89 files changed, 2706 insertions, 1643 deletions

diff --git a/.sops.yaml b/.sops.yaml
index 948383b2..a65dca8e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,6 +8,12 @@ creation_rules:
   - path_regex: ^hosts/surtr/email/ca
     key_groups:
       - age: [ *admin_gkleen ]
+  - path_regex: ^home-modules/lmu-hausschrift/
+    key_groups:
+      - age: [ *admin_gkleen ]
+  - path_regex: ^accounts/gkleen@sif/
+    key_groups:
+      - age: [ *admin_gkleen ]
   - path_regex: surtr\/?[^\/]*$
     key_groups:
       - age: [ *admin_gkleen, *machine_surtr ]
diff --git a/_sources/generated.json b/_sources/generated.json
index be1e12e9..4498b987 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -22,7 +22,7 @@
     },
     "bpf-examples": {
         "cargoLocks": null,
-        "date": "2025-03-06",
+        "date": "2025-07-04",
         "extract": null,
         "name": "bpf-examples",
         "passthru": null,
@@ -34,12 +34,12 @@
             "name": null,
             "owner": "xdp-project",
             "repo": "bpf-examples",
-            "rev": "64e7da048b14822bef06f3971189c4c0985422e7",
-            "sha256": "sha256-cyyRNvU35ujxkLraOqw2oiZwUblBpJaEncPl2++VHL4=",
+            "rev": "588d0064f575e58878f27bfa7eb52e460150dc6a",
+            "sha256": "sha256-8wp2lfp7RQYmMJmHp0hzpCYQXj6hQXDIIKhpiCBYTt0=",
             "sparseCheckout": [],
             "type": "github"
         },
-        "version": "64e7da048b14822bef06f3971189c4c0985422e7"
+        "version": "588d0064f575e58878f27bfa7eb52e460150dc6a"
     },
     "emacs-scratch_el": {
         "cargoLocks": null,
@@ -91,11 +91,11 @@
         "passthru": null,
         "pinned": false,
         "src": {
-            "sha256": "sha256-afJuTByGUMU6kFqGGa3pbPaFVdYGcJYiR0RfDNYNgDk=",
+            "sha256": "sha256-GCtcIXGrMH6LOKxjnB2SkUSChQnMj5d939i2atvqK+Q=",
             "type": "tarball",
-            "url": "https://github.com/wofr06/lesspipe/archive/refs/tags/v2.17.tar.gz"
+            "url": "https://github.com/wofr06/lesspipe/archive/refs/tags/v2.18.tar.gz"
         },
-        "version": "2.17"
+        "version": "2.18"
     },
     "mako": {
         "cargoLocks": null,
@@ -327,11 +327,11 @@
         "passthru": null,
         "pinned": false,
         "src": {
-            "sha256": "sha256-Nz/lBhQbzWSnOKN4n0OUdJzDTpf3mfY0+FXoCqF03TU=",
+            "sha256": "sha256-JDKt+MzxxyaFWnzuq/7FfT/JPUknH/RRw4Cb8XDOtlk=",
             "type": "tarball",
-            "url": "https://github.com/hansmi/prometheus-lvm-exporter/archive/refs/tags/v0.4.0.tar.gz"
+            "url": "https://github.com/hansmi/prometheus-lvm-exporter/archive/refs/tags/v0.6.0.tar.gz"
         },
-        "version": "0.4.0"
+        "version": "0.6.0"
     },
     "psql-versioning": {
         "cargoLocks": null,
@@ -397,7 +397,7 @@
     },
     "swayosd": {
         "cargoLocks": null,
-        "date": "2025-04-20",
+        "date": "2025-07-07",
         "extract": null,
         "name": "swayosd",
         "passthru": null,
@@ -407,13 +407,13 @@
             "fetchSubmodules": false,
             "leaveDotGit": false,
             "name": null,
-            "rev": "ce1f34d80a7f8b4393a5551ea0535bd8beabb28c",
-            "sha256": "sha256-Z9c/5jKxs5ctUuVu7g+BXA1Wy4lyZLpGATtj2jd84jI=",
+            "rev": "73aed75146b81aaf67c4301353790ff5a17aed1f",
+            "sha256": "sha256-p31HNelptAw7Sk0NmYP4FkoUCdA5uAsrXC20JJp24Vw=",
             "sparseCheckout": [],
             "type": "git",
             "url": "https://github.com/ErikReider/SwayOSD"
         },
-        "version": "ce1f34d80a7f8b4393a5551ea0535bd8beabb28c"
+        "version": "73aed75146b81aaf67c4301353790ff5a17aed1f"
     },
     "tomorrow-night-paradise-theme": {
         "cargoLocks": null,
@@ -437,7 +437,7 @@
     },
     "v4l2loopback": {
         "cargoLocks": null,
-        "date": "2025-04-29",
+        "date": "2025-07-08",
         "extract": null,
         "name": "v4l2loopback",
         "passthru": null,
@@ -449,16 +449,16 @@
             "name": null,
             "owner": "umlaeute",
             "repo": "v4l2loopback",
-            "rev": "8d806ad688961d8840081a609c39d1a82d296b24",
-            "sha256": "sha256-zuE/qFI8QCWCePmHWjTIPTh2KzmDkwQ2uj5C1dAwo1c=",
+            "rev": "e3fb6825ebb4bc6da2e15a515e24769d76c93332",
+            "sha256": "sha256-cgxdWuIwmNaOIYmMA1mEvC+1FQFhTGsffVv71md5yXo=",
             "sparseCheckout": [],
             "type": "github"
         },
-        "version": "8d806ad688961d8840081a609c39d1a82d296b24"
+        "version": "e3fb6825ebb4bc6da2e15a515e24769d76c93332"
     },
     "xcompose": {
         "cargoLocks": null,
-        "date": "2025-03-11",
+        "date": "2025-06-05",
         "extract": null,
         "name": "xcompose",
         "passthru": null,
@@ -470,12 +470,12 @@
             "name": null,
             "owner": "kragen",
             "repo": "xcompose",
-            "rev": "8b5a6a0c788fd0a4b921d9d3737174defb863873",
-            "sha256": "sha256-6EjQErdBOd5hqcrdaf88E1UZVYIc3FOfv34hvUwOWdA=",
+            "rev": "4d8eab4d05a19537ce79294ae0459fdae78ffb20",
+            "sha256": "sha256-vKY4u5Z2IL111orLLkkF4AoVzqluKG/VQhNUUCqO/k8=",
             "sparseCheckout": [],
             "type": "github"
         },
-        "version": "8b5a6a0c788fd0a4b921d9d3737174defb863873"
+        "version": "4d8eab4d05a19537ce79294ae0459fdae78ffb20"
     },
     "yt-dlp": {
         "cargoLocks": null,
@@ -486,10 +486,10 @@
         "pinned": false,
         "src": {
             "name": null,
-            "sha256": "sha256-0BNn0MOulONcseLsy3p8cOGBxMpEj07iN08mSJ0mNgM=",
+            "sha256": "sha256-bQroVcClW/zCjf+6gE7IUlublV00pBGRoVYaTOwD2L0=",
             "type": "url",
-            "url": "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.4.30.tar.gz"
+            "url": "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.6.30.tar.gz"
         },
-        "version": "2025.4.30"
+        "version": "2025.6.30"
     }
 }
\ No newline at end of file
diff --git a/_sources/generated.nix b/_sources/generated.nix
index ff85bc0d..f470ad9e 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -18,15 +18,15 @@
   };
   bpf-examples = {
     pname = "bpf-examples";
-    version = "64e7da048b14822bef06f3971189c4c0985422e7";
+    version = "588d0064f575e58878f27bfa7eb52e460150dc6a";
     src = fetchFromGitHub {
       owner = "xdp-project";
       repo = "bpf-examples";
-      rev = "64e7da048b14822bef06f3971189c4c0985422e7";
+      rev = "588d0064f575e58878f27bfa7eb52e460150dc6a";
       fetchSubmodules = true;
-      sha256 = "sha256-cyyRNvU35ujxkLraOqw2oiZwUblBpJaEncPl2++VHL4=";
+      sha256 = "sha256-8wp2lfp7RQYmMJmHp0hzpCYQXj6hQXDIIKhpiCBYTt0=";
     };
-    date = "2025-03-06";
+    date = "2025-07-04";
   };
   emacs-scratch_el = {
     pname = "emacs-scratch_el";
@@ -53,10 +53,10 @@
   };
   lesspipe = {
     pname = "lesspipe";
-    version = "2.17";
+    version = "2.18";
     src = fetchTarball {
-      url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v2.17.tar.gz";
-      sha256 = "sha256-afJuTByGUMU6kFqGGa3pbPaFVdYGcJYiR0RfDNYNgDk=";
+      url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v2.18.tar.gz";
+      sha256 = "sha256-GCtcIXGrMH6LOKxjnB2SkUSChQnMj5d939i2atvqK+Q=";
     };
   };
   mako = {
@@ -196,10 +196,10 @@
   };
   prometheus-lvm-exporter = {
     pname = "prometheus-lvm-exporter";
-    version = "0.4.0";
+    version = "0.6.0";
     src = fetchTarball {
-      url = "https://github.com/hansmi/prometheus-lvm-exporter/archive/refs/tags/v0.4.0.tar.gz";
-      sha256 = "sha256-Nz/lBhQbzWSnOKN4n0OUdJzDTpf3mfY0+FXoCqF03TU=";
+      url = "https://github.com/hansmi/prometheus-lvm-exporter/archive/refs/tags/v0.6.0.tar.gz";
+      sha256 = "sha256-JDKt+MzxxyaFWnzuq/7FfT/JPUknH/RRw4Cb8XDOtlk=";
     };
   };
   psql-versioning = {
@@ -242,17 +242,17 @@
   };
   swayosd = {
     pname = "swayosd";
-    version = "ce1f34d80a7f8b4393a5551ea0535bd8beabb28c";
+    version = "73aed75146b81aaf67c4301353790ff5a17aed1f";
     src = fetchgit {
       url = "https://github.com/ErikReider/SwayOSD";
-      rev = "ce1f34d80a7f8b4393a5551ea0535bd8beabb28c";
+      rev = "73aed75146b81aaf67c4301353790ff5a17aed1f";
       fetchSubmodules = false;
       deepClone = false;
       leaveDotGit = false;
       sparseCheckout = [ ];
-      sha256 = "sha256-Z9c/5jKxs5ctUuVu7g+BXA1Wy4lyZLpGATtj2jd84jI=";
+      sha256 = "sha256-p31HNelptAw7Sk0NmYP4FkoUCdA5uAsrXC20JJp24Vw=";
     };
-    date = "2025-04-20";
+    date = "2025-07-07";
   };
   tomorrow-night-paradise-theme = {
     pname = "tomorrow-night-paradise-theme";
@@ -270,34 +270,34 @@
   };
   v4l2loopback = {
     pname = "v4l2loopback";
-    version = "8d806ad688961d8840081a609c39d1a82d296b24";
+    version = "e3fb6825ebb4bc6da2e15a515e24769d76c93332";
     src = fetchFromGitHub {
       owner = "umlaeute";
       repo = "v4l2loopback";
-      rev = "8d806ad688961d8840081a609c39d1a82d296b24";
+      rev = "e3fb6825ebb4bc6da2e15a515e24769d76c93332";
       fetchSubmodules = true;
-      sha256 = "sha256-zuE/qFI8QCWCePmHWjTIPTh2KzmDkwQ2uj5C1dAwo1c=";
+      sha256 = "sha256-cgxdWuIwmNaOIYmMA1mEvC+1FQFhTGsffVv71md5yXo=";
     };
-    date = "2025-04-29";
+    date = "2025-07-08";
   };
   xcompose = {
     pname = "xcompose";
-    version = "8b5a6a0c788fd0a4b921d9d3737174defb863873";
+    version = "4d8eab4d05a19537ce79294ae0459fdae78ffb20";
     src = fetchFromGitHub {
       owner = "kragen";
       repo = "xcompose";
-      rev = "8b5a6a0c788fd0a4b921d9d3737174defb863873";
+      rev = "4d8eab4d05a19537ce79294ae0459fdae78ffb20";
       fetchSubmodules = false;
-      sha256 = "sha256-6EjQErdBOd5hqcrdaf88E1UZVYIc3FOfv34hvUwOWdA=";
+      sha256 = "sha256-vKY4u5Z2IL111orLLkkF4AoVzqluKG/VQhNUUCqO/k8=";
     };
-    date = "2025-03-11";
+    date = "2025-06-05";
   };
   yt-dlp = {
     pname = "yt-dlp";
-    version = "2025.4.30";
+    version = "2025.6.30";
     src = fetchurl {
-      url = "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.4.30.tar.gz";
-      sha256 = "sha256-0BNn0MOulONcseLsy3p8cOGBxMpEj07iN08mSJ0mNgM=";
+      url = "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.6.30.tar.gz";
+      sha256 = "sha256-bQroVcClW/zCjf+6gE7IUlublV00pBGRoVYaTOwD2L0=";
     };
   };
 }
diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
index e07362fc..a1a694ea 100644
--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -71,6 +71,7 @@ in {
       imports = [
         ./libvirt
         ./niri
+        ./synadm
         flakeInputs.nix-index-database.hmModules.nix-index
         flakeInputs.impermanence.nixosModules.home-manager.impermanence
       ];
@@ -171,6 +172,7 @@ in {
             };
           };
         };
+        chromium.enable = true;
 
         zathura = {
           enable = true;
@@ -282,6 +284,16 @@ in {
           pro = "$HOME/projects/pro";
           media = "$HOME/media";
         };
+        jq.colors = {
+          arrays = "1;37";
+          "false" = "0;37";
+          "null" = "2;37";
+          numbers = "0;37";
+          objectKeys = "1;34";
+          objects = "1;37";
+          strings = "0;32";
+          "true" = "0;37";
+        };
 
         obs-studio = {
           enable = true;
@@ -317,8 +329,10 @@ in {
             # notify_on_cmd_finish = "invisible 120";
           };
           keybindings = {
-            "kitty_mod+n" = "detach_window";
+            "kitty_mod+n" = "new_os_window_with_cwd";
             "kitty_mod+m" = "detach_window ask";
+            "kitty_mod+enter" = "new_window_with_cwd";
+            "kitty_mod+t" = "new_tab_with_cwd";
           };
         };
         fuzzel = {
@@ -331,7 +345,7 @@ in {
               font = "Fira Sans";
             };
             colors = {
-              background = "000000aa";
+              background = "000000cc";
               text = "cdd6f4ff";
               match = "94e2d5ff";
               selection = "585b70ff";
@@ -352,6 +366,7 @@ in {
           enable = true;
           settings.show_banner = false;
         };
+        fd.enable = true;
       };
 
       services = {
@@ -477,6 +492,13 @@ in {
         };
       };
 
+      qt.kde.settings = {
+        kwalletrc = {
+          KSecretD.Enabled = false;
+          Wallet."Default Wallet" = "store";
+        };
+      };
+
       xsession.preferStatusNotifierItems = true;
 
       xresources.properties = import ./xresources.nix;
@@ -488,16 +510,15 @@ in {
           wrappedYTMDesktop libsForQt5.qt5ct playerctl evince papers
           thunderbird zoom-us xdg-desktop-portal steam steam-run
           wireshark virt-manager rclone cached-nix-shell worktime
-          fira-code-symbols libreoffice xournalpp google-chrome
+          fira-code-symbols libreoffice xournalpp
           nixos-shell virt-viewer freerdp gnome-icon-theme
           paper-icon-theme sshpassSecret weechat element-desktop
           sieve-connect gimp3 inkscape udiskie glab nitrokey-app
           pynitrokey gtklock wlrctl remmina openscad spice-record
           libguestfs-with-appliance nerd-fonts.fira-mono
           nerd-fonts.symbols-only nerd-fonts.fira-code powerline-fonts
-          swtpm (hunspellWithDicts (with hunspellDicts; [en_GB-large de_DE]))
-          libation
-          # synadm
+          swtpm (hunspell.withDicts (dicts: with dicts; [en_GB-large de_DE]))
+          libation libqalculate
         ] ++ mapAttrsToList (_name: pkg: pkgs.callPackage pkg {}) (customUtils.nixImport { dir = ./utils; });
 
         file = {
@@ -520,6 +541,7 @@ in {
           STACK_XDG = 1;
           EDITOR = lib.getExe' editor "emacsclient";
           RCLONE_PASSWORD_COMMAND = "${lib.getExe' pkgs.libsecret "secret-tool"} lookup service rclone";
+          SYSTEMD_TINT_BACKGROUND = "false";
         };
 
         extraProfileCommands = ''
@@ -556,9 +578,17 @@ in {
             General = {
               dot_as_separator = 0;
             };
+            Mode = {
+              calculate_as_you_type = 1;
+            };
           };
         };
-        "emacs/init.el".source = ./emacs.el;
+        "emacs/init.el".source = pkgs.substitute {
+          src = ./emacs.el;
+          substitutions = [
+            "--subst-var-by" "ksshaskpass" (lib.getExe pkgs.kdePackages.ksshaskpass)
+          ];
+        };
         "systemd/user/xdg-desktop-portal.service.d/after-graphical-session.conf".text = ''
           [Unit]
           After=graphical-session.target
@@ -576,6 +606,8 @@ in {
       xdg.dataFile = {
         "dbus-1/services/org.keepassxc.KeePassXC.service".source = "${wrappedKeepassxc}/share/dbus-1/services/org.keepassxc.KeePassXC.service";
         "dbus-1/services/org.freedesktop.secrets.service.service".source = "${wrappedKeepassxc}/share/dbus-1/services/org.freedesktop.secrets.service.service";
+        "dbus-1/services/org.kde.kwalletd6.service".source = "${pkgs.kdePackages.kwallet}/share/dbus-1/services/org.kde.kwalletd6.service";
+        "dbus-1/services/org.kde.kwalletd5.service".source = "${pkgs.kdePackages.kwallet}/share/dbus-1/services/org.kde.kwalletd5.service";
         "emoji-data/list.txt".source = pkgs.stdenv.mkDerivation {
           inherit (sources.emoji-data) pname src;
           version = lib.removePrefix "v" sources.emoji-data.version;
@@ -663,11 +695,11 @@ in {
             exec -- \
               ${lib.getExe' config.systemd.package "systemd-run"} --wait --user --slice-inherit \
               --property 'CPUAccounting=yes' --property 'CPUQuotaPeriodSec=50ms' \
-              --property 'Environment=DSCP=46' \
-              -- ${lib.getExe pkgs.dscp} ${lib.getExe' pkgs.google-chrome "google-chrome-stable"} \
+              -E DSCP=46 -E NIXOS_OZONE_WL \
+              -- ${lib.getExe pkgs.dscp} ${lib.getExe cfg.programs.chromium.package} \
               --class=Rainbow \
-              --kiosk "https://web.openrainbow.com" \
-              --user-data-dir=''${HOME}/.config/google-chrome-rainbow
+              --app="https://web.openrainbow.com" \
+              --user-data-dir=''${HOME}/.config/chromium-rainbow
           '');
           icon = pkgs.fetchurl {
             url = "https://web.openrainbow.com/rb/2.139.17/assets/skins/rainbow/images/homepage/logo__rainbow.svg";
@@ -677,6 +709,42 @@ in {
             StartupWMClass = "Rainbow";
           };
         };
+        kimai = {
+          name = "Kimai";
+          exec = toString (pkgs.writeShellScript "kimai" ''
+            exec -- \
+              ${lib.getExe cfg.programs.chromium.package} \
+              --class=Kimai \
+              --app="https://kimai.yggdrasil.li" \
+              --user-data-dir=''${HOME}/.config/chromium-kimai
+          '');
+          icon = pkgs.fetchurl {
+            url = "https://www.kimai.org/images/kimai_logo.png";
+            hash = "sha256-lnlOttzR2SwXA70R+egJUkeKr4U5V0avqTk8uX4bqfs=";
+          };
+          settings = {
+            StartupWMClass = "Kimai";
+            StartupNotify = "true";
+          };
+        };
+        audiobookshelf = {
+          name = "Audiobookshelf";
+          exec = toString (pkgs.writeShellScript "audiobookshelf" ''
+            exec -- \
+              ${lib.getExe cfg.programs.chromium.package} \
+              --class=Audiobookshelf \
+              --app="https://audiobookshelf.yggdrasil.li" \
+              --user-data-dir=''${HOME}/.config/chromium-audiobookshelf
+          '');
+          icon = pkgs.fetchurl {
+            url = "https://www.audiobookshelf.org/Logo.png";
+            hash = "sha256-JGPk+WNT1C4DC4lSMb0K0YmAMT5LvmSOeO0QRzkc7Lk=";
+          };
+          settings = {
+            StartupWMClass = "Audiobookshelf";
+            StartupNotify = "true";
+          };
+        };
         thunderbird-lmu = {
           name = "Thunderbird (LMU)";
           exec = "thunderbird --name thunderbird -P lmu %U";
diff --git a/accounts/gkleen@sif/emacs.el b/accounts/gkleen@sif/emacs.el
index 563c5d0b..3beefba6 100644
--- a/accounts/gkleen@sif/emacs.el
+++ b/accounts/gkleen@sif/emacs.el
@@ -254,3 +254,5 @@ necessarily running."
 (bind-key "C-x C-m" #'move-file)
 
 (let ((ssh_auth_sock (string-chop-newline (shell-command-to-string "gpgconf --list-dirs agent-ssh-socket")))) (setenv "SSH_AUTH_SOCK" ssh_auth_sock))
+(setenv "SSH_ASKPASS_REQUIRE" "prefer")
+(setenv "SSH_ASKPASS" "@ksshaskpass@")
diff --git a/accounts/gkleen@sif/niri/default.nix b/accounts/gkleen@sif/niri/default.nix
index 924d3843..35a3d799 100644
--- a/accounts/gkleen@sif/niri/default.nix
+++ b/accounts/gkleen@sif/niri/default.nix
@@ -3,6 +3,7 @@ let
   cfg = config.programs.niri;
 
   kdl = flakeInputs.niri-flake.lib.kdl;
+  sleaf = name: arg: kdl.node name [arg] [];
 
   niri = cfg.package;
   terminal = lib.getExe config.programs.kitty.package;
@@ -35,7 +36,11 @@ let
           if jq -e '.is_focused' <<<"$window_json" >/dev/null; then
             niri msg action focus-workspace-previous
           else
-            niri msg action focus-window --id "$(jq -r '.id' <<<"$window_json")"
+            if [[ $(jq -r --arg workspace_name "$workspace_name" 'map(select(.name == $workspace_name)) | .[0].is_focused' <<<"$workspaces_json") != "true" ]] && [[ $(jq -r --arg workspace_name "$workspace_name" 'map(select(.name == $workspace_name)) | .[0].id' <<<"$workspaces_json") = $(jq -r '.workspace_id' <<<"$window_json") ]]; then
+                niri msg action focus-workspace "$workspace_name"
+            else
+                niri msg action focus-window --id "$(jq -r '.id' <<<"$window_json")"
+            fi
           fi
           exit 0
         fi
@@ -45,7 +50,6 @@ let
     '';
   };
   focus-or-spawn-action = config.lib.niri.actions.spawn (lib.getExe focus_or_spawn);
-  focus-or-spawn-action-app_id = app_id: focus-or-spawn-action ''select(.app_id == "${app_id}")'';
 
   with_adjacent_workspace = pkgs.writeShellApplication {
     name = "with-adjacent-workspace";
@@ -84,7 +88,7 @@ let
   };
   with-adjacent-workspace-action = config.lib.niri.actions.spawn (lib.getExe with_adjacent_workspace) "^${lib.concatMapStringsSep "|" ({ name, ...}: name) cfg.scratchspaces}$";
   focus-adjacent-workspace = direction: with-adjacent-workspace-action direction ''{"Action":{"FocusWorkspace":{"reference":{"Id": .id}}}}'';
-  move-column-to-adjacent-workspace = direction: with-adjacent-workspace-action direction ''{"Action":{"MoveColumnToWorkspace":{"reference":{"Id": .id}}}}'';
+  move-column-to-adjacent-workspace = direction: with-adjacent-workspace-action direction ''{"Action":{"MoveColumnToWorkspace":{"reference":{"Id": .id}, "focus": true}}}'';
 
   with_unnamed_workspace = pkgs.writeShellApplication {
     name = "with-unnamed-workspace";
@@ -131,7 +135,7 @@ let
 
       windows_json="$(niri msg -j windows)"
       active_workspace="$(jq -r '.[] | select(.is_focused) | .workspace_id' <<<"$windows_json")"
-      window_ix="$(gojq -r --arg active_workspace "$active_workspace" '.[] | select('"$window_select"') | "\(.title)\u0000icon\u001f\(.app_id)"' <<<"$windows_json" | fuzzel --log-level=warning --dmenu --index)"
+      window_ix="$(gojq -r --arg active_workspace "$active_workspace" '.[] | select('"$window_select"') | "\(.title)\u0000icon\u001f\(.app_id)"' <<<"$windows_json" | fuzzel --width=60 --log-level=warning --dmenu --index)"
       # shellcheck disable=SC2016
       window_json="$(gojq -rc --arg active_workspace "$active_workspace" --arg window_ix "$window_ix" 'map(select('"$window_select"')) | .[($window_ix | tonumber)]' <<<"$windows_json")"
 
@@ -141,6 +145,25 @@ let
     '';
   };
   with-select-window-action = config.lib.niri.actions.spawn (lib.getExe with_select_window);
+
+  with_predicate_window = pred: pkgs.writeShellApplication {
+    name = "with-predicate-window";
+    runtimeInputs = [ niri pkgs.gojq pkgs.socat ];
+    text = ''
+      action="$1"
+      shift
+
+      windows_json="$(niri msg -j windows)"
+      window_json="$(gojq -rc 'map(select(${pred})) | .[0]' <<<"$windows_json")"
+
+      [[ -z "$window_json" || $window_json = "null" ]] && exit 1
+
+      jq -c "$action" <<<"$window_json" | socat STDIO "$NIRI_SOCKET"
+    '';
+  };
+
+  with-urgent-window-action = config.lib.niri.actions.spawn (lib.getExe (with_predicate_window ".is_urgent"));
+  with-focused-window-action = config.lib.niri.actions.spawn (lib.getExe (with_predicate_window ".is_focused"));
 in {
   imports = [
     ./waybar.nix
@@ -171,6 +194,17 @@ in {
             type = lib.types.nullOr lib.types.str;
             default = null;
           };
+          moveKey = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = let
+              keys = lib.splitString "+" config.key;
+              defMoveKey = lib.concatStringsSep "+" (lib.flatten [
+                (lib.take (lib.length keys - 1) keys)
+                ["Shift"]
+                (lib.takeEnd 1 keys)
+              ]);
+            in if config.key == null then null else defMoveKey;
+          };
           spawn = lib.mkOption {
             type = lib.types.nullOr (lib.types.listOf lib.types.str);
             default = null;
@@ -416,8 +450,8 @@ in {
           { title = "^Access Request.*"; }
           { title = ".*Passkey credentials$"; }
         ];
-        windowRuleExtra = [
-          (kdl.leaf "open-focused" false)
+        windowRuleExtra = with kdl; [
+          (sleaf "open-focused" false)
         ];
         key = "Mod+Control+P";
         app-id = "org.keepassxc.KeePassXC";
@@ -444,6 +478,20 @@ in {
         app-id = "com.github.wwmm.easyeffects";
         spawn = [ "easyeffects" ];
       }
+      { name = "time";
+        key = "Mod+Control+K";
+        app-id = "chrome-kimai.yggdrasil.li__-Default";
+        spawn = [ (toString (pkgs.resholve.writeScript "kimai" {
+          interpreter = pkgs.runtimeShell;
+          inputs = [ pkgs.dex ];
+          execer = [ "cannot:${lib.getExe pkgs.dex}" ];
+        } ''
+          exec dex $HOME/.local/state/nix/profile/share/applications/kimai.desktop
+        '')) ];
+        windowRuleExtra = with kdl; [
+          (sleaf "block-out-from" "screencast")
+        ];
+      }
     ];
     programs.niri.config =
       let
@@ -453,10 +501,12 @@ in {
           then v
           else null;
         opt-props = lib.filterAttrs (lib.const (value: value != null));
+        normalize-nodes = nodes: lib.remove null (lib.flatten nodes);
       in
-        [ (flag "prefer-no-csd")
+        normalize-nodes [
+          (flag "prefer-no-csd")
 
-          (leaf "screenshot-path" "~/screenshots/%Y-%m-%dT%H:%M:%S.png")
+          (sleaf "screenshot-path" "~/screenshots/%Y-%m-%dT%H:%M:%S.png")
 
           (plain "hotkey-overlay" [
             (flag "skip-at-startup")
@@ -464,27 +514,27 @@ in {
 
           (plain "input" [
             (plain "keyboard" [
-              (leaf "repeat-delay" 300)
-              (leaf "repeat-rate" 50)
+              (sleaf "repeat-delay" 300)
+              (sleaf "repeat-rate" 50)
 
               (plain "xkb" [
-                (leaf "layout" "us,us")
-                (leaf "variant" "dvp,")
-                (leaf "options" "compose:caps,grp:win_space_toggle")
+                (sleaf "layout" "us,us")
+                (sleaf "variant" "dvp,")
+                (sleaf "options" "compose:caps,grp:win_space_toggle")
               ])
             ])
 
             (flag "workspace-auto-back-and-forth")
-            # (leaf "focus-follows-mouse" {})
+            # (sleaf "focus-follows-mouse" {})
             # (flag "warp-mouse-to-focus")
 
             # (plain "touchpad" [ (flag "off") ])
             (plain "trackball" [
-              (leaf "scroll-method" "on-button-down")
-              (leaf "scroll-button" 278)
+              (sleaf "scroll-method" "on-button-down")
+              (sleaf "scroll-button" 278)
             ])
             (plain "touch" [
-              (leaf "map-to-output" "eDP-1")
+              (sleaf "map-to-output" "eDP-1")
             ])
           ])
 
@@ -492,7 +542,7 @@ in {
             (plain "hot-corners" [(flag "off")])
           ])
 
-          (plain "environment" (lib.mapAttrsToList leaf {
+          (plain "environment" (lib.mapAttrsToList sleaf {
             NIXOS_OZONE_WL = "1";
             QT_QPA_PLATFORM = "wayland";
             QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
@@ -500,49 +550,52 @@ in {
             SDL_VIDEODRIVER = "wayland";
             DISPLAY = ":0";
             ELECTRON_OZONE_PLATFORM_HINT = "auto";
+            SSH_ASKPASS_REQUIRE = "prefer";
+            SSH_ASKPASS = lib.getExe pkgs.kdePackages.ksshaskpass;
+            SUDO_ASKPASS = lib.getExe pkgs.kdePackages.ksshaskpass;
           }))
 
-          (node "output" "eDP-1" [
-            (leaf "scale" 1.5)
-            (leaf "position" { x = 0; y = 0; })
+          (node "output" ["eDP-1"] [
+            (sleaf "scale" 1.5)
+            (sleaf "position" { x = 0; y = 0; })
           ])
-          (node "output" "Ancor Communications Inc ASUS PB287Q 0x0000DD9B" [
-            (leaf "scale" 1.5)
-            (leaf "position" { x = 2560; y = 0; })
+          (node "output" ["Ancor Communications Inc ASUS PB287Q 0x0000DD9B"] [
+            (sleaf "scale" 1.5)
+            (sleaf "position" { x = 2560; y = 0; })
           ])
-          (node "output" "HP Inc. HP 727pu CN4417143K" [
-            (leaf "mode" "2560x1440@119.998")
-            (leaf "scale" 1)
-            (leaf "position" { x = 2560; y = 0; })
+          (node "output" ["HP Inc. HP 727pu CN4417143K"] [
+            (sleaf "mode" "2560x1440@119.998")
+            (sleaf "scale" 1)
+            (sleaf "position" { x = 2560; y = 0; })
             (flag "variable-refresh-rate")
           ])
 
           (plain "debug" [
-            (leaf "render-drm-device" "/dev/dri/by-path/pci-0000:00:02.0-render")
+            (sleaf "render-drm-device" "/dev/dri/by-path/pci-0000:00:02.0-render")
           ])
 
           (plain "animations" [
-            (leaf "slowdown" 0.5)
+            (sleaf "slowdown" 0.5)
             (plain "workspace-switch" [(flag "off")])
           ])
 
           (plain "layout" [
-            (leaf "gaps" 8)
+            (sleaf "gaps" 8)
             (plain "struts" [
-              (leaf "left" 26)
-              (leaf "right" 26)
-              (leaf "top" 0)
-              (leaf "bottom" 0)
+              (sleaf "left" 26)
+              (sleaf "right" 26)
+              (sleaf "top" 0)
+              (sleaf "bottom" 0)
             ])
             (plain "border" [
-              (leaf "width" 2)
-              (leaf "active-gradient" {
+              (sleaf "width" 2)
+              (sleaf "active-gradient" {
                 from = "hsla(195 100% 45% 1)";
                 to = "hsla(155 100% 37.5% 1)";
                 angle = 29;
                 relative-to = "workspace-view";
               })
-              (leaf "inactive-gradient" {
+              (sleaf "inactive-gradient" {
                 from = "hsla(0 0% 27.7% 1)";
                 to = "hsla(0 0% 23% 1)";
                 angle = 29;
@@ -553,29 +606,29 @@ in {
               (flag "off")
             ])
 
-            (plain "preset-column-widths" (map (prop: leaf "proportion" prop) [
+            (plain "preset-column-widths" (map (prop: sleaf "proportion" prop) [
               (1. / 4.) (1. / 3.) (1. / 2.) (2. / 3.) (3. / 4.) (1.)
             ]))
-            (plain "default-column-width" [ (leaf "proportion" (1. / 2.)) ])
-            (plain "preset-window-heights" (map (prop: leaf "proportion" prop) [
+            (plain "default-column-width" [ (sleaf "proportion" (1. / 2.)) ])
+            (plain "preset-window-heights" (map (prop: sleaf "proportion" prop) [
               (1. / 3.) (1. / 2.) (2. / 3.) (1.)
             ]))
 
             (flag "always-center-single-column")
 
             (plain "tab-indicator" [
-              (leaf "gap" 4)
-              (leaf "width" 8)
-              (leaf "gaps-between-tabs" 4)
+              (sleaf "gap" 4)
+              (sleaf "width" 8)
+              (sleaf "gaps-between-tabs" 4)
               (flag "place-within-column")
-              (leaf "length" { total-proportion = 1.; })
-              (leaf "active-gradient" {
+              (sleaf "length" { total-proportion = 1.; })
+              (sleaf "active-gradient" {
                 from = "hsla(195 100% 60% 0.75)";
                 to = "hsla(155 100% 50% 0.75)";
                 angle = 29;
                 relative-to = "workspace-view";
               })
-              (leaf "inactive-gradient" {
+              (sleaf "inactive-gradient" {
                 from = "hsla(0 0% 42% 0.66)";
                 to = "hsla(0 0% 35% 0.66)";
                 angle = 29;
@@ -589,129 +642,140 @@ in {
           ])
 
           (map (name:
-            (node "workspace" name [
-              (leaf "open-on-output" "eDP-1")
+            (node "workspace" [name] [
+              (sleaf "open-on-output" "eDP-1")
             ])
           ) (map ({name, ...}: name) cfg.scratchspaces))
           (map (name:
-            (leaf "workspace" name)
+            (sleaf "workspace" name)
           ) ["comm" "web" "vid" "bmr"])
 
           (plain "window-rule" [
-            (leaf "clip-to-geometry" true)
+            (sleaf "clip-to-geometry" true)
           ])
 
           (plain "window-rule" [
-            (leaf "match" { is-floating = true; })
-            (leaf "geometry-corner-radius" 8)
+            (sleaf "match" { is-floating = true; })
+            (sleaf "geometry-corner-radius" 8)
             (plain "shadow" [ (flag "on") ])
           ])
 
           (plain "window-rule" [
-            (leaf "match" { app-id = "^org\\.keepassxc\\.KeePassXC$"; })
-            (leaf "block-out-from" "screencast")
+            (sleaf "match" { app-id = "^org\\.keepassxc\\.KeePassXC$"; })
+            (sleaf "block-out-from" "screencast")
           ])
-          (plain "window-rule" [
+          (plain "window-rule" (normalize-nodes [
             (map (title:
-              (leaf "match" { app-id = "^org\\.keepassxc\\.KeePassXC$"; inherit title; })
-            ) ["^Unlock Database.*" "^Access Request.*" ".*Passkey credentials$"])
-            (leaf "open-focused" true)
-            (leaf "open-floating" true)
-          ])
+              (sleaf "match" { app-id = "^org\\.keepassxc\\.KeePassXC$"; inherit title; })
+            ) ["^Unlock Database.*" "^Access Request.*" ".*Passkey credentials$" "Browser Access Request$"])
+            (sleaf "open-focused" true)
+            (sleaf "open-floating" true)
+          ]))
 
           (map ({ name, match, exclude, windowRuleExtra, ... }:
-            (optional-node (match != []) (plain "window-rule" [
-              (map (leaf "match") match)
-              (map (leaf "exclude") exclude)
-              (leaf "open-on-workspace" name)
-              (leaf "open-maximized" true)
+            (optional-node (match != []) (plain "window-rule" (normalize-nodes [
+              (map (sleaf "match") match)
+              (map (sleaf "exclude") exclude)
+              (sleaf "open-on-workspace" name)
+              (sleaf "open-maximized" true)
               windowRuleExtra
-            ]))
+            ])))
           ) cfg.scratchspaces)
 
           (plain "window-rule" [
-            (leaf "match" { app-id = "^emacs$"; })
-            (leaf "match" { app-id = "^firefox$"; })
-            (plain "default-column-width" [(leaf "proportion" (2. / 3.))])
+            (sleaf "match" { app-id = "^emacs$"; })
+            (sleaf "match" { app-id = "^firefox$"; })
+            (plain "default-column-width" [(sleaf "proportion" (2. / 3.))])
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^kitty$"; })
-            (leaf "match" { app-id = "^kitty-play$"; })
-            (plain "default-column-width" [(leaf "proportion" (1. / 3.))])
+            (sleaf "match" { app-id = "^kitty$"; })
+            (sleaf "match" { app-id = "^kitty-play$"; })
+            (plain "default-column-width" [(sleaf "proportion" (1. / 3.))])
           ])
 
           (plain "window-rule" [
-            (leaf "match" { app-id = "^thunderbird$"; })
-            (leaf "match" { app-id = "^Element$"; })
-            (leaf "match" { app-id = "^Rainbow$"; })
-            (leaf "open-on-workspace" "comm")
+            (sleaf "match" { app-id = "^thunderbird$"; })
+            (sleaf "match" { app-id = "^Element$"; })
+            (sleaf "match" { app-id = "^chrome-web\.openrainbow\.com__-Default$"; })
+            (sleaf "open-on-workspace" "comm")
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^firefox$"; })
-            (leaf "open-on-workspace" "web")
-            (leaf "open-maximized" true)
+            (sleaf "match" { app-id = "^firefox$"; })
+            (sleaf "open-on-workspace" "web")
+            (sleaf "open-maximized" true)
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^mpv$"; })
-            (leaf "open-on-workspace" "vid")
-            (plain "default-column-width" [(leaf "proportion" 1.)])
+            (sleaf "match" { app-id = "^mpv$"; })
+            (sleaf "open-on-workspace" "vid")
+            (plain "default-column-width" [(sleaf "proportion" 1.)])
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^kitty-play$"; })
-            (leaf "open-on-workspace" "vid")
-            (leaf "open-focused" false)
+            (sleaf "match" { app-id = "^kitty-play$"; })
+            (sleaf "open-on-workspace" "vid")
+            (sleaf "open-focused" false)
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^pdfpc$"; })
-            (plain "default-column-width" [(leaf "proportion" 1.)])
+            (sleaf "match" { app-id = "^chrome-audiobookshelf\.yggdrasil\.li__-Default$"; })
+            (sleaf "match" { app-id = "^YouTube Music Desktop App$"; })
+            (sleaf "open-on-workspace" "vid")
           ])
           (plain "window-rule" [
-            (leaf "match" { app-id = "^pdfpc$"; title = "^.*presentation.*$"; })
-            (plain "default-column-width" [(leaf "proportion" 1.)])
-            (leaf "open-fullscreen" true)
-            (leaf "open-on-workspace" "bmr")
-            (leaf "open-focused" false)
+            (sleaf "match" { app-id = "^pdfpc$"; })
+            (plain "default-column-width" [(sleaf "proportion" 1.)])
           ])
           (plain "window-rule" [
-            (map (leaf "match") [
+            (sleaf "match" { app-id = "^pdfpc$"; title = "^.*presentation.*$"; })
+            (plain "default-column-width" [(sleaf "proportion" 1.)])
+            (sleaf "open-fullscreen" true)
+            (sleaf "open-on-workspace" "bmr")
+            (sleaf "open-focused" false)
+          ])
+          (plain "window-rule" (normalize-nodes [
+            (map (sleaf "match") [
               { app-id = "^Gimp-"; title = "^Quit GIMP$"; }
               { app-id = "^org\\.kde\\.polkit-kde-authentication-agent-1$"; }
               { app-id = "^xdg-desktop-portal-gtk$"; }
             ])
-            (leaf "open-floating" true)
-          ])
+            (sleaf "open-floating" true)
+          ]))
           (plain "window-rule" [
-            (leaf "match" { app-id = "^org\\.pwmt\\.zathura$"; })
-            (leaf "match" { app-id = "^evince$"; })
-            (leaf "match" { app-id = "^org\\.gnome\\.Papers$"; })
-            (leaf "default-column-display" "tabbed")
+            (sleaf "match" { app-id = "^org\\.pwmt\\.zathura$"; })
+            (sleaf "match" { app-id = "^evince$"; })
+            (sleaf "match" { app-id = "^org\\.gnome\\.Papers$"; })
+            (sleaf "default-column-display" "tabbed")
           ])
 
           (plain "layer-rule" [
-            (leaf "match" { namespace = "^notifications$"; })
-            (leaf "match" { namespace = "^waybar$"; })
-            (leaf "match" { namespace = "^launcher$"; })
-            (leaf "block-out-from" "screencast")
+            (sleaf "match" { namespace = "^notifications$"; })
+            (sleaf "match" { namespace = "^waybar$"; })
+            (sleaf "match" { namespace = "^launcher$"; })
+            (sleaf "block-out-from" "screencast")
           ])
 
           (plain "binds"
             (let
-              bind = name: cfg: node name (opt-props {
-                cooldown-ms = cfg.cooldown-ms or null;
-              }
-              // (lib.optionalAttrs (!(cfg.repeat or true)) {
-                repeat = false;
-              })
-              // (lib.optionalAttrs (cfg.allow-when-locked or false) {
-                allow-when-locked = true;
-              })) (lib.mapAttrsToList leaf (lib.removeAttrs cfg.action ["__functor"]));
+              bind = name: cfg: node name [(lib.removeAttrs cfg ["action"])] (lib.mapAttrsToList leaf (lib.removeAttrs cfg.action ["__functor"]));
             in
-              [
+              normalize-nodes [
                 (lib.mapAttrsToList bind (with config.lib.niri.actions; {
                   "Mod+Slash".action = show-hotkey-overlay;
 
                   "Mod+Return".action = spawn terminal;
-                  "Mod+Shift+Return".action = spawn terminal (lib.getExe config.programs.nushell.package);
+                  "Mod+Shift+Return".action =
+                    let
+                      nushellKitty = pkgs.symlinkJoin {
+                        name = "nushell-kitty";
+                        paths = [ config.programs.kitty.package ];
+                        buildInputs = [ pkgs.makeWrapper ];
+                        postBuild = ''
+                          wrapProgram $out/bin/kitty \
+                            --add-flags "--config ${pkgs.writeText "kitty.conf" ''
+                              include $HOME/${config.xdg.configFile."kitty/kitty.conf".target}
+                              shell ${lib.getExe config.programs.nushell.package}
+                            ''}"
+                        '';
+                      };
+                    in spawn (lib.getExe' nushellKitty "kitty");
                   "Mod+Q".action = close-window;
                   "Mod+O".action = spawn (lib.getExe config.programs.fuzzel.package);
                   "Mod+Shift+O".action = spawn (lib.getExe config.programs.fuzzel.package) "--list-executables-in-path";
@@ -747,12 +811,12 @@ in {
                         done < <(export LC_ALL=C.UTF-8; echo; find "$RESULTS_DIR" -type f -printf $'%T@ %p\n' | sort -n | cut -d' ' -f2- | xargs -r cat)
                         $FOUND || echo
                       }
-                      FUZZEL_RES=$(prev | fuzzel --dmenu --prompt "qalc> ") || exit $?
+                      FUZZEL_RES=$(prev | fuzzel --dmenu --prompt "qalc> " --width=60) || exit $?
                       if [[ "$FUZZEL_RES" =~ .*\ =\ .* ]]; then
                         QALC_RES="$FUZZEL_RES"
                         QALC_RET=0
                       else
-                        QALC_RES=$(qalc "$FUZZEL_RES" 2>&1)
+                        QALC_RES=$(qalc -set "autocalc off" "$FUZZEL_RES" 2>&1)
                         QALC_RET=$?
                       fi
                       [[ -n "$QALC_RES" ]] || exit 1
@@ -772,11 +836,26 @@ in {
                       notify-send "$QALC_RES"
                     '';
                   }));
+                  "Mod+Shift+U".action =
+                    let
+                      qalcKitty = pkgs.symlinkJoin {
+                        name = "qalc-kitty";
+                        paths = [ config.programs.kitty.package ];
+                        buildInputs = [ pkgs.makeWrapper ];
+                        postBuild = ''
+                          wrapProgram $out/bin/kitty \
+                            --add-flags "--config ${pkgs.writeText "kitty.conf" ''
+                              include $HOME/${config.xdg.configFile."kitty/kitty.conf".target}
+                              shell ${lib.getExe pkgs.libqalculate}
+                            ''}"
+                        '';
+                      };
+                    in spawn (lib.getExe' qalcKitty "kitty");
                   "Mod+E".action = spawn (lib.getExe (pkgs.writeShellApplication {
                     name = "emoji-fuzzel";
                     runtimeInputs = with pkgs; [ config.programs.fuzzel.package wtype wl-clipboard-rs ];
                     text = ''
-                      FUZZEL_RES=$(fuzzel --dmenu --prompt "emoji> " <"$HOME"/.local/share/emoji-data/list.txt) || exit $?
+                      FUZZEL_RES=$(fuzzel --dmenu --prompt "emoji> " --cache "$HOME"/.cache/fuzzel-emoji --width=60 <"$HOME"/.local/share/emoji-data/list.txt) || exit $?
                       [[ -n "$FUZZEL_RES" ]] || exit 1
                       wl-copy "$(cut -d ':' -f 1 <<<"$FUZZEL_RES" | tr -d '\n')" && wtype -k XF86Paste
                     '';
@@ -837,7 +916,7 @@ in {
                   "Mod+Shift+Asterisk".action = kdl.magic-leaf "move-column-to-workspace" "vid";
 
                   "Mod+Plus".action = with-unnamed-workspace-action ''{"Action":{"FocusWorkspace":{"reference":{"Id": .id}}}}'';
-                  "Mod+Shift+Plus".action = with-unnamed-workspace-action ''{"Action":{"MoveColumnToWorkspace":{"reference":{"Id": .id}}}}'';
+                  "Mod+Shift+Plus".action = with-unnamed-workspace-action ''{"Action":{"MoveColumnToWorkspace":{"reference":{"Id": .id}, "focus": true}}}'';
 
                   "Mod+M".action = consume-or-expel-window-left;
                   "Mod+W".action = consume-or-expel-window-right;
@@ -909,13 +988,20 @@ in {
                   "Mod+Comma".action = spawn makoctl "restore";
 
                   "Mod+Control+W".action = with-empty-unnamed-workspace-action "{\"Action\":{\"FocusWorkspace\":{\"reference\":{\"Id\": $workspace_id}}}}";
-                  "Mod+Control+Shift+W".action = with-empty-unnamed-workspace-action "{\"Action\":{\"MoveColumnToWorkspace\":{\"reference\":{\"Id\": $workspace_id}}}}";
+                  "Mod+Control+Shift+W".action = with-empty-unnamed-workspace-action "{\"Action\":{\"MoveColumnToWorkspace\":{\"reference\":{\"Id\": $workspace_id}, \"focus\": true}}}";
 
                   "Mod+X".action = set-dynamic-cast-window;
                   "Mod+Shift+X".action = set-dynamic-cast-monitor;
                   "Mod+Control+Shift+X".action = clear-dynamic-cast-target;
+
+                  "Mod+D".action = with-urgent-window-action "{\"Action\":{\"FocusWindow\":{\"id\": .id}}}";
+                  "Mod+Shift+D".action = with-focused-window-action "{\"Action\":{\"UnsetUrgent\":{\"id\": .id}}}";
+
+                  "Mod+K".action = spawn (lib.getExe' pkgs.worktime "worktime-ui");
+                  "Mod+Shift+K".action = spawn (lib.getExe' pkgs.worktime "worktime-stop");
                 }))
                 (map ({ name, selector, spawn, key, ...}: if key != null && selector != null && spawn != null then bind key { action = focus-or-spawn-action selector name spawn; } else null) cfg.scratchspaces)
+                (map ({ name, moveKey, ...}: if moveKey != null then bind moveKey { action = kdl.magic-leaf "move-column-to-workspace" name; } else null) cfg.scratchspaces)
               ]
             ))
         ];
diff --git a/accounts/gkleen@sif/niri/mako.nix b/accounts/gkleen@sif/niri/mako.nix
index 274441ab..eba26caa 100644
--- a/accounts/gkleen@sif/niri/mako.nix
+++ b/accounts/gkleen@sif/niri/mako.nix
@@ -21,9 +21,11 @@
         "urgency=critical".background-color = "#900000dd";
         "app-name=Element".group-by = "summary";
         "app-name=poweralertd" = {
+          history = false;
           ignore-timeout = true;
           default-timeout = 2000;
         };
+        "app-name=worktime".history = false;
         "mode=silent".invisible = true;
       };
       package = pkgs.symlinkJoin {
diff --git a/accounts/gkleen@sif/niri/waybar.nix b/accounts/gkleen@sif/niri/waybar.nix
index cc131c08..c02a9a76 100644
--- a/accounts/gkleen@sif/niri/waybar.nix
+++ b/accounts/gkleen@sif/niri/waybar.nix
@@ -27,8 +27,14 @@ in {
           modules-right = [ "custom/worktime" "custom/worktime-today"
             "custom/weather"
             "custom/keymap"
-            "privacy" "tray" "wireplumber" "backlight" "battery" "idle_inhibitor" "custom/mako" "clock" ];
+            "privacy" "tray" "wireplumber" "backlight" "battery" "idle_inhibitor" "custom/mako" "custom/lid_inhibitor" "clock" ];
 
+          "custom/lid_inhibitor" = {
+            format = "{}";
+            return-type = "json";
+            exec = lib.getExe pkgs.waybar-systemd-inhibit;
+            on-click = lib.getExe' pkgs.waybar-systemd-inhibit "waybar-systemd-inhibit-toggle";
+          };
           "custom/mako" = {
             format = "{}";
             return-type = "json";
@@ -211,7 +217,7 @@ in {
           layer = "top";
           position = "top";
           height = 14;
-          output = [ "!eDP-1" "!DP-2" "!DP-3" ];
+          output = [ "!eDP-1" "!DP-2" "!DP-3" "*" ];
           modules-left = [ "niri/workspaces" ];
           modules-center = [ "niri/window" ];
           modules-right = [ "clock" ];
@@ -293,7 +299,7 @@ in {
         #tray {
           margin: 0;
         }
-        #battery, #idle_inhibitor, #backlight, #wireplumber, #custom-mako {
+        #battery, #idle_inhibitor, #backlight, #wireplumber, #custom-mako, #custom-lid_inhibitor {
           color: @grey;
           margin: 0 5px 0 2px;
         }
@@ -302,7 +308,11 @@ in {
           margin-left: 6px;
         }
         #custom-mako {
-          margin-right: 2px;
+          margin-right: 4px;
+          margin-left: 3px;
+        }
+        #custom-lid_inhibitor {
+          margin-right: 3px;
           margin-left: 3px;
         }
         #battery {
@@ -330,7 +340,7 @@ in {
           color: @orange;
         }
 
-        #idle_inhibitor {
+        #idle_inhibitor, #custom-lid_inhibitor {
           padding-top: 1px;
         }
 
@@ -340,6 +350,7 @@ in {
         }
         #clock {
           /* margin-right: 5px; */
+          font-feature-settings: "tnum";
         }
       '';
     };
diff --git a/accounts/gkleen@sif/synadm/default.nix b/accounts/gkleen@sif/synadm/default.nix
new file mode 100644
index 00000000..0a8e0d4c
--- /dev/null
+++ b/accounts/gkleen@sif/synadm/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [ synadm ];
+  sops.secrets."synadm.yaml" = {
+    format = "binary";
+    sopsFile = ./synadm_yaml;
+    path = config.xdg.configHome + "/synadm.yaml";
+  };
+}
diff --git a/accounts/gkleen@sif/synadm/synadm_yaml b/accounts/gkleen@sif/synadm/synadm_yaml
new file mode 100644
index 00000000..8d951ccc
--- /dev/null
+++ b/accounts/gkleen@sif/synadm/synadm_yaml
@@ -0,0 +1,15 @@
+{
+        "data": "ENC[AES256_GCM,data:qJy4Pmbbxja4jmW7OaHsD0mQZ7anZwLhiVmAgkavb+CqwWGDnUBXdz22/MHCbxng5NshcFSpBoCBhgY6B9V2bUiES6bH9AtMlDcs9ebKGMArBTUTnQ2MjWQGfQTqraWdNgy+n327uj9swwCH8EZXdYH/Hlv0t/re470W+VOHeXhGghQ3Y9IGz2sgfvMGr8QxaJNydZz85rgs5QUP/PglCwWIOw2mY1EX2vYwnmiAo49LmIEaxWvRi++KHaeBveDt0nlkJwzUlipL2VOKWxkgpK3yGucQn2mz+FRe1btp+4KGm8H17eUI9FO9sBwq,iv:kgM921ovwCgDYHQj3c5Rupy/8JxHehxUD2jb1k9Ik2Y=,tag:3TLQkJbv679VWy8V2TMugw==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bzVHUGNxZTF2WC9MYmZr\neGdVVzJXN3lGdEk3cTBER3J6UTFtcUJna2d3CjdNQmRXd2haZW1MYlJzNkk1dWVD\nVTFQc2gvS0JrejJ6SFh2MXpPWDZpRE0KLS0tIE0wTC85bEpvSnlGdGFkZVFhNjFZ\nbzRiZkxMWUg2ODNVUlBmNFlPNGRrZlkK1VXLJWcssv3ETyZSSM/Hhn5VIaI9iov9\nzShZA9Zx/FX6PYTuUMC29pJ57gKourcIxa/7HwSv/xYn1A6WcYfgSg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-05-18T11:03:42Z",
+                "mac": "ENC[AES256_GCM,data:yonJC68PhilAgEHNNJQ8nO53Qo3rx/LnfiOWfuMm24bOUIH9QM3WZZxpigd7bHI4eC4TqRb4LvcSi0nEURTRAhwiTqGNrWbpw2Iv3n5dhLEN9aTcetG5ZuhaXqfVUoML45/ovdBZG/0l8+XIHqxN2M/g/h4JwKoR/6lqzcrVhgo=,iv:xvxBJwy+E5zUdjhGPdZPdy7tnBIEj50hfiDJFsS3wNg=,tag:L4Fas36ZOg4h0QQwC4gjNA==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/accounts/gkleen@sif/systemd.nix b/accounts/gkleen@sif/systemd.nix
index 90cccc58..18c2315f 100644
--- a/accounts/gkleen@sif/systemd.nix
+++ b/accounts/gkleen@sif/systemd.nix
@@ -385,6 +385,8 @@ in {
       };
       Service = {
         ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd --exit-idle-time=60s 127.0.0.1:${toString (port + 1)}";
+        Restart = "always";
+        RestartSec = "23s";
       };
   }) [{ host = "proxy.ssh.math.lmu.de"; port = 8118; } { host = "proxy.vidhar"; port = 8120; } { host = "proxy.mathw0h"; port = 8122; } { host = "proxy.mathw0e"; port = 8124; }]);
   sockets = listToAttrs (map (port: nameValuePair "proxy-to-autossh-socks@${toString port}" {
diff --git a/accounts/gkleen@sif/utils/async-yt-dlp.nix b/accounts/gkleen@sif/utils/async-yt-dlp.nix
new file mode 100644
index 00000000..c3b82ec5
--- /dev/null
+++ b/accounts/gkleen@sif/utils/async-yt-dlp.nix
@@ -0,0 +1,57 @@
+{ writers, python3Packages, ... }:
+
+writers.writePython3Bin "async-yt-dlp" {
+  libraries = with python3Packages; [ yt-dlp ];
+  flakeIgnore = ["E501"];
+} ''
+import sys
+import os
+
+import yt_dlp
+import yt_dlp.options
+from collections import namedtuple
+import socket
+from pathlib import Path
+import json
+
+create_parser = yt_dlp.options.create_parser
+
+
+def parse_patched_options(opts):
+    patched_parser = create_parser()
+    patched_parser.defaults.update({
+        'ignoreerrors': False,
+        'retries': 0,
+        'fragment_retries': 0,
+        'extract_flat': False,
+        'concat_playlist': 'never',
+    })
+    yt_dlp.options.create_parser = lambda: patched_parser
+    try:
+        return yt_dlp.parse_options(opts)
+    finally:
+        yt_dlp.options.create_parser = create_parser
+
+
+default_opts = parse_patched_options([]).ydl_opts
+
+
+def cli_to_api(opts):
+    opts = parse_patched_options(opts)
+    urls = opts.urls
+    opts = opts.ydl_opts
+
+    diff = {k: v for k, v in opts.items() if default_opts[k] != v}
+    if 'postprocessors' in diff:
+        diff['postprocessors'] = [pp for pp in diff['postprocessors']
+                                  if pp not in default_opts['postprocessors']]
+    return namedtuple('Options', ('params', 'urls'))(diff, urls)
+
+
+if __name__ == '__main__':
+    opts = cli_to_api(sys.argv[1:])
+    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
+        sock.connect(str(Path(os.environ["XDG_RUNTIME_DIR"]) / "yt-dlp.sock").encode('utf-8'))
+        with sock.makefile(mode='w', buffering=1, encoding='utf-8') as fh:
+            json.dump(opts._asdict(), fh)
+''
diff --git a/accounts/gkleen@sif/zshrc b/accounts/gkleen@sif/zshrc
index abc200c6..b24ff257 100644
--- a/accounts/gkleen@sif/zshrc
+++ b/accounts/gkleen@sif/zshrc
@@ -93,7 +93,7 @@ dir() {
                 if [[ $curlArchive = "true" ]]; then
                     archiveFile=$(mktemp -t "archive.XXXXXXXXXX.${templateArchive:t}")
 
-                    curl -L -o ${archiveFile} ${templateArchive}
+                    curl -SfL -o ${archiveFile} ${templateArchive}
 
                     templateArchive=${archiveFile}
                 fi
@@ -231,7 +231,7 @@ clock() {
 }
 
 public-ip() {
-    curl -s -H 'Accept: application/json' $@ ifconfig.co | jq -r '.ip'
+    curl -sSf -H 'Accept: application/json' $@ ifconfig.co | jq -r '.ip'
 }
 
 swap() {
diff --git a/flake.lock b/flake.lock
index 64091d39..404d81b6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -6,22 +6,28 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "poetry2nix": [
-          "poetry2nix"
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "pyproject-build-systems": [
+          "pyproject-build-systems"
         ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix"
+        "pyproject-nix": [
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "uv2nix"
+        ]
       },
       "locked": {
-        "lastModified": 1723124245,
-        "narHash": "sha256-ThDq7vOXo6G4+C5FHqUc64CeX2c5n36tln4ZlDao6s4=",
+        "lastModified": 1749560907,
+        "narHash": "sha256-zvAxxnJ5dcnjbuog0W6UvlthD1dLm5t4ZQI25jzNDW4=",
         "owner": "gkleen",
         "repo": "backup-utils",
-        "rev": "74e65090de63fc99f056098677cc490754e2708f",
+        "rev": "8ed6a1d7c2e337cb2e35ed68f6d852f0d1049908",
         "type": "gitlab"
       },
       "original": {
         "owner": "gkleen",
-        "ref": "v0.1.6",
+        "ref": "v0.1.7",
         "repo": "backup-utils",
         "type": "gitlab"
       }
@@ -33,22 +39,26 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "poetry2nix": [
-          "poetry2nix"
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix_2",
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": [
+          "pyproject-nix"
         ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix_2"
+        "uv2nix": [
+          "uv2nix"
+        ]
       },
       "locked": {
-        "lastModified": 1734281899,
-        "narHash": "sha256-9QdIl3sjHY4Xij9KrBUkW1KpLB+jyxlI12UHPitlawI=",
+        "lastModified": 1750599403,
+        "narHash": "sha256-MLQ7CISl00w1xq88TL2wukNq3ukzID4u7BVT4okbUik=",
         "owner": "gkleen",
         "repo": "ca",
-        "rev": "1e4ee9d25a5282ef7bc6774072229784fa0036f3",
+        "rev": "505a29233ada969b2eca76d616b0d7a8767dfb71",
         "type": "gitlab"
       },
       "original": {
         "owner": "gkleen",
-        "ref": "v3.1.3",
+        "ref": "v3.1.5",
         "repo": "ca",
         "type": "gitlab"
       }
@@ -66,11 +76,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727447169,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "lastModified": 1749105467,
+        "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
         "type": "github"
       },
       "original": {
@@ -168,11 +178,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "lastModified": 1749398372,
+        "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
         "type": "github"
       },
       "original": {
@@ -343,16 +353,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1747139300,
-        "narHash": "sha256-V+YnIIM2wMprHGgzOU0HzyeWQEjP6EhG8kc4IffWFeg=",
+        "lastModified": 1749562430,
+        "narHash": "sha256-M5MqsIsf+o7yngakVUW4poBGZaghB6sUpw7SsWA55kU=",
         "owner": "gkleen",
         "repo": "home-manager",
-        "rev": "50182497604587a24bdbe97d6400b1696eac57b1",
+        "rev": "dca5a2df9f8a00cc34bea6ead249a8446f5f069e",
         "type": "github"
       },
       "original": {
         "owner": "gkleen",
-        "ref": "nixos-late-start-23.11",
+        "ref": "nixos-late-start-25.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -376,7 +386,7 @@
     "leapseconds": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-5ZaoY/bScQS7EGJRHu6vj9XWhbObmxNEaGugaGU7+lg=",
+        "narHash": "sha256-FJgbafPB48+5sT+7ZB8pajSsfJoISEOoaJ0d/2Ya7o8=",
         "type": "file",
         "url": "https://data.iana.org/time-zones/tzdb/leap-seconds.list"
       },
@@ -397,11 +407,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1747115632,
-        "narHash": "sha256-SypEtZQsum43HvIT4HqM1RH8CE3wCWFIO5b5IqC/2FA=",
+        "lastModified": 1752078530,
+        "narHash": "sha256-TrRmlYdhWcadWvBpDjB9Xlry4uT4ZUIO46d+o5tjtCQ=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "44eeba852a6671ab1c7be5ca65a58c49794cef4b",
+        "rev": "d231d92313192d4d0c78d6ef04167fed9dee87cf",
         "type": "github"
       },
       "original": {
@@ -414,16 +424,16 @@
     "niri-stable": {
       "flake": false,
       "locked": {
-        "lastModified": 1740117926,
-        "narHash": "sha256-mTTHA0RAaQcdYe+9A3Jx77cmmyLFHmRoZdd8RpWa+m8=",
+        "lastModified": 1748151941,
+        "narHash": "sha256-z4viQZLgC2bIJ3VrzQnR+q2F3gAOEQpU1H5xHtX/2fs=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "b94a5db8790339cf9134873d8b490be69e02ac71",
+        "rev": "8ba57fcf25d2fc9565131684a839d58703f1dae7",
         "type": "github"
       },
       "original": {
         "owner": "YaLTeR",
-        "ref": "v25.02",
+        "ref": "v25.05.1",
         "repo": "niri",
         "type": "github"
       }
@@ -431,11 +441,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1747113435,
-        "narHash": "sha256-9oU1mKAM2BZLSots136UA75RIed53YtYgns9TUkr3ck=",
+        "lastModified": 1750791124,
+        "narHash": "sha256-F5iVU/hjoSHSSe0gllxm0PcAaseEtGNanYK5Ha3k2Tg=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "6d083ea49741d6e8e85d5a1d6b6bcaa837d3b5c0",
+        "rev": "37458d94b288945f6cfbd3c5c233f634d59f246c",
         "type": "github"
       },
       "original": {
@@ -472,11 +482,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746934494,
-        "narHash": "sha256-3n6i+F0sDASjkhbvgFDpPDZGp7z19IrRtjfF9TwJpCA=",
+        "lastModified": 1751774635,
+        "narHash": "sha256-DuOznGdgMxeSlPpUu6Wkq0ZD5e2Cfv9XRZeZlHWMd1s=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "e9b21b01e4307176b9718a29ac514838e7f6f4ff",
+        "rev": "85686025ba6d18df31cc651a91d5adef63378978",
         "type": "github"
       },
       "original": {
@@ -514,11 +524,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741549407,
-        "narHash": "sha256-f9SXK+/rvlryDNlc++Eva/hYjbkf7OCalWwmwifRhtI=",
+        "lastModified": 1748140003,
+        "narHash": "sha256-DNBZmuk1YRM2PmwbHzVdXumRjCUzQkMarg4iI/37rOQ=",
         "owner": "AshleyYakeley",
         "repo": "NixVirt",
-        "rev": "9950b932dce4ae6b9bda7c83d41705c1a14e10f0",
+        "rev": "5dfe108fd859b122f9a96981cb6bc12297653d6c",
         "type": "github"
       },
       "original": {
@@ -529,11 +539,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1747083103,
-        "narHash": "sha256-dMx20S2molwqJxbmMB4pGjNfgp5H1IOHNa1Eby6xL+0=",
+        "lastModified": 1752048960,
+        "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d1d68fe8b00248caaa5b3bbe4984c12b47e0867d",
+        "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
         "type": "github"
       },
       "original": {
@@ -561,16 +571,16 @@
     },
     "nixpkgs-eostre": {
       "locked": {
-        "lastModified": 1701282334,
-        "narHash": "sha256-MxCVrXY6v4QmfTwIysjjaX0XUhqBbxTWWB4HXtDYsdk=",
+        "lastModified": 1748026580,
+        "narHash": "sha256-rWtXrcIzU5wm/C8F9LWvUfBGu5U5E7cFzPYT1pHIJaQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "057f9aecfb71c4437d2b27d3323df7f93c010b7e",
+        "rev": "11cb3517b3af6af300dd6c055aeda73c9bf52c48",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "23.11",
+        "ref": "25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -589,14 +599,17 @@
     },
     "nixpkgs-lib_2": {
       "locked": {
-        "lastModified": 1733096140,
-        "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+        "lastModified": 1748740939,
+        "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "656a64127e9d791a334452c6b6606d17539476e2",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
       }
     },
     "nixpkgs-lib_3": {
@@ -651,32 +664,32 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1746957726,
-        "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=",
+        "lastModified": 1751943650,
+        "narHash": "sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4+f9C1mZQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94",
+        "rev": "88983d4b665fb491861005137ce2b11a9f89f203",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1717179513,
-        "narHash": "sha256-vboIEwIQojofItm2xGCdZCzW96U85l9nDW3ifMuAIdM=",
+        "lastModified": 1748026580,
+        "narHash": "sha256-rWtXrcIzU5wm/C8F9LWvUfBGu5U5E7cFzPYT1pHIJaQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "63dacb46bf939521bdc93981b4cbb7ecb58427a0",
+        "rev": "11cb3517b3af6af300dd6c055aeda73c9bf52c48",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "24.05",
+        "ref": "25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -699,11 +712,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1746904237,
-        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
+        "lastModified": 1751984180,
+        "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
+        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
         "type": "github"
       },
       "original": {
@@ -811,18 +824,14 @@
         "nixpkgs": [
           "ca-util",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "ca-util",
-          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1734261738,
-        "narHash": "sha256-3Lzk+7QyX8v60+km26D3dln7NMSA13vW+KYTkMkds6Q=",
+        "lastModified": 1749636823,
+        "narHash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "4c8e75efbbdcc6f9203f64b1f21f8a55d2285264",
+        "rev": "623c56286de5a3193aa38891a6991b28f9bab056",
         "type": "github"
       },
       "original": {
@@ -882,21 +891,50 @@
     "pyproject-build-systems": {
       "inputs": {
         "nixpkgs": [
+          "ca-util",
           "nixpkgs"
         ],
         "pyproject-nix": [
+          "ca-util",
           "pyproject-nix"
         ],
         "uv2nix": [
+          "ca-util",
           "uv2nix"
         ]
       },
       "locked": {
-        "lastModified": 1744599653,
-        "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
+        "lastModified": 1749519371,
+        "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=",
         "owner": "pyproject-nix",
         "repo": "build-system-pkgs",
-        "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
+        "rev": "7c06967eca687f3482624250428cc12f43c92523",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-build-systems_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749519371,
+        "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "7c06967eca687f3482624250428cc12f43c92523",
         "type": "github"
       },
       "original": {
@@ -912,11 +950,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746540146,
-        "narHash": "sha256-QxdHGNpbicIrw5t6U3x+ZxeY/7IEJ6lYbvsjXmcxFIM=",
+        "lastModified": 1751557494,
+        "narHash": "sha256-dnueIffmEKtG0V4feifalsOYaHXXsrGMaoKI+4O7v/8=",
         "owner": "pyproject-nix",
         "repo": "pyproject.nix",
-        "rev": "e09c10c24ebb955125fda449939bfba664c467fd",
+        "rev": "939ef94aea81c17bfd2f388465309eab76c45c37",
         "type": "github"
       },
       "original": {
@@ -948,7 +986,7 @@
         "nvfetcher": "nvfetcher",
         "poetry2nix": "poetry2nix",
         "prometheus-borg-exporter": "prometheus-borg-exporter",
-        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-build-systems": "pyproject-build-systems_2",
         "pyproject-nix": "pyproject-nix",
         "sops-nix": "sops-nix",
         "uv2nix": "uv2nix",
@@ -962,11 +1000,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746485181,
-        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+        "lastModified": 1751606940,
+        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
         "type": "github"
       },
       "original": {
@@ -1037,11 +1075,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746649034,
-        "narHash": "sha256-gmv+ZiY3pQnwgI0Gm3Z1tNSux1CnOJ0De+xeDOol1+0=",
+        "lastModified": 1752195249,
+        "narHash": "sha256-xJ4P6Ekm1tQTtUHboca+vqosXQZHPCDTYOq/HfZ6o1M=",
         "owner": "pyproject-nix",
         "repo": "uv2nix",
-        "rev": "fe540e91c26f378c62bf6da365a97e848434d0cd",
+        "rev": "06b039bb2fa0bc57ac6e611e05de70d36bb1af8b",
         "type": "github"
       },
       "original": {
@@ -1060,16 +1098,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1742140394,
-        "narHash": "sha256-U1Lp5HZbpnWQRetOLzQl3dURplY2BRfAZYkjBawYrVM=",
+        "lastModified": 1752562190,
+        "narHash": "sha256-zWOMCNe56H2PHUd3rJZ6tklZUZBLgRo85jd9IlK1g9o=",
         "owner": "gkleen",
         "repo": "Waybar",
-        "rev": "f310667db199c570b599a08152d49b7f80db93f2",
+        "rev": "d008cd998369c40f2344a856caf39cdbbd7bd068",
         "type": "github"
       },
       "original": {
         "owner": "gkleen",
-        "ref": "feat/niri-workspaces-hide",
+        "ref": "feat/niri-urgency",
         "repo": "Waybar",
         "type": "github"
       }
@@ -1077,16 +1115,16 @@
     "xwayland-satellite-stable": {
       "flake": false,
       "locked": {
-        "lastModified": 1739246919,
-        "narHash": "sha256-/hBM43/Gd0/tW+egrhlWgOIISeJxEs2uAOIYVpfDKeU=",
+        "lastModified": 1748488455,
+        "narHash": "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI=",
         "owner": "Supreeeme",
         "repo": "xwayland-satellite",
-        "rev": "44590a416d4a3e8220e19e29e0b6efe64a80315d",
+        "rev": "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73",
         "type": "github"
       },
       "original": {
         "owner": "Supreeeme",
-        "ref": "v0.5.1",
+        "ref": "v0.6",
         "repo": "xwayland-satellite",
         "type": "github"
       }
@@ -1094,11 +1132,11 @@
     "xwayland-satellite-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1747111562,
-        "narHash": "sha256-GAqhWoxaBIk0tgoecZPa8gTHDHxNc0JtlwWHZN2iOOo=",
+        "lastModified": 1751228685,
+        "narHash": "sha256-MENtauGBhJ+kDeFaawvWGXaFG3Il6qQzjaP0RmtfM0k=",
         "owner": "Supreeeme",
         "repo": "xwayland-satellite",
-        "rev": "ec9ff64c1e0cbec42710b580b7c0f759b1694e72",
+        "rev": "557ebeb616e03d5e4a8049862bbbd1f02c6f020b",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 0745d37c..8380f9c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,13 +29,13 @@
       type = "github";
       owner = "NixOS";
       repo = "nixpkgs";
-      ref = "24.05";
+      ref = "25.05";
     };
     nixpkgs-eostre = {
       type = "github";
       owner = "NixOS";
       repo = "nixpkgs";
-      ref = "23.11";
+      ref = "25.05";
     };
     home-manager = {
       type = "github";
@@ -53,7 +53,7 @@
       type = "github";
       owner = "gkleen";
       repo = "home-manager";
-      ref = "nixos-late-start-23.11";
+      ref = "nixos-late-start-25.05";
       inputs = {
         nixpkgs.follows = "nixpkgs-eostre";
       };
@@ -145,20 +145,23 @@
       type = "gitlab";
       owner = "gkleen";
       repo = "ca";
-      ref = "v3.1.3";
+      ref = "v3.1.5";
       inputs = {
+        pyproject-nix.follows = "pyproject-nix";
+        uv2nix.follows = "uv2nix";
         nixpkgs.follows = "nixpkgs";
-        poetry2nix.follows = "poetry2nix";
       };
     };
     backup-utils = {
       type = "gitlab";
       owner = "gkleen";
       repo = "backup-utils";
-      ref = "v0.1.6";
+      ref = "v0.1.7";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        poetry2nix.follows = "poetry2nix";
+        pyproject-nix.follows = "pyproject-nix";
+        uv2nix.follows = "uv2nix";
+        pyproject-build-systems.follows = "pyproject-build-systems";
       };
     };
     prometheus-borg-exporter = {
@@ -187,7 +190,7 @@
       type = "github";
       owner = "gkleen";
       repo = "Waybar";
-      ref = "feat/niri-workspaces-hide";
+      ref = "feat/niri-urgency";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-compat.follows = "flake-compat";
@@ -363,7 +366,7 @@
 
         overlays = mapAttrs (_name: path: mkOverlay path) overlayPaths;
 
-        packages = forAllSystems (system: systemPkgs: nixImport rec { dir = ./tools; _import = _path: name: import "${toString dir}/${name}" ({ inherit system; } // inputs); });
+        packages = forAllSystems (system: systemPkgs: nixImport rec { dir = ./tools; _import = name: _base: import (dir + "/${name}") ({ inherit system; } // inputs); });
 
         # packages = mapAttrs (_name: filterAttrs (_name: isDerivation)) packages;
         # packages' = mapAttrs (_name: filterAttrs (_name: value: !(isDerivation value))) packages;
@@ -375,6 +378,8 @@
           activateNixosConfigurations activateHomeManagerConfigurations
         ];
 
+        lib = nixImport rec { dir = ./lib; _import = name: _base: import (dir + "/${name}") inputs; };
+
         devShells = forAllSystems (system: systemPkgs: { default = import ./shell.nix ({ inherit system; } // inputs); } // installerShells system systemPkgs);
 
         templates.default = {
@@ -398,7 +403,7 @@
             #   path = activateHomeManager (self.nixosConfigurations.${hostname}.config.nixpkgs.system) usercfg.home;
             # }) self.nixosConfigurations.${hostname}.config.home-manager.users);
           }) (nixImport { dir = ./hosts; _import = (_path: name: name); });
-          overrides = if pathExists ./deploy then nixImport { dir = ./deploy; _import = path: _name: import (./deploy + "/${path}") inputs; } else {};
+          overrides = if pathExists ./deploy then nixImport rec { dir = ./deploy; _import = path: _name: import (dir + "/${path}") inputs; } else {};
           filterEnabled = attrs: mapAttrs (_n: v: filterAttrs (n: _v: n != "enabled") v) (filterAttrs (_n: v: v.enabled or true) attrs);
         in mapAttrs (_n: v: if v ? "profiles" then v // { profiles = filterEnabled v.profiles; } else v) (filterEnabled (recursiveUpdate defaults overrides));
 
diff --git a/home-modules/nixpkgs-release-check.nix b/home-modules/nixpkgs-release-check.nix
new file mode 100644
index 00000000..baf2713a
--- /dev/null
+++ b/home-modules/nixpkgs-release-check.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  config.home.enableNixpkgsReleaseCheck = false;
+}
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix
index fd4b15f2..d4113024 100644
--- a/hosts/eostre/default.nix
+++ b/hosts/eostre/default.nix
@@ -37,14 +37,10 @@ with lib;
         powerManagement.enable = true;
       };
 
-      opengl.enable = true;
+      graphics.enable = true;
     };
 
-    environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
-
     networking = {
-      hostId = "f457b213";
-
       domain = "lan.yggdrasil";
       search = [ "lan.yggdrasil" "yggdrasil" ];
 
@@ -83,19 +79,14 @@ with lib;
       ];
     };
 
-
-    services.xserver = {
+    services.displayManager.sddm = {
       enable = true;
-      displayManager.sddm = {
-        enable = true;
-        settings = {
-          Users.HideUsers = "gkleen";
-        };
+      wayland.enable = true;
+      settings = {
+        Users.HideUsers = "gkleen";
       };
-      desktopManager.plasma5.enable = true;
-
-      videoDrivers = [ "nvidia" ];
     };
+    services.desktopManager.plasma6.enable = true;
 
 
     services.openssh = {
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index f4de24e8..b0d2fd78 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,7 +12,7 @@ let
 in {
   imports = with flake.nixosModules.systemProfiles; [
     ./hw.nix
-    ./mail ./libvirt ./greetd
+    ./email ./libvirt ./greetd
     tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
     flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
     flakeInputs.impermanence.nixosModules.impermanence
@@ -98,6 +98,8 @@ in {
         server ptbtime2.ptb.de prefer iburst nts
         server ptbtime3.ptb.de prefer iburst nts
         server ptbtime4.ptb.de prefer iburst nts
+        pool ntppool1.time.nl prefer iburst nts
+        pool ntppool2.time.nl prefer iburst nts
 
         authselectmode require
         minsources 3
@@ -130,6 +132,12 @@ in {
       useNetworkd = true;
     };
 
+    environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+      text = ''
+        conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+        dnssec
+      '';
+    };
     environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
       text = ''
         except-interface=virbr0
@@ -372,19 +380,6 @@ in {
     ];
 
     services = {
-      uucp = {
-        enable = true;
-        nodeName = "sif";
-        remoteNodes = {
-          "ymir" = {
-            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-          };
-        };
-
-        defaultCommands = lib.mkForce [];
-      };
-
       avahi.enable = true;
 
       fwupd.enable = true;
@@ -403,8 +398,8 @@ in {
 
       logind = {
         lidSwitch = "suspend";
-        lidSwitchDocked = "lock";
-        lidSwitchExternalPower = "lock";
+        lidSwitchDocked = "ignore";
+        lidSwitchExternalPower = "ignore";
       };
 
       atd = {
@@ -610,25 +605,6 @@ in {
 
     environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
 
-    systemd.services."ac-plugged" = {
-      description = "Inhibit handling of lid-switch and sleep";
-
-      path = with pkgs; [ systemd coreutils ];
-
-      script = ''
-        exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
-      '';
-
-      serviceConfig = {
-        Type = "simple";
-      };
-    };
-
-    services.udev.extraRules = with pkgs; lib.mkAfter ''
-      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
-      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
-    '';
-
     systemd.services."nix-daemon".serviceConfig = {
       MemoryAccounting = true;
       MemoryHigh = "50%";
@@ -688,7 +664,7 @@ in {
       directories = [
         "/nix"
         "/root"
-        "/home"
+        "/home"
         "/var/log"
         "/var/lib/sops-nix"
         "/var/lib/nixos"
@@ -699,8 +675,6 @@ in {
         "/var/lib/upower"
         "/var/lib/postfix"
         "/etc/NetworkManager/system-connections"
-        { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
-        { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
       ];
       files = [
       ];
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..4eda236e
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = false;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    recipientDelimiter = "+";
+    config = {
+      mydomain = "yggdrasil.li";
+
+      local_transport = "error:5.1.1 No local delivery";
+      alias_database = [];
+      alias_maps = [];
+      local_recipient_maps = [];
+
+      inet_interfaces = "loopback-only";
+
+      message_size_limit = "0";
+
+      authorized_submit_users = "inline:{ gkleen= }";
+      authorized_flush_users = "inline:{ gkleen= }";
+      authorized_mailq_users = "inline:{ gkleen= }";
+
+      smtp_generic_maps = "inline:{ root=root+sif }";
+
+      mynetworks = ["127.0.0.0/8" "[::1]/128"];
+      smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+      smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      relayhost = "[surtr.yggdrasil.li]:465";
+      default_transport = "relay";
+
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+    masterConfig = {
+      submission = {
+        type = "inet";
+        private = false;
+        command = "smtpd";
+        args = [
+          "-o" "syslog_name=postfix/$service_name"
+        ];
+      };
+      smtp = { };
+      smtps = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "smtp";
+        args = [
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_security_level=encrypt"
+        ];
+      };
+      relay = {
+        command = "smtp";
+        args = [
+          "-o" "smtp_fallback_relay="
+          "-o" "smtp_tls_security_level=verify"
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_cert_file=${./relay.crt}"
+          "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
+        ];
+      };
+    };
+  };
+
+  systemd.services.postfix = {
+    serviceConfig.LoadCredential = [
+      "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
+      "relay.key:${config.sops.secrets."relay-key".path}"
+    ];
+  };
+
+  sops.secrets = {
+    postfix-sasl-passwd = {
+      key = "sasl-passwd";
+      sopsFile = ./secrets.yaml;
+    };
+    relay-key = {
+      format = "binary";
+      sopsFile = ./relay.key;
+    };
+  };
+}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
+DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
+MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
+m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
+l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
+6DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
+0UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
+kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
+yauId0cXHvN6g5RLAMsMAA==
+-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-04-25T12:14:44Z",
+                "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index 8d6cd705..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.postfix = {
-    enable = true;
-    enableSmtp = true;
-    enableSubmission = false;
-    setSendmail = true;
-    networksStyle = "host";
-    hostname = "sif.midgard.yggdrasil";
-    destination = [];
-    relayHost = "uucp:ymir";
-    recipientDelimiter = "+";
-    masterConfig = {
-      uucp = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "pipe";
-        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
-      };
-      smtps = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "smtp";
-        args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
-      };
-    };
-    config = {
-      default_transport = "uucp:ymir";
-
-      inet_interfaces = "loopback-only";
-
-      authorized_submit_users = ["!uucp" "static:anyone"];
-      message_size_limit = "0";
-
-      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
-        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
-        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
-        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
-        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
-      ''}'';
-      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
-        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
-        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
-      ''}'';
-
-      smtp_sasl_auth_enable = true;
-      smtp_sender_dependent_authentication = true;
-      smtp_sasl_tls_security_options = "noanonymous";
-      smtp_sasl_mechanism_filter = ["plain"];
-      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
-      smtp_cname_overrides_servername = false;
-      smtp_always_send_ehlo = true;
-      smtp_tls_security_level = "dane";
-
-      smtp_tls_loglevel = "1";
-      smtp_dns_support_level = "dnssec";
-    };
-  };
-
-  sops.secrets.postfix-sasl-passwd = {
-    key = "sasl-passwd";
-    path = "/var/db/postfix/sasl_passwd";
-    owner = "postfix";
-    sopsFile = ./secrets.yaml;
-  };
-}
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index fbfde757..52ab43f5 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -18,7 +18,7 @@ in {
             ListenPort = 51822;
           };
           wireguardPeers = [
-            { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+            { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" "2a03:4000:52:ada:6::/80" ];
               PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
             }
           ];
@@ -34,6 +34,8 @@ in {
           routes = [
             { Destination = "2a03:4000:52:ada:4::/80";
             }
+            { Destination = "2a03:4000:52:ada:6::/80";
+            }
           ];
           linkConfig = {
             RequiredForOnline = false;
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index d420040a..63beece3 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -7,7 +7,7 @@ with lib;
     tmpfs-root qemu-guest openssh rebuild-machines zfs
     ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
     ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
-    ./paperless.nix ./hledger.nix ./audiobookshelf.nix
+    ./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
   ];
 
   config = {
@@ -22,7 +22,6 @@ with lib;
         device = "/dev/vda";
       };
 
-
       tmp.useTmpfs = true;
 
       zfs.devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 7aa3fb00..8aca2b97 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
         ${concatMapStringsSep "\n" mkZone [
           { domain = "yggdrasil.li";
             addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
-            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li"];
+            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li"];
           }
           { domain = "nights.email";
             addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme b/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme
new file mode 100644
index 00000000..bdfb135a
--- /dev/null
+++ b/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:sKFt4pH0Xn7Qm6JFMg/2N7Ht7jtMJukfN+U3dQaoYXPbhRJ+heEtDpXV/WP4AlfbfpIOgTPW3mcmQCwKFNhS00vEsQA4728FfXZzDDmZCa3hwg51wDbL7XUOr0OePgzi86lt0Q193K6CkGqEAa1vFIb//ElEfBYIwdATbmcoAsM3mHhz58X7c1qf8LNuB93o/1N2xXXZI3NWOhOjlviTc2DAhffXDwlMJSYUhldnwtDKmLM1mooJzLgm2p9w7gRD7WPqEqZFq9uFDK69P9uX5T9hFHg=,iv:rAE4sYxxLou4tyD4RWTp3LjQP0cya95coy1MvwfEK/U=,tag:u4SSk8SZFlj0ks7d6tDocw==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2KzdNUWhEcDB6QmtUTnVh\nNS9Nc2I4UjAzekxhRXo1UmY3SklPejV1TURJCm9NY2lVOERoMDFKTU56Mmh1NHEr\naGV4M1RoVldHV0xyc3Z0MnVqakpjMFUKLS0tIEYxSk9OUm9kMkdtcG5POWRGQVkx\nY1FEaXYwMGo0L0Z0aTVTZDA5aUFDWEUKJ+e/7lR/rNPNVnIy+wkiKiAYMxWp4L7q\nwnSTx451vSnxv9j3JWB43Y7XQC08cisWDj06ULw8FnEbKYOvTYj9mQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwOTU3dUEzaXM5T1VkbDRO\nMm14OG1mUkk2bDRhdnBsMHBkc3kvUzlyNlQwCktFSHJhMnhoQ2J6bC9vUHNLWTRC\nRFpYeHo3N2xjWUhjQnRwQ2Nrc1pRUmsKLS0tIDdPeFBVdkxDd1JWSmcxQ0tLMTBD\ncHU3VExZOUhYUlJvbGNoK3FMK2VIbGMKFk94P9aBY04CPIi983f3Aalgh4fnU+/K\n2mxawSMf9jz8704N5XJfmr2hwNy8hqLIn8bjsEMAPTfE1YBGga4w0g==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-05-24T09:42:23Z",
+                "mac": "ENC[AES256_GCM,data:diCeJGvBmM0Ng722eKoFwDe7pqZrdLPSLn5j9LfdaFI64BAbSbA5bAq4NFXqdJ1vttarD2A5rEafYoXUxP8228x2GhNyWUGW5AWgBjVPUc59gjs4wYKR5HlkVMIadhTwNheEyoEjrxX40GNBgCG7X3ocOtOYKbKECp433gdAPDg=,iv:d+yJMWj2RyFnveo2ZNrpNeV+amXM+H7vdC0A2F7mwjA=,tag:yjibG2iusdprp0ORghYWhw==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa
index 913a88d4..34209a99 100644
--- a/hosts/surtr/dns/zones/email.nights.soa
+++ b/hosts/surtr/dns/zones/email.nights.soa
@@ -1,7 +1,7 @@
 $ORIGIN nights.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060700 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -27,11 +27,7 @@ $TTL 3600
 
 _acme-challenge         IN      NS      ns.yggdrasil.li.
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index ab117f09..78d137bb 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025020900 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -45,11 +45,8 @@ ymir                    IN      AAAA    2a03:4000:6:d004::
 ymir                    IN      MX      0 ymir.yggdrasil.li
 ymir                    IN      TXT     "v=spf1 redirect=ymir.yggdrasil.li"
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
index a1c7d35a..5dd3e697 100644
--- a/hosts/surtr/dns/zones/li.kleen.soa
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -27,11 +27,8 @@ $TTL 3600
 
 _acme-challenge         IN      NS      ns.yggdrasil.li.
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 086d4a85..247cf025 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023092100 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 7273827b..500194ae 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025050900 ; serial
+  2025060700 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -101,12 +101,22 @@ _acme-challenge.audiobookshelf	IN	NS	ns.yggdrasil.li.
 
 audiobookshelf                  IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
 
+kimai                 IN      A       202.61.241.61
+kimai                 IN      AAAA    2a03:4000:52:ada::
+kimai                 IN      MX      0 surtr.yggdrasil.li
+kimai                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.kimai   IN      NS      ns.yggdrasil.li.
+
+kimai                   IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
 
 mailout                 IN      A       188.68.51.254
 mailout                 IN      AAAA    2a03:4000:6:d004::
+mailout                 IN      A       202.61.241.61
+mailout                 IN      AAAA    2a03:4000:52:ada::
 mailout                 IN      MX      0 ymir.yggdrasil.li
 mailout                 IN      TXT     "v=spf1 redirect=yggdrasil.li"
 
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
index df505b4c..2b97ca19 100644
--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2025060701 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -32,11 +32,8 @@ surtr			IN	AAAA	2a03:4000:52:ada::
 surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
 
-ymir._domainkey         IN      TXT     ( 
-  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
-  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
-  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
-)
+ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
+surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
 
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 00182523..7c931559 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,10 +28,12 @@ class PolicyHandler(StreamRequestHandler):
 
         allowed = False
         user = None
+        relay_eligible = False
         if self.args['sasl_username']:
             user = self.args['sasl_username']
         if self.args['ccert_subject']:
             user = self.args['ccert_subject']
+            relay_eligible = True
 
         if user:
             with self.server.db_pool.connection() as conn:
@@ -44,10 +46,16 @@ class PolicyHandler(StreamRequestHandler):
 
                 with conn.cursor() as cur:
                     cur.row_factory = namedtuple_row
-                    cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    for record in cur:
-                        logger.debug('Received result: %s', record)
-                        allowed = True
+
+                    if relay_eligible:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
 
         action = '550 5.7.0 Sender address not authorized for current user'
         if allowed:
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 845f6455..fa7ddac6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, flakeInputs, ... }:
+{ config, pkgs, lib, flake, flakeInputs, ... }:
 
 with lib;
 
@@ -15,7 +15,7 @@ let
 
       for file in $out/pipe/bin/*; do
         wrapProgram $file \
-          --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
+          --set PATH "${makeBinPath (with pkgs; [coreutils rspamd])}"
       done
     '';
   };
@@ -33,12 +33,28 @@ let
         });
       });
     };
+  internal-policy-server =
+    let
+      workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };
+      pythonSet = flake.lib.pythonSet {
+        inherit pkgs;
+        python = pkgs.python312;
+        overlay = workspace.mkPyprojectOverlay {
+          sourcePreference = "wheel";
+        };
+      };
+      virtualEnv = pythonSet.mkVirtualEnv "internal-policy-server-env" workspace.deps.default;
+    in virtualEnv.overrideAttrs (oldAttrs: {
+      meta = (oldAttrs.meta or {}) // {
+        mainProgram = "internal-policy-server";
+      };
+    });
 
-  nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
-    #!${pkgs.zsh}/bin/zsh
-
+  nftables-nologin-script = pkgs.resholve.writeScript "nftables-mail-nologin" {
+    inputs = with pkgs; [inetutils nftables gnugrep findutils];
+    interpreter = lib.getExe pkgs.zsh;
+  } ''
     set -e
-    export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
 
     typeset -a as_sets mnt_bys route route6
     as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets})
@@ -51,7 +67,7 @@ let
             elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
                 route6+=($match[1])
             fi
-        done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+        done < <(whois -h whois.radb.net "!i''${as_set},1" | grep -Eo 'AS[0-9]+' | xargs whois -h whois.radb.net -- -i origin)
     done
     for mnt_by in $mnt_bys; do
         while IFS=$'\n' read line; do
@@ -113,14 +129,14 @@ in {
       setSendmail = true;
       postmasterAlias = ""; rootAlias = ""; extraAliases = "";
       destination = [];
-      sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
-      sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
       networks = [];
-      config = let
-        relay_ccert = "texthash:${pkgs.writeText "relay_ccert" ""}";
-      in {
+      config = {
         smtpd_tls_security_level = "may";
 
+        smtpd_tls_chain_files = [
+          "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
+        ];
+
         #the dh params
         smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
         smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
@@ -155,12 +171,7 @@ in {
 
         smtp_tls_connection_reuse = true;
 
-        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
-          concatMapStringsSep "\n\n" (domain:
-            concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${removePrefix "." subdomain}.full.pem")
-              [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-          ) emailDomains
-        )}'';
+        tls_server_sni_maps = "inline:{${concatMapStringsSep ", " (domain: "{ ${domain} = /run/credentials/postfix.service/${removePrefix "." domain}.full.pem }") (concatMap (domain: [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]) emailDomains)}}";
 
         smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
 
@@ -184,12 +195,12 @@ in {
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s'
           ''}"
-          "check_ccert_access ${relay_ccert}"
           "reject_non_fqdn_helo_hostname"
           "reject_invalid_helo_hostname"
           "reject_unauth_destination"
           "reject_unknown_recipient_domain"
           "reject_unverified_recipient"
+          "check_policy_service unix:/run/postfix-internal-policy.sock"
         ];
         unverified_recipient_reject_code = "550";
         unverified_recipient_reject_reason = "Recipient address lookup failed";
@@ -204,7 +215,6 @@ in {
         address_verify_sender_ttl = "30045s";
 
         smtpd_relay_restrictions = [
-          "check_ccert_access ${relay_ccert}"
           "reject_unauth_destination"
         ];
 
@@ -251,11 +261,24 @@ in {
         virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
         smtputf8_enable = false;
 
-        authorized_submit_users = "inline:{ root= postfwd= }";
+        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
+        authorized_flush_users = "inline:{ root= }";
+        authorized_mailq_users = "inline:{ root= }";
 
         postscreen_access_list = "";
         postscreen_denylist_action = "drop";
         postscreen_greet_action = "enforce";
+
+        sender_bcc_maps = ''pgsql:${pkgs.writeText "sender_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM sender_bcc_maps WHERE key = '%s'
+        ''}'';
+        recipient_bcc_maps = ''pgsql:${pkgs.writeText "recipient_bcc_maps.cf" ''
+          hosts = postgresql:///email
+          dbname = email
+          query = SELECT value FROM recipient_bcc_maps WHERE key = '%s'
+        ''}'';
       };
       masterConfig = {
         "465" = {
@@ -280,7 +303,7 @@ in {
             hosts = postgresql:///email
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
-          ''},permit_tls_all_clientcerts,reject}''
+          ''},check_policy_service unix:/run/postfix-internal-policy.sock,permit_tls_all_clientcerts,reject}''
             "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
             "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
             "-o" "unverified_sender_reject_code=550"
@@ -310,7 +333,7 @@ in {
             hosts = postgresql:///email
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
-          ''},permit_sasl_authenticated,reject}''
+          ''},check_policy_service unix:/run/postfix-internal-policy.sock,permit_sasl_authenticated,reject}''
             "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
             "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
             "-o" "unverified_sender_reject_code=550"
@@ -325,7 +348,10 @@ in {
           maxproc = 0;
           args = [
             "-o" "header_checks=pcre:${pkgs.writeText "header_checks_submission" ''
+              if /^Received: /
+              !/by surtr\.yggdrasil\.li/ STRIP
               /^Received: from [^ ]+ \([^ ]+ [^ ]+\)\s+(.*)$/ REPLACE Received: $1
+              endif
             ''}"
           ];
         };
@@ -373,7 +399,7 @@ in {
       enable = true;
       user = "postfix"; group = "postfix";
       socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
       selector = "surtr";
       configFile = builtins.toFile "opendkim.conf" ''
         Syslog true
@@ -477,7 +503,7 @@ in {
       };
     };
 
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
 
     services.redis.servers.rspamd.enable = true;
 
@@ -487,8 +513,8 @@ in {
     services.dovecot2 = {
       enable = true;
       enablePAM = false;
-      sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
-      sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
+      sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
+      sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
       sslCACert = toString ./ca/ca.crt;
       mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
       mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
@@ -501,8 +527,8 @@ in {
         dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
           driver = pgsql
           connect = dbname=email
-          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
-          user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
+          user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
           iterate_query = SELECT "user" FROM imap_user
         '';
       in ''
@@ -510,16 +536,16 @@ in {
 
         mail_plugins = $mail_plugins quota
 
-        first_valid_uid = ${toString config.users.users.dovecot2.uid}
-        last_valid_uid = ${toString config.users.users.dovecot2.uid}
-        first_valid_gid = ${toString config.users.groups.dovecot2.gid}
-        last_valid_gid = ${toString config.users.groups.dovecot2.gid}
+        first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
+        last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
 
         ${concatMapStringsSep "\n\n" (domain:
           concatMapStringsSep "\n" (subdomain: ''
             local_name ${subdomain} {
-              ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
-              ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
+              ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
+              ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
             }
           '') ["imap.${domain}" domain]
         ) emailDomains}
@@ -540,10 +566,10 @@ in {
         auth_debug = yes
 
         service auth {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
         service auth-worker {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
 
         userdb {
@@ -564,7 +590,7 @@ in {
             args = ${pkgs.writeText "dovecot-sql.conf" ''
               driver = pgsql
               connect = dbname=email
-              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
+              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
             ''}
 
             skip = never
@@ -672,7 +698,7 @@ in {
         plugin {
           plugin = fts fts_xapian
           fts = xapian
-          fts_xapian = partial=2 full=20 attachments=1 verbose=1
+          fts_xapian = partial=3 full=20 attachments=1 verbose=1
 
           fts_autoindex = yes
 
@@ -687,12 +713,12 @@ in {
 
     systemd.services.dovecot-fts-xapian-optimize = {
       description = "Optimize dovecot indices for fts_xapian";
-      requisite = [ "dovecot2.service" ];
-      after = [ "dovecot2.service" ];
+      requisite = [ "dovecot.service" ];
+      after = [ "dovecot.service" ];
       startAt = "*-*-* 22:00:00 Europe/Berlin";
       serviceConfig = {
         Type = "oneshot";
-        ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
+        ExecStart = "${getExe' pkgs.dovecot "doveadm"} fts optimize -A";
         PrivateDevices = true;
         PrivateNetwork = true;
         ProtectKernelTunables = true;
@@ -753,31 +779,29 @@ in {
 
     security.acme.rfc2136Domains = {
       "surtr.yggdrasil.li" = {
-        restartUnits = [ "postfix.service" "dovecot2.service" ];
+        restartUnits = [ "postfix.service" "dovecot.service" ];
       };
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
     // listToAttrs (concatMap (domain: [
-      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })
+      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot.service"]; })
       (nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
       (nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
-      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })
+      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot.service"]; })
       (nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
     ]) emailDomains);
 
     systemd.services.postfix = {
-      serviceConfig.LoadCredential = [
-        "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
-        "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-      ] ++ concatMap (domain:
-        map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
-          [domain "mailin.${domain}" "mailsub.${domain}"]
-      ) emailDomains;
+      serviceConfig.LoadCredential = let
+        tlsCredential = domain: "${domain}.full.pem:${config.security.acme.certs.${domain}.directory}/full.pem";
+      in [
+        (tlsCredential "surtr.yggdrasil.li")
+      ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
     };
 
-    systemd.services.dovecot2 = {
+    systemd.services.dovecot = {
       preStart = ''
         for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
-          ${pkgs.dovecot_pigeonhole}/bin/sievec $f
+          ${getExe' pkgs.dovecot_pigeonhole "sievec"} $f
         done
       '';
 
@@ -844,15 +868,16 @@ in {
               charset utf-8;
               source_charset utf-8;
             '';
-            root = pkgs.runCommand "mta-sts.${domain}" {} ''
-              mkdir -p $out/.well-known
-              cp ${pkgs.writeText "mta-sts.${domain}.txt" ''
+            root = pkgs.writeTextFile {
+              name = "mta-sts.${domain}";
+              destination = "/.well-known/mta-sts.txt";
+              text = ''
                 version: STSv1
                 mode: enforce
                 max_age: 2419200
                 mx: mailin.${domain}
-              ''} $out/.well-known/mta-sts.txt
-            '';
+              '';
+            };
           };
       }) emailDomains);
     };
@@ -869,7 +894,7 @@ in {
     systemd.services.spm = {
       serviceConfig = {
         Type = "notify";
-        ExecStart = "${pkgs.spm}/bin/spm-server";
+        ExecStart = getExe' pkgs.spm "spm-server";
         User = "spm";
         Group = "spm";
 
@@ -927,7 +952,7 @@ in {
       serviceConfig = {
         Type = "notify";
 
-        ExecStart = "${ccert-policy-server}/bin/ccert-policy-server";
+        ExecStart = getExe' ccert-policy-server "ccert-policy-server";
 
         Environment = [
           "PGDATABASE=email"
@@ -960,6 +985,53 @@ in {
     };
     users.groups."postfix-ccert-sender-policy" = {};
 
+    systemd.sockets."postfix-internal-policy" = {
+      requiredBy = ["postfix.service"];
+      wants = ["postfix-internal-policy.service"];
+      socketConfig = {
+        ListenStream = "/run/postfix-internal-policy.sock";
+      };
+    };
+    systemd.services."postfix-internal-policy" = {
+      after = [ "postgresql.service" ];
+      bindsTo = [ "postgresql.service" ];
+
+      serviceConfig = {
+        Type = "notify";
+
+        ExecStart = lib.getExe internal-policy-server;
+
+        Environment = [
+          "PGDATABASE=email"
+        ];
+
+        DynamicUser = false;
+        User = "postfix-internal-policy";
+        Group = "postfix-internal-policy";
+        ProtectSystem = "strict";
+        SystemCallFilter = "@system-service";
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+        KeyringMode = "private";
+        ProtectClock = true;
+        RestrictRealtime = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHostname = true;
+        ReadWritePaths = ["/run/postgresql"];
+      };
+    };
+    users.users."postfix-internal-policy" = {
+      isSystemUser = true;
+      group = "postfix-internal-policy";
+    };
+    users.groups."postfix-internal-policy" = {};
+
     services.postfwd = {
       enable = true;
       cache = false;
diff --git a/hosts/surtr/email/internal-policy-server/.envrc b/hosts/surtr/email/internal-policy-server/.envrc
new file mode 100644
index 00000000..2c909235
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/.envrc
@@ -0,0 +1,4 @@
+use flake
+
+[[ -d ".venv" ]] || ( uv venv && uv sync )
+. .venv/bin/activate
diff --git a/hosts/surtr/email/internal-policy-server/.gitignore b/hosts/surtr/email/internal-policy-server/.gitignore
new file mode 100644
index 00000000..4ccfae70
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/.gitignore
@@ -0,0 +1,2 @@
+.venv
+**/__pycache__
diff --git a/hosts/surtr/email/internal-policy-server/internal_policy_server/__init__.py b/hosts/surtr/email/internal-policy-server/internal_policy_server/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/internal_policy_server/__init__.py
diff --git a/hosts/surtr/email/internal-policy-server/internal_policy_server/__main__.py b/hosts/surtr/email/internal-policy-server/internal_policy_server/__main__.py
new file mode 100644
index 00000000..04f1a59a
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/internal_policy_server/__main__.py
@@ -0,0 +1,106 @@
+from systemd.daemon import listen_fds
+from sdnotify import SystemdNotifier
+from socketserver import StreamRequestHandler, ThreadingMixIn
+from systemd_socketserver import SystemdSocketServer
+import sys
+from threading import Thread
+from psycopg_pool import ConnectionPool
+from psycopg.rows import namedtuple_row
+
+import logging
+
+
+class PolicyHandler(StreamRequestHandler):
+    def handle(self):
+        logger.debug('Handling new connection...')
+
+        self.args = dict()
+
+        line = None
+        while line := self.rfile.readline().removesuffix(b'\n'):
+            if b'=' not in line:
+                break
+
+            key, val = line.split(sep=b'=', maxsplit=1)
+            self.args[key.decode()] = val.decode()
+
+        logger.info('Connection parameters: %s', self.args)
+
+        allowed = False
+        user = None
+        if self.args['sasl_username']:
+            user = self.args['sasl_username']
+        if self.args['ccert_subject']:
+            user = self.args['ccert_subject']
+
+        with self.server.db_pool.connection() as conn:
+            local, domain = self.args['recipient'].split(sep='@', maxsplit=1)
+            extension = None
+            if '+' in local:
+                local, extension = local.split(sep='+', maxsplit=1)
+
+            logger.debug('Parsed recipient address: %s', {'local': local, 'extension': extension, 'domain': domain})
+
+            with conn.cursor() as cur:
+                cur.row_factory = namedtuple_row
+                cur.execute('SELECT id, internal FROM "mailbox_mapping" WHERE ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare = True)
+                if (row := cur.fetchone()) is not None:
+                    if not row.internal:
+                        logger.debug('Recipient mailbox is not internal')
+                        allowed = True
+                    elif user:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox_mapping_access" INNER JOIN "mailbox" ON "mailbox".id = "mailbox_mapping_access"."mailbox" WHERE mailbox_mapping = %(mailbox_mapping)s AND "mailbox"."mailbox" = %(user)s) as "exists"', params = { 'mailbox_mapping': row.id, 'user': user }, prepare = True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                else:
+                    logger.debug('Recipient is not local')
+                    allowed = True
+
+        action = '550 5.7.0 Recipient mailbox mapping not authorized for current user'
+        if allowed:
+            action = 'DUNNO'
+
+        logger.info('Reached verdict: %s', {'allowed': allowed, 'action': action})
+        self.wfile.write(f'action={action}\n\n'.encode())
+
+class ThreadedSystemdSocketServer(ThreadingMixIn, SystemdSocketServer):
+    def __init__(self, fd, RequestHandlerClass):
+        super().__init__(fd, RequestHandlerClass)
+
+        self.db_pool = ConnectionPool(min_size=1)
+        self.db_pool.wait()
+
+def main():
+    global logger
+    logger = logging.getLogger(__name__)
+    console_handler = logging.StreamHandler()
+    console_handler.setFormatter( logging.Formatter('[%(levelname)s](%(name)s): %(message)s') )
+    if sys.stderr.isatty():
+        console_handler.setFormatter( logging.Formatter('%(asctime)s [%(levelname)s](%(name)s): %(message)s') )
+    logger.addHandler(console_handler)
+    logger.setLevel(logging.DEBUG)
+
+    # log uncaught exceptions
+    def log_exceptions(type, value, tb):
+        global logger
+
+        logger.error(value)
+        sys.__excepthook__(type, value, tb) # calls default excepthook
+
+    sys.excepthook = log_exceptions
+
+    fds = listen_fds()
+    servers = [ThreadedSystemdSocketServer(fd, PolicyHandler) for fd in fds]
+
+    if servers:
+        for server in servers:
+            Thread(name=f'Server for fd{server.fileno()}', target=server.serve_forever).start()
+    else:
+        return 2
+
+    SystemdNotifier().notify('READY=1')
+
+    return 0
+
+if __name__ == '__main__':
+    sys.exit(main())
diff --git a/hosts/surtr/email/internal-policy-server/pyproject.toml b/hosts/surtr/email/internal-policy-server/pyproject.toml
new file mode 100644
index 00000000..c697cd01
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/pyproject.toml
@@ -0,0 +1,18 @@
+[project]
+name = "internal-policy-server"
+version = "0.1.0"
+requires-python = ">=3.12"
+dependencies = [
+    "psycopg>=3.2.9",
+    "psycopg-binary>=3.2.9",
+    "psycopg-pool>=3.2.6",
+    "sdnotify>=0.3.2",
+    "systemd-socketserver>=1.0",
+]
+
+[project.scripts]
+internal-policy-server = "internal_policy_server.__main__:main"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
diff --git a/hosts/surtr/email/internal-policy-server/uv.lock b/hosts/surtr/email/internal-policy-server/uv.lock
new file mode 100644
index 00000000..f7a4e729
--- /dev/null
+++ b/hosts/surtr/email/internal-policy-server/uv.lock
@@ -0,0 +1,119 @@
+version = 1
+revision = 2
+requires-python = ">=3.12"
+
+[[package]]
+name = "internal-policy-server"
+version = "0.1.0"
+source = { editable = "." }
+dependencies = [
+    { name = "psycopg" },
+    { name = "psycopg-binary" },
+    { name = "psycopg-pool" },
+    { name = "sdnotify" },
+    { name = "systemd-socketserver" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "psycopg", specifier = ">=3.2.9" },
+    { name = "psycopg-binary", specifier = ">=3.2.9" },
+    { name = "psycopg-pool", specifier = ">=3.2.6" },
+    { name = "sdnotify", specifier = ">=0.3.2" },
+    { name = "systemd-socketserver", specifier = ">=1.0" },
+]
+
+[[package]]
+name = "psycopg"
+version = "3.2.9"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+    { name = "tzdata", marker = "sys_platform == 'win32'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/27/4a/93a6ab570a8d1a4ad171a1f4256e205ce48d828781312c0bbaff36380ecb/psycopg-3.2.9.tar.gz", hash = "sha256:2fbb46fcd17bc81f993f28c47f1ebea38d66ae97cc2dbc3cad73b37cefbff700", size = 158122, upload-time = "2025-05-13T16:11:15.533Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/44/b0/a73c195a56eb6b92e937a5ca58521a5c3346fb233345adc80fd3e2f542e2/psycopg-3.2.9-py3-none-any.whl", hash = "sha256:01a8dadccdaac2123c916208c96e06631641c0566b22005493f09663c7a8d3b6", size = 202705, upload-time = "2025-05-13T16:06:26.584Z" },
+]
+
+[[package]]
+name = "psycopg-binary"
+version = "3.2.9"
+source = { registry = "https://pypi.org/simple" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/29/6f/ec9957e37a606cd7564412e03f41f1b3c3637a5be018d0849914cb06e674/psycopg_binary-3.2.9-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:be7d650a434921a6b1ebe3fff324dbc2364393eb29d7672e638ce3e21076974e", size = 4022205, upload-time = "2025-05-13T16:07:48.195Z" },
+    { url = "https://files.pythonhosted.org/packages/6b/ba/497b8bea72b20a862ac95a94386967b745a472d9ddc88bc3f32d5d5f0d43/psycopg_binary-3.2.9-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6a76b4722a529390683c0304501f238b365a46b1e5fb6b7249dbc0ad6fea51a0", size = 4083795, upload-time = "2025-05-13T16:07:50.917Z" },
+    { url = "https://files.pythonhosted.org/packages/42/07/af9503e8e8bdad3911fd88e10e6a29240f9feaa99f57d6fac4a18b16f5a0/psycopg_binary-3.2.9-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:96a551e4683f1c307cfc3d9a05fec62c00a7264f320c9962a67a543e3ce0d8ff", size = 4655043, upload-time = "2025-05-13T16:07:54.857Z" },
+    { url = "https://files.pythonhosted.org/packages/28/ed/aff8c9850df1648cc6a5cc7a381f11ee78d98a6b807edd4a5ae276ad60ad/psycopg_binary-3.2.9-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:61d0a6ceed8f08c75a395bc28cb648a81cf8dee75ba4650093ad1a24a51c8724", size = 4477972, upload-time = "2025-05-13T16:07:57.925Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/bd/8e9d1b77ec1a632818fe2f457c3a65af83c68710c4c162d6866947d08cc5/psycopg_binary-3.2.9-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ad280bbd409bf598683dda82232f5215cfc5f2b1bf0854e409b4d0c44a113b1d", size = 4737516, upload-time = "2025-05-13T16:08:01.616Z" },
+    { url = "https://files.pythonhosted.org/packages/46/ec/222238f774cd5a0881f3f3b18fb86daceae89cc410f91ef6a9fb4556f236/psycopg_binary-3.2.9-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:76eddaf7fef1d0994e3d536ad48aa75034663d3a07f6f7e3e601105ae73aeff6", size = 4436160, upload-time = "2025-05-13T16:08:04.278Z" },
+    { url = "https://files.pythonhosted.org/packages/37/78/af5af2a1b296eeca54ea7592cd19284739a844974c9747e516707e7b3b39/psycopg_binary-3.2.9-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:52e239cd66c4158e412318fbe028cd94b0ef21b0707f56dcb4bdc250ee58fd40", size = 3753518, upload-time = "2025-05-13T16:08:07.567Z" },
+    { url = "https://files.pythonhosted.org/packages/ec/ac/8a3ed39ea069402e9e6e6a2f79d81a71879708b31cc3454283314994b1ae/psycopg_binary-3.2.9-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:08bf9d5eabba160dd4f6ad247cf12f229cc19d2458511cab2eb9647f42fa6795", size = 3313598, upload-time = "2025-05-13T16:08:09.999Z" },
+    { url = "https://files.pythonhosted.org/packages/da/43/26549af068347c808fbfe5f07d2fa8cef747cfff7c695136172991d2378b/psycopg_binary-3.2.9-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:1b2cf018168cad87580e67bdde38ff5e51511112f1ce6ce9a8336871f465c19a", size = 3407289, upload-time = "2025-05-13T16:08:12.66Z" },
+    { url = "https://files.pythonhosted.org/packages/67/55/ea8d227c77df8e8aec880ded398316735add8fda5eb4ff5cc96fac11e964/psycopg_binary-3.2.9-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:14f64d1ac6942ff089fc7e926440f7a5ced062e2ed0949d7d2d680dc5c00e2d4", size = 3472493, upload-time = "2025-05-13T16:08:15.672Z" },
+    { url = "https://files.pythonhosted.org/packages/3c/02/6ff2a5bc53c3cd653d281666728e29121149179c73fddefb1e437024c192/psycopg_binary-3.2.9-cp312-cp312-win_amd64.whl", hash = "sha256:7a838852e5afb6b4126f93eb409516a8c02a49b788f4df8b6469a40c2157fa21", size = 2927400, upload-time = "2025-05-13T16:08:18.652Z" },
+    { url = "https://files.pythonhosted.org/packages/28/0b/f61ff4e9f23396aca674ed4d5c9a5b7323738021d5d72d36d8b865b3deaf/psycopg_binary-3.2.9-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:98bbe35b5ad24a782c7bf267596638d78aa0e87abc7837bdac5b2a2ab954179e", size = 4017127, upload-time = "2025-05-13T16:08:21.391Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/00/7e181fb1179fbfc24493738b61efd0453d4b70a0c4b12728e2b82db355fd/psycopg_binary-3.2.9-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:72691a1615ebb42da8b636c5ca9f2b71f266be9e172f66209a361c175b7842c5", size = 4080322, upload-time = "2025-05-13T16:08:24.049Z" },
+    { url = "https://files.pythonhosted.org/packages/58/fd/94fc267c1d1392c4211e54ccb943be96ea4032e761573cf1047951887494/psycopg_binary-3.2.9-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:25ab464bfba8c401f5536d5aa95f0ca1dd8257b5202eede04019b4415f491351", size = 4655097, upload-time = "2025-05-13T16:08:27.376Z" },
+    { url = "https://files.pythonhosted.org/packages/41/17/31b3acf43de0b2ba83eac5878ff0dea5a608ca2a5c5dd48067999503a9de/psycopg_binary-3.2.9-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0e8aeefebe752f46e3c4b769e53f1d4ad71208fe1150975ef7662c22cca80fab", size = 4482114, upload-time = "2025-05-13T16:08:30.781Z" },
+    { url = "https://files.pythonhosted.org/packages/85/78/b4d75e5fd5a85e17f2beb977abbba3389d11a4536b116205846b0e1cf744/psycopg_binary-3.2.9-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b7e4e4dd177a8665c9ce86bc9caae2ab3aa9360b7ce7ec01827ea1baea9ff748", size = 4737693, upload-time = "2025-05-13T16:08:34.625Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/95/7325a8550e3388b00b5e54f4ced5e7346b531eb4573bf054c3dbbfdc14fe/psycopg_binary-3.2.9-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7fc2915949e5c1ea27a851f7a472a7da7d0a40d679f0a31e42f1022f3c562e87", size = 4437423, upload-time = "2025-05-13T16:08:37.444Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/db/cef77d08e59910d483df4ee6da8af51c03bb597f500f1fe818f0f3b925d3/psycopg_binary-3.2.9-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:a1fa38a4687b14f517f049477178093c39c2a10fdcced21116f47c017516498f", size = 3758667, upload-time = "2025-05-13T16:08:40.116Z" },
+    { url = "https://files.pythonhosted.org/packages/95/3e/252fcbffb47189aa84d723b54682e1bb6d05c8875fa50ce1ada914ae6e28/psycopg_binary-3.2.9-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:5be8292d07a3ab828dc95b5ee6b69ca0a5b2e579a577b39671f4f5b47116dfd2", size = 3320576, upload-time = "2025-05-13T16:08:43.243Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/cd/9b5583936515d085a1bec32b45289ceb53b80d9ce1cea0fef4c782dc41a7/psycopg_binary-3.2.9-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:778588ca9897b6c6bab39b0d3034efff4c5438f5e3bd52fda3914175498202f9", size = 3411439, upload-time = "2025-05-13T16:08:47.321Z" },
+    { url = "https://files.pythonhosted.org/packages/45/6b/6f1164ea1634c87956cdb6db759e0b8c5827f989ee3cdff0f5c70e8331f2/psycopg_binary-3.2.9-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:f0d5b3af045a187aedbd7ed5fc513bd933a97aaff78e61c3745b330792c4345b", size = 3477477, upload-time = "2025-05-13T16:08:51.166Z" },
+    { url = "https://files.pythonhosted.org/packages/7b/1d/bf54cfec79377929da600c16114f0da77a5f1670f45e0c3af9fcd36879bc/psycopg_binary-3.2.9-cp313-cp313-win_amd64.whl", hash = "sha256:2290bc146a1b6a9730350f695e8b670e1d1feb8446597bed0bbe7c3c30e0abcb", size = 2928009, upload-time = "2025-05-13T16:08:53.67Z" },
+]
+
+[[package]]
+name = "psycopg-pool"
+version = "3.2.6"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "typing-extensions" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/cf/13/1e7850bb2c69a63267c3dbf37387d3f71a00fd0e2fa55c5db14d64ba1af4/psycopg_pool-3.2.6.tar.gz", hash = "sha256:0f92a7817719517212fbfe2fd58b8c35c1850cdd2a80d36b581ba2085d9148e5", size = 29770, upload-time = "2025-02-26T12:03:47.129Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/47/fd/4feb52a55c1a4bd748f2acaed1903ab54a723c47f6d0242780f4d97104d4/psycopg_pool-3.2.6-py3-none-any.whl", hash = "sha256:5887318a9f6af906d041a0b1dc1c60f8f0dda8340c2572b74e10907b51ed5da7", size = 38252, upload-time = "2025-02-26T12:03:45.073Z" },
+]
+
+[[package]]
+name = "sdnotify"
+version = "0.3.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/ce/d8/9fdc36b2a912bf78106de4b3f0de3891ff8f369e7a6f80be842b8b0b6bd5/sdnotify-0.3.2.tar.gz", hash = "sha256:73977fc746b36cc41184dd43c3fe81323e7b8b06c2bb0826c4f59a20c56bb9f1", size = 2459, upload-time = "2017-08-02T20:03:44.395Z" }
+
+[[package]]
+name = "systemd-python"
+version = "235"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/9e/ab4458e00367223bda2dd7ccf0849a72235ee3e29b36dce732685d9b7ad9/systemd-python-235.tar.gz", hash = "sha256:4e57f39797fd5d9e2d22b8806a252d7c0106c936039d1e71c8c6b8008e695c0a", size = 61677, upload-time = "2023-02-11T13:42:16.588Z" }
+
+[[package]]
+name = "systemd-socketserver"
+version = "1.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "systemd-python" },
+]
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d8/4f/b28b7f08880120a26669b080ca74487c8c67e8b54dcb0467a8f0c9f38ed6/systemd_socketserver-1.0-py3-none-any.whl", hash = "sha256:987a8bfbf28d959e7c2966c742ad7bad482f05e121077defcf95bb38267db9a8", size = 3248, upload-time = "2020-04-26T05:26:40.661Z" },
+]
+
+[[package]]
+name = "typing-extensions"
+version = "4.13.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f6/37/23083fcd6e35492953e8d2aaaa68b860eb422b34627b13f2ce3eb6106061/typing_extensions-4.13.2.tar.gz", hash = "sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef", size = 106967, upload-time = "2025-04-10T14:19:05.416Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/8b/54/b1ae86c0973cc6f0210b53d508ca3641fb6d0c56823f288d108bc7ab3cc8/typing_extensions-4.13.2-py3-none-any.whl", hash = "sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c", size = 45806, upload-time = "2025-04-10T14:19:03.967Z" },
+]
+
+[[package]]
+name = "tzdata"
+version = "2025.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/95/32/1a225d6164441be760d75c2c42e2780dc0873fe382da3e98a2e1e48361e5/tzdata-2025.2.tar.gz", hash = "sha256:b60a638fcc0daffadf82fe0f57e53d06bdec2f36c4df66280ae79bce6bd6f2b9", size = 196380, upload-time = "2025-03-23T13:54:43.652Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/5c/23/c7abc0ca0a1526a0774eca151daeb8de62ec457e77262b66b359c3c7679e/tzdata-2025.2-py2.py3-none-any.whl", hash = "sha256:1a403fada01ff9221ca8044d701868fa132215d84beb92242d9acd2147f667a8", size = 347839, upload-time = "2025-03-23T13:54:41.845Z" },
+]
diff --git a/hosts/surtr/kimai.nix b/hosts/surtr/kimai.nix
new file mode 100644
index 00000000..454b3d80
--- /dev/null
+++ b/hosts/surtr/kimai.nix
@@ -0,0 +1,68 @@
+{ config, ... }:
+
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "kimai.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+
+    services.nginx = {
+      upstreams."kimai" = {
+        servers = {
+          "[2a03:4000:52:ada:6::2]:80" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "kimai.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/kimai.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/kimai.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/kimai.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://kimai;
+
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+
+              proxy_read_timeout 300;
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "kimai.yggdrasil.li.key.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/key.pem"
+          "kimai.yggdrasil.li.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/fullchain.pem"
+          "kimai.yggdrasil.li.chain.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index 059f4088..3786ea7c 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -280,6 +280,64 @@ in {
           CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox;
 
           COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('013-internal', ARRAY['000-base'], null);
+
+          ALTER TABLE mailbox_mapping ADD COLUMN internal bool NOT NULL DEFAULT false;
+          CREATE TABLE mailbox_mapping_access (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            mailbox_mapping uuid REFERENCES mailbox_mapping(id),
+            mailbox uuid REFERENCES mailbox(id)
+          );
+          CREATE USER "postfix-internal-policy";
+          GRANT CONNECT ON DATABASE "email" TO "postfix-internal-policy";
+          ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "postfix-internal-policy";
+          GRANT SELECT ON ALL TABLES IN SCHEMA public TO "postfix-internal-policy";
+
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('014-relay', ARRAY['000-base'], null);
+
+          CREATE TABLE relay_access (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            mailbox uuid REFERENCES mailbox(id),
+            domain citext NOT NULL CONSTRAINT domain_non_empty CHECK (domain <> ''')
+          );
+
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('015-relay-unique', ARRAY['000-base', '014-relay'], null);
+
+          CREATE UNIQUE INDEX relay_unique ON relay_access (mailbox, domain);
+
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('015-sender_bcc', null, null);
+
+          CREATE TABLE sender_bcc_maps (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            key text NOT NULL CONSTRAINT key_not_empty CHECK (key <> '''),
+            value text NOT NULL CONSTRAINT value_not_empty CHECK (value <> '''),
+            CONSTRAINT key_unique UNIQUE (key)
+          );
+
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('016-recipient_bcc', null, null);
+
+          CREATE TABLE recipient_bcc_maps (
+            id uuid PRIMARY KEY NOT NULL DEFAULT gen_random_uuid(),
+            key text NOT NULL CONSTRAINT key_not_empty CHECK (key <> '''),
+            value text NOT NULL CONSTRAINT value_not_empty CHECK (value <> '''),
+            CONSTRAINT recipient_bcc_maps_key_unique UNIQUE (key)
+          );
+
+          COMMIT;
         ''}
 
         psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
diff --git a/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li b/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li
new file mode 100644
index 00000000..b9199975
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:ATcU3Ix7o5d/49rD5H8je1ozTjoghrloMh5DIZ5WE3oYauUAknpGfr9xq92V,iv:vy9YK5Ot7CCjMtgAGVeAUQuaSw4F5kmmZ0GJYV9kCdQ=,tag:F/MXTUM2AI1fGXa9Ewn8yQ==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMEF0cUdydERYVzJCa3pW\nTlo0NUFON0d5RGJFVnVTNVg3cjNEUERQMEdFClEvQW5odlNEd2F1VTFmMWQrL2RB\ncllFZVpIVVJrNTJsSGF4UEdZMnVmQzAKLS0tIFUrQkkzRVZiOFNiTnFCT1pEYVRM\nQm8wV1JkQ3RrR1dkL0FsNkhsY2kxa1kKGnAo/6oibgXexUU31THdLu6X+pRtrkjD\nZnXGPZ2xaESDVUVEYQPVpNrjt9brZGJBI1BasrkEwHAXMbJC236yYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MGs1Z2ZqK2pqWHdVYTJH\naTlncHdPa3Zld0JhQW5Ccmc1SStWSnlDR0JrCmpML2d4TGdldUdoZCtaWVpPZVl0\nVm4waWVBS1orRS90ZS96N0Y2M29LY0UKLS0tIEI1Z2VVbVVxRUpOZEN4NnBRRklC\nQXloelZCb04xbmduTlVuL005TlRGMHMKfLB6zA3sj3HgDBC7VGfGVB6I1zJpt0PV\nkCV2yADgvAA2pT9HPg9IWAEpTPysOBiuE2jPNtFvylZYwTDHoumFnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-05-24T09:42:23Z",
+                "mac": "ENC[AES256_GCM,data:0pk1LpWPmX9td/TwJFxwWp5pTDyW78UtHXMDah+V9Tmgi8hH7ONdysgjwpDwS/c4zGnMA3qtobEL286U3//CTXt2qVsiUGLsnngzs2E6yBg8oGMYlGrch4M355Fl5ZxYsc8QLA6qWcuZ4H3QW8PnoqdJixcHoYLoxG01dzh4Bc0=,iv:zchk4enI1D80BkJLji5RLm7OTk3GeF8nYHuwqBxCXIM=,tag:bgkknPMqkSidi6bDFfv6UQ==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index c9470ee9..547572c6 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 
 {
   imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
     tmpfs-root zfs
     initrd-all-crypto-modules default-locale openssh rebuild-machines
     build-server
@@ -136,7 +136,7 @@ with lib;
       wantedBy = ["basic.target"];
       serviceConfig = {
         ExecStart = pkgs.writeShellScript "limit-pstate-start" ''
-          echo 50 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
+          echo 40 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
         '';
         RemainAfterExit = true;
         ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''
diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix
new file mode 100644
index 00000000..0258697b
--- /dev/null
+++ b/hosts/vidhar/kimai/default.nix
@@ -0,0 +1,89 @@
+{ flake, config, ... }:
+
+{
+  config = {
+    boot.enableContainers = true;
+    boot.kernel.sysctl = {
+      "net.netfilter.nf_log_all_netns" = true;
+    };
+
+    containers."kimai" = {
+      autoStart = true;
+      ephemeral = true;
+      bindMounts = {
+        "/var/lib/kimai" = {
+          hostPath = "/var/lib/kimai/state";
+          isReadOnly = false;
+        };
+        "/var/lib/mysql" = {
+          hostPath = "/var/lib/kimai/mysql";
+          isReadOnly = false;
+        };
+      };
+      privateNetwork = true;
+      # forwardPorts = [
+      #   { containerPort = 80;
+      #     hostPort = 28983;
+      #   }
+      # ];
+      hostAddress = "192.168.52.113";
+      localAddress = "192.168.52.114";
+      hostAddress6 = "2a03:4000:52:ada:6::1";
+      localAddress6 = "2a03:4000:52:ada:6::2";
+      config = let hostConfig = config; in { config, pkgs, lib, ... }: {
+        system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
+        system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+        nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+
+        services.kimai.sites."kimai.yggdrasil.li" = {
+          database.socket = "/run/mysqld/mysqld.sock";
+        };
+
+        networking = {
+          useDHCP = false;
+          useNetworkd = true;
+          useHostResolvConf = false;
+          firewall.enable = false;
+          nftables = {
+            enable = true;
+            rulesetFile = ./ruleset.nft;
+          };
+        };
+
+        services.resolved.fallbackDns = [
+          "9.9.9.10#dns10.quad9.net"
+          "149.112.112.10#dns10.quad9.net"
+          "2620:fe::10#dns10.quad9.net"
+          "2620:fe::fe:10#dns10.quad9.net"
+        ];
+
+        systemd.network = {
+          networks.upstream = {
+            name = "eth0";
+            matchConfig = {
+              Name = "eth0";
+            };
+            linkConfig = {
+              RequiredForOnline = true;
+            };
+            networkConfig = {
+              Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
+              LLMNR = false;
+              MulticastDNS = false;
+            };
+            routes = [
+              { Destination = "192.168.52.113/32"; }
+              { Destination = "2a03:4000:52:ada:6::1/128"; }
+              { Destination = "0.0.0.0/0";
+                Gateway = "192.168.52.113";
+              }
+              { Destination = "::/0";
+                Gateway = "2a03:4000:52:ada:6::1";
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft
new file mode 100644
index 00000000..ad4db6d5
--- /dev/null
+++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter arp-rx {}
+  counter arp-tx {}
+
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-rx drop
+
+    counter name arp-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-tx drop
+
+    counter name arp-tx
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter invalid-fw {}
+  counter fw-lo {}
+
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+
+  counter drop-fw {}
+
+  counter invalid-rx {}
+
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+
+  counter kimai-rx {}
+
+  counter established-rx {}
+
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+
+  counter drop-rx {}
+
+  counter tx-lo {}
+
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+
+  counter kimai-tx {}
+
+  counter tx {}
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
+
+
+    iifname lo counter name fw-lo accept
+
+
+    limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "kimai: reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+
+
+    counter name drop-fw
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
+
+
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+    tcp dport 80 counter name kimai-rx accept
+
+
+    ct state { established, related } counter name established-rx accept
+
+
+    limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "kimai: reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+
+
+    counter name drop-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter name tx-lo accept
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+    tcp sport 80 counter name kimai-tx
+
+
+    counter name tx
+  }
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 6b0ac9fc..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
   counter fw-lo {}
   counter fw-lan {}
   counter fw-gpon {}
+  counter fw-kimai {}
 
   counter fw-cups {}
 
@@ -95,6 +96,7 @@ table inet filter {
   counter paperless-rx {}
   counter hledger-rx {}
   counter audiobookshelf-rx {}
+  counter kimai-rx {}
 
   counter established-rx {}
 
@@ -127,6 +129,7 @@ table inet filter {
   counter paperless-tx {}
   counter hledger-tx {}
   counter audiobookshelf-tx {}
+  counter kimai-tx {}
 
   counter tx {}
 
@@ -150,8 +153,13 @@ table inet filter {
 
     oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
     iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname gpon counter name fw-kimai accept
 
     iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+
+    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -266,7 +274,7 @@ table inet filter {
 
 table inet nat {
   counter gpon-nat {}
-  # counter container-nat {}
+  counter kimai-nat {}
 
   chain postrouting {
     type nat hook postrouting priority srcnat
@@ -274,7 +282,7 @@ table inet nat {
 
 
     meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    # iifname ve-* oifname gpon counter name container-nat masquerade
+    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
   }
 }
 
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index b1d90d47..094f9f7a 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -27,6 +27,7 @@ in {
 
       extraFlags = [
         "--web.enable-remote-write-receiver"
+        "--storage.tsdb.retention.size=35GB"
       ];
 
       exporters = {
diff --git a/lib/pythonSet.nix b/lib/pythonSet.nix
new file mode 100644
index 00000000..c69216cc
--- /dev/null
+++ b/lib/pythonSet.nix
@@ -0,0 +1,42 @@
+{ uv2nix, pyproject-nix, pyproject-build-systems, ... }:
+{ pkgs, python, overlay, lib ? pkgs.lib }:
+(pkgs.callPackage pyproject-nix.build.packages {
+  inherit python;
+}).overrideScope
+  (
+    lib.composeManyExtensions [
+      pyproject-build-systems.overlays.default
+      overlay
+      (final: prev: {
+        sdnotify = (prev.sdnotify.override {
+          sourcePreference = "sdist";
+        }).overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [
+            (final.resolveBuildSystem { setuptools = []; })
+          ];
+        });
+        systemd-python = (prev.systemd-python.override {
+          sourcePreference = "sdist";
+        }).overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [
+            pkgs.pkg-config pkgs.systemd.dev
+            (final.resolveBuildSystem { setuptools = []; })
+          ];
+        });
+        halo = (prev.halo.override {
+          sourcePreference = "sdist";
+        }).overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [
+            (final.resolveBuildSystem { setuptools = []; })
+          ];
+        });
+        unshare = (prev.unshare.override {
+          sourcePreference = "sdist";
+        }).overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [
+            (final.resolveBuildSystem { setuptools = []; })
+          ];
+        });
+      })
+    ]
+  )
diff --git a/modules/abs-podcast-autoplaylist.nix b/modules/abs-podcast-autoplaylist.nix
index 2532cfc3..f526a434 100644
--- a/modules/abs-podcast-autoplaylist.nix
+++ b/modules/abs-podcast-autoplaylist.nix
@@ -37,6 +37,7 @@ in {
           PrivateDevices = true;
           Type = "oneshot";
           ExecStart = "${lib.getExe pkgs.abs-podcast-autoplaylist} %I.toml";
+          TimeoutSec = "5min";
         };
       };
     } // lib.mapAttrs' (name: { configSecret, ... }: lib.nameValuePair "abs-podcast-autoplaylist@${utils.escapeSystemdPath name}" {
diff --git a/modules/borgcopy/.envrc b/modules/borgcopy/.envrc
new file mode 100644
index 00000000..01e755c1
--- /dev/null
+++ b/modules/borgcopy/.envrc
@@ -0,0 +1,4 @@
+use flake
+
+uv venv && uv sync
+. .venv/bin/activate
diff --git a/modules/borgcopy/.gitignore b/modules/borgcopy/.gitignore
new file mode 100644
index 00000000..4ccfae70
--- /dev/null
+++ b/modules/borgcopy/.gitignore
@@ -0,0 +1,2 @@
+.venv
+**/__pycache__
diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix
index 8e1afc27..af021777 100644
--- a/modules/borgcopy/default.nix
+++ b/modules/borgcopy/default.nix
@@ -1,25 +1,32 @@
-{ config, pkgs, lib, utils, flakeInputs, ... }:
+{ config, pkgs, lib, utils, flake, flakeInputs, ... }:
 
 with lib;
 
 let
-  copyBorg =
-    with pkgs.poetry2nix;
-    mkPoetryApplication {
-      projectDir = cleanPythonSources { src = ./.; };
+  copyBorg = let
+    workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./.; };
+    pythonSet = flake.lib.pythonSet {
+      inherit pkgs;
+      python = pkgs.python312;
+      overlay = workspace.mkPyprojectOverlay {
+        sourcePreference = "wheel";
+      };
+    };
+    virtualEnv = pythonSet.mkVirtualEnv "copy_borg" workspace.deps.default;
+  in virtualEnv.overrideAttrs (oldAttrs: {
+    meta = (oldAttrs.meta or {}) // {
+      mainProgram = "copy_borg";
+    };
 
-      overrides = overrides.withDefaults (self: super: {
-        pyprctl = super.pyprctl.overridePythonAttrs (oldAttrs: {
-          buildInputs = (oldAttrs.buildInputs or []) ++ [super.setuptools];
-        });
-        inherit (pkgs.python3Packages) python-unshare;
-      });
+    nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ pkgs.makeWrapper ];
 
-      postInstall = ''
-        wrapProgram $out/bin/copy_borg \
-          --prefix PATH : ${makeBinPath (with pkgs; [util-linux borgbackup])}:${config.security.wrapperDir}
-      '';
-    };
+    postInstall = ''
+      ${oldAttrs.postInstall or ""}
+
+      wrapProgram $out/bin/copy_borg \
+        --prefix PATH : ${makeBinPath (with pkgs; [util-linux borgbackup])}:${config.security.wrapperDir}
+    '';
+  });
 
   copyService = name: opts: nameValuePair "copy-borg@${utils.escapeSystemdPath name}" {
     restartIfChanged = false;
diff --git a/modules/borgcopy/poetry.lock b/modules/borgcopy/poetry.lock
deleted file mode 100644
index 759ecfe9..00000000
--- a/modules/borgcopy/poetry.lock
+++ /dev/null
@@ -1,180 +0,0 @@
-# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
-
-[[package]]
-name = "colorama"
-version = "0.4.6"
-description = "Cross-platform colored terminal text."
-category = "main"
-optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
-files = [
-    {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
-    {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
-]
-
-[[package]]
-name = "halo"
-version = "0.0.31"
-description = "Beautiful terminal spinners in Python"
-category = "main"
-optional = false
-python-versions = ">=3.4"
-files = [
-    {file = "halo-0.0.31-py2-none-any.whl", hash = "sha256:5350488fb7d2aa7c31a1344120cee67a872901ce8858f60da7946cef96c208ab"},
-    {file = "halo-0.0.31.tar.gz", hash = "sha256:7b67a3521ee91d53b7152d4ee3452811e1d2a6321975137762eb3d70063cc9d6"},
-]
-
-[package.dependencies]
-colorama = ">=0.3.9"
-log-symbols = ">=0.0.14"
-six = ">=1.12.0"
-spinners = ">=0.0.24"
-termcolor = ">=1.1.0"
-
-[package.extras]
-ipython = ["IPython (==5.7.0)", "ipywidgets (==7.1.0)"]
-
-[[package]]
-name = "humanize"
-version = "4.6.0"
-description = "Python humanize utilities"
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "humanize-4.6.0-py3-none-any.whl", hash = "sha256:401201aca462749773f02920139f302450cb548b70489b9b4b92be39fe3c3c50"},
-    {file = "humanize-4.6.0.tar.gz", hash = "sha256:5f1f22bc65911eb1a6ffe7659bd6598e33dcfeeb904eb16ee1e705a09bf75916"},
-]
-
-[package.extras]
-tests = ["freezegun", "pytest", "pytest-cov"]
-
-[[package]]
-name = "log-symbols"
-version = "0.0.14"
-description = "Colored symbols for various log levels for Python"
-category = "main"
-optional = false
-python-versions = "*"
-files = [
-    {file = "log_symbols-0.0.14-py3-none-any.whl", hash = "sha256:4952106ff8b605ab7d5081dd2c7e6ca7374584eff7086f499c06edd1ce56dcca"},
-    {file = "log_symbols-0.0.14.tar.gz", hash = "sha256:cf0bbc6fe1a8e53f0d174a716bc625c4f87043cc21eb55dd8a740cfe22680556"},
-]
-
-[package.dependencies]
-colorama = ">=0.3.9"
-
-[[package]]
-name = "pyprctl"
-version = "0.1.3"
-description = "An interface to Linux's prctl() syscall written in pure Python using ctypes."
-category = "main"
-optional = false
-python-versions = ">=3.6"
-files = [
-    {file = "pyprctl-0.1.3-py3-none-any.whl", hash = "sha256:6302e5114f078fb33e5799835d0a69e2fc180bb6b28ad073515fa40c5272f1dd"},
-    {file = "pyprctl-0.1.3.tar.gz", hash = "sha256:1fb54d3ab030ec02e4afc38fb9662d6634c12834e91ae7959de56a9c09f69c26"},
-]
-
-[[package]]
-name = "python-dateutil"
-version = "2.8.2"
-description = "Extensions to the standard Python datetime module"
-category = "main"
-optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
-files = [
-    {file = "python-dateutil-2.8.2.tar.gz", hash = "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86"},
-    {file = "python_dateutil-2.8.2-py2.py3-none-any.whl", hash = "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"},
-]
-
-[package.dependencies]
-six = ">=1.5"
-
-[[package]]
-name = "python-unshare"
-version = "0.2"
-description = "Python bindings for the Linux unshare() syscall"
-category = "main"
-optional = false
-python-versions = "*"
-files = [
-    {file = "python-unshare-0.2.tar.gz", hash = "sha256:f79b7de441b6c27930b775085a6a4fd2f378b628737aaaebc2a6c519023fd47a"},
-]
-
-[[package]]
-name = "six"
-version = "1.16.0"
-description = "Python 2 and 3 compatibility utilities"
-category = "main"
-optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*"
-files = [
-    {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"},
-    {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"},
-]
-
-[[package]]
-name = "spinners"
-version = "0.0.24"
-description = "Spinners for terminals"
-category = "main"
-optional = false
-python-versions = "*"
-files = [
-    {file = "spinners-0.0.24-py3-none-any.whl", hash = "sha256:2fa30d0b72c9650ad12bbe031c9943b8d441e41b4f5602b0ec977a19f3290e98"},
-    {file = "spinners-0.0.24.tar.gz", hash = "sha256:1eb6aeb4781d72ab42ed8a01dcf20f3002bf50740d7154d12fb8c9769bf9e27f"},
-]
-
-[[package]]
-name = "termcolor"
-version = "2.2.0"
-description = "ANSI color formatting for output in terminal"
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "termcolor-2.2.0-py3-none-any.whl", hash = "sha256:91ddd848e7251200eac969846cbae2dacd7d71c2871e92733289e7e3666f48e7"},
-    {file = "termcolor-2.2.0.tar.gz", hash = "sha256:dfc8ac3f350788f23b2947b3e6cfa5a53b630b612e6cd8965a015a776020b99a"},
-]
-
-[package.extras]
-tests = ["pytest", "pytest-cov"]
-
-[[package]]
-name = "tqdm"
-version = "4.65.0"
-description = "Fast, Extensible Progress Meter"
-category = "main"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "tqdm-4.65.0-py3-none-any.whl", hash = "sha256:c4f53a17fe37e132815abceec022631be8ffe1b9381c2e6e30aa70edc99e9671"},
-    {file = "tqdm-4.65.0.tar.gz", hash = "sha256:1871fb68a86b8fb3b59ca4cdd3dcccbc7e6d613eeed31f4c332531977b89beb5"},
-]
-
-[package.dependencies]
-colorama = {version = "*", markers = "platform_system == \"Windows\""}
-
-[package.extras]
-dev = ["py-make (>=0.1.0)", "twine", "wheel"]
-notebook = ["ipywidgets (>=6)"]
-slack = ["slack-sdk"]
-telegram = ["requests"]
-
-[[package]]
-name = "xdg"
-version = "6.0.0"
-description = "Variables defined by the XDG Base Directory Specification"
-category = "main"
-optional = false
-python-versions = ">=3.7,<4.0"
-files = [
-    {file = "xdg-6.0.0-py3-none-any.whl", hash = "sha256:df3510755b4395157fc04fc3b02467c777f3b3ca383257397f09ab0d4c16f936"},
-    {file = "xdg-6.0.0.tar.gz", hash = "sha256:24278094f2d45e846d1eb28a2ebb92d7b67fc0cab5249ee3ce88c95f649a1c92"},
-]
-
-[metadata]
-lock-version = "2.0"
-python-versions = ">=3.10.0,<3.12"
-content-hash = "3c6b538852447a8f3ae34e1be122716d47e669a2b44f7c5d3d850e5d877353c7"
diff --git a/modules/borgcopy/pyproject.toml b/modules/borgcopy/pyproject.toml
index f3401ed2..d76d73c6 100644
--- a/modules/borgcopy/pyproject.toml
+++ b/modules/borgcopy/pyproject.toml
@@ -1,22 +1,25 @@
-[tool.poetry]
+[project]
 name = "copy_borg"
 version = "0.0.0"
-authors = ["Gregor Kleen <gkleen@yggdrasil.li>"]
 description = ""
+authors = [{ name = "Gregor Kleen", email = "gkleen@yggdrasil.li" }]
+requires-python = "~=3.12"
+dependencies = [
+    "humanize>=4.6.0,<5",
+    "tqdm>=4.65.0,<5",
+    "python-dateutil>=2.8.2,<3",
+    "xdg>=6.0.0,<7",
+    "pyprctl>=0.1.3,<0.2",
+    "halo>=0.0.31,<0.0.32",
+    "unshare>=0.22",
+]
 
-[tool.poetry.scripts]
+[project.scripts]
 copy_borg = "copy_borg.__main__:main"
 
-[tool.poetry.dependencies]
-python = ">=3.10.0,<3.12"
-humanize = "^4.6.0"
-tqdm = "^4.65.0"
-python-dateutil = "^2.8.2"
-xdg = "^6.0.0"
-python-unshare = "^0.2"
-pyprctl = "^0.1.3"
-halo = "^0.0.31"
-
 [build-system]
-requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"
\ No newline at end of file
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["copy_borg"]
diff --git a/modules/borgcopy/uv.lock b/modules/borgcopy/uv.lock
new file mode 100644
index 00000000..1a282598
--- /dev/null
+++ b/modules/borgcopy/uv.lock
@@ -0,0 +1,146 @@
+version = 1
+revision = 2
+requires-python = ">=3.12, <4"
+
+[[package]]
+name = "colorama"
+version = "0.4.6"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" },
+]
+
+[[package]]
+name = "copy-borg"
+version = "0.0.0"
+source = { editable = "." }
+dependencies = [
+    { name = "halo" },
+    { name = "humanize" },
+    { name = "pyprctl" },
+    { name = "python-dateutil" },
+    { name = "tqdm" },
+    { name = "unshare" },
+    { name = "xdg" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "halo", specifier = ">=0.0.31,<0.0.32" },
+    { name = "humanize", specifier = ">=4.6.0,<5" },
+    { name = "pyprctl", specifier = ">=0.1.3,<0.2" },
+    { name = "python-dateutil", specifier = ">=2.8.2,<3" },
+    { name = "tqdm", specifier = ">=4.65.0,<5" },
+    { name = "unshare", specifier = ">=0.22" },
+    { name = "xdg", specifier = ">=6.0.0,<7" },
+]
+
+[[package]]
+name = "halo"
+version = "0.0.31"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama" },
+    { name = "log-symbols" },
+    { name = "six" },
+    { name = "spinners" },
+    { name = "termcolor" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/ee/48/d53580d30b1fabf25d0d1fcc3f5b26d08d2ac75a1890ff6d262f9f027436/halo-0.0.31.tar.gz", hash = "sha256:7b67a3521ee91d53b7152d4ee3452811e1d2a6321975137762eb3d70063cc9d6", size = 11666, upload-time = "2020-11-10T02:36:48.335Z" }
+
+[[package]]
+name = "humanize"
+version = "4.12.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/22/d1/bbc4d251187a43f69844f7fd8941426549bbe4723e8ff0a7441796b0789f/humanize-4.12.3.tar.gz", hash = "sha256:8430be3a615106fdfceb0b2c1b41c4c98c6b0fc5cc59663a5539b111dd325fb0", size = 80514, upload-time = "2025-04-30T11:51:07.98Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/a0/1e/62a2ec3104394a2975a2629eec89276ede9dbe717092f6966fcf963e1bf0/humanize-4.12.3-py3-none-any.whl", hash = "sha256:2cbf6370af06568fa6d2da77c86edb7886f3160ecd19ee1ffef07979efc597f6", size = 128487, upload-time = "2025-04-30T11:51:06.468Z" },
+]
+
+[[package]]
+name = "log-symbols"
+version = "0.0.14"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/45/87/e86645d758a4401c8c81914b6a88470634d1785c9ad09823fa4a1bd89250/log_symbols-0.0.14.tar.gz", hash = "sha256:cf0bbc6fe1a8e53f0d174a716bc625c4f87043cc21eb55dd8a740cfe22680556", size = 3211, upload-time = "2019-08-08T06:32:22.538Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/28/5d/d710c38be68b0fb54e645048fe359c3904cc3cb64b2de9d40e1712bf110c/log_symbols-0.0.14-py3-none-any.whl", hash = "sha256:4952106ff8b605ab7d5081dd2c7e6ca7374584eff7086f499c06edd1ce56dcca", size = 3081, upload-time = "2019-08-08T06:32:20.604Z" },
+]
+
+[[package]]
+name = "pyprctl"
+version = "0.1.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/c9/16/6ed71ebcad76c1cd5f22185bcc6b31c0ee62fc5e693b626febea8fedeba3/pyprctl-0.1.3.tar.gz", hash = "sha256:1fb54d3ab030ec02e4afc38fb9662d6634c12834e91ae7959de56a9c09f69c26", size = 18739, upload-time = "2021-10-26T23:52:03.87Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/bf/5e/62765de39bbce8111fb1f4453a4a804913bf49179fa265fb713ed66c9d15/pyprctl-0.1.3-py3-none-any.whl", hash = "sha256:6302e5114f078fb33e5799835d0a69e2fc180bb6b28ad073515fa40c5272f1dd", size = 20016, upload-time = "2021-10-26T23:52:02.986Z" },
+]
+
+[[package]]
+name = "python-dateutil"
+version = "2.9.0.post0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "six" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/66/c0/0c8b6ad9f17a802ee498c46e004a0eb49bc148f2fd230864601a86dcf6db/python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", size = 342432, upload-time = "2024-03-01T18:36:20.211Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427", size = 229892, upload-time = "2024-03-01T18:36:18.57Z" },
+]
+
+[[package]]
+name = "six"
+version = "1.17.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/94/e7/b2c673351809dca68a0e064b6af791aa332cf192da575fd474ed7d6f16a2/six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81", size = 34031, upload-time = "2024-12-04T17:35:28.174Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050, upload-time = "2024-12-04T17:35:26.475Z" },
+]
+
+[[package]]
+name = "spinners"
+version = "0.0.24"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d3/91/bb331f0a43e04d950a710f402a0986a54147a35818df0e1658551c8d12e1/spinners-0.0.24.tar.gz", hash = "sha256:1eb6aeb4781d72ab42ed8a01dcf20f3002bf50740d7154d12fb8c9769bf9e27f", size = 5308, upload-time = "2020-02-19T21:42:32.326Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/9f/8e/3310207a68118000ca27ac878b8386123628b335ecb3d4bec4743357f0d1/spinners-0.0.24-py3-none-any.whl", hash = "sha256:2fa30d0b72c9650ad12bbe031c9943b8d441e41b4f5602b0ec977a19f3290e98", size = 5499, upload-time = "2020-02-19T21:42:30.876Z" },
+]
+
+[[package]]
+name = "termcolor"
+version = "3.1.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/ca/6c/3d75c196ac07ac8749600b60b03f4f6094d54e132c4d94ebac6ee0e0add0/termcolor-3.1.0.tar.gz", hash = "sha256:6a6dd7fbee581909eeec6a756cff1d7f7c376063b14e4a298dc4980309e55970", size = 14324, upload-time = "2025-04-30T11:37:53.791Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/4f/bd/de8d508070629b6d84a30d01d57e4a65c69aa7f5abe7560b8fad3b50ea59/termcolor-3.1.0-py3-none-any.whl", hash = "sha256:591dd26b5c2ce03b9e43f391264626557873ce1d379019786f99b0c2bee140aa", size = 7684, upload-time = "2025-04-30T11:37:52.382Z" },
+]
+
+[[package]]
+name = "tqdm"
+version = "4.67.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/a8/4b/29b4ef32e036bb34e4ab51796dd745cdba7ed47ad142a9f4a1eb8e0c744d/tqdm-4.67.1.tar.gz", hash = "sha256:f8aef9c52c08c13a65f30ea34f4e5aac3fd1a34959879d7e59e63027286627f2", size = 169737, upload-time = "2024-11-24T20:12:22.481Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d0/30/dc54f88dd4a2b5dc8a0279bdd7270e735851848b762aeb1c1184ed1f6b14/tqdm-4.67.1-py3-none-any.whl", hash = "sha256:26445eca388f82e72884e0d580d5464cd801a3ea01e63e5601bdff9ba6a48de2", size = 78540, upload-time = "2024-11-24T20:12:19.698Z" },
+]
+
+[[package]]
+name = "unshare"
+version = "0.22"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/15/85/2ba218129c95b894efe87506489b525f859c40f6e21cb0521ff3cec754f4/unshare-0.22.tar.gz", hash = "sha256:d521d72cca6e876f22cbd5ff5eb51f1beef75e8f9c53b599b55fa05fba1dd3a6", size = 2041, upload-time = "2019-10-17T12:58:31.498Z" }
+
+[[package]]
+name = "xdg"
+version = "6.0.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/2a/b9/0e6e6f19fb75cf5e1758f4f33c1256738f718966700cffc0fde2f966218b/xdg-6.0.0.tar.gz", hash = "sha256:24278094f2d45e846d1eb28a2ebb92d7b67fc0cab5249ee3ce88c95f649a1c92", size = 3453, upload-time = "2023-02-27T19:27:44.309Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/dd/54/3516c1cf349060fc3578686d271eba242f10ec00b4530c2985af9faac49b/xdg-6.0.0-py3-none-any.whl", hash = "sha256:df3510755b4395157fc04fc3b02467c777f3b3ca383257397f09ab0d4c16f936", size = 3855, upload-time = "2023-02-27T19:27:42.151Z" },
+]
diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix
index 81c74a8e..550e970b 100644
--- a/modules/pgbackrest.nix
+++ b/modules/pgbackrest.nix
@@ -43,6 +43,8 @@ let
   loglevelType = types.enum ["off" "error" "warn" "info" "detail" "debug" "trace"];
   inherit (utils.systemdUtils.unitOptions) unitOption;
 in {
+  disabledModules = ["services/backup/pgbackrest.nix"];
+
   options = {
     services.pgbackrest = {
       enable = mkEnableOption "pgBackRest";
diff --git a/modules/systemd-run0.nix b/modules/systemd-run0.nix
new file mode 100644
index 00000000..8575ec7c
--- /dev/null
+++ b/modules/systemd-run0.nix
@@ -0,0 +1,4 @@
+{ config, lib, ... }:
+{
+  config.security.pam.services.systemd-run0 = lib.mkIf (lib.versionAtLeast config.systemd.package.version "256") {};
+}
diff --git a/modules/uucp.nix b/modules/uucp.nix
deleted file mode 100644
index 10f7297b..00000000
--- a/modules/uucp.nix
+++ /dev/null
@@ -1,373 +0,0 @@
-{ flake, config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  portSpec = name: node: concatStringsSep "\n" (map (port: ''
-    port ${name}.${port}
-    type pipe
-    protocol ${node.protocols}
-    reliable true
-    command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name}.${port}
-  '') node.hostnames);
-  sysSpec = name: node: ''
-    system ${name}
-    time any
-    chat-seven-bit false
-    chat . ""
-    protocol ${node.protocols}
-    command-path ${concatStringsSep " " cfg.commandPath}
-    commands ${concatStringsSep " " node.commands}
-    ${concatStringsSep "\nalternate\n" (map (port: ''
-      port ${name}.${port}
-    '') node.hostnames)}
-  '';
-  sshConfig = name: node: concatStringsSep "\n" (map (port: ''
-    Host ${name}.${port}
-      Hostname ${port}
-      IdentitiesOnly Yes
-      IdentityFile ${cfg.sshKeyDir}/${name}
-  '') node.hostnames);
-  sshKeyGen = name: node: ''
-    if [[ ! -e ${cfg.sshKeyDir}/${name} ]]; then
-      ${pkgs.openssh}/bin/ssh-keygen ${escapeShellArgs node.generateKey} -f ${cfg.sshKeyDir}/${name}
-    fi
-  '';
-  restrictKey = key: ''
-    restrict,command="${chat}" ${key}
-  '';
-  chat = pkgs.writeScript "chat" ''
-    #!${pkgs.stdenv.shell}
-
-    echo .
-    exec ${config.security.wrapperDir}/uucico
-  '';
-
-  nodeCfg = {
-    options = {
-      commands = mkOption {
-        type = types.listOf types.str;
-        default = cfg.defaultCommands;
-        defaultText = literalExpression "config.services.uucp.defaultCommands";
-        description = "Commands to allow for this remote";
-      };
-
-      protocols = mkOption {
-        type = types.separatedString "";
-              default = cfg.defaultProtocols;
-        defaultText = literalExpression "config.services.uucp.defaultProtocols";
-              description = "UUCP protocols to use for this remote";
-      };
-
-      publicKeys = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "SSH client public keys for this node";
-      };
-
-      generateKey = mkOption {
-        type = types.listOf types.str;
-        default = [ "-t" "ed25519" "-N" "" ];
-        description = "Arguments to pass to `ssh-keygen` to generate a keypair for communication with this host";
-      };
-
-      hostnames = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = "Hostnames to try in order when connecting";
-      };
-    };
-  };
-
-  cfg = config.services.uucp;
-in {
-  options = {
-    services.uucp = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          If enabled we set up an account accesible via uucp over ssh
-        '';
-      };
-
-      nodeName = mkOption {
-        type = types.str;
-        default = "nixos";
-        description = "uucp node name";
-      };
-
-      sshUser = mkOption { 
-        type = types.attrs;
-        default = {};
-        description = "Overrides for the local uucp linux-user";
-      };
-
-      extraSSHConfig = mkOption {
-        type = types.str;
-        default = "";
-        description = "Extra SSH config";
-      };
-
-      remoteNodes = mkOption {
-        type = types.attrsOf (types.submodule nodeCfg);
-        default = {};
-        description = ''
-          Ports to set up
-          Names will probably need to be configured in sshConfig
-        '';
-      };
-
-      commandPath = mkOption {
-        type = types.listOf types.path;
-        default = [ "${pkgs.rmail}/bin" ];
-        defaultText = literalExpression ''[ "''${pkgs.rmail}/bin" ]'';
-        description = ''
-          Command search path for all systems
-        '';
-      };
-
-      defaultCommands = mkOption {
-        type = types.listOf types.str;
-        default = ["rmail"];
-        description = "Commands allowed for remotes without explicit override";
-      };
-
-      defaultProtocols = mkOption {
-        type = types.separatedString "";
-              default = "te";
-              description = "UUCP protocol to use within ssh unless overriden";
-      };
-
-      incomingProtocols = mkOption {
-        type = types.separatedString "";
-        default = "te";
-        description = "UUCP protocols to use when called";
-      };
-
-      homeDir = mkOption {
-        type = types.path;
-        default = "/var/uucp";
-        description = "Home of the uucp user";
-      };
-
-      sshKeyDir = mkOption {
-        type = types.path;
-        default = "${cfg.homeDir}/.ssh/";
-        defaultText = literalExpression ''''${config.services.uucp.homeDir}/.ssh/'';
-        description = "Directory to store ssh keypairs";
-      };
-
-      spoolDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucp";
-        description = "Spool directory";
-      };
-
-      lockDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucp";
-        description = "Lock directory";
-      };
-
-      pubDir = mkOption {
-        type = types.path;
-        default = "/var/spool/uucppublic";
-        description = "Public directory";
-      };
-
-      logFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp";
-        description = "Log file";
-      };
-
-      statFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp.stat";
-        description = "Statistics file";
-      };
-
-      debugFile = mkOption {
-        type = types.path;
-        default = "/var/log/uucp.debug";
-        description = "Debug file";
-      };
-
-      interval = mkOption {
-        type = types.nullOr types.str;
-        default = "1h";
-        description = ''
-          Specification of when to run `uucico' in format used by systemd timers
-          The default is to do so every hour
-        '';
-      };
-
-      nmDispatch = mkOption {
-        type = types.bool;
-        default = config.networking.networkmanager.enable;
-        defaultText = literalExpression "config.networking.networkmanager.enable";
-        description = ''
-          Install a network-manager dispatcher script to automatically
-          call all remotes when networking is available
-        '';
-      };
-
-      extraConfig = mkOption {
-        type = types.lines;
-        default = ''
-          run-uuxqt 1
-        '';
-        description = "Extra configuration to append verbatim to `/etc/uucp/config'";
-      };
-
-      extraSys = mkOption {
-        type = types.lines;
-        default = ''
-          protocol-parameter g packet-size 4096
-        '';
-              description = "Extra configuration to prepend verbatim to `/etc/uucp/sys`";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.etc."uucp/config" = {
-      text = ''
-        hostname ${cfg.nodeName}
-      
-        spool ${cfg.spoolDir}
-        lockdir ${cfg.lockDir}
-        pubdir ${cfg.pubDir}
-        logfile ${cfg.logFile}
-        statfile ${cfg.statFile}
-        debugfile ${cfg.debugFile}
-        
-        ${cfg.extraConfig}
-      '';
-    };
-
-    users.groups."uucp" = {};
-    users.users."uucp" = {
-      name = "uucp";
-      group = "uucp";
-      isSystemUser = true;
-      isNormalUser = false;
-      createHome = true;
-      home = cfg.homeDir;
-      description = "User for uucp over ssh";
-      useDefaultShell = true;
-      openssh.authorizedKeys.keys = map restrictKey (concatLists (mapAttrsToList (name: node: node.publicKeys) cfg.remoteNodes));
-    } // cfg.sshUser;
-
-    system.activationScripts."uucp-sshconfig" = ''
-      mkdir -p ${config.users.users."uucp".home}/.ssh
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh
-      chmod 700 ${config.users.users."uucp".home}/.ssh
-      ln -fs ${builtins.toFile "ssh-config" ''
-        ${concatStringsSep "\n" (mapAttrsToList sshConfig cfg.remoteNodes)}
-      
-        ${cfg.extraSSHConfig}
-      ''} ${config.users.users."uucp".home}/.ssh/config
-
-      mkdir -p ${cfg.sshKeyDir}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.sshKeyDir}
-      chmod 700 ${cfg.sshKeyDir}
-
-      ${concatStringsSep "\n" (mapAttrsToList sshKeyGen cfg.remoteNodes)}
-    '';
-
-    system.activationScripts."uucp-logs" = ''
-      touch ${cfg.logFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.logFile}
-      chmod 644 ${cfg.logFile}
-      touch ${cfg.statFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.statFile}
-      chmod 644 ${cfg.statFile}
-      touch ${cfg.debugFile}
-      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.debugFile}
-      chmod 644 ${cfg.debugFile}
-    '';
-
-    environment.etc."uucp/port" = {
-      text = ''
-        port ssh
-        type stdin
-        protocol ${cfg.incomingProtocols}
-      '' + concatStringsSep "\n" (mapAttrsToList portSpec cfg.remoteNodes);
-    };
-    environment.etc."uucp/sys" = {
-      text = cfg.extraSys + "\n" + concatStringsSep "\n" (mapAttrsToList sysSpec cfg.remoteNodes);
-    };
-
-    security.wrappers = let
-      wrapper = p: {
-        name = p;
-        value = {
-          source = "${pkgs.uucp}/bin/${p}";
-          owner = "root";
-          group = "root";
-          setuid = true;
-          setgid = false;
-        };
-      };
-    in listToAttrs (map wrapper ["uucico" "cu" "uucp" "uuname" "uustat" "uux" "uuxqt"]);
-
-    nixpkgs.overlays = [(self: super: {
-      rmail = super.writeShellScriptBin "rmail" ''
-          # Dummy UUCP rmail command for postfix/qmail systems
-
-          IFS=" " read junk from junk junk junk junk junk junk junk relay
-
-          case "$from" in
-            *[@!]*) ;;
-            *) from="$from@$relay";;
-          esac
-
-          exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
-        '';
-    })];
-
-    environment.systemPackages = with pkgs; [
-      uucp
-    ];
-
-    systemd.services."uucico@" = {
-      serviceConfig = {
-        User = "uucp";
-        Type = "oneshot";
-        ExecStart = "${config.security.wrapperDir}/uucico -D -S %i";
-      };
-    };
-
-    systemd.timers."uucico@" = {
-      timerConfig.OnActiveSec = cfg.interval;
-      timerConfig.OnUnitActiveSec = cfg.interval;
-    };
-
-    systemd.targets."multi-user" = {
-      wants = mapAttrsToList (name: node: "uucico@${name}.timer") cfg.remoteNodes;
-    };
-
-    systemd.kill-user.enable = true;
-    systemd.targets."sleep" = {
-      after = [ "kill-user@uucp.service" ];
-      wants = [ "kill-user@uucp.service" ];
-    };
-    
-    networking.networkmanager.dispatcherScripts = optional cfg.nmDispatch {
-      type = "basic";
-      source = pkgs.writeScript "callRemotes.sh" ''
-        #!${pkgs.stdenv.shell}
-
-        shopt -s extglob
-
-        case "''${2}" in
-          (?(vpn-)up)
-            ${concatStringsSep "\n    " (mapAttrsToList (name: node: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes)}
-            ;;
-        esac
-      '';
-    };
-  };
-}
diff --git a/overlays/abs-podcast-autoplaylist/default.nix b/overlays/abs-podcast-autoplaylist/default.nix
index 075e0ba0..843f1b65 100644
--- a/overlays/abs-podcast-autoplaylist/default.nix
+++ b/overlays/abs-podcast-autoplaylist/default.nix
@@ -1,23 +1,14 @@
-{ prev, final, flakeInputs, ... }:
-
-with flakeInputs;
+{ prev, final, flake, flakeInputs, ... }:
 
 let
-  workspace = uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./.; };
-  overlay = workspace.mkPyprojectOverlay {
-    sourcePreference = "wheel";
+  workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./.; };
+  pythonSet = flake.lib.pythonSet {
+    pkgs = final;
+    python = final.python312;
+    overlay = workspace.mkPyprojectOverlay {
+      sourcePreference = "wheel";
+    };
   };
-  python = final.python312;
-  pythonSet =
-    (final.callPackage pyproject-nix.build.packages {
-      inherit python;
-    }).overrideScope
-      (
-        prev.lib.composeManyExtensions [
-          pyproject-build-systems.overlays.default
-          overlay
-        ]
-      );
   virtualEnv = pythonSet.mkVirtualEnv "abs-podcast-autoplaylist-env" workspace.deps.default;
 in {
   abs-podcast-autoplaylist = virtualEnv.overrideAttrs (oldAttrs: {
diff --git a/overlays/deploy-rs.nix b/overlays/deploy-rs.nix
index 0bf1c3b2..678c6f5f 100644
--- a/overlays/deploy-rs.nix
+++ b/overlays/deploy-rs.nix
@@ -2,13 +2,15 @@
   flakeInputs.deploy-rs.overlays.default
   (final: prev: {
     deploy-rs = prev.deploy-rs // {
-      deploy-rs = prev.deploy-rs.deploy-rs.overrideAttrs (oldAttrs: {
-        nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [final.makeWrapper];
-        preFixup = ''
+      deploy-rs = prev.symlinkJoin {
+        name = "${prev.deploy-rs.deploy-rs.name}-wrapped";
+        paths = [ prev.deploy-rs.deploy-rs ];
+        buildInputs = [ prev.makeWrapper ];
+        postBuild = ''
           wrapProgram $out/bin/deploy \
             --prefix PATH : ${prev.lib.makeBinPath (with final; [ nix-monitored ])}
         '';
-      });
+      };
     };
   })
   final prev
diff --git a/overlays/etesync-dav.nix b/overlays/etesync-dav.nix
index cec216e2..f7a5146f 100644
--- a/overlays/etesync-dav.nix
+++ b/overlays/etesync-dav.nix
@@ -1,54 +1,29 @@
 { final, prev, ... }: {
-  etesync-dav = prev.python3Packages.buildPythonApplication rec {
+  etesync-dav = final.python3Packages.buildPythonApplication rec {
     pname = "etesync-dav";
-    version = "0.33.4";
+    version = "0.35.0";
+    format = "pyproject";
 
     src = prev.fetchFromGitHub {
       owner = "etesync";
       repo = "etesync-dav";
-      rev = "v${version}";
-      hash = "sha256-g+rK762tSWPDaBsaTwpTzfK/lqVs+Z/Qrpq2HCpipQE=";
+      tag = "v${version}";
+      hash = "sha256-CD02nuA9GD/oe7mjExUHIftkPxM1pZQKyDalXSoOhXY=";
     };
 
-    dependencies = with prev.python3Packages; [
+    build-system = with final.python3Packages; [ setuptools ];
+
+    pythonRelaxDeps = [ "radicale" ];
+
+    dependencies = with final.python3Packages; [
       appdirs
       etebase
       etesync
       flask
       flask-wtf
       msgpack
-      setuptools
-      (toPythonModule (buildPythonApplication rec {
-        pname = "radicale";
-        version = "3.2.3";
-        pyproject = true;
-
-        src = prev.fetchFromGitHub {
-          owner = "Kozea";
-          repo = "Radicale";
-          rev = "refs/tags/v${version}";
-          hash = "sha256-1IlnXVetQQuKBt6+QVKNeMM6qBQAiUhqc+4x3xOnSdE=";
-        };
-
-        build-system = [
-          setuptools
-        ];
-
-        dependencies =
-          [
-            defusedxml
-            passlib
-            vobject
-            pika
-            python-dateutil
-            pytz # https://github.com/Kozea/Radicale/issues/816
-          ]
-          ++ passlib.optional-dependencies.bcrypt;
-
-        doCheck = false;
-      }))
+      (final.python3Packages.toPythonModule (final.radicale.override { inherit (final) python3; }))
       requests
-      types-setuptools
       requests.optional-dependencies.socks
     ];
 
diff --git a/overlays/prometheus-lvm-exporter.nix b/overlays/prometheus-lvm-exporter.nix
index 240f8d85..cae45003 100644
--- a/overlays/prometheus-lvm-exporter.nix
+++ b/overlays/prometheus-lvm-exporter.nix
@@ -3,7 +3,7 @@
     pname = "prometheus-lvm-exporter";
     inherit (sources.prometheus-lvm-exporter) version src;
 
-    vendorHash = "sha256-z/fV0PzoWSDTJ44En19o7zJPPPox5ymFw7sw0Ab9t00=";
+    vendorHash = "sha256-QpJM11Rg+TUV0GWYlvIkwuQqiTsfSdQNtPpD6zT08ew=";
 
     doCheck = false;
 
diff --git a/overlays/spice-record.nix b/overlays/spice-record.nix
index 06a114da..2d37079b 100644
--- a/overlays/spice-record.nix
+++ b/overlays/spice-record.nix
@@ -8,5 +8,7 @@
       wrapProgram $out/bin/spice-record \
         --prefix PATH : ${prev.lib.makeBinPath (with prev; [ ffmpeg-full ])}
     '';
+    pyproject = true;
+    build-system = [ prev.python3Packages.setuptools ];
   };
 }
diff --git a/overlays/swayosd/default.nix b/overlays/swayosd/default.nix
index b4601a03..5e715dae 100644
--- a/overlays/swayosd/default.nix
+++ b/overlays/swayosd/default.nix
@@ -4,7 +4,7 @@
     cargoDeps = prev.rustPlatform.fetchCargoVendor {
       inherit (oldAttrs) pname;
       inherit version src;
-      hash = "sha256-yWybf4GKxHrk4WrW5SmjfPD0Gv79tpXOwNLlWeykYy0=";
+      hash = "sha256-J2sl6/4+bRWlkvaTJtFsMqvvOxYtWLRjJcYWcu0loRE=";
     };
     patches = (oldAttrs.patches or []) ++ [
       ./exponential.patch
diff --git a/overlays/uucp/default.nix b/overlays/uucp/default.nix
deleted file mode 100644
index 4189dbcc..00000000
--- a/overlays/uucp/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ final, prev, ... }: {
-  uucp = prev.uucp.overrideAttrs (oldAttrs: {
-    configureFlags = (oldAttrs.configureFlags or []) ++ ["--with-newconfigdir=/etc/uucp"];
-    patches = (oldAttrs.patches or []) ++ [
-      ./mailprogram.patch
-    ];
-    NIX_CFLAGS_COMPILE = "${oldAttrs.NIX_CFLAGS_COMPILE or ""} -Wno-error=incompatible-pointer-types";
-  });
-}
diff --git a/overlays/uucp/mailprogram.patch b/overlays/uucp/mailprogram.patch
deleted file mode 100644
index 89ac8f31..00000000
--- a/overlays/uucp/mailprogram.patch
+++ /dev/null
@@ -1,16 +0,0 @@
- policy.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy.h b/policy.h
-index 5afe34b..8e92c8b 100644
---- a/policy.h
-+++ b/policy.h
-@@ -240,7 +240,7 @@
-    the sendmail choice below.  Otherwise, select one of the other
-    choices as appropriate.  */
- #if 1
--#define MAIL_PROGRAM "/usr/lib/sendmail -t"
-+#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
- /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
- #define MAIL_PROGRAM_TO_BODY 1
- #define MAIL_PROGRAM_SUBJECT_BODY 1
diff --git a/overlays/waybar-systemd-inhibit/.envrc b/overlays/waybar-systemd-inhibit/.envrc
new file mode 100644
index 00000000..2c909235
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/.envrc
@@ -0,0 +1,4 @@
+use flake
+
+[[ -d ".venv" ]] || ( uv venv && uv sync )
+. .venv/bin/activate
diff --git a/overlays/waybar-systemd-inhibit/.gitignore b/overlays/waybar-systemd-inhibit/.gitignore
new file mode 100644
index 00000000..4ccfae70
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/.gitignore
@@ -0,0 +1,2 @@
+.venv
+**/__pycache__
diff --git a/overlays/waybar-systemd-inhibit/default.nix b/overlays/waybar-systemd-inhibit/default.nix
new file mode 100644
index 00000000..ae6b8c75
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/default.nix
@@ -0,0 +1,20 @@
+{ prev, final, flake, flakeInputs, ... }:
+
+let
+  workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./.; };
+  pythonSet = flake.lib.pythonSet {
+    pkgs = final;
+    python = final.python312;
+    overlay = workspace.mkPyprojectOverlay {
+      sourcePreference = "wheel";
+    };
+  };
+  virtualEnv = pythonSet.mkVirtualEnv "waybar-systemd-inhibit-env" workspace.deps.default;
+in {
+  waybar-systemd-inhibit = virtualEnv.overrideAttrs (oldAttrs: {
+    meta = (oldAttrs.meta or {}) // {
+      mainProgram = "waybar-systemd-inhibit";
+    };
+    nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.gobject-introspection final.wrapGAppsHook ];
+  });
+}
diff --git a/overlays/waybar-systemd-inhibit/pyproject.toml b/overlays/waybar-systemd-inhibit/pyproject.toml
new file mode 100644
index 00000000..6c6240b8
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/pyproject.toml
@@ -0,0 +1,17 @@
+[project]
+name = "waybar-systemd-inhibit"
+version = "0.1.0"
+requires-python = ">=3.12"
+dependencies = [
+    "asyncclick>=8.1.8",
+    "asyncio>=3.4.3",
+    "dbus-next>=0.2.3",
+]
+
+[project.scripts]
+waybar-systemd-inhibit = "waybar_systemd_inhibit.__main__:main"
+waybar-systemd-inhibit-toggle = "waybar_systemd_inhibit.__main__:toggle"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
diff --git a/overlays/waybar-systemd-inhibit/uv.lock b/overlays/waybar-systemd-inhibit/uv.lock
new file mode 100644
index 00000000..4e10d145
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/uv.lock
@@ -0,0 +1,102 @@
+version = 1
+revision = 2
+requires-python = ">=3.12"
+
+[[package]]
+name = "anyio"
+version = "4.9.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "idna" },
+    { name = "sniffio" },
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/95/7d/4c1bd541d4dffa1b52bd83fb8527089e097a106fc90b467a7313b105f840/anyio-4.9.0.tar.gz", hash = "sha256:673c0c244e15788651a4ff38710fea9675823028a6f08a5eda409e0c9840a028", size = 190949, upload-time = "2025-03-17T00:02:54.77Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/a1/ee/48ca1a7c89ffec8b6a0c5d02b89c305671d5ffd8d3c94acf8b8c408575bb/anyio-4.9.0-py3-none-any.whl", hash = "sha256:9f76d541cad6e36af7beb62e978876f3b41e3e04f2c1fbf0884604c0a9c4d93c", size = 100916, upload-time = "2025-03-17T00:02:52.713Z" },
+]
+
+[[package]]
+name = "asyncclick"
+version = "8.1.8"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "anyio" },
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/cb/b5/e1e5fdf1c1bb7e6e614987c120a98d9324bf8edfaa5f5cd16a6235c9d91b/asyncclick-8.1.8.tar.gz", hash = "sha256:0f0eb0f280e04919d67cf71b9fcdfb4db2d9ff7203669c40284485c149578e4c", size = 232900, upload-time = "2025-01-06T09:46:52.694Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/14/cc/a436f0fc2d04e57a0697e0f87a03b9eaed03ad043d2d5f887f8eebcec95f/asyncclick-8.1.8-py3-none-any.whl", hash = "sha256:eb1ccb44bc767f8f0695d592c7806fdf5bd575605b4ee246ffd5fadbcfdbd7c6", size = 99093, upload-time = "2025-01-06T09:46:51.046Z" },
+    { url = "https://files.pythonhosted.org/packages/92/c4/ae9e9d25522c6dc96ff167903880a0fe94d7bd31ed999198ee5017d977ed/asyncclick-8.1.8.0-py3-none-any.whl", hash = "sha256:be146a2d8075d4fe372ff4e877f23c8b5af269d16705c1948123b9415f6fd678", size = 99115, upload-time = "2025-01-06T09:50:52.72Z" },
+]
+
+[[package]]
+name = "asyncio"
+version = "3.4.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/da/54/054bafaf2c0fb8473d423743e191fcdf49b2c1fd5e9af3524efbe097bafd/asyncio-3.4.3.tar.gz", hash = "sha256:83360ff8bc97980e4ff25c964c7bd3923d333d177aa4f7fb736b019f26c7cb41", size = 204411, upload-time = "2015-03-10T14:11:26.494Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/22/74/07679c5b9f98a7cb0fc147b1ef1cc1853bc07a4eb9cb5731e24732c5f773/asyncio-3.4.3-py3-none-any.whl", hash = "sha256:c4d18b22701821de07bd6aea8b53d21449ec0ec5680645e5317062ea21817d2d", size = 101767, upload-time = "2015-03-10T14:05:10.959Z" },
+]
+
+[[package]]
+name = "colorama"
+version = "0.4.6"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" },
+]
+
+[[package]]
+name = "dbus-next"
+version = "0.2.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/ce/45/6a40fbe886d60a8c26f480e7d12535502b5ba123814b3b9a0b002ebca198/dbus_next-0.2.3.tar.gz", hash = "sha256:f4eae26909332ada528c0a3549dda8d4f088f9b365153952a408e28023a626a5", size = 71112, upload-time = "2021-07-25T22:11:28.398Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d2/fc/c0a3f4c4eaa5a22fbef91713474666e13d0ea2a69c84532579490a9f2cc8/dbus_next-0.2.3-py3-none-any.whl", hash = "sha256:58948f9aff9db08316734c0be2a120f6dc502124d9642f55e90ac82ffb16a18b", size = 57885, upload-time = "2021-07-25T22:11:25.466Z" },
+]
+
+[[package]]
+name = "idna"
+version = "3.10"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", size = 190490, upload-time = "2024-09-15T18:07:39.745Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", size = 70442, upload-time = "2024-09-15T18:07:37.964Z" },
+]
+
+[[package]]
+name = "sniffio"
+version = "1.3.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/a2/87/a6771e1546d97e7e041b6ae58d80074f81b7d5121207425c964ddf5cfdbd/sniffio-1.3.1.tar.gz", hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc", size = 20372, upload-time = "2024-02-25T23:20:04.057Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e9/44/75a9c9421471a6c4805dbf2356f7c181a29c1879239abab1ea2cc8f38b40/sniffio-1.3.1-py3-none-any.whl", hash = "sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2", size = 10235, upload-time = "2024-02-25T23:20:01.196Z" },
+]
+
+[[package]]
+name = "typing-extensions"
+version = "4.13.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f6/37/23083fcd6e35492953e8d2aaaa68b860eb422b34627b13f2ce3eb6106061/typing_extensions-4.13.2.tar.gz", hash = "sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef", size = 106967, upload-time = "2025-04-10T14:19:05.416Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/8b/54/b1ae86c0973cc6f0210b53d508ca3641fb6d0c56823f288d108bc7ab3cc8/typing_extensions-4.13.2-py3-none-any.whl", hash = "sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c", size = 45806, upload-time = "2025-04-10T14:19:03.967Z" },
+]
+
+[[package]]
+name = "waybar-systemd-inhibit"
+version = "0.1.0"
+source = { editable = "." }
+dependencies = [
+    { name = "asyncclick" },
+    { name = "asyncio" },
+    { name = "dbus-next" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "asyncclick", specifier = ">=8.1.8" },
+    { name = "asyncio", specifier = ">=3.4.3" },
+    { name = "dbus-next", specifier = ">=0.2.3" },
+]
diff --git a/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__init__.py b/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__init__.py
diff --git a/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__main__.py b/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__main__.py
new file mode 100644
index 00000000..35cc7fd1
--- /dev/null
+++ b/overlays/waybar-systemd-inhibit/waybar_systemd_inhibit/__main__.py
@@ -0,0 +1,117 @@
+import asyncclick as click
+from dbus_next.aio import MessageBus
+from dbus_next import BusType, Message, PropertyAccess
+import asyncio
+from functools import update_wrapper
+from dbus_next.service import ServiceInterface, method, dbus_property
+from dbus_next import Variant, DBusError
+import os
+import json
+
+class BlockInterface(ServiceInterface):
+    def __init__(self, system_bus, logind):
+        super().__init__('li.yggdrasil.WaybarSystemdInhibit')
+        self.system_bus = system_bus
+        self.logind = logind
+        self.fd = None
+
+    def Release(self):
+        if not self.fd:
+            return
+
+        os.close(self.fd)
+        self.fd = None
+        self.emit_properties_changed({'IsAcquired': False})
+
+    async def Acquire(self):
+        if self.fd:
+            return
+
+        res = await self.system_bus.call(Message(
+            destination='org.freedesktop.login1',
+            path='/org/freedesktop/login1',
+            interface='org.freedesktop.login1.Manager',
+            member='Inhibit',
+            signature='ssss',
+            body=[
+                "handle-lid-switch",
+                "waybar-systemd-inhibit",
+                "User request",
+                "block",
+            ],
+        ))
+        self.fd = res.unix_fds[res.body[0]]
+        self.emit_properties_changed({'IsAcquired': True})
+
+    @method()
+    async def ToggleBlock(self):
+        if self.fd:
+            self.Release()
+        else:
+            await self.Acquire()
+
+    @dbus_property(access=PropertyAccess.READ)
+    def IsAcquired(self) -> 'b':
+        return self.fd is not None
+
+
+@click.command()
+async def main():
+    system_bus = await MessageBus(bus_type=BusType.SYSTEM, negotiate_unix_fd=True).connect()
+    session_bus = await MessageBus(bus_type=BusType.SESSION).connect()
+
+    introspection = await system_bus.introspect('org.freedesktop.login1', '/org/freedesktop/login1')
+    obj = system_bus.get_proxy_object('org.freedesktop.login1', '/org/freedesktop/login1', introspection)
+    logind = obj.get_interface('org.freedesktop.login1.Manager')
+    properties = obj.get_interface('org.freedesktop.DBus.Properties')
+
+    def is_blocked_logind(what: str):
+        return "handle-lid-switch" in what.split(':')
+
+    def print_state(is_blocked: bool, is_acquired: bool = False):
+        icon = "&#xf0322;" if is_blocked else "&#xf06e7;"
+        text = f"<span font=\"Symbols Nerd Font Mono\">{icon}</span>"
+        if is_acquired:
+            text = f"<span color=\"#f28a21\">{text}</span>"
+        elif is_blocked:
+            text = f"<span color=\"#ffffff\">{text}</span>"
+        print(json.dumps({'text': text, 'tooltip': ("Manually inhibited" if is_acquired else None)}, separators=(',', ':')), flush=True)
+
+    print_state(is_blocked_logind(await logind.get_block_inhibited()))
+
+    async def get_inhibit():
+        introspection = await session_bus.introspect('li.yggdrasil.WaybarSystemdInhibit', '/li/yggdrasil/WaybarSystemdInhibit')
+        return session_bus.get_proxy_object('li.yggdrasil.WaybarSystemdInhibit', '/li/yggdrasil/WaybarSystemdInhibit', introspection)
+
+    async def on_logind_properties_changed(interface_name, changed_properties, invalidated_properties):
+        if 'BlockInhibited' not in changed_properties:
+            return
+
+        properties = (await get_inhibit()).get_interface('li.yggdrasil.WaybarSystemdInhibit')
+
+        print_state(is_blocked_logind(changed_properties['BlockInhibited'].value), await properties.get_is_acquired())
+
+    properties.on_properties_changed(on_logind_properties_changed)
+
+    session_bus.export('/li/yggdrasil/WaybarSystemdInhibit', BlockInterface(system_bus, logind))
+    await session_bus.request_name('li.yggdrasil.WaybarSystemdInhibit')
+
+    properties = (await get_inhibit()).get_interface('org.freedesktop.DBus.Properties')
+
+    async def on_inhibit_properties_changed(interface_name, changed_properties, invalidated_properties):
+        if 'IsAcquired' not in changed_properties:
+            return
+
+        print_state(is_blocked_logind(await logind.get_block_inhibited()), changed_properties['IsAcquired'].value)
+
+    properties.on_properties_changed(on_inhibit_properties_changed)
+
+    await session_bus.wait_for_disconnect()
+
+@click.command()
+async def toggle():
+    session_bus = await MessageBus(bus_type=BusType.SESSION).connect()
+    introspection = await session_bus.introspect('li.yggdrasil.WaybarSystemdInhibit', '/li/yggdrasil/WaybarSystemdInhibit')
+    obj = session_bus.get_proxy_object('li.yggdrasil.WaybarSystemdInhibit', '/li/yggdrasil/WaybarSystemdInhibit', introspection)
+    interface = obj.get_interface('li.yggdrasil.WaybarSystemdInhibit')
+    await interface.call_toggle_block()
diff --git a/overlays/worktime/.envrc b/overlays/worktime/.envrc
new file mode 100644
index 00000000..2c909235
--- /dev/null
+++ b/overlays/worktime/.envrc
@@ -0,0 +1,4 @@
+use flake
+
+[[ -d ".venv" ]] || ( uv venv && uv sync )
+. .venv/bin/activate
diff --git a/overlays/worktime/.gitignore b/overlays/worktime/.gitignore
new file mode 100644
index 00000000..4ccfae70
--- /dev/null
+++ b/overlays/worktime/.gitignore
@@ -0,0 +1,2 @@
+.venv
+**/__pycache__
diff --git a/overlays/worktime/default.nix b/overlays/worktime/default.nix
index 1d8433af..579cf7ad 100644
--- a/overlays/worktime/default.nix
+++ b/overlays/worktime/default.nix
@@ -1,13 +1,19 @@
-{ prev, ... }:
+{ prev, final, flake, flakeInputs, ... }:
 
-with prev.poetry2nix;
-
-{
-  worktime = mkPoetryApplication {
-    python = prev.python312;
-
-    projectDir = cleanPythonSources { src = ./.; };
-
-    meta.mainProgram = "worktime";
+let
+  workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./.; };
+  pythonSet = flake.lib.pythonSet {
+    pkgs = final;
+    python = final.python312;
+    overlay = workspace.mkPyprojectOverlay {
+      sourcePreference = "wheel";
+    };
   };
+  virtualEnv = pythonSet.mkVirtualEnv "worktime" workspace.deps.default;
+in {
+  worktime = virtualEnv.overrideAttrs (oldAttrs: {
+    meta = (oldAttrs.meta or {}) // {
+      mainProgram = "worktime";
+    };
+  });
 }
diff --git a/overlays/worktime/poetry.lock b/overlays/worktime/poetry.lock
deleted file mode 100644
index 7c1ca91d..00000000
--- a/overlays/worktime/poetry.lock
+++ /dev/null
@@ -1,284 +0,0 @@
-# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
-
-[[package]]
-name = "backoff"
-version = "2.2.1"
-description = "Function decoration for backoff and retry"
-optional = false
-python-versions = ">=3.7,<4.0"
-groups = ["main"]
-files = [
-    {file = "backoff-2.2.1-py3-none-any.whl", hash = "sha256:63579f9a0628e06278f7e47b7d7d5b6ce20dc65c5e96a6f3ca99a6adca0396e8"},
-    {file = "backoff-2.2.1.tar.gz", hash = "sha256:03f829f5bb1923180821643f8753b0502c3b682293992485b0eef2807afa5cba"},
-]
-
-[[package]]
-name = "certifi"
-version = "2025.1.31"
-description = "Python package for providing Mozilla's CA Bundle."
-optional = false
-python-versions = ">=3.6"
-groups = ["main"]
-files = [
-    {file = "certifi-2025.1.31-py3-none-any.whl", hash = "sha256:ca78db4565a652026a4db2bcdf68f2fb589ea80d0be70e03929ed730746b84fe"},
-    {file = "certifi-2025.1.31.tar.gz", hash = "sha256:3d5da6925056f6f18f119200434a4780a94263f10d1c21d032a6f6b2baa20651"},
-]
-
-[[package]]
-name = "charset-normalizer"
-version = "3.4.1"
-description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet."
-optional = false
-python-versions = ">=3.7"
-groups = ["main"]
-files = [
-    {file = "charset_normalizer-3.4.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:91b36a978b5ae0ee86c394f5a54d6ef44db1de0815eb43de826d41d21e4af3de"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7461baadb4dc00fd9e0acbe254e3d7d2112e7f92ced2adc96e54ef6501c5f176"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e218488cd232553829be0664c2292d3af2eeeb94b32bea483cf79ac6a694e037"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:80ed5e856eb7f30115aaf94e4a08114ccc8813e6ed1b5efa74f9f82e8509858f"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b010a7a4fd316c3c484d482922d13044979e78d1861f0e0650423144c616a46a"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4532bff1b8421fd0a320463030c7520f56a79c9024a4e88f01c537316019005a"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:d973f03c0cb71c5ed99037b870f2be986c3c05e63622c017ea9816881d2dd247"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:3a3bd0dcd373514dcec91c411ddb9632c0d7d92aed7093b8c3bbb6d69ca74408"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:d9c3cdf5390dcd29aa8056d13e8e99526cda0305acc038b96b30352aff5ff2bb"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:2bdfe3ac2e1bbe5b59a1a63721eb3b95fc9b6817ae4a46debbb4e11f6232428d"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:eab677309cdb30d047996b36d34caeda1dc91149e4fdca0b1a039b3f79d9a807"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-win32.whl", hash = "sha256:c0429126cf75e16c4f0ad00ee0eae4242dc652290f940152ca8c75c3a4b6ee8f"},
-    {file = "charset_normalizer-3.4.1-cp310-cp310-win_amd64.whl", hash = "sha256:9f0b8b1c6d84c8034a44893aba5e767bf9c7a211e313a9605d9c617d7083829f"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8bfa33f4f2672964266e940dd22a195989ba31669bd84629f05fab3ef4e2d125"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:28bf57629c75e810b6ae989f03c0828d64d6b26a5e205535585f96093e405ed1"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f08ff5e948271dc7e18a35641d2f11a4cd8dfd5634f55228b691e62b37125eb3"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:234ac59ea147c59ee4da87a0c0f098e9c8d169f4dc2a159ef720f1a61bbe27cd"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd4ec41f914fa74ad1b8304bbc634b3de73d2a0889bd32076342a573e0779e00"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eea6ee1db730b3483adf394ea72f808b6e18cf3cb6454b4d86e04fa8c4327a12"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:c96836c97b1238e9c9e3fe90844c947d5afbf4f4c92762679acfe19927d81d77"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:4d86f7aff21ee58f26dcf5ae81a9addbd914115cdebcbb2217e4f0ed8982e146"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:09b5e6733cbd160dcc09589227187e242a30a49ca5cefa5a7edd3f9d19ed53fd"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:5777ee0881f9499ed0f71cc82cf873d9a0ca8af166dfa0af8ec4e675b7df48e6"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:237bdbe6159cff53b4f24f397d43c6336c6b0b42affbe857970cefbb620911c8"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-win32.whl", hash = "sha256:8417cb1f36cc0bc7eaba8ccb0e04d55f0ee52df06df3ad55259b9a323555fc8b"},
-    {file = "charset_normalizer-3.4.1-cp311-cp311-win_amd64.whl", hash = "sha256:d7f50a1f8c450f3925cb367d011448c39239bb3eb4117c36a6d354794de4ce76"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:73d94b58ec7fecbc7366247d3b0b10a21681004153238750bb67bd9012414545"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dad3e487649f498dd991eeb901125411559b22e8d7ab25d3aeb1af367df5efd7"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c30197aa96e8eed02200a83fba2657b4c3acd0f0aa4bdc9f6c1af8e8962e0757"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2369eea1ee4a7610a860d88f268eb39b95cb588acd7235e02fd5a5601773d4fa"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc2722592d8998c870fa4e290c2eec2c1569b87fe58618e67d38b4665dfa680d"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffc9202a29ab3920fa812879e95a9e78b2465fd10be7fcbd042899695d75e616"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:804a4d582ba6e5b747c625bf1255e6b1507465494a40a2130978bda7b932c90b"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:0f55e69f030f7163dffe9fd0752b32f070566451afe180f99dbeeb81f511ad8d"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:c4c3e6da02df6fa1410a7680bd3f63d4f710232d3139089536310d027950696a"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:5df196eb874dae23dcfb968c83d4f8fdccb333330fe1fc278ac5ceeb101003a9"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e358e64305fe12299a08e08978f51fc21fac060dcfcddd95453eabe5b93ed0e1"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-win32.whl", hash = "sha256:9b23ca7ef998bc739bf6ffc077c2116917eabcc901f88da1b9856b210ef63f35"},
-    {file = "charset_normalizer-3.4.1-cp312-cp312-win_amd64.whl", hash = "sha256:6ff8a4a60c227ad87030d76e99cd1698345d4491638dfa6673027c48b3cd395f"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:aabfa34badd18f1da5ec1bc2715cadc8dca465868a4e73a0173466b688f29dda"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22e14b5d70560b8dd51ec22863f370d1e595ac3d024cb8ad7d308b4cd95f8313"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8436c508b408b82d87dc5f62496973a1805cd46727c34440b0d29d8a2f50a6c9"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2d074908e1aecee37a7635990b2c6d504cd4766c7bc9fc86d63f9c09af3fa11b"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:955f8851919303c92343d2f66165294848d57e9bba6cf6e3625485a70a038d11"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:44ecbf16649486d4aebafeaa7ec4c9fed8b88101f4dd612dcaf65d5e815f837f"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0924e81d3d5e70f8126529951dac65c1010cdf117bb75eb02dd12339b57749dd"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:2967f74ad52c3b98de4c3b32e1a44e32975e008a9cd2a8cc8966d6a5218c5cb2"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:c75cb2a3e389853835e84a2d8fb2b81a10645b503eca9bcb98df6b5a43eb8886"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:09b26ae6b1abf0d27570633b2b078a2a20419c99d66fb2823173d73f188ce601"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:fa88b843d6e211393a37219e6a1c1df99d35e8fd90446f1118f4216e307e48cd"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-win32.whl", hash = "sha256:eb8178fe3dba6450a3e024e95ac49ed3400e506fd4e9e5c32d30adda88cbd407"},
-    {file = "charset_normalizer-3.4.1-cp313-cp313-win_amd64.whl", hash = "sha256:b1ac5992a838106edb89654e0aebfc24f5848ae2547d22c2c3f66454daa11971"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f30bf9fd9be89ecb2360c7d94a711f00c09b976258846efe40db3d05828e8089"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:97f68b8d6831127e4787ad15e6757232e14e12060bec17091b85eb1486b91d8d"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7974a0b5ecd505609e3b19742b60cee7aa2aa2fb3151bc917e6e2646d7667dcf"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fc54db6c8593ef7d4b2a331b58653356cf04f67c960f584edb7c3d8c97e8f39e"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:311f30128d7d333eebd7896965bfcfbd0065f1716ec92bd5638d7748eb6f936a"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-musllinux_1_2_aarch64.whl", hash = "sha256:7d053096f67cd1241601111b698f5cad775f97ab25d81567d3f59219b5f1adbd"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-musllinux_1_2_i686.whl", hash = "sha256:807f52c1f798eef6cf26beb819eeb8819b1622ddfeef9d0977a8502d4db6d534"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-musllinux_1_2_ppc64le.whl", hash = "sha256:dccbe65bd2f7f7ec22c4ff99ed56faa1e9f785482b9bbd7c717e26fd723a1d1e"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-musllinux_1_2_s390x.whl", hash = "sha256:2fb9bd477fdea8684f78791a6de97a953c51831ee2981f8e4f583ff3b9d9687e"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-musllinux_1_2_x86_64.whl", hash = "sha256:01732659ba9b5b873fc117534143e4feefecf3b2078b0a6a2e925271bb6f4cfa"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-win32.whl", hash = "sha256:7a4f97a081603d2050bfaffdefa5b02a9ec823f8348a572e39032caa8404a487"},
-    {file = "charset_normalizer-3.4.1-cp37-cp37m-win_amd64.whl", hash = "sha256:7b1bef6280950ee6c177b326508f86cad7ad4dff12454483b51d8b7d673a2c5d"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:ecddf25bee22fe4fe3737a399d0d177d72bc22be6913acfab364b40bce1ba83c"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8c60ca7339acd497a55b0ea5d506b2a2612afb2826560416f6894e8b5770d4a9"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b7b2d86dd06bfc2ade3312a83a5c364c7ec2e3498f8734282c6c3d4b07b346b8"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:dd78cfcda14a1ef52584dbb008f7ac81c1328c0f58184bf9a84c49c605002da6"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e27f48bcd0957c6d4cb9d6fa6b61d192d0b13d5ef563e5f2ae35feafc0d179c"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:01ad647cdd609225c5350561d084b42ddf732f4eeefe6e678765636791e78b9a"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:619a609aa74ae43d90ed2e89bdd784765de0a25ca761b93e196d938b8fd1dbbd"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:89149166622f4db9b4b6a449256291dc87a99ee53151c74cbd82a53c8c2f6ccd"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:7709f51f5f7c853f0fb938bcd3bc59cdfdc5203635ffd18bf354f6967ea0f824"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:345b0426edd4e18138d6528aed636de7a9ed169b4aaf9d61a8c19e39d26838ca"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:0907f11d019260cdc3f94fbdb23ff9125f6b5d1039b76003b5b0ac9d6a6c9d5b"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-win32.whl", hash = "sha256:ea0d8d539afa5eb2728aa1932a988a9a7af94f18582ffae4bc10b3fbdad0626e"},
-    {file = "charset_normalizer-3.4.1-cp38-cp38-win_amd64.whl", hash = "sha256:329ce159e82018d646c7ac45b01a430369d526569ec08516081727a20e9e4af4"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:b97e690a2118911e39b4042088092771b4ae3fc3aa86518f84b8cf6888dbdb41"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:78baa6d91634dfb69ec52a463534bc0df05dbd546209b79a3880a34487f4b84f"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1a2bc9f351a75ef49d664206d51f8e5ede9da246602dc2d2726837620ea034b2"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:75832c08354f595c760a804588b9357d34ec00ba1c940c15e31e96d902093770"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0af291f4fe114be0280cdd29d533696a77b5b49cfde5467176ecab32353395c4"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0167ddc8ab6508fe81860a57dd472b2ef4060e8d378f0cc555707126830f2537"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2a75d49014d118e4198bcee5ee0a6f25856b29b12dbf7cd012791f8a6cc5c496"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:363e2f92b0f0174b2f8238240a1a30142e3db7b957a5dd5689b0e75fb717cc78"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:ab36c8eb7e454e34e60eb55ca5d241a5d18b2c6244f6827a30e451c42410b5f7"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:4c0907b1928a36d5a998d72d64d8eaa7244989f7aaaf947500d3a800c83a3fd6"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:04432ad9479fa40ec0f387795ddad4437a2b50417c69fa275e212933519ff294"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-win32.whl", hash = "sha256:3bed14e9c89dcb10e8f3a29f9ccac4955aebe93c71ae803af79265c9ca5644c5"},
-    {file = "charset_normalizer-3.4.1-cp39-cp39-win_amd64.whl", hash = "sha256:49402233c892a461407c512a19435d1ce275543138294f7ef013f0b63d5d3765"},
-    {file = "charset_normalizer-3.4.1-py3-none-any.whl", hash = "sha256:d98b1668f06378c6dbefec3b92299716b931cd4e6061f3c875a71ced1780ab85"},
-    {file = "charset_normalizer-3.4.1.tar.gz", hash = "sha256:44251f18cd68a75b56585dd00dae26183e102cd5e0f9f1466e6df5da2ed64ea3"},
-]
-
-[[package]]
-name = "idna"
-version = "3.10"
-description = "Internationalized Domain Names in Applications (IDNA)"
-optional = false
-python-versions = ">=3.6"
-groups = ["main"]
-files = [
-    {file = "idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"},
-    {file = "idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"},
-]
-
-[package.extras]
-all = ["flake8 (>=7.1.1)", "mypy (>=1.11.2)", "pytest (>=8.3.2)", "ruff (>=0.6.2)"]
-
-[[package]]
-name = "jsonpickle"
-version = "4.0.5"
-description = "jsonpickle encodes/decodes any Python object to/from JSON"
-optional = false
-python-versions = ">=3.8"
-groups = ["main"]
-files = [
-    {file = "jsonpickle-4.0.5-py3-none-any.whl", hash = "sha256:b4ac7d0a75ddcdfd93445737f1d36ff28768690d43e54bf5d0ddb1d915e580df"},
-    {file = "jsonpickle-4.0.5.tar.gz", hash = "sha256:f299818b39367c361b3f26bdba827d4249ab5d383cd93144d0f94b5417aacb35"},
-]
-
-[package.extras]
-cov = ["pytest-cov"]
-dev = ["black", "pyupgrade"]
-docs = ["furo", "rst.linker (>=1.9)", "sphinx (>=3.5)"]
-packaging = ["build", "setuptools (>=61.2)", "setuptools-scm[toml] (>=6.0)", "twine"]
-testing = ["PyYAML", "atheris (>=2.3.0,<2.4.0) ; python_version < \"3.12\"", "bson", "ecdsa", "feedparser", "gmpy2", "numpy", "pandas", "pymongo", "pytest (>=6.0,!=8.1.*)", "pytest-benchmark", "pytest-benchmark[histogram]", "pytest-checkdocs (>=1.2.3)", "pytest-enabler (>=1.0.1)", "pytest-ruff (>=0.2.1)", "scikit-learn", "scipy (>=1.9.3) ; python_version > \"3.10\"", "scipy ; python_version <= \"3.10\"", "simplejson", "sqlalchemy", "ujson"]
-
-[[package]]
-name = "python-dateutil"
-version = "2.9.0.post0"
-description = "Extensions to the standard Python datetime module"
-optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
-groups = ["main"]
-files = [
-    {file = "python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3"},
-    {file = "python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"},
-]
-
-[package.dependencies]
-six = ">=1.5"
-
-[[package]]
-name = "pyxdg"
-version = "0.28"
-description = "PyXDG contains implementations of freedesktop.org standards in python."
-optional = false
-python-versions = "*"
-groups = ["main"]
-files = [
-    {file = "pyxdg-0.28-py2.py3-none-any.whl", hash = "sha256:bdaf595999a0178ecea4052b7f4195569c1ff4d344567bccdc12dfdf02d545ab"},
-    {file = "pyxdg-0.28.tar.gz", hash = "sha256:3267bb3074e934df202af2ee0868575484108581e6f3cb006af1da35395e88b4"},
-]
-
-[[package]]
-name = "requests"
-version = "2.32.3"
-description = "Python HTTP for Humans."
-optional = false
-python-versions = ">=3.8"
-groups = ["main"]
-files = [
-    {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"},
-    {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"},
-]
-
-[package.dependencies]
-certifi = ">=2017.4.17"
-charset-normalizer = ">=2,<4"
-idna = ">=2.5,<4"
-urllib3 = ">=1.21.1,<3"
-
-[package.extras]
-socks = ["PySocks (>=1.5.6,!=1.5.7)"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
-
-[[package]]
-name = "six"
-version = "1.17.0"
-description = "Python 2 and 3 compatibility utilities"
-optional = false
-python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
-groups = ["main"]
-files = [
-    {file = "six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"},
-    {file = "six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81"},
-]
-
-[[package]]
-name = "tabulate"
-version = "0.9.0"
-description = "Pretty-print tabular data"
-optional = false
-python-versions = ">=3.7"
-groups = ["main"]
-files = [
-    {file = "tabulate-0.9.0-py3-none-any.whl", hash = "sha256:024ca478df22e9340661486f85298cff5f6dcdba14f3813e8830015b9ed1948f"},
-    {file = "tabulate-0.9.0.tar.gz", hash = "sha256:0095b12bf5966de529c0feb1fa08671671b3368eec77d7ef7ab114be2c068b3c"},
-]
-
-[package.extras]
-widechars = ["wcwidth"]
-
-[[package]]
-name = "toml"
-version = "0.10.2"
-description = "Python Library for Tom's Obvious, Minimal Language"
-optional = false
-python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
-groups = ["main"]
-files = [
-    {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"},
-    {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"},
-]
-
-[[package]]
-name = "uritools"
-version = "4.0.3"
-description = "URI parsing, classification and composition"
-optional = false
-python-versions = ">=3.7"
-groups = ["main"]
-files = [
-    {file = "uritools-4.0.3-py3-none-any.whl", hash = "sha256:bae297d090e69a0451130ffba6f2f1c9477244aa0a5543d66aed2d9f77d0dd9c"},
-    {file = "uritools-4.0.3.tar.gz", hash = "sha256:ee06a182a9c849464ce9d5fa917539aacc8edd2a4924d1b7aabeeecabcae3bc2"},
-]
-
-[[package]]
-name = "urllib3"
-version = "2.3.0"
-description = "HTTP library with thread-safe connection pooling, file post, and more."
-optional = false
-python-versions = ">=3.9"
-groups = ["main"]
-files = [
-    {file = "urllib3-2.3.0-py3-none-any.whl", hash = "sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df"},
-    {file = "urllib3-2.3.0.tar.gz", hash = "sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d"},
-]
-
-[package.extras]
-brotli = ["brotli (>=1.0.9) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=0.8.0) ; platform_python_implementation != \"CPython\""]
-h2 = ["h2 (>=4,<5)"]
-socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"]
-zstd = ["zstandard (>=0.18.0)"]
-
-[metadata]
-lock-version = "2.1"
-python-versions = "^3.12"
-content-hash = "2b335da94bf3e2d2bee7d8ca6e84cdb56e97ac29d1224d8c8dca98d93bbdcea2"
diff --git a/overlays/worktime/pyproject.toml b/overlays/worktime/pyproject.toml
index de4b9fd4..42da51f5 100644
--- a/overlays/worktime/pyproject.toml
+++ b/overlays/worktime/pyproject.toml
@@ -1,23 +1,28 @@
-[tool.poetry]
+[project]
 name = "worktime"
-version = "0.1.0"
-description = ""
-authors = ["Gregor Kleen <gkleen@yggdrasil.li>"]
+version = "1.0.0"
+requires-python = "~=3.12"
+dependencies = [
+    "pyxdg>=0.28,<0.29",
+    "python-dateutil>=2.9.0.post0,<3",
+    "uritools>=4.0.3,<5",
+    "requests>=2.32.3,<3",
+    "tabulate>=0.9.0,<0.10",
+    "toml>=0.10.2,<0.11",
+    "jsonpickle>=4.0.5,<5",
+    "frozendict>=2.4.6",
+    "atomicwriter>=0.2.5",
+    "desktop-notify>=1.3.3",
+]
 
-[tool.poetry.dependencies]
-python = "^3.12"
-pyxdg = "^0.28"
-python-dateutil = "^2.9.0.post0"
-uritools = "^4.0.3"
-requests = "^2.32.3"
-tabulate = "^0.9.0"
-backoff = "^2.2.1"
-toml = "^0.10.2"
-jsonpickle = "^4.0.5"
-
-[tool.poetry.scripts]
+[project.scripts]
 worktime = "worktime.__main__:main"
+worktime-ui = "worktime.__main__:ui"
+worktime-stop = "worktime.__main__:stop"
 
 [build-system]
-requires = ["poetry-core"]
-build-backend = "poetry.core.masonry.api"
\ No newline at end of file
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[dependency-groups]
+dev = []
diff --git a/overlays/worktime/uv.lock b/overlays/worktime/uv.lock
new file mode 100644
index 00000000..39de4ccf
--- /dev/null
+++ b/overlays/worktime/uv.lock
@@ -0,0 +1,248 @@
+version = 1
+revision = 2
+requires-python = ">=3.12, <4"
+
+[[package]]
+name = "atomicwriter"
+version = "0.2.5"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/50/b4/dd04e186eb244d1ed84b1d0ebfba19ddc7f8886b98e345aaca4208b031d2/atomicwriter-0.2.5.tar.gz", hash = "sha256:5ced6afb0579377a13e191b17a16115e14c30ec00e6c38b60403f58235a867af", size = 64990, upload-time = "2025-05-24T20:35:42.538Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/99/7c/672a0de09b0b355a2ffa521ef25cf106f1984823379dee37f7305fdc1774/atomicwriter-0.2.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:5c1fab874e62ebe96f1af0e965dc1e92c4c1ef2e2e9612a444371b8fc751ec43", size = 234141, upload-time = "2025-05-24T20:34:32.74Z" },
+    { url = "https://files.pythonhosted.org/packages/b9/0c/e1c5bad033284c212c0a77121b48dd4147f80e9a7cd82a9d2ce0a2160901/atomicwriter-0.2.5-cp312-cp312-macosx_11_0_x86_64.whl", hash = "sha256:8dbb67cc730be7d6bdfd5e991271bc17052be8fb2e4fa27854b47d8a76d36349", size = 245788, upload-time = "2025-05-24T20:34:33.897Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/d3/7036e203cc5fc4c49bf916b4ba158e0d2779de127afad5963edd7e3b9400/atomicwriter-0.2.5-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:a4e7f81932839c738425dc96ad98e4a7511b740cd3d75f480bfabbcf8e6f7eae", size = 260428, upload-time = "2025-05-24T20:34:35.533Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/b9/9a4d235a8d67fb442302dc0f3ea2394b7bd994bfc99b1dc0f744c7852418/atomicwriter-0.2.5-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:de37a3a5d1b57b719cfb0b81a11cab2114acfdc2c36051bf0af72d05eb644411", size = 263648, upload-time = "2025-05-24T20:34:36.72Z" },
+    { url = "https://files.pythonhosted.org/packages/71/7c/32d4ddad53375de42f3e972bb0633ec76f2c31772f2e508479d4788651d9/atomicwriter-0.2.5-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:0b925e55750092fd482565b6068b8c8366fd79de526681af9e58eb209f0deeca", size = 323775, upload-time = "2025-05-24T20:34:37.968Z" },
+    { url = "https://files.pythonhosted.org/packages/06/fe/6a226368a3f7ea30001fbd165f6a97f28c8f1a884896357b3d694983f5d2/atomicwriter-0.2.5-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:538f78f25e01584535782397211c66b8b3c9de90c2d1fc01a668ddce73dd0cb2", size = 340819, upload-time = "2025-05-24T20:34:39.63Z" },
+    { url = "https://files.pythonhosted.org/packages/92/95/b035b2296c483fde5392c629e0b6e3844eba6e54ea965c4b8827379b0893/atomicwriter-0.2.5-cp312-cp312-win_amd64.whl", hash = "sha256:1d2d49a1b94ea7b289be9f7134d756bfb0bbf53eb0e58411334ed1b9958abe5e", size = 152789, upload-time = "2025-05-24T20:34:40.905Z" },
+    { url = "https://files.pythonhosted.org/packages/da/25/caa0959ae8ce24763e24e1f45be6cb897414545d224a155f929d496d6812/atomicwriter-0.2.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3f5490fd5bec378509521f7c2a19a64031a0de07d368d76733c3f76a0b9f026b", size = 233830, upload-time = "2025-05-24T20:34:42.532Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/76/3c41bfd4fd74bc63bec29f05a806a767258eea7cf151496b4ab015cb5323/atomicwriter-0.2.5-cp313-cp313-macosx_11_0_x86_64.whl", hash = "sha256:a4dada83ff1255c7e640363cc2a4399ab9a822d4dbc9c18f55bbf0c8b12ce056", size = 245461, upload-time = "2025-05-24T20:34:44.454Z" },
+    { url = "https://files.pythonhosted.org/packages/c3/1e/5512dbdfdc3f4ab12f5923c50ae4765cc2fc65a9f112bb9dccbcbe60b395/atomicwriter-0.2.5-cp313-cp313-manylinux_2_28_aarch64.whl", hash = "sha256:ef2cf15e67513f05ad37d4cec48e403982c6b3c07f491472effd76d2157de7e2", size = 259892, upload-time = "2025-05-24T20:34:45.688Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/1d/2382b6cacb119115828eb519697a555900bcfdb062efeb0f82603295402d/atomicwriter-0.2.5-cp313-cp313-manylinux_2_28_x86_64.whl", hash = "sha256:73618f74c3c5f5401d3da0a3cd3043f23de5b6bb4a3d85bc580940a441355d25", size = 263125, upload-time = "2025-05-24T20:34:47.205Z" },
+    { url = "https://files.pythonhosted.org/packages/07/d7/c4d68386161870db4a8d0452f0655a19902fa435b749c12e6ef800e89b19/atomicwriter-0.2.5-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bbd5eda80710ddac7aefb421c79cef6b905852a827e764f0f12fcbaa88919f7a", size = 323503, upload-time = "2025-05-24T20:34:48.417Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/08/0fc03c0736ab8466e1b47a3ee17a528da18019cff93b7c4c2b33df82c19e/atomicwriter-0.2.5-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:b4776aaca40bc3040c3716c2adad74625c42285083ff31e8bf24a95315225c7b", size = 340156, upload-time = "2025-05-24T20:34:50.389Z" },
+    { url = "https://files.pythonhosted.org/packages/fa/09/7ba888cf4d90bcabd9e82db3bdb9de50e4ef072e0ea0d375cd1931b79349/atomicwriter-0.2.5-cp313-cp313-win_amd64.whl", hash = "sha256:225ed1fbfa1996d9b0b2252f8a5d81263e51cbc797086d830f488c35b1d2ab42", size = 152274, upload-time = "2025-05-24T20:34:51.785Z" },
+    { url = "https://files.pythonhosted.org/packages/2a/70/07d2ba2e0a126cfecfbfed46baf599c9e2155f4c8338fed4d3ae0041b133/atomicwriter-0.2.5-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:63b55982cfa47232f179689933bf003eefb2bd33464235883ed3ce7322cf38f3", size = 232879, upload-time = "2025-05-24T20:34:53.195Z" },
+    { url = "https://files.pythonhosted.org/packages/f6/4d/397eb5435917135df93b339d849884bb1125896b1e15163c5244aa590336/atomicwriter-0.2.5-cp313-cp313t-macosx_11_0_x86_64.whl", hash = "sha256:e33f40b2a27f8831beeabb485923acb6dd067cc70bba1a63096749b3dc4747ff", size = 244386, upload-time = "2025-05-24T20:34:54.852Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/01/73f0b683fa55e61dd29d30e48e9a75ddb049e6dad0ac4ae1a29dbc05f21e/atomicwriter-0.2.5-cp313-cp313t-manylinux_2_28_aarch64.whl", hash = "sha256:c646e115e88147d71f845a005fc53910f22c4dc65bd634768cb90b7f34259359", size = 258255, upload-time = "2025-05-24T20:34:56.046Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/19/692387c1fb1b8714a9b2fab99a58850fd4136bed988814c8ff74d0c8de02/atomicwriter-0.2.5-cp313-cp313t-manylinux_2_28_x86_64.whl", hash = "sha256:47f974e986ff6514351c3ea75041009a514be0c34c225c062b0ad8a28ec9c0a3", size = 261768, upload-time = "2025-05-24T20:34:57.795Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/f2/4d466f52ee635cc54011713272f302584c6d1ce612c331d9989fa6fa672f/atomicwriter-0.2.5-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:e1db8b9004cd3f628166e83b25eb814b82345f9d6bc15e99b6d201c355455b45", size = 321975, upload-time = "2025-05-24T20:34:59.45Z" },
+    { url = "https://files.pythonhosted.org/packages/84/ad/0189ad9783ca6609df47e06cc0cd22866a8073d46478f59c6ab3ec13e0fb/atomicwriter-0.2.5-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:a7da4a114121ab865663578b801a0520b2b518d4591af0bd294f6aac0dad243b", size = 338946, upload-time = "2025-05-24T20:35:01.501Z" },
+    { url = "https://files.pythonhosted.org/packages/94/79/2c4d8f75eeb09192cf572957f031271998f3c985fabd79d513fff66ac715/atomicwriter-0.2.5-cp313-cp313t-win_amd64.whl", hash = "sha256:7aab4b3956cc17219e7e4da76e8a1bceb3d3aeaf03234f89b90e234a2adcf27b", size = 151571, upload-time = "2025-05-24T20:35:02.747Z" },
+    { url = "https://files.pythonhosted.org/packages/32/19/d6a686d189c3577e7f08b33df398b959c24bf74b3cec34359104db1a24ff/atomicwriter-0.2.5-cp39-abi3-macosx_11_0_arm64.whl", hash = "sha256:8d0fccac2dfe5d884d97edbda28be9c16d55faee9bdf66f53a99384ac387cc43", size = 239320, upload-time = "2025-05-24T20:35:04.028Z" },
+    { url = "https://files.pythonhosted.org/packages/8e/35/35571a4eed57816c3b5fdbefcb15f38563fbe4f3a4a7d1588c8ef899afaf/atomicwriter-0.2.5-cp39-abi3-macosx_11_0_x86_64.whl", hash = "sha256:6583c24333508839db2156d895cbbb5cd3ff20d4f9c698e341435e5b35990eaa", size = 250818, upload-time = "2025-05-24T20:35:05.21Z" },
+    { url = "https://files.pythonhosted.org/packages/81/d9/145093630bc25f115a49d32d9ef66745f5cdef787492d77fd27e74d20389/atomicwriter-0.2.5-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:136a9902ae3f1c0cb262a07dd3ac85069d71f8b11347cd740030567e67d611aa", size = 265796, upload-time = "2025-05-24T20:35:06.388Z" },
+    { url = "https://files.pythonhosted.org/packages/58/32/d1881adade2ebc70aa9dbb61cadabc2c00cfa99a7a5d6ba48f44e279056f/atomicwriter-0.2.5-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:0b6830434b6a49c19473c3f3975dfa0a87dec95bee81297f7393e378f9a0b82f", size = 269378, upload-time = "2025-05-24T20:35:07.578Z" },
+    { url = "https://files.pythonhosted.org/packages/93/f5/2661ea763784a4991c4c7be5c932a468937bd1d4618b833a63ec638a3b76/atomicwriter-0.2.5-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:53095a01891a2901aa04c10c8de52c0ba41e0d8a4a1893318cf34ccbdbde00b7", size = 328167, upload-time = "2025-05-24T20:35:08.764Z" },
+    { url = "https://files.pythonhosted.org/packages/ec/bc/e3aa521671a589bee9662d3e2108e4835a5d80e6da76e4d05d98d1c78005/atomicwriter-0.2.5-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:ecf4dc3983bb1f28b21cb09c2d96b6936d8864c559dcf151b57813cb1eae998b", size = 347153, upload-time = "2025-05-24T20:35:10.507Z" },
+    { url = "https://files.pythonhosted.org/packages/59/b7/e190383e7240b1f247c6df9bc6667db8df10190cd0bb2dba8ea6bd704ea4/atomicwriter-0.2.5-cp39-abi3-win_amd64.whl", hash = "sha256:92cff264a20364301ab341b332fd0112866870b8cb35caf99a3f3fee0e6c19e8", size = 156374, upload-time = "2025-05-24T20:35:11.716Z" },
+]
+
+[[package]]
+name = "certifi"
+version = "2025.1.31"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/1c/ab/c9f1e32b7b1bf505bf26f0ef697775960db7932abeb7b516de930ba2705f/certifi-2025.1.31.tar.gz", hash = "sha256:3d5da6925056f6f18f119200434a4780a94263f10d1c21d032a6f6b2baa20651", size = 167577, upload-time = "2025-01-31T02:16:47.166Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/38/fc/bce832fd4fd99766c04d1ee0eead6b0ec6486fb100ae5e74c1d91292b982/certifi-2025.1.31-py3-none-any.whl", hash = "sha256:ca78db4565a652026a4db2bcdf68f2fb589ea80d0be70e03929ed730746b84fe", size = 166393, upload-time = "2025-01-31T02:16:45.015Z" },
+]
+
+[[package]]
+name = "charset-normalizer"
+version = "3.4.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/16/b0/572805e227f01586461c80e0fd25d65a2115599cc9dad142fee4b747c357/charset_normalizer-3.4.1.tar.gz", hash = "sha256:44251f18cd68a75b56585dd00dae26183e102cd5e0f9f1466e6df5da2ed64ea3", size = 123188, upload-time = "2024-12-24T18:12:35.43Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/0a/9a/dd1e1cdceb841925b7798369a09279bd1cf183cef0f9ddf15a3a6502ee45/charset_normalizer-3.4.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:73d94b58ec7fecbc7366247d3b0b10a21681004153238750bb67bd9012414545", size = 196105, upload-time = "2024-12-24T18:10:38.83Z" },
+    { url = "https://files.pythonhosted.org/packages/d3/8c/90bfabf8c4809ecb648f39794cf2a84ff2e7d2a6cf159fe68d9a26160467/charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dad3e487649f498dd991eeb901125411559b22e8d7ab25d3aeb1af367df5efd7", size = 140404, upload-time = "2024-12-24T18:10:44.272Z" },
+    { url = "https://files.pythonhosted.org/packages/ad/8f/e410d57c721945ea3b4f1a04b74f70ce8fa800d393d72899f0a40526401f/charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c30197aa96e8eed02200a83fba2657b4c3acd0f0aa4bdc9f6c1af8e8962e0757", size = 150423, upload-time = "2024-12-24T18:10:45.492Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/b8/e6825e25deb691ff98cf5c9072ee0605dc2acfca98af70c2d1b1bc75190d/charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2369eea1ee4a7610a860d88f268eb39b95cb588acd7235e02fd5a5601773d4fa", size = 143184, upload-time = "2024-12-24T18:10:47.898Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/a2/513f6cbe752421f16d969e32f3583762bfd583848b763913ddab8d9bfd4f/charset_normalizer-3.4.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc2722592d8998c870fa4e290c2eec2c1569b87fe58618e67d38b4665dfa680d", size = 145268, upload-time = "2024-12-24T18:10:50.589Z" },
+    { url = "https://files.pythonhosted.org/packages/74/94/8a5277664f27c3c438546f3eb53b33f5b19568eb7424736bdc440a88a31f/charset_normalizer-3.4.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffc9202a29ab3920fa812879e95a9e78b2465fd10be7fcbd042899695d75e616", size = 147601, upload-time = "2024-12-24T18:10:52.541Z" },
+    { url = "https://files.pythonhosted.org/packages/7c/5f/6d352c51ee763623a98e31194823518e09bfa48be2a7e8383cf691bbb3d0/charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:804a4d582ba6e5b747c625bf1255e6b1507465494a40a2130978bda7b932c90b", size = 141098, upload-time = "2024-12-24T18:10:53.789Z" },
+    { url = "https://files.pythonhosted.org/packages/78/d4/f5704cb629ba5ab16d1d3d741396aec6dc3ca2b67757c45b0599bb010478/charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:0f55e69f030f7163dffe9fd0752b32f070566451afe180f99dbeeb81f511ad8d", size = 149520, upload-time = "2024-12-24T18:10:55.048Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/96/64120b1d02b81785f222b976c0fb79a35875457fa9bb40827678e54d1bc8/charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:c4c3e6da02df6fa1410a7680bd3f63d4f710232d3139089536310d027950696a", size = 152852, upload-time = "2024-12-24T18:10:57.647Z" },
+    { url = "https://files.pythonhosted.org/packages/84/c9/98e3732278a99f47d487fd3468bc60b882920cef29d1fa6ca460a1fdf4e6/charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:5df196eb874dae23dcfb968c83d4f8fdccb333330fe1fc278ac5ceeb101003a9", size = 150488, upload-time = "2024-12-24T18:10:59.43Z" },
+    { url = "https://files.pythonhosted.org/packages/13/0e/9c8d4cb99c98c1007cc11eda969ebfe837bbbd0acdb4736d228ccaabcd22/charset_normalizer-3.4.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e358e64305fe12299a08e08978f51fc21fac060dcfcddd95453eabe5b93ed0e1", size = 146192, upload-time = "2024-12-24T18:11:00.676Z" },
+    { url = "https://files.pythonhosted.org/packages/b2/21/2b6b5b860781a0b49427309cb8670785aa543fb2178de875b87b9cc97746/charset_normalizer-3.4.1-cp312-cp312-win32.whl", hash = "sha256:9b23ca7ef998bc739bf6ffc077c2116917eabcc901f88da1b9856b210ef63f35", size = 95550, upload-time = "2024-12-24T18:11:01.952Z" },
+    { url = "https://files.pythonhosted.org/packages/21/5b/1b390b03b1d16c7e382b561c5329f83cc06623916aab983e8ab9239c7d5c/charset_normalizer-3.4.1-cp312-cp312-win_amd64.whl", hash = "sha256:6ff8a4a60c227ad87030d76e99cd1698345d4491638dfa6673027c48b3cd395f", size = 102785, upload-time = "2024-12-24T18:11:03.142Z" },
+    { url = "https://files.pythonhosted.org/packages/38/94/ce8e6f63d18049672c76d07d119304e1e2d7c6098f0841b51c666e9f44a0/charset_normalizer-3.4.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:aabfa34badd18f1da5ec1bc2715cadc8dca465868a4e73a0173466b688f29dda", size = 195698, upload-time = "2024-12-24T18:11:05.834Z" },
+    { url = "https://files.pythonhosted.org/packages/24/2e/dfdd9770664aae179a96561cc6952ff08f9a8cd09a908f259a9dfa063568/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22e14b5d70560b8dd51ec22863f370d1e595ac3d024cb8ad7d308b4cd95f8313", size = 140162, upload-time = "2024-12-24T18:11:07.064Z" },
+    { url = "https://files.pythonhosted.org/packages/24/4e/f646b9093cff8fc86f2d60af2de4dc17c759de9d554f130b140ea4738ca6/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8436c508b408b82d87dc5f62496973a1805cd46727c34440b0d29d8a2f50a6c9", size = 150263, upload-time = "2024-12-24T18:11:08.374Z" },
+    { url = "https://files.pythonhosted.org/packages/5e/67/2937f8d548c3ef6e2f9aab0f6e21001056f692d43282b165e7c56023e6dd/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2d074908e1aecee37a7635990b2c6d504cd4766c7bc9fc86d63f9c09af3fa11b", size = 142966, upload-time = "2024-12-24T18:11:09.831Z" },
+    { url = "https://files.pythonhosted.org/packages/52/ed/b7f4f07de100bdb95c1756d3a4d17b90c1a3c53715c1a476f8738058e0fa/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:955f8851919303c92343d2f66165294848d57e9bba6cf6e3625485a70a038d11", size = 144992, upload-time = "2024-12-24T18:11:12.03Z" },
+    { url = "https://files.pythonhosted.org/packages/96/2c/d49710a6dbcd3776265f4c923bb73ebe83933dfbaa841c5da850fe0fd20b/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:44ecbf16649486d4aebafeaa7ec4c9fed8b88101f4dd612dcaf65d5e815f837f", size = 147162, upload-time = "2024-12-24T18:11:13.372Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/41/35ff1f9a6bd380303dea55e44c4933b4cc3c4850988927d4082ada230273/charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0924e81d3d5e70f8126529951dac65c1010cdf117bb75eb02dd12339b57749dd", size = 140972, upload-time = "2024-12-24T18:11:14.628Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/43/c6a0b685fe6910d08ba971f62cd9c3e862a85770395ba5d9cad4fede33ab/charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:2967f74ad52c3b98de4c3b32e1a44e32975e008a9cd2a8cc8966d6a5218c5cb2", size = 149095, upload-time = "2024-12-24T18:11:17.672Z" },
+    { url = "https://files.pythonhosted.org/packages/4c/ff/a9a504662452e2d2878512115638966e75633519ec11f25fca3d2049a94a/charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:c75cb2a3e389853835e84a2d8fb2b81a10645b503eca9bcb98df6b5a43eb8886", size = 152668, upload-time = "2024-12-24T18:11:18.989Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/71/189996b6d9a4b932564701628af5cee6716733e9165af1d5e1b285c530ed/charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:09b26ae6b1abf0d27570633b2b078a2a20419c99d66fb2823173d73f188ce601", size = 150073, upload-time = "2024-12-24T18:11:21.507Z" },
+    { url = "https://files.pythonhosted.org/packages/e4/93/946a86ce20790e11312c87c75ba68d5f6ad2208cfb52b2d6a2c32840d922/charset_normalizer-3.4.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:fa88b843d6e211393a37219e6a1c1df99d35e8fd90446f1118f4216e307e48cd", size = 145732, upload-time = "2024-12-24T18:11:22.774Z" },
+    { url = "https://files.pythonhosted.org/packages/cd/e5/131d2fb1b0dddafc37be4f3a2fa79aa4c037368be9423061dccadfd90091/charset_normalizer-3.4.1-cp313-cp313-win32.whl", hash = "sha256:eb8178fe3dba6450a3e024e95ac49ed3400e506fd4e9e5c32d30adda88cbd407", size = 95391, upload-time = "2024-12-24T18:11:24.139Z" },
+    { url = "https://files.pythonhosted.org/packages/27/f2/4f9a69cc7712b9b5ad8fdb87039fd89abba997ad5cbe690d1835d40405b0/charset_normalizer-3.4.1-cp313-cp313-win_amd64.whl", hash = "sha256:b1ac5992a838106edb89654e0aebfc24f5848ae2547d22c2c3f66454daa11971", size = 102702, upload-time = "2024-12-24T18:11:26.535Z" },
+    { url = "https://files.pythonhosted.org/packages/0e/f6/65ecc6878a89bb1c23a086ea335ad4bf21a588990c3f535a227b9eea9108/charset_normalizer-3.4.1-py3-none-any.whl", hash = "sha256:d98b1668f06378c6dbefec3b92299716b931cd4e6061f3c875a71ced1780ab85", size = 49767, upload-time = "2024-12-24T18:12:32.852Z" },
+]
+
+[[package]]
+name = "dbus-next"
+version = "0.2.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/ce/45/6a40fbe886d60a8c26f480e7d12535502b5ba123814b3b9a0b002ebca198/dbus_next-0.2.3.tar.gz", hash = "sha256:f4eae26909332ada528c0a3549dda8d4f088f9b365153952a408e28023a626a5", size = 71112, upload-time = "2021-07-25T22:11:28.398Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/d2/fc/c0a3f4c4eaa5a22fbef91713474666e13d0ea2a69c84532579490a9f2cc8/dbus_next-0.2.3-py3-none-any.whl", hash = "sha256:58948f9aff9db08316734c0be2a120f6dc502124d9642f55e90ac82ffb16a18b", size = 57885, upload-time = "2021-07-25T22:11:25.466Z" },
+]
+
+[[package]]
+name = "desktop-notify"
+version = "1.3.3"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "dbus-next" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/7a/d8/7ae5779257f5f1aa0a2d50c02d70b29522bd414692f3d3bd18ef119fe82d/desktop-notify-1.3.3.tar.gz", hash = "sha256:62934ad1f72f292f9a3af5ffe45af32814af18c396c00369385540c72bf08077", size = 7828, upload-time = "2021-01-03T16:46:36.483Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/0a/cd/a7e3bd0262f3e8a9272fd24d0193e24dad7cb4e4edd27da48e74b5523e59/desktop_notify-1.3.3-py3-none-any.whl", hash = "sha256:8ad7ecc3a9a603dd5fa3cdc11cc6265cfbc7f6df9d8ed240f4663f43ef0de37a", size = 9937, upload-time = "2021-01-03T16:46:35.157Z" },
+]
+
+[[package]]
+name = "frozendict"
+version = "2.4.6"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/bb/59/19eb300ba28e7547538bdf603f1c6c34793240a90e1a7b61b65d8517e35e/frozendict-2.4.6.tar.gz", hash = "sha256:df7cd16470fbd26fc4969a208efadc46319334eb97def1ddf48919b351192b8e", size = 316416, upload-time = "2024-10-13T12:15:32.449Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/04/13/d9839089b900fa7b479cce495d62110cddc4bd5630a04d8469916c0e79c5/frozendict-2.4.6-py311-none-any.whl", hash = "sha256:d065db6a44db2e2375c23eac816f1a022feb2fa98cbb50df44a9e83700accbea", size = 16148, upload-time = "2024-10-13T12:15:26.839Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/d0/d482c39cee2ab2978a892558cf130681d4574ea208e162da8958b31e9250/frozendict-2.4.6-py312-none-any.whl", hash = "sha256:49344abe90fb75f0f9fdefe6d4ef6d4894e640fadab71f11009d52ad97f370b9", size = 16146, upload-time = "2024-10-13T12:15:28.16Z" },
+    { url = "https://files.pythonhosted.org/packages/a5/8e/b6bf6a0de482d7d7d7a2aaac8fdc4a4d0bb24a809f5ddd422aa7060eb3d2/frozendict-2.4.6-py313-none-any.whl", hash = "sha256:7134a2bb95d4a16556bb5f2b9736dceb6ea848fa5b6f3f6c2d6dba93b44b4757", size = 16146, upload-time = "2024-10-13T12:15:29.495Z" },
+]
+
+[[package]]
+name = "idna"
+version = "3.10"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", size = 190490, upload-time = "2024-09-15T18:07:39.745Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", size = 70442, upload-time = "2024-09-15T18:07:37.964Z" },
+]
+
+[[package]]
+name = "jsonpickle"
+version = "4.0.5"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d6/33/4bda317ab294722fcdfff8f63aab74af9fda3675a4652d984a101aa7587e/jsonpickle-4.0.5.tar.gz", hash = "sha256:f299818b39367c361b3f26bdba827d4249ab5d383cd93144d0f94b5417aacb35", size = 315661, upload-time = "2025-03-29T19:22:56.92Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/dc/1b/0e79cf115e0f54f1e8f56effb6ffd2ef8f92e9c324d692ede660067f1bfe/jsonpickle-4.0.5-py3-none-any.whl", hash = "sha256:b4ac7d0a75ddcdfd93445737f1d36ff28768690d43e54bf5d0ddb1d915e580df", size = 46382, upload-time = "2025-03-29T19:22:54.252Z" },
+]
+
+[[package]]
+name = "python-dateutil"
+version = "2.9.0.post0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "six" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/66/c0/0c8b6ad9f17a802ee498c46e004a0eb49bc148f2fd230864601a86dcf6db/python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", size = 342432, upload-time = "2024-03-01T18:36:20.211Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427", size = 229892, upload-time = "2024-03-01T18:36:18.57Z" },
+]
+
+[[package]]
+name = "pyxdg"
+version = "0.28"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/b0/25/7998cd2dec731acbd438fbf91bc619603fc5188de0a9a17699a781840452/pyxdg-0.28.tar.gz", hash = "sha256:3267bb3074e934df202af2ee0868575484108581e6f3cb006af1da35395e88b4", size = 77776, upload-time = "2022-06-05T11:35:01Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e5/8d/cf41b66a8110670e3ad03dab9b759704eeed07fa96e90fdc0357b2ba70e2/pyxdg-0.28-py2.py3-none-any.whl", hash = "sha256:bdaf595999a0178ecea4052b7f4195569c1ff4d344567bccdc12dfdf02d545ab", size = 49520, upload-time = "2022-06-05T11:34:58.832Z" },
+]
+
+[[package]]
+name = "requests"
+version = "2.32.3"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "certifi" },
+    { name = "charset-normalizer" },
+    { name = "idna" },
+    { name = "urllib3" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", size = 131218, upload-time = "2024-05-29T15:37:49.536Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6", size = 64928, upload-time = "2024-05-29T15:37:47.027Z" },
+]
+
+[[package]]
+name = "six"
+version = "1.17.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/94/e7/b2c673351809dca68a0e064b6af791aa332cf192da575fd474ed7d6f16a2/six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81", size = 34031, upload-time = "2024-12-04T17:35:28.174Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050, upload-time = "2024-12-04T17:35:26.475Z" },
+]
+
+[[package]]
+name = "tabulate"
+version = "0.9.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/ec/fe/802052aecb21e3797b8f7902564ab6ea0d60ff8ca23952079064155d1ae1/tabulate-0.9.0.tar.gz", hash = "sha256:0095b12bf5966de529c0feb1fa08671671b3368eec77d7ef7ab114be2c068b3c", size = 81090, upload-time = "2022-10-06T17:21:48.54Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/40/44/4a5f08c96eb108af5cb50b41f76142f0afa346dfa99d5296fe7202a11854/tabulate-0.9.0-py3-none-any.whl", hash = "sha256:024ca478df22e9340661486f85298cff5f6dcdba14f3813e8830015b9ed1948f", size = 35252, upload-time = "2022-10-06T17:21:44.262Z" },
+]
+
+[[package]]
+name = "toml"
+version = "0.10.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/be/ba/1f744cdc819428fc6b5084ec34d9b30660f6f9daaf70eead706e3203ec3c/toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f", size = 22253, upload-time = "2020-11-01T01:40:22.204Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/44/6f/7120676b6d73228c96e17f1f794d8ab046fc910d781c8d151120c3f1569e/toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", size = 16588, upload-time = "2020-11-01T01:40:20.672Z" },
+]
+
+[[package]]
+name = "uritools"
+version = "4.0.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d3/43/4182fb2a03145e6d38698e38b49114ce59bc8c79063452eb585a58f8ce78/uritools-4.0.3.tar.gz", hash = "sha256:ee06a182a9c849464ce9d5fa917539aacc8edd2a4924d1b7aabeeecabcae3bc2", size = 24184, upload-time = "2024-05-28T18:07:45.194Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e6/17/5a4510d9ca9cc8be217ce359eb54e693dca81cf4d442308b282d5131b17d/uritools-4.0.3-py3-none-any.whl", hash = "sha256:bae297d090e69a0451130ffba6f2f1c9477244aa0a5543d66aed2d9f77d0dd9c", size = 10304, upload-time = "2024-05-28T18:07:42.731Z" },
+]
+
+[[package]]
+name = "urllib3"
+version = "2.3.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/aa/63/e53da845320b757bf29ef6a9062f5c669fe997973f966045cb019c3f4b66/urllib3-2.3.0.tar.gz", hash = "sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d", size = 307268, upload-time = "2024-12-22T07:47:30.032Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/c8/19/4ec628951a74043532ca2cf5d97b7b14863931476d117c471e8e2b1eb39f/urllib3-2.3.0-py3-none-any.whl", hash = "sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df", size = 128369, upload-time = "2024-12-22T07:47:28.074Z" },
+]
+
+[[package]]
+name = "worktime"
+version = "1.0.0"
+source = { editable = "." }
+dependencies = [
+    { name = "atomicwriter" },
+    { name = "desktop-notify" },
+    { name = "frozendict" },
+    { name = "jsonpickle" },
+    { name = "python-dateutil" },
+    { name = "pyxdg" },
+    { name = "requests" },
+    { name = "tabulate" },
+    { name = "toml" },
+    { name = "uritools" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "atomicwriter", specifier = ">=0.2.5" },
+    { name = "desktop-notify", specifier = ">=1.3.3" },
+    { name = "frozendict", specifier = ">=2.4.6" },
+    { name = "jsonpickle", specifier = ">=4.0.5,<5" },
+    { name = "python-dateutil", specifier = ">=2.9.0.post0,<3" },
+    { name = "pyxdg", specifier = ">=0.28,<0.29" },
+    { name = "requests", specifier = ">=2.32.3,<3" },
+    { name = "tabulate", specifier = ">=0.9.0,<0.10" },
+    { name = "toml", specifier = ">=0.10.2,<0.11" },
+    { name = "uritools", specifier = ">=4.0.3,<5" },
+]
+
+[package.metadata.requires-dev]
+dev = []
diff --git a/overlays/worktime/worktime/__main__.py b/overlays/worktime/worktime/__main__.py
index 4eee5dc2..bf24bbec 100755
--- a/overlays/worktime/worktime/__main__.py
+++ b/overlays/worktime/worktime/__main__.py
@@ -1,10 +1,12 @@
 import requests
 from requests.exceptions import HTTPError
 from requests.auth import HTTPBasicAuth
+from requests.adapters import HTTPAdapter, Retry
 from datetime import *
 from xdg import BaseDirectory
 import toml
-from uritools import (uricompose)
+from uritools import uricompose
+from urllib.parse import urljoin
 
 from inspect import signature
 
@@ -27,77 +29,76 @@ from sys import stderr, stdout
 
 from tabulate import tabulate
 
-from itertools import groupby, count
+from itertools import groupby, count, islice
 from functools import cache, partial
 
-import backoff
-
 from pathlib import Path
 
 from collections import defaultdict
+from collections.abc import Iterable, Generator
+from typing import Any
 
 import jsonpickle
 from hashlib import blake2s
 import json
 
-class TogglAPISection(Enum):
-    TOGGL = '/api/v9'
-    REPORTS = '/reports/api/v2'
-
-class TogglAPIError(Exception):
-    def __init__(self, response, *, http_error=None):
-        self.http_error = http_error
-        self.response = response
-
-    def __str__(self):
-        if not self.http_error is None:
-            return str(self.http_error)
-        else:
-            return self.response.text
-
-class TogglAPI(object):
-    def __init__(self, api_token, workspace_id, client_ids):
-        self._api_token = api_token
-        self._workspace_id = workspace_id
-        self._client_ids = set(map(int, client_ids.split(','))) if client_ids else None
-
-    def _make_url(self, api=TogglAPISection.TOGGL, section=['me', 'time_entries', 'current'], params={}):
-        if api is TogglAPISection.REPORTS:
-          params.update({'user_agent': 'worktime', 'workspace_id': self._workspace_id})
-
-        api_path = api.value
-        section_path = '/'.join(section)
-        uri = uricompose(scheme='https', host='api.track.toggl.com', path=f"{api_path}/{section_path}", query=params)
-
-        return uri
-
-    def _query(self, url, method):
-        response = self._raw_query(url, method)
-        response.raise_for_status()
-        return response
-
-    @backoff.on_predicate(
-        backoff.expo,
-        factor=0.1, max_value=2,
-        predicate=lambda r: r.status_code == 429,
-        max_time=10,
-    )
-    def _raw_query(self, url, method):
-        headers = {'content-type': 'application/json', 'accept': 'application/json'}
-        response = None
-
-        if method == 'GET':
-            response = requests.get(url, headers=headers, auth=HTTPBasicAuth(self._api_token, 'api_token'))
-        elif method == 'POST':
-            response = requests.post(url, headers=headers, auth=HTTPBasicAuth(self._api_token, 'api_token'))
-        else:
-            raise ValueError(f"Undefined HTTP method “{method}”")
-
-        return response
+import asyncio
+
+from frozendict import frozendict
+from contextlib import closing
+import os
+from time import clock_gettime_ns, CLOCK_MONOTONIC
+from atomicwriter import AtomicWriter
+import desktop_notify.aio as notify
+
+class BearerAuth(requests.auth.AuthBase):
+    def __init__(self, token):
+        self.token = token
+    def __call__(self, r):
+        r.headers["authorization"] = "Bearer " + self.token
+        return r
+
+class KimaiSession(requests.Session):
+    def __init__(self, base_url: str, api_token: str):
+        super().__init__()
+        self.base_url = base_url
+        self.auth = BearerAuth(api_token)
+        retries = Retry(total=5, backoff_factor=0.1, status_forcelist=[500, 502, 503, 504])
+        super().mount(base_url, HTTPAdapter(max_retries=retries))
+
+    def request(self, method, url, *args, **kwargs):
+        joined_url = urljoin(self.base_url, url)
+        return super().request(method, joined_url, *args, headers = {'Accept': 'application/json'} | (kwargs['headers'] if 'headers' in kwargs else {}), **{k: v for k, v in kwargs.items() if k not in ['headers']})
+
+class KimaiAPI(object):
+    def __init__(self, base_url: str, api_token: str, clients: Iterable[str]):
+        self._session = KimaiSession(base_url, api_token)
+        self._kimai_clients = self._session.get('/api/customers').json()
+        self._client_ids = self.resolve_clients(clients)
+        kimai_user = self._session.get('/api/users/me').json()
+        self._tz = gettz(kimai_user['timezone'])
+
+    def resolve_clients(self, clients: Iterable[str]) -> frozenset[int]:
+        return frozenset({ client['id'] for client in self._kimai_clients if client['name'] in clients })
+
+    def render_datetime(self, datetime: datetime) -> str:
+        return datetime.astimezone(self._tz).strftime('%Y-%m-%dT%H:%M:%S')
+
+    def get_timesheets(self, params: dict[str, Any] = {}) -> Generator[Any]:
+        for page in count(start=1):
+            resp = self._session.get('/api/timesheets', params=params | {'size': 100, 'page': page})
+            if resp.status_code == 404:
+                break
+            yield from resp.json()
 
-    def entry_durations(self, start_date, *, end_date, rounding=False, client_ids):
-        if client_ids is not None and not client_ids:
+    def entry_durations(self, start_date: datetime, *, end_date: datetime, clients: Iterable[str] | None = None) -> Generator[timedelta]:
+        client_ids = None
+        if clients is not None and not clients:
             return
+        elif clients is None:
+            client_ids = self._client_ids
+        else:
+            client_ids = self.resolve_clients(clients)
 
         cache_dir = Path(BaseDirectory.save_cache_path('worktime')) / 'entry_durations'
         step = timedelta(days = 120)
@@ -116,11 +117,8 @@ class TogglAPI(object):
                 cache_key = blake2s(jsonpickle.encode({
                     'start': req_start,
                     'end': req_end,
-                    'rounding': rounding,
-                    'clients': client_ids,
-                    'workspace': self._workspace_id,
-                    'workspace_clients': self._client_ids
-                }).encode('utf-8'), key = self._api_token.encode('utf-8')).hexdigest()
+                    'client_ids': client_ids,
+                }).encode('utf-8'), key = self._session.auth.token.encode('utf-8')).hexdigest()
                 cache_path = cache_dir / cache_key[:2] / cache_key[2:4] / f'{cache_key[4:]}.json'
                 try:
                     with cache_path.open('r', encoding='utf-8') as ch:
@@ -130,85 +128,83 @@ class TogglAPI(object):
                     pass
 
             entries = list()
-            params = { 'since': (req_start - timedelta(days=1)).date().isoformat(),
-                       'until': (req_end + timedelta(days=1)).date().isoformat(),
-                       'rounding': 'yes' if rounding else 'no',
-                       'billable': 'yes'
-                      }
-            if client_ids is not None:
-                params |= { 'client_ids': ','.join(map(str, client_ids)) }
-            for page in count(start = 1):
-                url = self._make_url(api = TogglAPISection.REPORTS, section = ['details'], params = params | { 'page': page })
-                r = self._query(url = url, method='GET')
-                if not r or not r.json():
-                    raise TogglAPIError(r)
-                report = r.json()
-                for entry in report['data']:
-                    start = isoparse(entry['start'])
-                    end = isoparse(entry['end'])
-
-                    if start > req_end or end < req_start:
-                        continue
+            params = {
+                'begin': self.render_datetime(req_start),
+                'end': self.render_datetime(req_end),
+                'customers[]': list(client_ids),
+                'billable': 1,
+            }
+
+            for entry in self.get_timesheets(params):
+                if entry['end'] is None:
+                    continue
+
+                start = isoparse(entry['begin'])
+                end = isoparse(entry['end'])
+
+                if start > req_end or end < req_start:
+                    continue
 
-                    x = min(end, req_end) - max(start, req_start)
-                    if cache_key:
-                        entries.append(x)
-                    yield x
-                if not report['data']:
-                    break
+                x = min(end, req_end) - max(start, req_start)
+                if cache_key:
+                    entries.append(x)
+                yield x
 
             if cache_path:
                 cache_path.parent.mkdir(parents=True, exist_ok=True)
                 with cache_path.open('w', encoding='utf-8') as ch:
                     ch.write(jsonpickle.encode(entries))
-            # res = timedelta(milliseconds=report['total_billable']) if report['total_billable'] else timedelta(milliseconds=0)
-            # return res
 
-    def get_billable_hours(self, start_date, end_date=datetime.now(timezone.utc), rounding=False):
-        billable_acc = timedelta(milliseconds = 0)
-        if 0 in self._client_ids:
-            url = self._make_url(api = TogglAPISection.TOGGL, section = ['workspaces', self._workspace_id, 'clients'])
-            r = self._query(url = url, method = 'GET')
-            if not r or not r.json():
-                raise TogglAPIError(r)
+    def get_billable_hours(self, start_date: datetime, end_date: datetime = datetime.now(timezone.utc)) -> timedelta:
+        return sum(self.entry_durations(start_date, end_date=end_date), start=timedelta(milliseconds=0))
 
-            billable_acc += sum(self.entry_durations(start_date, end_date=end_date, rounding=rounding, client_ids=None), start=timedelta(milliseconds=0)) - sum(self.entry_durations(start_date, end_date=end_date, rounding=rounding, client_ids=frozenset(map(lambda c: c['id'], r.json()))), start=timedelta(milliseconds=0))
-
-        billable_acc += sum(self.entry_durations(start_date, end_date=end_date, rounding=rounding, client_ids=frozenset(*(self._client_ids - {0}))), start=timedelta(milliseconds=0))
-
-        return billable_acc
+    def get_running_entry(self) -> Any | None:
+        kimai_entries = self._session.get('/api/timesheets/active').json()
+        if not kimai_entries:
+            return None
+        entry = kimai_entries[0]
 
-    def get_running_clock(self, now=datetime.now(timezone.utc)):
-        url = self._make_url(api = TogglAPISection.TOGGL, section = ['me', 'time_entries', 'current'])
-        r = self._query(url = url, method='GET')
+        if entry['project']['customer']['id'] not in self._client_ids:
+            return None
 
-        if not r or (not r.json() and r.json() is not None):
-            raise TogglAPIError(r)
+        return entry
 
-        if not r.json() or not r.json()['billable']:
+    def get_running_clock(self, now: datetime = datetime.now(timezone.utc)) -> timedelta | None:
+        entry = self.get_running_entry()
+        if not entry:
             return None
+        start = isoparse(entry['begin'])
+        return now - start if start <= now else None
 
-        if self._client_ids is not None:
-            if 'pid' in r.json() and r.json()['pid']:
-                url = self._make_url(api = TogglAPISection.TOGGL, section = ['projects', str(r.json()['pid'])])
-                pr = self._query(url = url, method = 'GET')
-                if not pr or not pr.json():
-                    raise TogglAPIError(pr)
+    def get_recent_entries(self) -> Generator[Any]:
+        step = timedelta(days = 7)
+        now = datetime.now().astimezone(timezone.utc)
+        ids = set()
+        for req_end in (now - step * i for i in count()):
+            params = {
+                'begin': self.render_datetime(req_end - step),
+                'end': self.render_datetime(req_end),
+                'full': 'true',
+            }
+            for entry in self.get_timesheets(params):
+                if entry['id'] in ids:
+                    continue
+                ids.add(entry['id'])
+                yield entry
 
-                if not pr.json():
-                    return None
+    def start_clock(self, project_id: int, activity_id: int, description: str | None = None, tags: Iterable[str] | None = None, billable: bool = True):
+        self._session.post('/api/timesheets', json={
+            'begin': self.render_datetime(datetime.now()),
+            'project': project_id,
+            'activity': activity_id,
+            'description': description if description else '',
+            'tags': (','.join(tags)) if tags else '',
+            'billable': billable,
+        }).raise_for_status()
 
-                if 'cid' in pr.json() and pr.json()['cid']:
-                    if pr.json()['cid'] not in self._client_ids:
-                        return None
-                elif 0 not in self._client_ids:
-                    return None
-            elif 0 not in self._client_ids:
-                return None
+    def stop_clock(self, running_id: int):
+        self._session.patch(f'/api/timesheets/{running_id}/stop').raise_for_status()
 
-        start = isoparse(r.json()['start'])
-
-        return now - start if start <= now else None
 
 class Worktime(object):
     time_worked = timedelta()
@@ -281,10 +277,10 @@ class Worktime(object):
 
       config = Worktime.config()
       config_dir = BaseDirectory.load_first_config('worktime')
-      api = TogglAPI(
-          api_token=config.get("TOGGL", {}).get("ApiToken", None),
-          workspace_id=config.get("TOGGL", {}).get("Workspace", None),
-          client_ids=config.get("TOGGL", {}).get("ClientIds", None)
+      api = KimaiAPI(
+          base_url=config.get("KIMAI", {}).get("BaseUrl", None),
+          api_token=config.get("KIMAI", {}).get("ApiToken", None),
+          clients=config.get("KIMAI", {}).get("Clients", None)
       )
       date_format = config.get("WORKTIME", {}).get("DateFormat", '%Y-%m-%d')
 
@@ -496,7 +492,7 @@ class Worktime(object):
 
       self.time_to_work += self.time_pulled_forward
 
-      self.time_worked += api.get_billable_hours(self.start_date, self.now, rounding = config.get("WORKTIME", {}).get("rounding", True))
+      self.time_worked += api.get_billable_hours(self.start_date, self.now)
 
 def format_days(worktime, days, date_format=None):
     if not date_format:
@@ -886,7 +882,7 @@ def main():
 
     config = Worktime.config()
 
-    parser = argparse.ArgumentParser(prog = "worktime", description = 'Track worktime using toggl API')
+    parser = argparse.ArgumentParser(prog = "worktime", description = 'Track worktime using Kimai API')
     parser.add_argument('--time', dest = 'now', metavar = 'TIME', type = isotime, help = 'Time to calculate status for (default: current time)', default = datetime.now(tzlocal()))
     parser.add_argument('--start', dest = 'start_datetime', metavar = 'TIME', type = isotime, help = 'Time to calculate status from (default: None)', default = None)
     parser.add_argument('--no-running', dest = 'include_running', action = 'store_false')
@@ -923,5 +919,139 @@ def main():
 
     args.cmd(**vars(args))
 
+async def ui_update_options(api, cache_path):
+    options = set()
+    sort_order = dict()
+    entry_iter = enumerate(api.get_recent_entries())
+    loop = asyncio.get_event_loop()
+    start = clock_gettime_ns(CLOCK_MONOTONIC)
+    while item := await loop.run_in_executor(None, next, entry_iter):
+        ix, entry = item
+        if len(options) >= 20 or ix >= 1000:
+            break
+        elif len(options) >= 3:
+            now = clock_gettime_ns(CLOCK_MONOTONIC)
+            if now - start >= 4000000000:
+                break
+
+        option = frozendict({
+            'tags': frozenset(entry['tags']),
+            'activity': frozendict({'id': entry['activity']['id'], 'name': entry['activity']['name']}),
+            'project': frozendict({'id': entry['project']['id'], 'customer': entry['project']['customer']['name'], 'name': entry['project']['name']}),
+            'description': entry['description'] if entry['description'] else None,
+            'billable': entry['billable'],
+        })
+        sort_value = isoparse(entry['begin'])
+        if option in sort_order:
+            sort_value = max(sort_value, sort_order[option])
+        sort_order[option] = sort_value
+        options.add(option)
+
+    options = list(sorted(options, key = lambda o: sort_order[o], reverse = True))
+
+    with AtomicWriter(cache_path, overwrite=True) as ch:
+        ch.write_text(jsonpickle.encode(options))
+
+    return options
+
+def ui_render_option(option):
+    res = ''
+    if option['description']:
+        res += '„{}“, '.format(option['description'])
+    res += option['activity']['name'] + ', '
+    res += option['project']['name']
+    if option['project']['customer'] not in option['project']['name']:
+        res += ' ({})'.format(option['project']['customer'])
+    if option['tags']:
+        res += ', {}'.format(' '.join(map(lambda t: '#{}'.format(t), option['tags'])))
+    if not option['billable']:
+        res += ', not billable'
+    return res
+
+async def ui_main():
+    cache_path = Path(BaseDirectory.save_cache_path('worktime-ui')) / 'options.json'
+    options = None
+    try:
+        with cache_path.open('r', encoding='utf-8') as ch:
+            options = jsonpickle.decode(ch.read())
+    except FileNotFoundError:
+        pass
+
+    config = Worktime.config()
+    api = KimaiAPI(
+        base_url=config.get("KIMAI", {}).get("BaseUrl", None),
+        api_token=config.get("KIMAI", {}).get("ApiToken", None),
+        clients=config.get("KIMAI", {}).get("Clients", None)
+    )
+    running_entry = api.get_running_entry()
+
+    async with asyncio.TaskGroup() as tg:
+        update_options = tg.create_task(ui_update_options(api, cache_path))
+        if not options:
+            options = await update_options
+
+        read_fd, write_fd = os.pipe()
+        w_pipe = open(write_fd, 'wb', 0)
+        loop = asyncio.get_event_loop()
+        w_transport, _ = await loop.connect_write_pipe(
+            asyncio.Protocol,
+            w_pipe,
+        )
+        r_pipe = open(read_fd, 'rb', 0)
+
+        proc = await asyncio.create_subprocess_exec(
+            "fuzzel", "--dmenu", "--index", "--width=60",
+            stdout = asyncio.subprocess.PIPE,
+            stdin = r_pipe,
+        )
+
+        with closing(w_transport) as t:
+            if running_entry:
+                t.write(b'Stop running timesheet\n')
+            for option in options:
+                t.write(ui_render_option(option).encode('utf-8') + b'\n')
+
+        stdout, _ = await proc.communicate()
+        if proc.returncode != 0:
+            return
+        fuzzel_out = int(stdout.decode('utf-8'))
+        if fuzzel_out < 0 or fuzzel_out >= len(options):
+            return
+        elif running_entry and fuzzel_out == 0:
+            api.stop_clock(running_entry['id'])
+            await notify.Server('worktime').Notify("Stopped running timesheet").set_timeout(65000).show()
+        else:
+            if running_entry:
+                fuzzel_out -= 1
+            option = options[fuzzel_out]
+            api.start_clock(
+                project_id = option['project']['id'],
+                activity_id = option['activity']['id'],
+                description = option['description'],
+                tags = option['tags'],
+                billable = option['billable'],
+            )
+            await notify.Server('worktime').Notify("Timesheet started…").set_timeout(65000).show()
+
+
+def ui():
+    asyncio.run(ui_main())
+
+async def stop_main():
+    config = Worktime.config()
+    api = KimaiAPI(
+        base_url=config.get("KIMAI", {}).get("BaseUrl", None),
+        api_token=config.get("KIMAI", {}).get("ApiToken", None),
+        clients=config.get("KIMAI", {}).get("Clients", None)
+    )
+    if running_entry := api.get_running_entry():
+        api.stop_clock(running_entry['id'])
+        await notify.Server('worktime').Notify("Stopped running timesheet").set_timeout(65000).show()
+    else:
+        await notify.Server('worktime').Notify("No timesheet currently running").set_timeout(65000).show()
+
+def stop():
+    asyncio.run(stop_main())
+
 if __name__ == "__main__":
     sys.exit(main())
diff --git a/shell.nix b/shell.nix
index bec68474..1b334187 100644
--- a/shell.nix
+++ b/shell.nix
@@ -3,6 +3,12 @@ let
   pkgs = self.legacyPackages.${system};
   utils = import ./utils { inherit (nixpkgs) lib; };
   inherit (utils) nixImport;
+  uv-links = pkgs.symlinkJoin {
+    name = "uv-links";
+    paths = [
+      pkgs.python312.pkgs.pygobject3
+    ];
+  };
 in pkgs.mkShell {
   nativeBuildInputs = builtins.attrValues self.packages.${system} ++ (with pkgs; [
     sops
@@ -15,5 +21,9 @@ in pkgs.mkShell {
     nvfetcher.packages.${system}.default
     ca-util.packages.${system}.ca
     poetry uv
+    ninja pkg-config cairo.dev systemd.dev
   ]);
+  shellHook = ''
+    export UV_FIND_LINKS=${uv-links}/lib/python3.12/site-packages
+  '';
 }
diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 229a007e..e5f9dc16 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -180,13 +180,7 @@ in {
       };
       environment.systemPackages = with pkgs; [ git-annex scutiger ];
     }
-  ] ++ (optional (options ? system.switch.enableNg) {
-    system.switch = lib.mkDefault {
-      enable = false;
-      enableNg = true;
-    };
-  })
-  ++ (optional (options ? system.rebuild.enableNg) {
+  ] ++ (optional (options ? system.rebuild.enableNg) {
     system.rebuild.enableNg = lib.mkDefault true;
   })
   ++ (optional (options ? services.userborn) {
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
index b0116d61..e3dc2d2e 100644
--- a/system-profiles/nfsroot.nix
+++ b/system-profiles/nfsroot.nix
@@ -1,4 +1,4 @@
-{ config, options, pkgs, lib, flake, flakeInputs, ... }:
+{ config, options, pkgs, lib, flake, ... }:
 
 with lib;
 
@@ -86,7 +86,7 @@ in {
         mkdir -p /mnt-root/etc/
         cp /etc/resolv.conf /mnt-root/etc/resolv.conf
       '';
-      networking.useDHCP = true;
+      networking.useDHCP = mkImageMediaOverride true;
       networking.resolvconf.enable = false;
       networking.dhcpcd.persistent = true;
 
diff --git a/system-profiles/zfs.nix b/system-profiles/zfs.nix
index a93dddd2..af9f1c17 100644
--- a/system-profiles/zfs.nix
+++ b/system-profiles/zfs.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... } : {
+{ config, pkgs, lib, ... } : {
   config = {
     boot = {
       kernelPackages = pkgs.linuxPackages_6_12;
diff --git a/user-profiles/tmux/default.nix b/user-profiles/tmux/default.nix
index dc4e791f..7ea0c0d5 100644
--- a/user-profiles/tmux/default.nix
+++ b/user-profiles/tmux/default.nix
@@ -16,8 +16,8 @@
 
         installPhase = ''
           substitute $src $out \
-            --subst-var-by zsh ${config.programs.zsh.package} \
-            --subst-var-by man ${config.programs.man.package}
+            --subst-var-by zsh ${lib.getExe config.programs.zsh.package} \
+            --subst-var-by man ${lib.getExe config.programs.man.package}
         '';
       });
     };
diff --git a/user-profiles/yt-dlp.nix b/user-profiles/yt-dlp.nix
index ef0be87e..5c9858a6 100644
--- a/user-profiles/yt-dlp.nix
+++ b/user-profiles/yt-dlp.nix
@@ -13,11 +13,12 @@
           "best"
         ];
         embed-subs = true;
+        embed-thumbnail = true;
+        embed-metadata = true;
         # write-subs = true;
         write-auto-subs = true;
         sub-langs = "en(-(gb|us|orig))?,de(-(de|orig))?,-live_chat,-rechat";
         prefer-free-formats = true;
-        embed-metadata = true;
         # downloader = "${pkgs.axel}/bin/axel";
         concurrent-fragments = 12;
         buffer-size = "16K";
@@ -29,6 +30,7 @@
         # ];
         remux-video = "mp4>mkv";
         output = lib.mkDefault "\"%(modified_date>%Y%m%d,release_date>%Y%m%d,upload_date>%Y%m%d)s %(title)s [%(uploader)s %(webpage_url)s].%(ext)s\"";
+        audio-multistreams = true;
       };
     };
   };
diff --git a/user-profiles/zsh/default.nix b/user-profiles/zsh/default.nix
index 973ff775..ab523a52 100644
--- a/user-profiles/zsh/default.nix
+++ b/user-profiles/zsh/default.nix
@@ -21,6 +21,8 @@
             abbreviations = {
               re = "systemctl restart";
               ure = "systemctl --user restart";
+              st = "systemctl status";
+              ust = "systemctl --user status";
             };
             globalAbbreviations = {
               "L" = "| less";
@@ -28,6 +30,7 @@
               "G" = "| grep";
               "B" = "&> /dev/null &";
               "BB" = "&> /dev/null &!";
+              "J" = lib.mkIf config.programs.jq.enable "| jq '.'";
             };
           };