M0qngI9c/A +/3^'%(֡!keG`bڍ깯J0L.дʝpes,1ȷ \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index 39e89f5..5a1296f 100644 --- a/newinfra/nix/secrets/wg_private_vps5.age +++ b/newinfra/nix/secrets/wg_private_vps5.age 
@@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 vT7ExA ZtMI/PoOE6fF7heY5Eq12bhzgn/ViE/PzeLRJlFOZxo -kdRK08mwj0vCjhvJzX4TmI4H0dnRbnDC7kK+U7BW4mM ---- QSYK8SFsCQK0hrCG2ZjAG3KIpXPQTJqolMLj6aWHkcs - ՚bCCxT>Ine3Fn.=V~(G8ӚGi(3Yd:eu \ No newline at end of file +-> ssh-ed25519 vT7ExA XLzlq29RuNTBKTbK/zDa6hISekIGx+deGh34/q+jqWU +OsWQtxeRD+6ILJ+X/PNvYFV4CO+BJ+JK5VCHjRHSseY +--- LNaTQFOLpwFhtjPmpUsgrm0zhmNcAPMWG/AuhCzQJsk +̢*[, 5*qD_76D6R-m:0) +~dхPb%'] \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 0fea19d..8fedc8f 100644 Binary files a/newinfra/nix/secrets/widetom_bot_token.age and b/newinfra/nix/secrets/widetom_bot_token.age differ diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age index 2730076..7ae49df 100644 Binary files a/newinfra/nix/secrets/widetom_config_toml.age and b/newinfra/nix/secrets/widetom_config_toml.age differ diff --git a/newinfra/secrets-git-crypt/garage_secrets b/newinfra/secrets-git-crypt/garage_secrets index 428cb5a..f1a12ab 100644 Binary files a/newinfra/secrets-git-crypt/garage_secrets and b/newinfra/secrets-git-crypt/garage_secrets differ diff --git a/newinfra/secrets-git-crypt/wg_private_dns1 b/newinfra/secrets-git-crypt/wg_private_dns1 new file mode 100644 index 0000000..9142100 Binary files /dev/null and b/newinfra/secrets-git-crypt/wg_private_dns1 differ diff --git a/newinfra/secrets-git-crypt/wg_private_dns2 b/newinfra/secrets-git-crypt/wg_private_dns2 new file mode 100644 index 0000000..6b1311d Binary files /dev/null and b/newinfra/secrets-git-crypt/wg_private_dns2 differ