diff --git a/.gitattributes b/.gitattributes index d688e0f..1a9fc77 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,3 +3,4 @@ /secrets/** filter=git-crypt diff=git-crypt /newinfra/secrets-git-crypt/** filter=git-crypt diff=git-crypt +/secrets-git-crypt/** filter=git-crypt diff=git-crypt diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml deleted file mode 100644 index f18fb9f..0000000 --- a/.github/workflows/apply.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Run playbooks - -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - name: Run playbooks - steps: - - uses: actions/checkout@8b5e8b768746b50394015010d25e690bfab9dfbc # v3.6.0 - - name: Unlock secrets - uses: sliteteam/github-action-git-crypt-unlock@8b1fa3ccc81e322c5c45fbab261eee46513fd3f8 # v1.2.0 - env: - GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY_BASE64 }} - - name: Run Ansible playbook - uses: dawidd6/action-ansible-playbook@260ab3adce54d53c5db8f1b2eed1380ae5c73fea # v2.6.1 - with: - playbook: all.yml - directory: playbooks - key: ${{ secrets.VPS_DEPLOY_KEY }} - known_hosts: | - vps1.nilstrieb.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjiNfzZQpN2KWd1LSM/LL+dLx8snlCV6jYys+W4NOBH - vps2.nilstrieb.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzt3OZAOG2sih8T9Bhoqg8ANBP5ZX60z0xmUW4cBWvX - options: | - --inventory inventory.yml - -u root diff --git a/Dockerfile.test b/Dockerfile.test deleted file mode 100644 index 449fd74..0000000 --- a/Dockerfile.test +++ /dev/null @@ -1 +0,0 @@ -FROM scratch \ No newline at end of file diff --git a/README.md b/README.md index fd16598..4093fce 100644 --- a/README.md +++ b/README.md 
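Review bot: The .gitattributes hunk adds `/secrets-git-crypt/** filter=git-crypt diff=git-crypt` but keeps the rule for `/newinfra/secrets-git-crypt/**`, a path under the `newinfra/` tree that this commit is otherwise moving to the repository root. If that directory moves as well (not visible in this part of the diff), the old rule is dead and should be dropped by removing the line `/newinfra/secrets-git-crypt/** filter=git-crypt diff=git-crypt`. The clean filter runs when a file is staged, so before pushing it is worth confirming with `git-crypt status` that every file under the new path is reported as encrypted.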
@@ -1,39 +1,30 @@ -# Infra setup +# new infra -## TODOS +New infra based on more servers and more shit. -There are many todos here. First, grep this codebase for `todo`. In addition to that: +All servers have their hostname as their name here and are reachable via `$hostname.infra.noratrieb.dev`. +They will have different firewall configurations depending on their roles. -- backups -- data replication across the two servers. i have two servers, let's use that power. maybe rsync or something like that? -## server?? +## DNS -Each VPS has a caddy running _on the host_, not inside docker. It's the entrypoint to the stuff. -Everything else runs in a docker container via docker compose. +Two [knot-dns](https://www.knot-dns.cz/) nameservers (`dns1`, `dns2`). +All records are fully static, generated in the NixOS config. -## extra setup +## HTTP(S) -every app needs some secrets in places. +stuff. -there are also "global secrets" used for the docker-compose, for example -for env vars. those should be placed in `/apps/.env`. +## provisioning -Right now the global secrets are +NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image. + +> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). +> Run `hostname something_without_dots` before running the script. +> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. ``` -KILLUA_BOT_TOKEN= -HUGO_CHAT_DB_PASSWORD= +hostname tmp +curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect +bash nixos-infect ``` - -## things that shall not be forgotten - -there once was some custom k8s cluster setup in `./k8s-cluster`. it was incomplete and pretty cursed. - -also some kubernetes config in `./kube`. why. - -gloriously not great docker configs in `./docker`. - -`nginx`, `registry` with config for the two. 
- -`run_scripts` with not good scripts for starting containers. diff --git a/ci/build.sh b/ci/build.sh index 7a40715..e5c7a26 100755 --- a/ci/build.sh +++ b/ci/build.sh @@ -7,9 +7,9 @@ APP="$1" if [ "$APP" = "hugo-chat" ]; then REPO="https://github.com/C0RR1T/HugoChat.git" elif [ "$APP" = "cors" ]; then - REPO="https://github.com/nilstrieb-lehre/davinci-cors.git" + REPO="https://github.com/noratrieb-lehre/davinci-cors.git" else - REPO="https://github.com/Nilstrieb/$APP.git" + REPO="https://github.com/Noratrieb/$APP.git" fi echo "Checking out $REPO" diff --git a/misc/vps_deploy_key.pub b/misc/vps_deploy_key.pub deleted file mode 100644 index ce48e01..0000000 --- a/misc/vps_deploy_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Yl4+vAFgN+d82emRY8tHDgM7Pp0rLIsKBZku+YUsd vps-deploy-key diff --git a/newinfra/README.md b/newinfra/README.md deleted file mode 100644 index fe67e82..0000000 --- a/newinfra/README.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# new infra - -New infra based on more servers and more shit. - -All servers have their hostname as their name here and are reachable via `$hostname.infra.noratrieb.dev`. -They will have different firewall configurations depending on their roles. - -``` - --------- -------- -| dns1 | | dns2 | --------- -------- - --------- -| vps1 | --------- - -``` - -## DNS - -Two [knot-dns](https://www.knot-dns.cz/) nameservers (`dns1`, `dns2`). -All records are fully static, generated in the NixOS config. - -## HTTP(S) - -stuff. - -## provisioning - -NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image. - -> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here). -> Run `hostname something_without_dots` before running the script. -> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname. - -``` -hostname tmp -curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect -bash nixos-infect -``` diff --git a/newinfra/nix/apps/openolat/extra-properties.properties b/newinfra/nix/apps/openolat/extra-properties.properties deleted file mode 100644 index 17343fa..0000000 --- a/newinfra/nix/apps/openolat/extra-properties.properties +++ /dev/null @@ -1 +0,0 @@ -enforce.utf8.filesystem=false diff --git a/newinfra/nix/secrets/backup_s3_secret.age b/newinfra/nix/secrets/backup_s3_secret.age deleted file mode 100644 index 6e4b2ae..0000000 Binary files a/newinfra/nix/secrets/backup_s3_secret.age and /dev/null differ diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age deleted file mode 100644 index a0e5c46..0000000 Binary files a/newinfra/nix/secrets/caddy_s3_key_secret.age and /dev/null differ 
diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age deleted file mode 100644 index 3d42d33..0000000 --- a/newinfra/nix/secrets/docker_registry_password.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qM6TYg QziuzHQxmWyRdv8dUPBWTgnMxFtqR6ttP16Z3XdvD3Y -Krxmha5J+gTU0DjzPDTDIwz1mW0Q84XR2FgQyPm4bf4 ---- t4Mea1Y35o5t2dhREnp8Zq1AyR4DAWMFW7Vv3CkgGKw -lTS+Ƴ6yrOn&c`ϰ :7V-tfpuwIw \ No newline at end of file diff --git a/newinfra/nix/secrets/forgejo_s3_key_secret.age b/newinfra/nix/secrets/forgejo_s3_key_secret.age deleted file mode 100644 index 6bfaa64..0000000 --- a/newinfra/nix/secrets/forgejo_s3_key_secret.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qM6TYg ecu0Ic6o+WyT7XhZPo0Yf46bOye2LAgnJ5MxFPTY/E0 -JqJCtQmtxgktMl/4HsHh0uRp/rzEoqT9Z81H9v1RXio ---- /CmBzuDf0AcCk6rAvEh5SmIMxpwCTjfj9IQtRLv5qYA -}=5i -#4bpzCajnBN%nOGKϔ'Z>TًM<}//}|u5s* \ No newline at end of file diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age deleted file mode 100644 index 57eb61b..0000000 --- a/newinfra/nix/secrets/garage_secrets.age +++ /dev/null @@ -1,12 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qM6TYg B17o68OCsoljQLd4yLx1gZbt9zsFhQE8/QJeZ3Gx+AI -ADxN8iqNN5ApzHMtIXMnMTN4qe/7ba+ZoqkpHDpq9dE --> ssh-ed25519 XzACZQ Jp5WvbUVmfecvN95vM6+DQmJicVf4u94Vm0mYtBVODw -XAdVpk6bAwAU7OQxvedepr3g8HQo5sY5efy3lYhf1xA --> ssh-ed25519 51bcvA DUkgjLS805iAsnaCl3B8BOP6cdKOJCx0aK23UEDmTyw -dUZhXJiYkCZvassxSg0Cgf9c+ta2Oc2PNhLdvHBP24M --> ssh-ed25519 vT7ExA 0Z2/GFY2aqO2HJJet3CRSh3yxchGt7AYTzkl0D2aoEQ -GuMqW7tbsEl/SskgN1hPa0B/aWtet/+pHxmbwsTzPCM ---- vgf72fLRkTVRtJoxh+qfim9YYELE0W74L6ZVjpo+8vI -=&C#/nܤ29o[S+ uWʶ4f/hA#Os_RVEVAlT/VtJNU;nGQݣO{x[#PH9P:z -yX`]%>+~)`Vx۰i-F$xH)TMcZ \ No newline at end of file 
diff --git a/newinfra/nix/secrets/grafana_admin_password.age b/newinfra/nix/secrets/grafana_admin_password.age
deleted file mode 100644
index aa33f26..0000000
Binary files a/newinfra/nix/secrets/grafana_admin_password.age and /dev/null differ
diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age
deleted file mode 100644
index 1c4ea95..0000000
Binary files a/newinfra/nix/secrets/hugochat_db_password.age and /dev/null differ
diff --git a/newinfra/nix/secrets/killua_env.age b/newinfra/nix/secrets/killua_env.age
deleted file mode 100644
index 54a0777..0000000
Binary files a/newinfra/nix/secrets/killua_env.age and /dev/null differ
diff --git a/newinfra/nix/secrets/loki_env.age b/newinfra/nix/secrets/loki_env.age
deleted file mode 100644
index f071802..0000000
Binary files a/newinfra/nix/secrets/loki_env.age and /dev/null differ
diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age
deleted file mode 100644
index bf78046..0000000
Binary files a/newinfra/nix/secrets/minio_env_file.age and /dev/null differ
diff --git a/newinfra/nix/secrets/openolat_db_password.age b/newinfra/nix/secrets/openolat_db_password.age
deleted file mode 100644
index a9e307c..0000000
Binary files a/newinfra/nix/secrets/openolat_db_password.age and /dev/null differ
diff --git a/newinfra/nix/secrets/registry_htpasswd.age b/newinfra/nix/secrets/registry_htpasswd.age
deleted file mode 100644
index 738862b..0000000
Binary files a/newinfra/nix/secrets/registry_htpasswd.age and /dev/null differ
diff --git a/newinfra/nix/secrets/registry_s3_key_secret.age b/newinfra/nix/secrets/registry_s3_key_secret.age
deleted file mode 100644
index 3b6cb41..0000000
Binary files a/newinfra/nix/secrets/registry_s3_key_secret.age and /dev/null differ
diff --git a/newinfra/nix/secrets/s3_mc_admin_client.age b/newinfra/nix/secrets/s3_mc_admin_client.age deleted file mode 100644 index 719f1ed..0000000 Binary files a/newinfra/nix/secrets/s3_mc_admin_client.age and /dev/null differ diff --git a/newinfra/nix/secrets/upload_files_s3_secret.age b/newinfra/nix/secrets/upload_files_s3_secret.age deleted file mode 100644 index a556152..0000000 Binary files a/newinfra/nix/secrets/upload_files_s3_secret.age and /dev/null differ diff --git a/newinfra/nix/secrets/wg_private_dns1.age b/newinfra/nix/secrets/wg_private_dns1.age deleted file mode 100644 index 0f4a0d0..0000000 --- a/newinfra/nix/secrets/wg_private_dns1.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 LZU5Eg dlH/b9FXAowA5m9KYdF+MirRu9fKXhf76jHXuKA6OAI -ADHjmdwYkyd24vbi2jbeI9GmFZuf86/Twm48J3g958s ---- WVLjItfhBqlv55yTzq0/OzfTSfD1ypQfu9EGFf1vUUE -<{\VLv -+v_#PIF%(ㄠ>ȟC'n 1|jNT^6o \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_dns2.age b/newinfra/nix/secrets/wg_private_dns2.age deleted file mode 100644 index 8495f12..0000000 --- a/newinfra/nix/secrets/wg_private_dns2.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5bWSnQ Li1ITKUHcUQFJX0NQCaz9Abjf6NjyVGTwE9WAzjJAU0 -UekGYi4xmM88U0BX52iKGWnBTWCGrxMyMeN6zed12D4 ---- MUD9AikW/zNM+W3GiR23pw95ZsDhsxZVn5EMqr0X+DU -ʂ]?@TH]~?7q"W+`+L]aSx*]6Љf \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age deleted file mode 100644 index c4e3f87..0000000 --- a/newinfra/nix/secrets/wg_private_vps1.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qM6TYg 4aRY2+KMkGoSJtRfdkTRwIj6bYGSQJvJjq669297MHE -Kjf7jo93e4oMRKmN5u3Xa3CUpIp9bZPoUAGqjdgOulw ---- wapYiQbpT4gfZyI5cMnB4O+LdM9PvsUxM7nTv954nNg -eVn?]Ł3!l0ر<[o[?B'W( \ No newline at end of file 
diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age deleted file mode 100644 index 0e7dec1..0000000 --- a/newinfra/nix/secrets/wg_private_vps3.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 XzACZQ J67LUjHa64q/z1K8zZpx1rsnoQ94NzhkeXEpfNr4ZVQ -dy5Tre9IicxhLBHoqvQAZepG7bNg2dEXFT5iPRcWOcA ---- 9dJKhJeue6VNi0Sw05BX/t8jsxXyRIKz0K3/sy0kT7w -h9isM =TnwW)㲛\<2*%_ܳgLN5cD5@ͻ \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age deleted file mode 100644 index 414c14b..0000000 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 51bcvA P7ouUh98Mfi9Jsu6MDWaWH0NB2alXRIK8hxBIs0Nylg -tUZ1sWLlvPizsSWhK3fnVVhr4C9Ign5rwowxePGXFII ---- PHPizXT8GPP9mIFg1paqqc8w3qsX63XpLkeT0APybik -B?*8-nLsj< k*.@6KUg '8 #h.l~S3%!VYKlR ؘo \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age deleted file mode 100644 index f677cad..0000000 --- a/newinfra/nix/secrets/wg_private_vps5.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 vT7ExA 9+j3VYkFAW1obbLc31nv+45SyPMqH1zZPkI+PU4lVH8 -G9QkkyTNH499EWhjiXCyXt7HgHlzJTZsaLiR+yOF18E ---- vq7bT3yTioJ1UsD7hSu5jyYKhOE6UMIMsosu4f5pK1w -QV#(7EY\Z?G٫_C I gNiVe]tx@w+ \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age deleted file mode 100644 index 105c8e5..0000000 --- a/newinfra/nix/secrets/widetom_bot_token.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qM6TYg sAwuep3NgetXEKK5N8ZFP6Y0IDAGtTLIXH1hh5L0Hyc -8pB7uytmRSkJMKi5S9YSLHKLgpYKkv5w2WaKaJL9sT4 ---- JucAnOMMuFLpIyg9t+Azths9ttk6by6SKcMWA6Cwa+0 -v(TR͘䴐JpD%J*^l߱Y/'zBٞ4G6Ʒ( /\,Wr7 en%@ \ No newline at end of file 
diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age
deleted file mode 100644
index 13998d2..0000000
Binary files a/newinfra/nix/secrets/widetom_config_toml.age and /dev/null differ
diff --git a/newinfra/nix/apps/cargo-bisect-rustc-service/default.nix b/nix/apps/cargo-bisect-rustc-service/default.nix
similarity index 100%
rename from newinfra/nix/apps/cargo-bisect-rustc-service/default.nix
rename to nix/apps/cargo-bisect-rustc-service/default.nix
diff --git a/newinfra/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix
similarity index 100%
rename from newinfra/nix/apps/does-it-build/default.nix
rename to nix/apps/does-it-build/default.nix
diff --git a/newinfra/nix/apps/forgejo/default.nix b/nix/apps/forgejo/default.nix
similarity index 100%
rename from newinfra/nix/apps/forgejo/default.nix
rename to nix/apps/forgejo/default.nix
diff --git a/newinfra/nix/apps/hugo-chat/default.nix b/nix/apps/hugo-chat/default.nix
similarity index 100%
rename from newinfra/nix/apps/hugo-chat/default.nix
rename to nix/apps/hugo-chat/default.nix
diff --git a/newinfra/nix/apps/killua/default.nix b/nix/apps/killua/default.nix
similarity index 100%
rename from newinfra/nix/apps/killua/default.nix
rename to nix/apps/killua/default.nix
diff --git a/newinfra/nix/apps/openolat/default.nix b/nix/apps/openolat/default.nix
similarity index 100%
rename from newinfra/nix/apps/openolat/default.nix
rename to nix/apps/openolat/default.nix
diff --git a/apps/openolat/extra-properties.properties b/nix/apps/openolat/extra-properties.properties
similarity index 100%
rename from apps/openolat/extra-properties.properties
rename to nix/apps/openolat/extra-properties.properties
diff --git a/newinfra/nix/apps/upload-files/default.nix b/nix/apps/upload-files/default.nix
similarity index 100%
rename from newinfra/nix/apps/upload-files/default.nix
rename to nix/apps/upload-files/default.nix
diff --git a/newinfra/nix/apps/uptime/default.nix b/nix/apps/uptime/default.nix
similarity index 100%
rename from newinfra/nix/apps/uptime/default.nix
rename to nix/apps/uptime/default.nix
diff --git a/newinfra/nix/apps/uptime/uptime.json b/nix/apps/uptime/uptime.json
similarity index 100%
rename from newinfra/nix/apps/uptime/uptime.json
rename to nix/apps/uptime/uptime.json
diff --git a/newinfra/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix
similarity index 100%
rename from newinfra/nix/apps/widetom/default.nix
rename to nix/apps/widetom/default.nix
diff --git a/newinfra/nix/deploy/deploy-dns.sh b/nix/deploy/deploy-dns.sh
similarity index 100%
rename from newinfra/nix/deploy/deploy-dns.sh
rename to nix/deploy/deploy-dns.sh
diff --git a/newinfra/nix/deploy/smoke-tests.sh b/nix/deploy/smoke-tests.sh
similarity index 100%
rename from newinfra/nix/deploy/smoke-tests.sh
rename to nix/deploy/smoke-tests.sh
diff --git a/newinfra/nix/hive.nix b/nix/hive.nix
similarity index 92%
rename from newinfra/nix/hive.nix
rename to nix/hive.nix
index 6410db8..6182440 100644
--- a/newinfra/nix/hive.nix
+++ b/nix/hive.nix
@@ -53,7 +53,16 @@
 wg = {
 privateIP = "10.0.0.1";
 publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
- peers = [ "vps3" "vps4" "vps5" ];
+ peers = [ "vps2" "vps3" "vps4" "vps5" ];
+ };
+ };
+ vps2 = {
+ publicIPv4 = "184.174.32.252";
+ publicIPv6 = null;
+ wg = {
+ privateIP = "10.0.0.2";
+ publicKey = "SficHHJ0ynpZoGah5heBpNKnEVIVrgs72Z5HEKd3jHA=";
+ peers = [ "vps1" "vps3" "vps4" "vps5" ];
 };
 };
 vps3 = {
@@ -62,7 +71,7 @@
 wg = {
 privateIP = "10.0.0.3";
 publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
- peers = [ "vps1" "vps4" "vps5" "dns1" "dns2" ];
+ peers = [ "vps1" "vps2" "vps4" "vps5" "dns1" "dns2" ];
 };
 };
 vps4 = {
@@ -73,7 +82,7 @@
 wg = {
 privateIP = "10.0.0.4";
 publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
- peers = [ "vps1" "vps3" "vps5" ];
+ peers = [ "vps1" "vps2" "vps3" "vps5" ];
 };
 };
 vps5 = {
@@ -82,7 +91,7 @@
 wg = {
 privateIP = "10.0.0.5";
 publicKey = "r1cwt63fcOR+FTqMTUpZdK4/MxpalkDYRHXyy7osWUk=";
- peers = [ "vps1" "vps3" "vps4" ];
+ peers = [ "vps1" "vps2" "vps3" "vps4" ];
 };
 };
 };
@@ -190,6 +199,19 @@
 deployment.tags = [ "caddy" "eu" "apps" "website" ];
 system.stateVersion = "23.11";
 };
+ # VPS2 exists
+ vps2 = { name, nodes, modulesPath, config, lib, ... }: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./modules/contabo
+ ./modules/wg-mesh
+ ./modules/caddy
+ ./modules/garage
+ ];
+
+ deployment.tags = [ "caddy" "eu" "apps" ];
+ system.stateVersion = "23.11";
+ };
 # VPS3 is the primary monitoring/metrics server.
 vps3 = { name, nodes, modulesPath, config, ... }: {
 imports = [
diff --git a/newinfra/nix/modules/backup/backup.sh b/nix/modules/backup/backup.sh
similarity index 100%
rename from newinfra/nix/modules/backup/backup.sh
rename to nix/modules/backup/backup.sh
diff --git a/newinfra/nix/modules/backup/default.nix b/nix/modules/backup/default.nix
similarity index 100%
rename from newinfra/nix/modules/backup/default.nix
rename to nix/modules/backup/default.nix
diff --git a/newinfra/nix/modules/caddy/base.Caddyfile b/nix/modules/caddy/base.Caddyfile
similarity index 100%
rename from newinfra/nix/modules/caddy/base.Caddyfile
rename to nix/modules/caddy/base.Caddyfile
diff --git a/newinfra/nix/modules/caddy/caddy-build.nix b/nix/modules/caddy/caddy-build.nix
similarity index 100%
rename from newinfra/nix/modules/caddy/caddy-build.nix
rename to nix/modules/caddy/caddy-build.nix
diff --git a/newinfra/nix/modules/caddy/caddy-static-prepare/default.nix b/nix/modules/caddy/caddy-static-prepare/default.nix
similarity index 100%
rename from newinfra/nix/modules/caddy/caddy-static-prepare/default.nix
rename to nix/modules/caddy/caddy-static-prepare/default.nix
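Review bot: The comment `# VPS2 exists` on the new node in the `@@ -190,6 +199,19 @@` hunk does not say what the host is for, unlike the `# VPS3 is the primary monitoring/metrics server.` comment directly below it. From the visible lines the node imports `./modules/caddy` and `./modules/garage` and is tagged `"caddy" "eu" "apps"` without `"website"`, so something like `# VPS2 runs caddy and a garage storage node; it does not carry the "website" tag.` would record the intended role and exposure. The function head also binds `lib`, which the body shown here never uses, while the vps3 head does not take it; dropping it would keep the two nodes consistent.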
diff --git a/newinfra/nix/modules/caddy/caddy-static-prepare/prepare.py b/nix/modules/caddy/caddy-static-prepare/prepare.py
similarity index 100%
rename from newinfra/nix/modules/caddy/caddy-static-prepare/prepare.py
rename to nix/modules/caddy/caddy-static-prepare/prepare.py
diff --git a/newinfra/nix/modules/caddy/debugging-page/index.html b/nix/modules/caddy/debugging-page/index.html
similarity index 100%
rename from newinfra/nix/modules/caddy/debugging-page/index.html
rename to nix/modules/caddy/debugging-page/index.html
diff --git a/newinfra/nix/modules/caddy/default.nix b/nix/modules/caddy/default.nix
similarity index 100%
rename from newinfra/nix/modules/caddy/default.nix
rename to nix/modules/caddy/default.nix
diff --git a/newinfra/nix/modules/caddy/vps1.Caddyfile b/nix/modules/caddy/vps1.Caddyfile
similarity index 100%
rename from newinfra/nix/modules/caddy/vps1.Caddyfile
rename to nix/modules/caddy/vps1.Caddyfile
diff --git a/newinfra/nix/modules/caddy/vps3.Caddyfile b/nix/modules/caddy/vps3.Caddyfile
similarity index 100%
rename from newinfra/nix/modules/caddy/vps3.Caddyfile
rename to nix/modules/caddy/vps3.Caddyfile
diff --git a/newinfra/nix/modules/caddy/vps4.Caddyfile b/nix/modules/caddy/vps4.Caddyfile
similarity index 100%
rename from newinfra/nix/modules/caddy/vps4.Caddyfile
rename to nix/modules/caddy/vps4.Caddyfile
diff --git a/newinfra/nix/modules/contabo/default.nix b/nix/modules/contabo/default.nix
similarity index 100%
rename from newinfra/nix/modules/contabo/default.nix
rename to nix/modules/contabo/default.nix
diff --git a/newinfra/nix/modules/default/default.nix b/nix/modules/default/default.nix
similarity index 100%
rename from newinfra/nix/modules/default/default.nix
rename to nix/modules/default/default.nix
diff --git a/newinfra/nix/modules/dns/default.nix b/nix/modules/dns/default.nix
similarity index 100%
rename from newinfra/nix/modules/dns/default.nix
rename to nix/modules/dns/default.nix
diff --git a/newinfra/nix/modules/dns/nilstrieb.dev.nix b/nix/modules/dns/nilstrieb.dev.nix similarity index 94% rename from newinfra/nix/modules/dns/nilstrieb.dev.nix rename to nix/modules/dns/nilstrieb.dev.nix index f804411..1d0fb7d 100644 --- a/newinfra/nix/modules/dns/nilstrieb.dev.nix +++ b/nix/modules/dns/nilstrieb.dev.nix @@ -37,11 +37,6 @@ let ns1 = dns1; ns2 = dns2; - # apps - cors-school = vps2 // { - subdomains.api = vps2; - }; - localhost.A = [ (a "127.0.0.1") ]; # --- retired: diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix similarity index 96% rename from newinfra/nix/modules/dns/noratrieb.dev.nix rename to nix/modules/dns/noratrieb.dev.nix index 9a4da25..dc52c14 100644 --- a/newinfra/nix/modules/dns/noratrieb.dev.nix +++ b/nix/modules/dns/noratrieb.dev.nix @@ -9,9 +9,6 @@ let lib.optionalAttrs (publicIPv4 != null) { A = [ (a publicIPv4) ]; } // lib.optionalAttrs (publicIPv6 != null) { AAAA = [ (aaaa publicIPv6) ]; }) networkingConfig; - vps2 = { - A = [ "184.174.32.252" ]; - }; combine = hosts: { A = lib.lists.flatten (map (host: if builtins.hasAttr "A" host then host.A else [ ]) hosts); @@ -63,9 +60,6 @@ let }; }; - # --- legacy crap - old-docker = vps2; - # --- apps bisect-rustc = vps1; docker = vps1; diff --git a/newinfra/nix/modules/garage/README.md b/nix/modules/garage/README.md similarity index 72% rename from newinfra/nix/modules/garage/README.md rename to nix/modules/garage/README.md index c16f1d1..75b1116 100644 --- a/newinfra/nix/modules/garage/README.md +++ b/nix/modules/garage/README.md @@ -6,13 +6,6 @@ - co-du -> Contabo Düsseldorf - he-nu -> Hetzner Nürnberg -| name | disk space | identifier | zone | -| ---- | ---------- | ---------- | ----- | -| vps3 | 70GB | cabe | co-du | -| vps3 | 100GB | 020bd | co-ka | -| vps4 | 30GB | 41e40 | he-nu | -| vps5 | 100GB | 848d8 | co-du | - ## buckets - `caddy-store`: Store for Caddy webservers 
@@ -35,6 +28,7 @@ - `loki`: `GK84ffae2a0728abff0f96667b` - `backups`: `GK8cb8454a6f650326562bff2f` - `forgejo`: `GKc8bfd905eb7f85980ffe84c9` +- `upload-files`: `GK607464882f6e29fb31e0f553` - `admin`: `GKaead6cf5340e54a4a19d9490` - RW permissions on ~every bucket diff --git a/newinfra/nix/modules/garage/default.nix b/nix/modules/garage/default.nix similarity index 100% rename from newinfra/nix/modules/garage/default.nix rename to nix/modules/garage/default.nix diff --git a/newinfra/nix/modules/podman/default.nix b/nix/modules/podman/default.nix similarity index 100% rename from newinfra/nix/modules/podman/default.nix rename to nix/modules/podman/default.nix diff --git a/newinfra/nix/modules/prometheus/default.nix b/nix/modules/prometheus/default.nix similarity index 95% rename from newinfra/nix/modules/prometheus/default.nix rename to nix/modules/prometheus/default.nix index 18ce407..b30d69d 100644 --- a/newinfra/nix/modules/prometheus/default.nix +++ b/nix/modules/prometheus/default.nix @@ -15,6 +15,7 @@ { targets = [ "dns1.local:9100" ]; } { targets = [ "dns2.local:9100" ]; } { targets = [ "vps1.local:9100" ]; } + { targets = [ "vps2.local:9100" ]; } { targets = [ "vps3.local:9100" ]; } { targets = [ "vps4.local:9100" ]; } { targets = [ "vps5.local:9100" ]; } @@ -24,6 +25,7 @@ job_name = "caddy"; static_configs = [ { targets = [ "vps1.local:9010" ]; } + { targets = [ "vps2.local:9010" ]; } { targets = [ "vps3.local:9010" ]; } { targets = [ "vps4.local:9010" ]; } { targets = [ "vps5.local:9010" ]; } @@ -39,6 +41,7 @@ job_name = "garage"; static_configs = [ { targets = [ "vps1.local:3903" ]; } + { targets = [ "vps2.local:3903" ]; } { targets = [ "vps3.local:3903" ]; } { targets = [ "vps4.local:3903" ]; } { targets = [ "vps5.local:3903" ]; } 
@@ -57,6 +60,7 @@
 { targets = [ "dns1.local:9150" ]; }
 { targets = [ "dns2.local:9150" ]; }
 { targets = [ "vps1.local:9150" ]; }
+ { targets = [ "vps2.local:9150" ]; }
 { targets = [ "vps3.local:9150" ]; }
 { targets = [ "vps4.local:9150" ]; }
 { targets = [ "vps5.local:9150" ]; }
diff --git a/newinfra/nix/modules/registry/default.nix b/nix/modules/registry/default.nix
similarity index 100%
rename from newinfra/nix/modules/registry/default.nix
rename to nix/modules/registry/default.nix
diff --git a/newinfra/nix/modules/wg-mesh/default.nix b/nix/modules/wg-mesh/default.nix
similarity index 100%
rename from newinfra/nix/modules/wg-mesh/default.nix
rename to nix/modules/wg-mesh/default.nix
diff --git a/newinfra/nix/my-projects.json b/nix/my-projects.json
similarity index 82%
rename from newinfra/nix/my-projects.json
rename to nix/my-projects.json
index ff195a2..e1e8ac0 100644
--- a/newinfra/nix/my-projects.json
+++ b/nix/my-projects.json
@@ -5,5 +5,5 @@
 "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
 "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
 "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
- "upload.files.noratrieb.dev": "90f6a6a82fb24c61fd19643d383ea7c8415f558a"
+ "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077"
 }
diff --git a/nix/secrets/backup_s3_secret.age b/nix/secrets/backup_s3_secret.age
new file mode 100644
index 0000000..4ef1361
Binary files /dev/null and b/nix/secrets/backup_s3_secret.age differ
diff --git a/nix/secrets/caddy_s3_key_secret.age b/nix/secrets/caddy_s3_key_secret.age
new file mode 100644
index 0000000..39bb560
Binary files /dev/null and b/nix/secrets/caddy_s3_key_secret.age differ
diff --git a/nix/secrets/docker_registry_password.age b/nix/secrets/docker_registry_password.age
new file mode 100644
index 0000000..13f02ef
--- /dev/null
+++ b/nix/secrets/docker_registry_password.age
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg UtoSFhZQ2PW1y3ifXgSdQQswoi5kdRg2gvczlEateC4 +ir2FpFkYo17MGBy+C4thM4lit7vn2CiBi09DcTb6ubs +--- YvRhsfFzedjeKssmOTzHvKkvIG0zXVVCIJsRNc/LTVg +:ˠK$Prm;۷ + qE@v]m=͙'Sm \ No newline at end of file diff --git a/newinfra/nix/secrets/encrypt.sh b/nix/secrets/encrypt.sh similarity index 100% rename from newinfra/nix/secrets/encrypt.sh rename to nix/secrets/encrypt.sh diff --git a/nix/secrets/forgejo_s3_key_secret.age b/nix/secrets/forgejo_s3_key_secret.age new file mode 100644 index 0000000..2c66a3a --- /dev/null +++ b/nix/secrets/forgejo_s3_key_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg GNYf0FjEDEqCe09mS9Hl7OIIjvhKTu8urwUPtY+yyB0 +xmAtm4n3s0rfq3S5OKFEG2k/noXFTKMt8hiW5QrD9SU +--- HGBYxXQGM254m2YP5twgjgDme80f0uOL2m4uKy19ZBs +( +T +{F-\6{mtM-X{%bQd]E]i}F2$7#k4;8ZG_o \ No newline at end of file diff --git a/nix/secrets/garage_secrets.age b/nix/secrets/garage_secrets.age new file mode 100644 index 0000000..af23541 --- /dev/null +++ b/nix/secrets/garage_secrets.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg F9aj1EmsmRSXt1m3a41zpuwFmDBOuuaIrHkqP7PTVno +tVs8Oxa9gV/HdUf0hN/JLuWhbrXI9BXIrsh5HnsKBQI +-> ssh-ed25519 pP9cdg dQdPm3OfbWl5Y8kJxmsUZ4rwpUo8w3+P3CHCiXw9VCw +9yWbGgzgBz9GICAgYiOyPtMjDk/tBb4vsOveTuYP9bw +-> ssh-ed25519 XzACZQ 4lldtotM16DN/75dRX3QEmOzfIEySHcNOlFWqymI+Rs +oOaD7dZu0xC0R7CrVpfwoBU7eSgaWyJmAZ4WptCQdes +-> ssh-ed25519 51bcvA k9eq2Tc3A9MztsdTvt3sDYUj/usYBJMp9IJQZAR67Ac +ezccfIhPZaHKsVcUrxJL7u3jSA/kCTqLmWuQfxrFQBo +-> ssh-ed25519 vT7ExA BOCylq1RqaburnXxfsl3xqAmGSJnIxVhXK8H2xeFynk +OWhqsbJgHWlo3hsRZVQgEaArK32OI25N4Poi2qJ9wQs +--- bBQkNfDI0onJOyxOJIN3Yl2jkK5iRgYbK67RWsipXOE +3A9AnۯtyCj-{Ň)6DfOQ}'_n>UPNDR-"?>)E0v(~7 eCO\UJJ$S8`FQ0u3mH~PLqf~in]=rSre#wG @|X# \ No newline at end of file diff --git a/nix/secrets/grafana_admin_password.age b/nix/secrets/grafana_admin_password.age new file mode 100644 index 0000000..2d2fac7 --- /dev/null 
+++ b/nix/secrets/grafana_admin_password.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 XzACZQ g3qlnIBoRdlhvAhDd1oLC7sdWAYGw5FobFAbOp0Eamo +FGoPMBeNp63zkvTml9cnXspAS65/G2+3hzaeMu/ack8 +--- /cGmX9i8KBgLSiv0HC7QGJoF5+C6wBHbBOhoIw5iRIE +?޳[%N+uee8YЕFkMx&k+jfW*U4&dymNb?Aci݀:n}<$]É0Em=/U6-j \ No newline at end of file diff --git a/nix/secrets/hugochat_db_password.age b/nix/secrets/hugochat_db_password.age new file mode 100644 index 0000000..3e48ca0 --- /dev/null +++ b/nix/secrets/hugochat_db_password.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg ZIBHuyNI3wIg1GaFtgZM+ubYEM2yoaM0cbG+Pei+chY +Bp4xfIz7PzmFADD+w8fnZ73KwAojT22WADuUA3kQc8Q +--- HvjuHpMC7XvjiM/y0zgOyg080PO3BbwnSWNgbZSIUWc +!C5YY>co+5\ڵjG1sF Pݷ*3ֳ,,U(^;bgegt:ݮ`a_>"e=hC_@ڳ\SCo[4x&9Y @ۃ'Kd#a ^tą \ No newline at end of file diff --git a/nix/secrets/killua_env.age b/nix/secrets/killua_env.age new file mode 100644 index 0000000..d9e3d98 --- /dev/null +++ b/nix/secrets/killua_env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg i9WKTDnkYrTPkHzEDzbpwE0UzYvsHGNdezC43k9N6xA +mQdIAyNO+1spsyKXdu4VxF18Dlh6ORkIn8qQVew6b0E +--- JA923cG0dvBxGC7zsjdKFKZLcHvTj3PgyISIFpEsKBE +;: +^}cud +ڕLmTzzM0Ra=i !Ui=I%@ąp܉K[Fm/ajx^cD0,u,فQߞ-ϼV \ No newline at end of file diff --git a/nix/secrets/loki_env.age b/nix/secrets/loki_env.age new file mode 100644 index 0000000..010ee28 --- /dev/null +++ b/nix/secrets/loki_env.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 XzACZQ 4ra1tOKgtlquGn8NV4e5WVP9/x3hfV86Bq7xSv3bFmI +6aPQO3Sc++l2NpmmRhPo4RcdL3bsRLcbqHF4bWfYqJg +--- b739OmteTR/Z3J3HZqcmqKYvMucyNSbTabqopToJHpY +0C,]wj<4js@̂eW9jw|Y2J{T3N6) $&;ptC9&y$JAcIGh:OʝHVn%Ș}r3Ha89p5 \ No newline at end of file diff --git a/nix/secrets/minio_env_file.age b/nix/secrets/minio_env_file.age new file mode 100644 index 0000000..daf2e33 --- /dev/null +++ b/nix/secrets/minio_env_file.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg FPuST3lWjHKcylkh0mlRbQm8lM28wce4Bb2/rp1zu2k +cmA9aRF8zDe6YYmBCH7pOtl1FflKxwAiHtMYTQ0OWMk +-> ssh-ed25519 XzACZQ 2M5O5Rj2LAS1T9UXRYeUZrq3iBiJu/0TPOtz5yC+nyE +A1JFvr1iVj2Mc4F7/yjGxikmdAbofTuOMvI8QtyzTr4 +--- 7JakO0Kuuskiup7D+cYP7OKQtld7h7salUMRoOGa88Q +k5  JOU/St!k2vm] o5V  ҷBE!QtJ!|[5(Fx ssh-ed25519 qM6TYg 0lWcSdSricBNu8i0oMnNe0gOsoDrY9DfPvmCIS63ohc +fY0M+k7xXU5nlLTSbJQF7iDevujQVxZ2lLca9CiBTaI +--- 5ObZSaeWsTlkqKq5D8vWKsrY8WCku2ndSlrjBKRtQE8 +Iye$Q|h'Q1Q1CހmQ:Q.SE=cm @-9j7fǺFT"o"|0DΒ,Wŋm*̬~5'{ jluuy+ \ No newline at end of file diff --git a/nix/secrets/registry_htpasswd.age b/nix/secrets/registry_htpasswd.age new file mode 100644 index 0000000..9d1e5fd Binary files /dev/null and b/nix/secrets/registry_htpasswd.age differ diff --git a/nix/secrets/registry_s3_key_secret.age b/nix/secrets/registry_s3_key_secret.age new file mode 100644 index 0000000..eee2e12 Binary files /dev/null and b/nix/secrets/registry_s3_key_secret.age differ diff --git a/nix/secrets/s3_mc_admin_client.age b/nix/secrets/s3_mc_admin_client.age new file mode 100644 index 0000000..2cc8862 Binary files /dev/null and b/nix/secrets/s3_mc_admin_client.age differ diff --git a/newinfra/nix/secrets/secrets.nix b/nix/secrets/secrets.nix similarity index 78% rename from newinfra/nix/secrets/secrets.nix rename to nix/secrets/secrets.nix index 1d3b484..456c560 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/nix/secrets/secrets.nix 
@@ -2,6 +2,7 @@ let
 dns1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBKoyDczFntyQyWj47Z8JeewKcCobksd415WM1W56eS";
 dns2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ1yLdDhI2Vou/9qrPIUP8RU8Sg0WxLI2njtP5hkdL7";
 vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R";
+ vps2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzt3OZAOG2sih8T9Bhoqg8ANBP5ZX60z0xmUW4cBWvX";
 vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C";
 vps4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpoLgBTWj1BcNxXVdM26jDBZl+BCtUTj20Wv4sZdCHz";
 vps5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBWbIznvWQSqRF1E9Gv9y7JXMy3LZxMAWj6K0Nq91kyZ";
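Review bot: The new `vps2` recipient is a bare key string with nothing recording where it came from, and this list decides which machines can decrypt the `.age` files. A mistyped or substituted key here either locks vps2 out or grants decryption to whoever holds the matching private key, so the provenance is worth stating once above the bindings, for example `# recipients: each machine's SSH host key (presumably /etc/ssh/ssh_host_ed25519_key.pub), fingerprint checked on the host before adding`. The `let` block opens before this hunk, so an existing header comment may already cover this.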
@@ -13,20 +14,21 @@ in "hugochat_db_password.age".publicKeys = [ vps1 ]; "openolat_db_password.age".publicKeys = [ vps1 ]; "minio_env_file.age".publicKeys = [ vps1 vps3 ]; - "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; - "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; + "garage_secrets.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ]; + "caddy_s3_key_secret.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ]; "registry_htpasswd.age".publicKeys = [ vps1 ]; "registry_s3_key_secret.age".publicKeys = [ vps1 ]; "grafana_admin_password.age".publicKeys = [ vps3 ]; "loki_env.age".publicKeys = [ vps3 ]; - "backup_s3_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; - "s3_mc_admin_client.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; + "backup_s3_secret.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ]; + "s3_mc_admin_client.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ]; "killua_env.age".publicKeys = [ vps1 ]; "forgejo_s3_key_secret.age".publicKeys = [ vps1 ]; "upload_files_s3_secret.age".publicKeys = [ vps1 ]; "wg_private_dns1.age".publicKeys = [ dns1 ]; "wg_private_dns2.age".publicKeys = [ dns2 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; + "wg_private_vps2.age".publicKeys = [ vps2 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; "wg_private_vps5.age".publicKeys = [ vps5 ]; diff --git a/nix/secrets/upload_files_s3_secret.age b/nix/secrets/upload_files_s3_secret.age new file mode 100644 index 0000000..01042a4 --- /dev/null +++ b/nix/secrets/upload_files_s3_secret.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg Tq8qyikECRKhPhMbKFDd+YZIGkx9uj3vOWk7QRHEkn8 +wDbkM7KZWGDF3mECEa1MPPTC5F7uxe8nGtIZZkVCWU0 +--- hpRMWveZaPAIS44Jr6rRGHMOQfRi7nFpN0nxHU6fPOQ +t4`:,PʍN?ij\ȱ雵uAH_?Pg# T+R-ȺX,!YeZFmd\4bDAkLk1Rz6xo(8gzV+s|.T;OM6 zAQV~mNXI qkt#JyrSu?ږN Ոb!Ksy, AyfW##"`nPX,$z1 (P "y|sTxBFtl!6ۉ0os*.H/o5ۭl \ No newline at end of file 
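Review bot: Adding `vps2` to `"s3_mc_admin_client.age".publicKeys` extends what is, going by its name, an admin-level S3 client credential to a fifth host, so a compromise of any one of vps1–vps5 exposes it. `garage_secrets.age`, `caddy_s3_key_secret.age` and `backup_s3_secret.age` are widened the same way in this hunk. If vps2 does not itself run admin operations, leave it out of that one list and add a short comment per shared secret saying why each host needs it, e.g. `# needed on every garage node`. Editing `publicKeys` does not change existing ciphertext, so each widened file has to be re-encrypted (with agenix, `agenix --rekey`) before vps2 can read it. `s3_mc_admin_client.age` shows only as a binary diff on this page, so its recipient stanzas cannot be checked here. The attribute set after `in` starts and ends outside the hunk.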
diff --git a/nix/secrets/wg_private_dns1.age b/nix/secrets/wg_private_dns1.age new file mode 100644 index 0000000..e9a0be3 --- /dev/null +++ b/nix/secrets/wg_private_dns1.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 LZU5Eg C3IfbvL4t0pOHEb3Bc54+r6DZESgN6K6zPDhBlDumXk +UwOtrqp8I90Vux6L7CsV5K+2SDFB8LBiyLO8ud7IsQU +--- 2tIecoG70broXFTtgjCUMcvk2RdKqpe5tihO6meI8DY +Akڳ& `!M_v`-Ep^U#:]їDmy^O+t8.͚; \ No newline at end of file diff --git a/nix/secrets/wg_private_dns2.age b/nix/secrets/wg_private_dns2.age new file mode 100644 index 0000000..d986ea6 --- /dev/null +++ b/nix/secrets/wg_private_dns2.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 5bWSnQ wqkRMdob+7G2mTNKySF2kiGhOKt4GLN/ne+4lM3pIwA +Iz2Brik6I6YHjVxQcoDL0UTJOWcjuiErf5kCeWpnaV0 +--- 1ZkP0GiP78eGKl8te1w+o5I5kEbyPaiJFq7WGH4k1LE +61zITU/5'|h>zr^ɋwanoglX,kܶG +cP!Rh׻fWh䠧 \ No newline at end of file diff --git a/nix/secrets/wg_private_vps1.age b/nix/secrets/wg_private_vps1.age new file mode 100644 index 0000000..089fc55 Binary files /dev/null and b/nix/secrets/wg_private_vps1.age differ diff --git a/nix/secrets/wg_private_vps2.age b/nix/secrets/wg_private_vps2.age new file mode 100644 index 0000000..a92b028 --- /dev/null +++ b/nix/secrets/wg_private_vps2.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 pP9cdg GI2CXAYTJWUqmab/Fnl/cFZVCCBxYZX/snQ+w0aPjSk +8D6TxN4VYH14GQJ/XhUqyfKNLjM8f3LDmykLAvtl+IM +--- 6ru8v60LKlJjpy2PnmcwBdV09KMEh+neITYyuFscSIQ +F Йy#<ﯗ֋mߘQ2^T2L9]LĞh[br!jEnS?jCR%s;m\R \ No newline at end of file diff --git a/nix/secrets/wg_private_vps3.age b/nix/secrets/wg_private_vps3.age new file mode 100644 index 0000000..2536ac0 --- /dev/null +++ b/nix/secrets/wg_private_vps3.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 XzACZQ pOD3jNWIufLkEVtkFJu6W0QjdzPJTK+t1MwgACv1zXU +EJQ+9xPw6MnB6nJW6nDBUlzfHyY9XlfBIQlgje+FVE4 +--- BmTwJED+mJ/Qr0WFDELozwR2BgGDkHDcR2I9eSxuVn8 +K~alNh. kiAF*/MYZdpA+-٬Aܢ*SZ NFfb3try \ No newline at end of file 
diff --git a/nix/secrets/wg_private_vps4.age b/nix/secrets/wg_private_vps4.age new file mode 100644 index 0000000..ca2ab16 --- /dev/null +++ b/nix/secrets/wg_private_vps4.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 51bcvA mzB9FcwUgPczK4/Rd2DZvCYoQfjT4qE+Z7HE9yHjgGU +sPDlr+YNhvbjYagyJb/kua9dWeG9tSt6KNjKh+/p+ps +--- uZVoWpqKjapTtWRGpc7cUoifwOVFfd5DU+9pQpwruuo +Fv6ڋ,Kӆ(k~Y4.`z(]w2MV "%JU$ȫǸCG +_:Fݧ S \ No newline at end of file diff --git a/nix/secrets/wg_private_vps5.age b/nix/secrets/wg_private_vps5.age new file mode 100644 index 0000000..fa70bad --- /dev/null +++ b/nix/secrets/wg_private_vps5.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 vT7ExA WsT1cFerSGwOnhrLBTN62zydQVC1oPQxXtwQxGUSY1w +Je1zd3NJ16yaOHQD8iPX7eaPJV3WH6Z3eiDkFip/2FY +--- J6ZhIFcXF12n+pV4JEaAut/QB2c5ycYSIGo6j3nLICQ +SOƍsILJ i=m|,gnYւDvA d{ q)~3!8 xPL7" \ No newline at end of file diff --git a/nix/secrets/widetom_bot_token.age b/nix/secrets/widetom_bot_token.age new file mode 100644 index 0000000..d3d06bf --- /dev/null +++ b/nix/secrets/widetom_bot_token.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg n/6/3HfVk0IWfGRbgBB7qLkEXylLgYDxNzbLTaJWyhs +jNP6viJqbOgpNke072hDeaGmApVc51wAN/O+8Gc58U4 +--- WoF4XMNOMMwKJ16Q7QrH97cGdyJ4nB4Dw04dyznfmL8 +#"Li"WAE-?ؕ~Z\gO&xv &w]"S2Vɯ/ \ No newline at end of file diff --git a/nix/secrets/widetom_config_toml.age b/nix/secrets/widetom_config_toml.age new file mode 100644 index 0000000..aa4e0f9 Binary files /dev/null and b/nix/secrets/widetom_config_toml.age differ diff --git a/playbooks/all.yml b/playbooks/all.yml deleted file mode 100644 index 94e52dd..0000000 --- a/playbooks/all.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Generic setup - ansible.builtin.import_playbook: ./basic-setup.yml -- name: VPS 2 - ansible.builtin.import_playbook: ./vps2.yml diff --git a/playbooks/basic-setup.yml b/playbooks/basic-setup.yml deleted file mode 100644 index 3116e49..0000000 --- a/playbooks/basic-setup.yml +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -- name: Basic Server setup - hosts: all - gather_facts: false - tasks: - - name: Change hostname - ansible.builtin.hostname: - name: "{{ inventory_hostname }}" - - name: apt update - ansible.builtin.apt: - update_cache: true - upgrade: yes - - name: Install fish - ansible.builtin.apt: - name: "fish" - state: present - - name: "Change root's shell to fish" - ansible.builtin.user: - name: root - shell: /usr/bin/fish - - name: Install useful tools - ansible.builtin.apt: - name: "{{ item }}" - state: present - with_items: - - htop - - awscli - - name: Install keyring packages - ansible.builtin.apt: - name: "{{ item }}" - with_items: - - debian-keyring - - debian-archive-keyring - - apt-transport-https - - name: Add caddy keyrings - ansible.builtin.shell: | - set -euo pipefail - - rm -f /usr/share/keyrings/caddy-stable-archive-keyring.gpg - curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg - - # todo: show ok/changed - args: - executable: /bin/bash - - name: Add caddy repository - ansible.builtin.get_url: - url: "https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt" - dest: "/etc/apt/sources.list.d/caddy-stable.list" - mode: "u=rw,g=r,o=r" - - name: Add the docker GPG key - ansible.builtin.get_url: - url: "https://download.docker.com/linux/ubuntu/gpg" - dest: "/etc/apt/keyrings/docker.asc" - mode: "u=r,g=r,o=r" - - name: Add docker repository - ansible.builtin.copy: - dest: "/etc/apt/sources.list.d/docker.list" - content: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable" - - name: Install docker - ansible.builtin.apt: - name: "{{ item }}" - state: present - with_items: - - docker-ce - - docker-ce-cli - - docker-compose-plugin - - name: Ensure docker is started - ansible.builtin.service: - name: docker - state: started - - name: Install caddy - ansible.builtin.apt: - name: caddy - state: 
present - args: - update_cache: true - - name: Ensure caddy is started - ansible.builtin.service: - name: caddy - state: started - - name: Create debug html root - ansible.builtin.file: - path: /var/www/html/debug - state: directory - mode: "u=rwx,g=rx,o=rx" - - name: Create debug webserver file - ansible.builtin.copy: - dest: /var/www/html/debug/index.html - src: "../debug.html" - mode: "u=rw,g=r,o=r" - - name: Copy Caddyfile - ansible.builtin.copy: - dest: /etc/caddy/Caddyfile - src: "../{{ inventory_hostname }}/Caddyfile" # TODO: Choose the right caddyfile depending on the server. - mode: "u=rw,g=r,o=r" - notify: - - "Caddyfile changed" - - name: Create /apps - ansible.builtin.file: - path: /apps - state: directory - mode: u=rwx,g=rx,o=rx - - name: Copy docker-compose - ansible.builtin.copy: - dest: /apps/docker-compose.yml - src: "../{{ inventory_hostname }}/docker-compose.yml" # TODO: choose the right directory - mode: "u=r,g=r,o=r" - handlers: - - name: "Caddyfile changed" - ansible.builtin.service: - name: caddy - state: reloaded diff --git a/playbooks/inventory.yml b/playbooks/inventory.yml deleted file mode 100644 index c1e8d80..0000000 --- a/playbooks/inventory.yml +++ /dev/null @@ -1,4 +0,0 @@ -vps: - hosts: - vps2: - ansible_host: vps2.noratrieb.dev diff --git a/playbooks/vps2.yml b/playbooks/vps2.yml deleted file mode 100644 index 4435e61..0000000 --- a/playbooks/vps2.yml +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -- name: VPS 2 setup - hosts: vps2 - gather_facts: false - tasks: - - name: Copy backup file - ansible.builtin.copy: - src: "../vps2/backup.sh" - dest: "/apps/backup.sh" - mode: "u=rx,g=rx,o=rx" - - name: Configure backup cron - ansible.builtin.cron: - name: Daily backup - minute: "5" - hour: "7" - job: "/apps/backup.sh" - ##### - # APP: karin bot, /apps/karin-bot - ##### - - name: Create /apps/karin-bot - ansible.builtin.file: - path: /apps/karin-bot - state: directory - mode: "u=rwx,g=rx,o=rx" - - name: "Copy karin .env secret" - ansible.builtin.copy: - dest: "/apps/karin-bot/.env" - src: "../secrets/karin-bot/.env" - mode: "u=r,g=r,o=r" - # TODO: Mount a volume in the karin-db to this directory - ##### - # APP: cors-school, /apps/cors-school - ##### - - name: Create /apps/cors-school - ansible.builtin.file: - path: /apps/cors-school - state: directory - mode: "u=rwx,g=rx,o=rx" - - name: Copy secret envs - ansible.builtin.copy: - dest: "/apps/cors-school/{{ item }}" - src: "../secrets/cors-school/{{ item }}" - mode: "u=r,g=r,o=r" - with_items: - - bot.env - - db.env - - server.env - ##### - # APP: minecraft server, /apps/minecraft - ##### - - name: Create /apps/minecraft - ansible.builtin.file: - path: /apps/minecraft - state: directory - mode: "u=rwx,g=rx,o=rx" - - name: Copy minecraft secrets - ansible.builtin.copy: - dest: "/apps/minecraft/.env" - src: "../secrets/minecraft/.env" - mode: "u=r,g=r,o=r" - ##### - # APP: openolat, /apps/openolat - ##### - - name: Create /apps/openolat - ansible.builtin.file: - path: /apps/openolat - state: directory - mode: "u=rwx,g=rx,o=rx" - - name: Copy extra properties - ansible.builtin.copy: - dest: /apps/openolat/extra-properties.properties - src: ../apps/openolat/extra-properties.properties - mode: "u=r,g=r,o=r" - - name: Olat data file permissions # TODO: a bit hacky. 
- ansible.builtin.file: - path: /apps/openolat/olatdata - state: directory - mode: "u=rwx,g=rwx,o=rwx" - ##### - # END: docker compose up! - ##### - # We want this to be last so that all app-specific config has been done. - - name: Copy .env - ansible.builtin.copy: - dest: "/apps/.env" - src: "../secrets/vps2.env" - mode: "u=r,g=r,o=r" - - name: Docker compose up! 🚀 - community.docker.docker_compose_v2: - project_src: /apps - state: "present" - ##### - # POST: things after starting up - ##### - - name: Run CORS db migrations - ansible.builtin.shell: | - docker exec -w /app/server cors-school-server diesel migration run diff --git a/run.sh b/run.sh deleted file mode 100755 index 86e34f8..0000000 --- a/run.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env bash - -ansible-playbook -i playbooks/inventory.yml playbooks/all.yml -u root diff --git a/scripts/copy-deploy-key.sh b/scripts/copy-deploy-key.sh deleted file mode 100755 index 4a30d19..0000000 --- a/scripts/copy-deploy-key.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -# Copies a base64 encoded deploy key to the servers. - -set -eu - -printf "Enter private key (base64 encoded): " -read -r key64 - -private=$(echo "$key64" | base64 -d) -public=$(ssh-keygen -f <(echo "$private") -y) - -tmp=$(mktemp -d) -echo "$private" > "$tmp/id" -echo "$public" > "$tmp/id.pub" - -delete() { - rm -r "$tmp" -} -trap delete EXIT - -ssh-copy-id -i "$tmp/id" root@vps1.nilstrieb.dev -ssh-copy-id -i "$tmp/id" root@vps2.nilstrieb.dev diff --git a/newinfra/secrets-git-crypt/backup_s3_secret b/secrets-git-crypt/backup_s3_secret similarity index 100% rename from newinfra/secrets-git-crypt/backup_s3_secret rename to secrets-git-crypt/backup_s3_secret diff --git a/newinfra/secrets-git-crypt/caddy_s3_key_secret b/secrets-git-crypt/caddy_s3_key_secret similarity index 100% rename from newinfra/secrets-git-crypt/caddy_s3_key_secret rename to secrets-git-crypt/caddy_s3_key_secret 
diff --git a/newinfra/secrets-git-crypt/docker_registry_password b/secrets-git-crypt/docker_registry_password
similarity index 100%
rename from newinfra/secrets-git-crypt/docker_registry_password
rename to secrets-git-crypt/docker_registry_password
diff --git a/newinfra/secrets-git-crypt/forgejo_s3_key_secret b/secrets-git-crypt/forgejo_s3_key_secret
similarity index 100%
rename from newinfra/secrets-git-crypt/forgejo_s3_key_secret
rename to secrets-git-crypt/forgejo_s3_key_secret
diff --git a/newinfra/secrets-git-crypt/garage_secrets b/secrets-git-crypt/garage_secrets
similarity index 100%
rename from newinfra/secrets-git-crypt/garage_secrets
rename to secrets-git-crypt/garage_secrets
diff --git a/newinfra/secrets-git-crypt/grafana_admin_password b/secrets-git-crypt/grafana_admin_password
similarity index 100%
rename from newinfra/secrets-git-crypt/grafana_admin_password
rename to secrets-git-crypt/grafana_admin_password
diff --git a/newinfra/secrets-git-crypt/hugochat_db_password b/secrets-git-crypt/hugochat_db_password
similarity index 100%
rename from newinfra/secrets-git-crypt/hugochat_db_password
rename to secrets-git-crypt/hugochat_db_password
diff --git a/newinfra/secrets-git-crypt/killua_env b/secrets-git-crypt/killua_env
similarity index 100%
rename from newinfra/secrets-git-crypt/killua_env
rename to secrets-git-crypt/killua_env
diff --git a/newinfra/secrets-git-crypt/loki_env b/secrets-git-crypt/loki_env
similarity index 100%
rename from newinfra/secrets-git-crypt/loki_env
rename to secrets-git-crypt/loki_env
diff --git a/newinfra/secrets-git-crypt/minio_env_file b/secrets-git-crypt/minio_env_file
similarity index 100%
rename from newinfra/secrets-git-crypt/minio_env_file
rename to secrets-git-crypt/minio_env_file
diff --git a/newinfra/secrets-git-crypt/openolat_db_password b/secrets-git-crypt/openolat_db_password
similarity index 100%
rename from newinfra/secrets-git-crypt/openolat_db_password
rename to secrets-git-crypt/openolat_db_password
diff --git a/newinfra/secrets-git-crypt/registry_htpasswd b/secrets-git-crypt/registry_htpasswd
similarity index 100%
rename from newinfra/secrets-git-crypt/registry_htpasswd
rename to secrets-git-crypt/registry_htpasswd
diff --git a/newinfra/secrets-git-crypt/registry_s3_key_secret b/secrets-git-crypt/registry_s3_key_secret
similarity index 100%
rename from newinfra/secrets-git-crypt/registry_s3_key_secret
rename to secrets-git-crypt/registry_s3_key_secret
diff --git a/newinfra/secrets-git-crypt/s3_mc_admin_client b/secrets-git-crypt/s3_mc_admin_client
similarity index 100%
rename from newinfra/secrets-git-crypt/s3_mc_admin_client
rename to secrets-git-crypt/s3_mc_admin_client
diff --git a/newinfra/secrets-git-crypt/upload_files_s3_secret b/secrets-git-crypt/upload_files_s3_secret
similarity index 100%
rename from newinfra/secrets-git-crypt/upload_files_s3_secret
rename to secrets-git-crypt/upload_files_s3_secret
diff --git a/newinfra/secrets-git-crypt/wg_private_dns1 b/secrets-git-crypt/wg_private_dns1
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_dns1
rename to secrets-git-crypt/wg_private_dns1
diff --git a/newinfra/secrets-git-crypt/wg_private_dns2 b/secrets-git-crypt/wg_private_dns2
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_dns2
rename to secrets-git-crypt/wg_private_dns2
diff --git a/newinfra/secrets-git-crypt/wg_private_vps1 b/secrets-git-crypt/wg_private_vps1
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_vps1
rename to secrets-git-crypt/wg_private_vps1
diff --git a/secrets-git-crypt/wg_private_vps2 b/secrets-git-crypt/wg_private_vps2
new file mode 100644
index 0000000..77cd133
Binary files /dev/null and b/secrets-git-crypt/wg_private_vps2 differ
diff --git a/newinfra/secrets-git-crypt/wg_private_vps3 b/secrets-git-crypt/wg_private_vps3
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_vps3
rename to secrets-git-crypt/wg_private_vps3
diff --git a/newinfra/secrets-git-crypt/wg_private_vps4 b/secrets-git-crypt/wg_private_vps4
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_vps4
rename to secrets-git-crypt/wg_private_vps4
diff --git a/newinfra/secrets-git-crypt/wg_private_vps5 b/secrets-git-crypt/wg_private_vps5
similarity index 100%
rename from newinfra/secrets-git-crypt/wg_private_vps5
rename to secrets-git-crypt/wg_private_vps5
diff --git a/newinfra/secrets-git-crypt/widetom_bot_token b/secrets-git-crypt/widetom_bot_token
similarity index 100%
rename from newinfra/secrets-git-crypt/widetom_bot_token
rename to secrets-git-crypt/widetom_bot_token
diff --git a/newinfra/secrets-git-crypt/widetom_config.toml b/secrets-git-crypt/widetom_config.toml
similarity index 100%
rename from newinfra/secrets-git-crypt/widetom_config.toml
rename to secrets-git-crypt/widetom_config.toml
diff --git a/secrets/cors-school/bot.env b/secrets/cors-school/bot.env
deleted file mode 100644
index b3a54fd..0000000
Binary files a/secrets/cors-school/bot.env and /dev/null differ
diff --git a/secrets/cors-school/db.env b/secrets/cors-school/db.env
deleted file mode 100644
index 6954a69..0000000
Binary files a/secrets/cors-school/db.env and /dev/null differ
diff --git a/secrets/cors-school/server.env b/secrets/cors-school/server.env
deleted file mode 100644
index 44ecd71..0000000
Binary files a/secrets/cors-school/server.env and /dev/null differ
diff --git a/secrets/karin-bot/.env b/secrets/karin-bot/.env
deleted file mode 100644
index 1440911..0000000
Binary files a/secrets/karin-bot/.env and /dev/null differ
diff --git a/secrets/minecraft/.env b/secrets/minecraft/.env
deleted file mode 100644
index 86936a7..0000000
Binary files a/secrets/minecraft/.env and /dev/null differ
diff --git a/secrets/vps1.env b/secrets/vps1.env
deleted file mode 100644
index bdcfc28..0000000
Binary files a/secrets/vps1.env and /dev/null differ
diff --git a/secrets/vps2.env b/secrets/vps2.env deleted file mode 100644 index bdcfc28..0000000 Binary files a/secrets/vps2.env and /dev/null differ diff --git a/shell.nix b/shell.nix index e845754..896485e 100644 --- a/shell.nix +++ b/shell.nix @@ -1,9 +1,6 @@ { pkgs ? import { } }: pkgs.mkShell { packages = with pkgs; [ - ansible - ansible-lint awscli - certbot colmena dig openssl diff --git a/newinfra/update-my-projects.mjs b/update-my-projects.mjs similarity index 100% rename from newinfra/update-my-projects.mjs rename to update-my-projects.mjs diff --git a/vps2/Caddyfile b/vps2/Caddyfile deleted file mode 100644 index f5e1903..0000000 --- a/vps2/Caddyfile +++ /dev/null @@ -1,47 +0,0 @@ -{ - email nilstrieb@gmail.com -} - -# https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3 -(cors) { - @cors_preflight{args.0} method OPTIONS - @cors{args.0} header Origin {args.0} - - handle @cors_preflight{args.0} { - header { - Access-Control-Allow-Origin "{args.0}" - Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" - Access-Control-Allow-Credentials "false" - Access-Control-Allow-Headers "${args.1}" - Access-Control-Max-Age "86400" - defer - } - respond "" 204 - } - - handle @cors{args.0} { - header { - Access-Control-Allow-Origin "{args.0}" - Access-Control-Expose-Headers * - defer - } - } -} - -vps2.nilstrieb.dev { - root * /var/www/html/debug - file_server -} - -old-docker.noratrieb.dev { - reverse_proxy * localhost:5000 -} - -api.cors-school.nilstrieb.dev { - import cors https://cors-school.nilstrieb.dev "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,token,refresh-token,Authorization" - reverse_proxy * localhost:5003 -} - -cors-school.nilstrieb.dev { - reverse_proxy * localhost:5004 -} diff --git a/vps2/backup.sh b/vps2/backup.sh deleted file mode 100755 index 560d54b..0000000 --- a/vps2/backup.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/usr/bin/env bash - -set -euxo pipefail - -BUCKET=nilstrieb-backups -PREFIX="1/$(date --rfc-3339 seconds --utc)" - -cd /apps - -function upload_file { - local file="$1" - local tmppath - tmppath="$(mktemp)" - - cp "$file" "$tmppath" - xz "$tmppath" - aws s3api put-object --bucket "$BUCKET" --key "${PREFIX}/${file}.xz" --body "${tmppath}.xz" - - rm "$tmppath.xz" -} - -function upload_pg_dump { - local appname="$1" - local containername="$2" - local dbname="$3" - local username="$4" - local tmppath - tmppath="$(mktemp)" - - docker exec "$containername" pg_dump --format=custom --file /tmp/db.bak --host "127.0.0.1" --dbname "$dbname" --username "$username" - docker cp "$containername:/tmp/db.bak" "$tmppath" - xz "$tmppath" - aws s3api put-object --bucket "$BUCKET" --key "${PREFIX}/$appname/postgres.bak.xz" --body "$tmppath.xz" - - docker exec "$containername" rm "/tmp/db.bak" - rm "$tmppath.xz" -} - -function upload_dump_mongo { - local appname="$1" - local containername="$2" - local usernamepassword="$3" - local tmppath - tmppath="$(mktemp)" - - docker exec "$containername" mongodump --archive=/tmp/db.bak --uri="mongodb://${usernamepassword}@127.0.0.1:27017" - docker cp "$containername:/tmp/db.bak" "$tmppath" - xz "$tmppath" - aws s3api put-object --bucket "$BUCKET" --key "${PREFIX}/$appname/db.bak.xz" --body "$tmppath.xz" - - docker exec "$containername" rm "/tmp/db.bak" - rm "$tmppath.xz" -} - -function upload_directory { - local appname="$1" - local directory="$2" - local filename="$3" - local tmppath - tmppath="$(mktemp)" - - tar -cJf "$tmppath" "$directory" - aws s3api put-object --bucket "$BUCKET" --key "${PREFIX}/$appname/$filename" --body "$tmppath" - - rm "$tmppath" -} - -upload_pg_dump "cors-school" "cors-school-db" "davinci" "postgres" - -# shellcheck disable=SC1091 -source "karin-bot/.env" -upload_dump_mongo "karin-bot" "karin-bot-db" "$MONGO_INITDB_ROOT_USERNAME:$MONGO_INITDB_ROOT_PASSWORD" - -upload_directory "openolat" 
"openolat/olatdata" "olatdata.tar.xz" - -echo "Finished backup!" diff --git a/vps2/docker-compose.yml b/vps2/docker-compose.yml deleted file mode 100644 index b66cc6c..0000000 --- a/vps2/docker-compose.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -version: "3.8" -services: - #### Karin - karin_bot_db: - container_name: karin-bot-db - image: "mongo:latest" - restart: always - volumes: - - "/apps/karin-bot/data:/data/db" - environment: - RUST_LOG: info - PRETTY: "true" - env_file: - - "/apps/karin-bot/.env" - networks: - - karin-bot - deploy: - resources: - limits: - cpus: "0.5" - memory: 500M - karin_bot: - container_name: karin-bot - image: "docker.noratrieb.dev/discord-court-bot:921be642" - restart: always - env_file: - - "/apps/karin-bot/.env" - environment: - DB_NAME: court_bot - MONGO_URI: "mongodb://karin-bot-db:27017" - RUST_LOG: INFO - PRETTY: "false" - networks: - - karin-bot - #### Cors School - cors_school_db: - container_name: cors-school-db - image: "postgres:latest" - restart: always - volumes: - - "/apps/cors-school/data:/var/lib/postgresql/data" - env_file: - # POSTGRES_PASSWORD=PASSWORD - - "/apps/cors-school/db.env" - environment: - POSTGRES_DB: davinci - PGDATA: "/var/lib/postgresql/data/pgdata" - networks: - - cors-school - cors_school_server: - container_name: cors-school-server - image: "docker.noratrieb.dev/cors-school-server:bef75a80" - restart: always - env_file: - # DATABASE_URL=postgres://postgres:PASSWORD@cors-school-db/davinci - # JWT_SECRET=secret - - "/apps/cors-school/server.env" - environment: - RUST_LOG: info - networks: - - cors-school - ports: - - "5003:8080" - cors_school_client: - container_name: cors-school-client - image: "docker.noratrieb.dev/cors-school-client:bef75a80" - restart: always - ports: - - "5004:80" - cors_school_bot: - container_name: cors-school-bot - image: "docker.noratrieb.dev/cors-school-bot:bef75a80" - restart: always - volumes: - # DISCORD_TOKEN= - # CORS_API_TOKEN= - - "/apps/cors-school/bot.env:/.env" - environment: - APPLICATION_ID: "867725027080142870" - RUST_LOG: info - BACKEND_URL: "http://cors-school-server:8080/api" - networks: - - cors-school - # minecraft_server: - # container_name: minecraft-server - # image: 
itzg/minecraft-server:latest - # restart: always - # environment: - # - TYPE=VANILLA - # - VERSION=1.20.1 - # - DIFFICULTY=HARD - # - EULA=TRUE - # - MOTD=baden - # - MEMORY=6G - # - MODE=creative - # - PVP=true - # - SERVER_NAME=hallenbad - # - USE_AIKAR_FLAGS=true - # env_file: - # # For example, storing the WHITELIST and OPS - # - /apps/minecraft/.env - # ports: - # - "25565:25565" - # volumes: - # - /apps/minecraft/server:/data - -networks: - cors-school: - karin-bot: