diff --git a/newinfra/README.md b/newinfra/README.md index 2a8c0bc..fe67e82 100644 --- a/newinfra/README.md +++ b/newinfra/README.md @@ -24,6 +24,18 @@ All records are fully static, generated in the NixOS config. ## HTTP(S) -Right now, there's only a single server (`vps1`) serving Caddy. +stuff. -In the future, there might be a second one in a shared-storage HA setup (with a postgres cluster probably)? +## provisioning + +NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image. + +> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). +> Run `hostname something_without_dots` before running the script. +> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. + +``` +hostname tmp +curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect +bash nixos-infect +``` diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index b8764bd..0ed67e4 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -23,7 +23,7 @@ wg = { privateIP = "10.0.0.1"; publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; - peers = [ "vps3" ]; + peers = [ "vps3" "vps4" ]; }; }; vps3 = { @@ -32,7 +32,16 @@ wg = { privateIP = "10.0.0.3"; publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0="; - peers = [ "vps1" ]; + peers = [ "vps1" "vps4" ]; + }; + }; + vps4 = { + publicIPv4 = "195.201.147.17"; + publicIPv6 = "2a01:4f8:1c1c:cb18::"; + wg = { + privateIP = "10.0.0.5"; + publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs="; + peers = [ "vps1" "vps3" ]; }; }; }; 
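Review bot: The new vps4 entry records `publicIPv6 = "2a01:4f8:1c1c:cb18::"` while the eth0 definition later in this diff (hive.nix hunk @@ -131) assigns `2a01:4f8:1c1c:cb18::1`, so anything generated from publicIPv6 (the README states DNS records are generated from this config) would point at the all-zeros address of the /64 rather than the host; change it to `publicIPv6 = "2a01:4f8:1c1c:cb18::1";` unless the bare prefix is deliberate. The wg `privateIP = "10.0.0.5"` also breaks the visible vps1→10.0.0.1, vps3→10.0.0.3 pattern; if 10.0.0.4 is reserved for something, a short comment saying so would prevent a later collision. The surrounding node attribute set starts outside the hunk.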
@@ -62,7 +71,7 @@ # The name and nodes parameters are supported in Colmena, # allowing you to reference configurations in other nodes. - deployment.tags = [ "dns" "us" ]; + deployment.tags = [ "dns" "us" "contabo" ]; system.stateVersion = "23.11"; }; dns2 = { name, nodes, modulesPath, lib, ... }: { @@ -71,7 +80,7 @@ ./modules/dns ]; - deployment.tags = [ "dns" "eu" ]; + deployment.tags = [ "dns" "eu" "hetzner" ]; system.stateVersion = "23.11"; boot.loader.grub.device = "/dev/sda"; @@ -123,7 +132,7 @@ age.secrets.docker_registry_password.file = ./secrets/docker_registry_password.age; - deployment.tags = [ "ingress" "eu" "apps" "wg" ]; + deployment.tags = [ "ingress" "eu" "apps" "wg" "contabo" ]; system.stateVersion = "23.11"; }; vps3 = { name, nodes, modulesPath, config, ... }: { 
@@ -131,9 +140,68 @@ (modulesPath + "/profiles/qemu-guest.nix") ./modules/contabo ./modules/wg-mesh + ./modules/ingress ]; deployment.tags = [ "eu" "apps" "wg" ]; system.stateVersion = "23.11"; }; + vps4 = { lib, modulesPath, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/ingress + ./modules/wg-mesh + ]; + + deployment.tags = [ "eu" "apps" "hetzner" ]; + system.stateVersion = "23.11"; + + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + + # This file was populated at runtime with the networking + # details gathered from the active system. + networking = { + nameservers = [ + "8.8.8.8" + ]; + defaultGateway = "172.31.1.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; + dhcpcd.enable = false; + usePredictableInterfaceNames = lib.mkForce false; + interfaces = { + eth0 = { + ipv4.addresses = [ + { address = "195.201.147.17"; prefixLength = 32; } + ]; + ipv6.addresses = [ + { address = "2a01:4f8:1c1c:cb18::1"; prefixLength = 64; } + { address = "fe80::9400:3ff:fe95:a9e4"; prefixLength = 64; } + ]; + ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }]; + ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }]; + }; + + }; + }; + services.udev.extraRules = '' + ATTR{address}=="96:00:03:95:a9:e4", NAME="eth0" + + ''; + }; + /*vps5 = { name, nodes, modulesPath, config, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./modules/contabo + ./modules/ingress + ]; + + deployment.tags = [ "eu" "apps" "wg" ]; + system.stateVersion = "23.11"; + };*/ } diff --git a/newinfra/nix/modules/default/default.nix b/newinfra/nix/modules/default/default.nix index 6070161..3a5980a 100644 --- a/newinfra/nix/modules/default/default.nix +++ b/newinfra/nix/modules/default/default.nix 
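Review bot: vps4 imports ./modules/wg-mesh but its tags are `[ "eu" "apps" "hetzner" ]` without `"wg"`, and both vps3 and vps4 now import ./modules/ingress without the `"ingress"` tag that vps1 carries, so any targeted deploy or grouping keyed on those tags (inferred from vps1's tag set) would miss them; `deployment.tags = [ "eu" "apps" "wg" "ingress" "hetzner" ];` for vps4, and adding `"ingress"` to vps3, keeps the tags consistent with the module lists. The commented-out vps5 block is a stale copy of configuration inside the node set; if it is a placeholder, a one-line comment describing what vps5 is reserved for carries the intent without the dead code. The enclosing attribute set starts outside the hunk and closes on its last line.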
@@ -23,6 +23,7 @@ services.openssh = { enable = true; + openFirewall = true; banner = "meoooooow!! 😼 :3\n"; settings = { PasswordAuthentication = false; diff --git a/newinfra/nix/modules/dns/default.nix b/newinfra/nix/modules/dns/default.nix index 4f28471..085a82a 100644 --- a/newinfra/nix/modules/dns/default.nix +++ b/newinfra/nix/modules/dns/default.nix @@ -2,8 +2,8 @@ # get the package for the debugging tools environment.systemPackages = with pkgs; [ knot-dns ]; - networking.firewall.allowedUDPPortRanges = [ - { from = 53; to = 53; } + networking.firewall.allowedUDPPorts = [ + 53 ]; nixpkgs.overlays = [ diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix index 5ca23c0..399c802 100644 --- a/newinfra/nix/modules/ingress/default.nix +++ b/newinfra/nix/modules/ingress/default.nix @@ -1,6 +1,5 @@ { pkgs, config, ... }: { networking.firewall.allowedTCPPorts = [ - 22 443 ]; diff --git a/newinfra/nix/modules/wg-mesh/default.nix b/newinfra/nix/modules/wg-mesh/default.nix index 862462d..c3677b9 100644 --- a/newinfra/nix/modules/wg-mesh/default.nix +++ b/newinfra/nix/modules/wg-mesh/default.nix @@ -19,6 +19,10 @@ in in builtins.listToAttrs wgHostEntries; + networking.firewall.allowedUDPPorts = [ + listenPort + ]; + age.secrets.wg_private.file = ../../secrets/wg_private_${name}.age; networking.wg-quick.interfaces = { wg0 = { @@ -33,6 +37,8 @@ in inherit (peerConfig) publicKey; endpoint = "${peer}.infra.noratrieb.dev:${toString listenPort}"; allowedIPs = [ "${peerConfig.privateIP}/32" ]; + # sometimes there's some weirdness....?? + persistentKeepalive = 25; } ) wgSettings.peers; diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 334b141..0f0beef 100644 --- a/newinfra/nix/secrets/docker_registry_password.age +++ b/newinfra/nix/secrets/docker_registry_password.age 
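Review bot: `openFirewall = true` in the default module opens every port in `services.openssh.ports` on all interfaces of every node importing it, while the ingress hunk in this diff removes the explicit 22, so SSH exposure moves from ingress hosts only to every host (dns nodes included, assuming they import this module). That is probably intended since colmena deploys over SSH, but a comment on the line, `# every node is deployed over SSH, so the port is opened here rather than per role`, would keep a later cleanup from narrowing it back. The services.openssh block continues outside the hunk.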
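Review bot: The rewritten rule only opens UDP 53; if TCP 53 is not opened elsewhere in this module (the hunk does not show it), clients that receive a truncated UDP answer cannot retry over TCP and zone transfers to secondaries cannot complete. If that is the case, `networking.firewall.allowedTCPPorts = [ 53 ];` next to the new UDP list closes the gap. The module's attribute set continues outside the hunk.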
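Review bot: The comment `# sometimes there's some weirdness....??` does not tell a later reader why `persistentKeepalive = 25` is there; the keepalive sends a packet every 25 s so a stateful firewall or NAT between peers keeps the UDP mapping open and traffic initiated by the other side still arrives, which is also what makes the newly opened `listenPort` usable across such middleboxes. Replace it with `# 25s keepalive keeps NAT/stateful-firewall mappings open so peers stay reachable from both sides`. The map function and its enclosing attribute set start and end outside the hunk.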
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg Mi5DHbfLOMSQaKaB78XZbA273KGvj/HHF4vOiMRsMjA -Zf7+IY93cTywmg7qjGyQ00YLJTc3MstQKyfFfpDqWic ---- KCKAhA7w141LPjEGSUI/azd8YFPn2EJWPGTyYXlnX+4 -P_g$vCh/jz:chd#WcijE3k>t` \ No newline at end of file +-> ssh-ed25519 qM6TYg YI3rrnP9953xk8JnzhJSZR+tKaD6C3sCXJBiX0+KCHE +CIfSlpyqhS66umh4/nv7v6qH5mqz2xh2AeDW19CGbYs +--- 889zGO43+oX2nau25zROguc37dsi38Bnyzw/shG1x5g +o]̗yNd_Ɨ+wBi sE 5 y^`[5 \ No newline at end of file diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index adc8f3c..dc61b07 100644 --- a/newinfra/nix/secrets/hugochat_db_password.age +++ b/newinfra/nix/secrets/hugochat_db_password.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg f2NnXHIO+lzuRNlvp70HCjFET8cqwLrQjEdXkK4wVgg -HAUu/GGX/UHewWbCXfaiYx5h8xyLXN/Y3kTYHn+GT5M ---- tx0L90qNb6i1Bv1P5QsZUNu7FKQT3j09h/T1QDdwRZ8 -caUqb!fFǔ UAi{ϔ|9?[bHpAn^g 0ӓ;Ɯ:yum杸 \ No newline at end of file +-> ssh-ed25519 qM6TYg vcUglH0m/mdME6tSzfZy3orW55ks1wZZAVqPe01ln0I +Pbei2lMfgS+6N148qggu3DYUTnusItfVDqXGFqD9l8g +--- qnH/lD17esiKbMH5M1wwJiq7cMmXXh4SQneeRNDiMPk +t8i~ !ެs?t/1+4:07R2wohQB4pt!9#Gd#d)3ňШZﳢHyK \ No newline at end of file diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index 5e1edbd..13d69b4 100644 Binary files a/newinfra/nix/secrets/minio_env_file.age and b/newinfra/nix/secrets/minio_env_file.age differ diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index 1630851..1fad625 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -1,6 +1,7 @@ let vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R"; vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C"; + vps4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpoLgBTWj1BcNxXVdM26jDBZl+BCtUTj20Wv4sZdCHz"; in { "widetom_bot_token.age".publicKeys = [ vps1 ]; 
@@ -10,4 +11,5 @@ in "minio_env_file.age".publicKeys = [ vps1 vps3 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; + "wg_private_vps4.age".publicKeys = [ vps4 ]; } diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index 7421c7e..527a63f 100644 Binary files a/newinfra/nix/secrets/wg_private_vps1.age and b/newinfra/nix/secrets/wg_private_vps1.age differ diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index c36bd97..603303c 100644 Binary files a/newinfra/nix/secrets/wg_private_vps3.age and b/newinfra/nix/secrets/wg_private_vps3.age differ diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age new file mode 100644 index 0000000..33c4f44 --- /dev/null +++ b/newinfra/nix/secrets/wg_private_vps4.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 51bcvA ZldYAoisAZWIno1rtaRlkMaBL6+wN2M+RsxSqdFS/Ww +hAxVR0kTHdHh8VVXn1DA+pPrnTNe32/7hk7vG6BYFlA +--- eY4N6LUcdlFI1fsc9QzOVt8eMZdC8/SReSaiEsk60YQ +=$uC%`Ƶ>H6,]cOE|Dy5͊10t-⩼+:ZfY \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 586cbc5..ba8eb5c 100644 --- a/newinfra/nix/secrets/widetom_bot_token.age +++ b/newinfra/nix/secrets/widetom_bot_token.age 
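Review bot: The vps4 WireGuard private key is committed twice in this diff: as `wg_private_vps4.age`, encrypted only to the vps4 host key per this hunk, and as `newinfra/secrets-git-crypt/wg_private_vps4`, which anyone holding the repository's git-crypt key can read. Two copies under different recipient sets mean two places to rotate and a wider decryption audience than the age rule expresses; if the git-crypt copy is only a bootstrap artefact, a comment on this line such as `# canonical copy; secrets-git-crypt/ holds a bootstrap duplicate - rotate both together` or dropping one of the copies would make ownership explicit. The `in { ... }` attribute set starts outside the hunk.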
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg ftpW/zGgZcGI6jnmrkYlOO9bjMNHO7vk/WJIlCQzYTE -LXRiwiUinl5HTt9ZfA+HQlSIL5K1TXFzLQXigEajU38 ---- pE7CTJBICuROEQUVmK3hDad8yoiurMXvkizsAuZn6HA -МN&ʑҙiD4QSdZmSI D$IdC}Yj.-HN;[}d| \ No newline at end of file +-> ssh-ed25519 qM6TYg bHq26LyOxpLO6+kmuVS2eeRyX69kfX/iRRpGf7E9EQA +6bmUzKiz+snI83v0ZhY8WkyIKMU1fkzs8Z4OEimeRrk +--- 9RLCCX/0iiNdeSN8gy1gsXBW17/YTKJStxFVo/i5+zw +(%B$ǂ#gkV,aJб4ekq2\w)/b~5RVf_:ج'h%[EX Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). -> Run `hostname something_without_dots` before running the script. -> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. - -``` -hostname tmp -curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect -bash nixos-infect -``` diff --git a/newinfra/secrets-git-crypt/wg_private_vps4 b/newinfra/secrets-git-crypt/wg_private_vps4 new file mode 100644 index 0000000..aded769 Binary files /dev/null and b/newinfra/secrets-git-crypt/wg_private_vps4 differ