diff --git a/flake.lock b/flake.lock
index fc4fb8f..8e72f36 100644
--- a/flake.lock
+++ b/flake.lock
@@ -62,7 +62,7 @@
 "secrets": {
 "flake": false,
 "locked": {
- "narHash": "sha256-7kNQHKkMjjTBPgRzHh34KqbcorqgEyGcu8UQfFxEvb8=",
+ "narHash": "sha256-tsXsKNsa6/AqhXV6YxsSweX++YlwzQuWt0KeaV3SMgQ=",
 "path": "/home/palo/dev/secrets",
 "type": "path"
 },
diff --git a/nixos/configs/pepe/taskwarrior-pushover.nix b/nixos/configs/pepe/taskwarrior-pushover.nix
index dc82dd1..bae8937 100644
--- a/nixos/configs/pepe/taskwarrior-pushover.nix
+++ b/nixos/configs/pepe/taskwarrior-pushover.nix
@@ -11,6 +11,7 @@
 services.taskwarrior-pushover = {
 enable = true;
+ recurrence="on";
 onCalendar = "06:30:00";
 server = "taskd.ingolf-wagner.de:53589";
 pushoverApiTokenFile = config.sops.secrets.pushoverApiToken.path;
diff --git a/nixos/configs/workhorse/configuration.nix b/nixos/configs/workhorse/configuration.nix
index 47e6461..e6a3cb9 100644
--- a/nixos/configs/workhorse/configuration.nix
+++ b/nixos/configs/workhorse/configuration.nix
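Review bot: `recurrence="on";` drops the spaces around `=` that every neighbouring attribute in this set uses; `recurrence = "on";` keeps the file consistent. A short comment on why recurrence is switched on for this host would also help, since the option's meaning (it is passed through to taskwarrior's `rc.recurrence` by the module changed later in this diff) is not visible here. The `services.taskwarrior-pushover` set closes outside the hunk.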
@@ -4,43 +4,45 @@
 ../../system/server
 ./hardware-configuration.nix
+ ./mail-fetcher.nix
+ ./transmission.nix
+ ./nextcloud.nix
+
+ ./borg.nix
+ ./finance.nix
 ./gogs.nix
 ./grafana.nix
 ./graylog.nix
 ./jenkins.nix
 ./kibana.nix
- ./mail-fetcher.nix
+ ./mysql.nix
 ./packages.nix
 ./prometheus.nix
 ./syncthing.nix
 ./taskserver.nix
 ./tinc.nix
- ./transmission.nix
 ./weechat.nix
- ./nextcloud.nix
- ./borg.nix
- #./metabase.nix
- #./jupyter.nix
- ./mysql.nix
- #./property.nix flask sucks, find something else
- ./finance.nix
- #./mining.nix
+
+ #./property.nix # flask sucks, find something else
+
 ];
+ sops.defaultSopsFile = ../../secrets/workhorse.yaml;
+
 nixpkgs.config.permittedInsecurePackages =
- [ "gogs-0.11.91" "nextcloud-19.0.6" ];
+ [ "gogs-0.11.91" ];
 # todo: add this to each file instead summing that here
- on-failure.plans = {
- gogs.name = "gogs";
- jenkins.name = "jenkins";
- graylog.name = "graylog";
- prometheus.name = "prometheus";
- taskserver.name = "taskserver";
- weechat.name = "weechat";
- transmission.name = "transmission";
- mail-fetcher.name = "fetchmail";
- };
+ #on-failure.plans = {
+ # gogs.name = "gogs";
+ # jenkins.name = "jenkins";
+ # graylog.name = "graylog";
+ # prometheus.name = "prometheus";
+ # taskserver.name = "taskserver";
+ # weechat.name = "weechat";
+ # transmission.name = "transmission";
+ # mail-fetcher.name = "fetchmail";
+ #};
 networking.hostName = "workhorse";
diff --git a/nixos/configs/workhorse/finance.nix b/nixos/configs/workhorse/finance.nix
index 2e70c49..fb3ebac 100644
--- a/nixos/configs/workhorse/finance.nix
+++ b/nixos/configs/workhorse/finance.nix
@@ -17,7 +17,7 @@ let
 # ];
 # results in
 # P 2020-01-30 GOOGL $123
- stocks = import ;
+ stocks = import ../../private_assets/finance/stocks;
 stocksFile = toString /home/syncthing/finance/hledger/stocks.journal;
 in {
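Review bot: `[ "gogs-0.11.91" ];` keeps Gogs allow-listed in `permittedInsecurePackages` while `./gogs.nix` stays imported, so nixpkgs' insecurity marking for that release is still being overridden rather than resolved, and the same hunk comments out `on-failure.plans` for gogs and seven other services, so a crash of any of them now produces no notification. If the allow-list is a conscious trade-off, say so next to it, e.g. `# nixpkgs marks gogs-0.11.91 as insecure; upgrade or replace is pending`. If the on-failure block is disabled because its module is no longer loaded, delete it or note that, rather than leaving commented-out code the next reader has to reverse-engineer. The attribute set continues past `networking.hostName` outside the hunk.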
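Review bot: `stocks = import ../../private_assets/finance/stocks;` is a relative path inside a flake, and flakes only see files tracked by git; if `private_assets` is ignored, as its name suggests, `nixos-rebuild --flake` fails with a missing-path error, and if it is tracked the directory becomes part of the flake source copied into the Nix store. Either way this differs from the sops-based approach the rest of the commit takes, so a one-line comment stating which is intended, e.g. `# private_assets must be git-tracked for the flake to see it`, would save the next reader the question. The `let` block continues outside the hunk.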
@@ -32,7 +32,7 @@ in {
 script = let
 command = { symbol, name, currency, ... }: ''
- APIKEY=${lib.fileContents }
+ APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey}
 SYMBOL="${symbol}"
 ${pkgs.curl}/bin/curl --location --silent \
 "https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=$SYMBOL&apikey=$APIKEY" \
diff --git a/nixos/configs/workhorse/graylog.nix b/nixos/configs/workhorse/graylog.nix
index 11853a5..8a31746 100644
--- a/nixos/configs/workhorse/graylog.nix
+++ b/nixos/configs/workhorse/graylog.nix
@@ -45,11 +45,11 @@ in {
 # pwgen -N 1 -s 96
 services.graylog.passwordSecret =
- lib.fileContents ;
+ lib.fileContents ../../private_assets/graylog/password-secret;
 # echo -n yourpassword | shasum -a 256
 services.graylog.rootPasswordSha2 =
- lib.fileContents ;
+ lib.fileContents ../../private_assets/graylog/root-password-hash;
 services.graylog.plugins = [ pkgs.graylogPlugins.slack ];
diff --git a/nixos/configs/workhorse/jenkins.nix b/nixos/configs/workhorse/jenkins.nix
index bdcfab1..a87a36d 100644
--- a/nixos/configs/workhorse/jenkins.nix
+++ b/nixos/configs/workhorse/jenkins.nix
@@ -36,9 +36,11 @@ in {
 };
 };
+ sops.secrets.jenkins_token = { };
+
 krops.userKeys."accessToken" = {
 user = "jenkins";
- source = toString ;
+ source = config.sops.secrets.jenkins_token.path;
 requiredBy = [ "jenkins-job-builder.service" ];
 };
diff --git a/nixos/configs/workhorse/mail-fetcher.nix b/nixos/configs/workhorse/mail-fetcher.nix
index b8eece6..c25bcfc 100644
--- a/nixos/configs/workhorse/mail-fetcher.nix
+++ b/nixos/configs/workhorse/mail-fetcher.nix
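Review bot: `APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey}` embeds the API key into the service script at evaluation time, so the plaintext key lands in the world-readable Nix store and in every copy of the system closure. The rest of this commit moves credentials to sops-nix and this one can too: declare `sops.secrets.alphavantage_api_key = { };` (with `owner` set if the unit does not run as root) and read it at runtime with `APIKEY=$(cat ${config.sops.secrets.alphavantage_api_key.path})`, assuming `config` is among the file's arguments, which the hunk does not show. The key still travels as a URL query parameter, so it is briefly visible in the process list while curl runs; that is an API constraint worth a comment. The `command` helper and the surrounding `script` continue outside the hunk.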
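Review bot: `lib.fileContents ../../private_assets/graylog/password-secret` reads the Graylog `passwordSecret` at evaluation time, so the value is baked into the store, and `private_assets` must be git-tracked for the flake to see it at all. The root password hash is less sensitive, but `passwordSecret` is the secret Graylog uses internally, so if this commit's aim is to keep plaintext secrets out of `/nix/store` this line still defeats it; as far as I recall the NixOS option is a plain string rendered into the generated config file, so sops alone will not fix it and the trade-off should at least be recorded: `# NOTE: read at eval time -> ends up world-readable in /nix/store`. The enclosing attribute set extends beyond the hunk.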
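Review bot: `sops.secrets.jenkins_token = { };` takes sops-nix's defaults (root-owned and not readable by `jenkins`, as far as I recall), and `krops.userKeys."accessToken"` then copies the decrypted token to a second, jenkins-owned location, so the token exists twice on disk. The mail-fetcher change in this same commit instead sets `owner` on the secret and points the consumer at `config.sops.secrets.<name>.path`; doing the same here, `sops.secrets.jenkins_token.owner = "jenkins";`, and using that path in `jenkins-job-builder` would drop the extra copy and the krops indirection. Whether krops performs the copy as root, and so can read the 0400 file, is not visible in the hunk; verify before relying on it. The attribute set continues outside the hunk.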
@@ -424,47 +424,20 @@ in {
 home = "/home/mailfetcher";
 openssh.authorizedKeys.keyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
+ group = "mailfetcher";
 };
- # configure passwords
- krops.userKeys = {
- "namecheap.terranix.org" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "gmail.palipalo9" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "gmx.palo_van_dalo" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "gmx.ingolf_wagner" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "web.pali_palo" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "siteground.contact" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
- "c-base.palo" = {
- user = config.users.users.mailUser.name;
- source = toString ;
- requiredBy = [ "fetchmail.service" ];
- };
+ users.groups.mailUser = {
+ name = "mailfetcher";
 };
+ sops.secrets.mail_terranix.owner = "mailUser";
+ sops.secrets.mail_gmail.owner = "mailUser";
+ sops.secrets.mail_gmx_palo.owner = "mailUser";
+ sops.secrets.mail_gmx_ingolf.owner = "mailUser";
+ sops.secrets.mail_web.owner = "mailUser";
+ sops.secrets.mail_siteground.owner = "mailUser";
+
 environment.systemPackages = [ pkgs.muchsync ];
 # configure accounts
@@ -478,7 +451,7 @@ in {
 realName = "Ingolf Wagner";
 userName = "palo_van_dalo@gmx.de";
 passwordCommand =
- "cat ${toString config.krops.userKeys."gmx.palo_van_dalo".target}";
+ "cat ${toString config.sops.secrets.mail_gmx_palo.path }";
 imap = {
 host = "imap.gmx.net";
 tls.enable = true;
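Review bot: `sops.secrets.mail_terranix.owner = "mailUser";` and the five lines after it hand sops-nix a literal login name, but `mailUser` is the attribute name of the user definition, whose visible settings (`home = "/home/mailfetcher"`, `group = "mailfetcher"`) and the file's existing `config.users.users.mailUser.name` references suggest the real login name differs; if it does, activation chowns to a non-existent user or fetchmail cannot read the files. Use `owner = config.users.users.mailUser.name;` on all six, and consider `group = "mailfetcher";` now that the group exists. The `users.users` definition starts before the hunk.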
@@ -498,7 +471,7 @@ in {
 realName = "Ingolf Wagner";
 userName = "ingolf.wagner@gmx.de";
 passwordCommand =
- "cat ${toString config.krops.userKeys."gmx.ingolf_wagner".target}";
+ "cat ${toString config.sops.secrets.mail_gmx_ingolf.path }";
 imap = {
 host = "imap.gmx.net";
 tls.enable = true;
@@ -518,7 +491,7 @@ in {
 realName = "Ingolf Wagner";
 userName = "pali_palo@web.de";
 passwordCommand =
- "cat ${toString config.krops.userKeys."web.pali_palo".target}";
+ "cat ${toString config.sops.secrets.mail_web.path }";
 imap = {
 host = "imap.web.de";
 tls.enable = true;
@@ -531,57 +504,6 @@ in {
 notmuch.enable = true;
 };
- c-base = {
- primary = false;
- address = "palo@c-base.org";
- aliases = [ ];
- realName = "Ingolf Wagner";
- userName = "palo";
- passwordCommand =
- "cat ${toString config.krops.userKeys."c-base.palo".target}";
- imap = {
- host = "c-mail.c-base.org";
- port = 993;
- # fetched using : nix-shell -p openssl --run "openssl s_client -connect c-mail.c-base.org:993 -showcerts"
- tls.certificatesFile = pkgs.writeText "c-base.pem" ''
- -----BEGIN CERTIFICATE-----
- MIIFKDCCAxCgAwIBAgIDAtwrMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
- Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
- BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTkxMTA5MDgzMjUyWhcNMjExMTA4
- MDgzMjUyWjBhMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQH
- EwZCZXJsaW4xFDASBgNVBAoTC2MtYmFzZSBlLlYuMRowGAYDVQQDExFjLW1haWwu
- Yy1iYXNlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKR3XBxJ
- 72MayCS0D5GCoHcY0TQLs1DQSohCCobRdSowFJzNQw/2lL6bb+Q2rmevZQXuM4vP
- YbFytvTDmY5y5MNXEqGLfi8D5TcaP/RdXWQU++yUunE6yMdqZNheeXPjM//PnoXG
- DyT236BovEi3YipUUsLXFiRj+cAjrQE7a2YUs3fjV3P6grMH0V06J6P6+JJvRgp2
- K33uhKhnKyb3s1tbdbu1KeGozx2ws9lg79XV+Py6PXxP6jTZ2PCsaxs3BThSdmsl
- vQyk/zoW7tA1m2ntRCoyFHZqfOHsN3UOS/HDRlXqgSf0ah8cPYPsl0ayXhgOv0Tu
- 1PSMt4Ve2GajX8MCAwEAAaOB9TCB8jAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE
- AwIDqDA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG+EIEAQYK
- KwYBBAGCNwoDAzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9v
- Y3NwLmNhY2VydC5vcmcvMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuY2Fj
- ZXJ0Lm9yZy9jbGFzczMtcmV2b2tlLmNybDAtBgNVHREEJjAkghFjLW1haWwuYy1i
- YXNlLm9yZ4IPbWFpbC5jLWJhc2Uub3JnMA0GCSqGSIb3DQEBDQUAA4ICAQBjTIa1
- xdhUYXJidv1U0qaqSV1DzumakFY20OM4QCV0Qvlq+SQUqroGBTIGodxhTnjG5o01
- 4xBAnsTcMRNycXHu0j6XYqDS4QhaFcGdFmXP0EQfAFbvhwZdbvgiRHuUTSGEbcLp
- Vk8sP8dpzx+zMAZ6PL7XMwPFPTHm7vw40qmTyCuUcnhIwHgwGxu4yu0tdsU+VwRD
- RVsdZO4V2GhFTz8oRcHvmC2wmx+Zwx0RXWPXSN5yRDDZWwY4WbECa2MvojH1HlJG
- YJkokq7nbYJix/RipSkAXgurcgppVmM5cf7uYgSrltW8pm3IMMPrlaFrlzMMMtdq
- SYFk+FDp296B7CDyWpQhDcVjnGQ70JfMWT5S3Lsi8DnI2pul9ljxPOt+Q8XFh1oz
- Ofr7y5Qjm72YToOX1j7N8ppCh0RJH4lOsouTPVdp859ch9FxZdceq+nC744wv+Nt
- TQPw15Gk3RY5mVYBE/Cw2T7j7qDmBaEUKxkfW7q8t287FXM4XX6C+cKYr6jYx6s1
- 5/2p4gCuOALYqJ7kD2xjci0VTWu77H4J2QKEZF8AgdI36dIYr7GY0e/+xb/CScwr
- uvu2R9jfPOMVu6CiavPGUtcvju4A+qMUDqIyH9dNwkMQRffAtmsF6KR4nMYxhr45
- nKY1BaufWLD1UWrjaR1IF6L5qDHOXeMJEChYkg==
- -----END CERTIFICATE-----'';
- };
- mbsync = {
- enable = false;
- create = "both";
- };
- notmuch.enable = true;
- };
-
 gmail = {
 # for google accounts you have to allow 'less secure apps' in accounts.google.com
 primary = true;
@@ -590,7 +512,7 @@ in {
 realName = "Ingolf Wagner";
 userName = "palipalo9@googlemail.com";
 passwordCommand =
- "cat ${toString config.krops.userKeys."gmail.palipalo9".target}";
+ "cat ${toString config.sops.secrets.mail_gmail.path }";
 imap = {
 host = "imap.gmail.com";
 tls.enable = true;
@@ -609,9 +531,7 @@ in {
 aliases = [ ];
 realName = "Ingolf Wagner";
 userName = "palo@terranix.org";
- passwordCommand = "cat ${
- toString config.krops.userKeys."namecheap.terranix.org".target
- }";
+ passwordCommand = "cat ${toString config.sops.secrets.mail_terranix.path }";
 imap = {
 host = "mail.privateemail.com";
 tls.enable = true;
@@ -631,7 +551,7 @@ in {
 realName = "Ingolf Wagner";
 userName = "contact@ingolf-wagner.de";
 passwordCommand =
- "cat ${toString config.krops.userKeys."siteground.contact".target}";
+ "cat ${toString config.sops.secrets.mail_siteground.path }";
 imap = {
 host = "securees5.sgcpanel.com";
 port = 993;
@@ -715,9 +635,9 @@ in {
 enable = true;
 new.tags = [ "unread" "inbox" "new" ];
 };
- home-manager.users.mailUser.home.file."notmuch" = {
- source = "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
- target = ".notmuch-config";
- };
+ #home-manager.users.mailUser.home.file."notmuch" = {
+ # source = "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
+ # target = ".notmuch-config";
+ #};
 }
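Review bot: `#home-manager.users.mailUser.home.file."notmuch" = {` leaves a four-line block as commented-out code instead of removing it; git history preserves it, and a dead block here invites confusion now that home-manager is loaded for server hosts by the `flake.nix` change elsewhere in this diff. Either delete it or keep a one-line reason saying what supplies `.notmuch-config` now. The c-base account removal earlier in this file is self-contained.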
diff --git a/nixos/configs/workhorse/metabase.nix b/nixos/configs/workhorse/metabase.nix
index 069767c..8dd3f0b 100644
--- a/nixos/configs/workhorse/metabase.nix
+++ b/nixos/configs/workhorse/metabase.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }: {
+/{ pkgs, lib, config, ... }: {
 services.metabase = {
 listen.port = 3040;
diff --git a/nixos/configs/workhorse/nextcloud.nix b/nixos/configs/workhorse/nextcloud.nix
index 2b9d90e..cfe26d6 100644
--- a/nixos/configs/workhorse/nextcloud.nix
+++ b/nixos/configs/workhorse/nextcloud.nix
@@ -7,20 +7,32 @@ let
 in {
+ sops.secrets.nextcloud_database_password = {};
+ sops.secrets.nextcloud_root_password = {};
+
 containers.nextcloud = {
 # mount host folders
 bindMounts = {
 rootpassword = {
- hostPath = toString ;
- mountPoint = toString ;
+ hostPath =
+ "/run/secrets/nextcloud_root_password";
+ #toString ;
+ mountPoint =
+ "/run/secrets/nextcloud_root_password";
+ #toString ;
 isReadOnly = true;
 };
 databasepassword = {
- hostPath = toString ;
- mountPoint = toString ;
+ hostPath =
+ "/run/secrets/nextcloud_database_password";
+ #toString ;
+ mountPoint =
+ "/run/secrets/nextcloud_database_password";
+ #toString ;
 isReadOnly = true;
 };
+
 home = {
 # make sure this folder exist on the host
 hostPath = toString "/home/nextcloud";
@@ -33,17 +45,6 @@ in {
 mountPoint = "/var/lib/mysql";
 isReadOnly = false;
 };
- krops-lib = {
- mountPoint = toString ;
- hostPath = toString ;
- isReadOnly = true;
- };
- modules = {
- mountPoint = toString ;
- hostPath = toString ;
- isReadOnly = true;
- };
- # shared folders
 samples = {
 mountPoint = toString config.services.syncthing.declarative.folders.samples.path;
@@ -84,10 +85,7 @@ in {
 config = { config, pkgs, lib, ... }: {
- imports = [ ];
-
 services.nginx = {
- # Use recommended settings
 recommendedGzipSettings = lib.mkDefault true;
 recommendedOptimisation = lib.mkDefault true;
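Review bot: `+/{ pkgs, lib, config, ... }: {` is not valid Nix — a leading `/` makes the whole file fail to parse — and it is only harmless because `configuration.nix` no longer imports `./metabase.nix`; the next person to re-enable it gets a parse error instead of the module. If the intent was to disable the file, the first line should remain `{ pkgs, lib, config, ... }: {` and the file be deleted or wrapped in a `/* ... */` comment with a reason. Only the first four lines are in the hunk.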
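Review bot: `hostPath = "/run/secrets/nextcloud_root_password";` and its three sibling lines hard-code sops-nix's output path while the accurate `config.sops.secrets.<name>.path` sits commented out beside them; at this level `config` is the host configuration, so `hostPath = config.sops.secrets.nextcloud_root_password.path;` works and survives a change of the secrets directory. `sops.secrets.nextcloud_root_password = {};` also declares the secrets with default ownership (root-only, as far as I recall), whereas the removed `krops.userKeys` entries were owned by `nextcloud` so the container's nextcloud user could read them; a `mode` or `group` readable inside the container is needed. Hedged: if `/run/secrets` is a symlink into a per-generation directory, the bind mount resolves it at container start, so re-deploying a secret may leave the container reading the old copy until it restarts. The `containers.nextcloud` block continues past the hunk.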
@@ -214,27 +212,20 @@ in {
 https = true;
 config = {
 adminpassFile =
- toString config.krops.userKeys."nextcloud_root".target;
+ #config.sops.secrets.nextcloud_root_password.path;
+ "/run/secrets/nextcloud_root_password";
 overwriteProtocol = "https";
 trustedProxies = [ "195.201.134.247" hostAddress ];
 dbtype = "mysql";
 dbpassFile =
- toString config.krops.userKeys."nextcloud_database".target;
+ #config.sops.secrets.nextcloud_database_password.path;
+ "/run/secrets/nextcloud_database_password";
 dbport = 3306;
 };
 };
- # provide password file for database with proper rights
- krops.userKeys."nextcloud_database" = {
- user = "nextcloud";
- source = toString ;
- requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
- };
- krops.userKeys."nextcloud_root" = {
- user = "nextcloud";
- source = toString ;
- requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
- };
+ #sops.secrets.nextcloud_database_password = {};
+ #sops.secrets.nextcloud_root_password = {};
 environment.systemPackages = [ pkgs.smbclient ];
@@ -340,7 +331,8 @@ in {
 doInit = true;
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat ${toString }";
+ passCommand =
+ "cat ${config.sops.secrets.backup_repository_passphrase.path}";
 };
 startAt = "0/3:00:00";
 prune.keep = {
diff --git a/nixos/configs/workhorse/prometheus.nix b/nixos/configs/workhorse/prometheus.nix
index fd775b8..6888571 100644
--- a/nixos/configs/workhorse/prometheus.nix
+++ b/nixos/configs/workhorse/prometheus.nix
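Review bot: `"/run/secrets/nextcloud_root_password";` is hard-coded here because, inside `config = { config, pkgs, lib, ... }:`, `config` is the container's configuration and has no `sops`, which is presumably why `#config.sops.secrets.nextcloud_root_password.path;` is commented out and why the `#sops.secrets...` declarations at the end of the hunk are dead. The usual fix is to capture the host config outside the container function; the file already opens with a `let`, so `hostSecrets = config.sops.secrets;` there, then `adminpassFile = hostSecrets.nextcloud_root_password.path;` and `dbpassFile = hostSecrets.nextcloud_database_password.path;`, keeps one source of truth for the paths. Removing the `krops.userKeys` entries also removes the `user = "nextcloud"` ownership they provided; nextcloud-setup and php-fpm run as `nextcloud` in the container as far as I recall, so the files need a mode or group that user can read. The `config` function and the `containers.nextcloud` block extend beyond the hunk.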
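Review bot: `"cat ${config.sops.secrets.backup_repository_passphrase.path}"` references a secret that nothing in this diff declares; if `sops.secrets.backup_repository_passphrase` lives in another file imported by `configuration.nix` that is fine, but if this borg job sits inside the container's `config = { config, ... }:` function like the hunk above, `config` is the container's and the attribute is missing. A comment naming where the secret is declared, `# declared in borg.nix`, would settle it, and the secret's `owner` should match the user the borg job runs as. The job definition starts before the hunk.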
@@ -84,23 +84,23 @@
 };
 }];
 }
- {
- job_name = "home-assistant";
- scrape_interval = "60s";
- metrics_path = "/api/prometheus";
- # you can create this token on your user profile page
- # http://pepe.private:8123/profile
- bearer_token =
- lib.fileContents ;
- static_configs = [{
- targets = [ "pepe.private:8123" ];
- labels = {
- service = "hass";
- server = "pepe";
- city = "essen";
- };
- }];
- }
+ #{
+ # job_name = "home-assistant";
+ # scrape_interval = "60s";
+ # metrics_path = "/api/prometheus";
+ # # you can create this token on your user profile page
+ # # http://pepe.private:8123/profile
+ # bearer_token =
+ # lib.fileContents ;
+ # static_configs = [{
+ # targets = [ "pepe.private:8123" ];
+ # labels = {
+ # service = "hass";
+ # server = "pepe";
+ # city = "essen";
+ # };
+ # }];
+ #}
 ];
 };
 }
diff --git a/nixos/configs/workhorse/syncthing.nix b/nixos/configs/workhorse/syncthing.nix
index dcdf44e..c7a369a 100644
--- a/nixos/configs/workhorse/syncthing.nix
+++ b/nixos/configs/workhorse/syncthing.nix
@@ -11,14 +11,18 @@
 };
 };
+
+ sops.secrets.syncthing_cert = { };
+ sops.secrets.syncthing_key = { };
+
 services.syncthing = {
 enable = true;
 openDefaultPorts = false;
 dataDir = "/home/syncthing";
 configDir = "/home/syncthing";
 declarative = {
- cert = toString ;
- key = toString ;
+ cert = toString config.sops.secrets.syncthing_cert.path;
+ key = toString config.sops.secrets.syncthing_key.path;
 overrideFolders = true;
 folders = {
diff --git a/nixos/configs/workhorse/tinc.nix b/nixos/configs/workhorse/tinc.nix
index ffe59c3..5291b19 100644
--- a/nixos/configs/workhorse/tinc.nix
+++ b/nixos/configs/workhorse/tinc.nix
@@ -17,4 +17,7 @@
 };
 };
+ sops.secrets.tinc_retiolum_ed25519_key = { };
+ sops.secrets.tinc_retiolum_rsa_key = { };
+
 }
diff --git a/nixos/configs/workhorse/transmission.nix b/nixos/configs/workhorse/transmission.nix
index 60426df..c53ec62 100644
--- a/nixos/configs/workhorse/transmission.nix
+++ b/nixos/configs/workhorse/transmission.nix
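Review bot: `sops.secrets.syncthing_cert = { };` and `sops.secrets.syncthing_key = { };` leave the files with sops-nix's default ownership (root, mode 0400, as far as I recall), while the NixOS syncthing module copies `cert`/`key` into `configDir` from its init service, which I believe runs as the syncthing user; the previous store paths were world-readable, which is why this never surfaced. Setting `owner = config.services.syncthing.user;` on both avoids a permission error at first start. The `toString` around `config.sops.secrets.syncthing_cert.path` is redundant, since `.path` is already a string. The `declarative` block continues outside the hunk.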
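Review bot: `sops.secrets.tinc_retiolum_ed25519_key = { };` and the rsa line declare two private keys, but nothing in this hunk connects them to `services.tinc.networks.retiolum` (`ed25519PrivateKeyFile`/`rsaPrivateKeyFile`), and the network definition closes just above; if the wiring happens elsewhere a `# consumed by services.tinc.networks.retiolum in <file>` comment would help, otherwise the keys are decrypted for nothing. Whether the tinc service reads the key files as root or as its per-network user is not visible here; if the latter, the secrets also need `owner` set. The `services.tinc` block starts before the hunk.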
@@ -6,18 +6,20 @@ let
 in {
+ sops.secrets.nordvpn = {};
+
 containers.torrent = {
 # mount host folders
 bindMounts = {
- password = {
- hostPath = toString ;
- mountPoint = toString ;
- isReadOnly = true;
- };
+ #password = {
+ # hostPath = "/run/secrets/transmission_password";
+ # mountPoint = "/run/secrets/transmission_password";
+ # isReadOnly = true;
+ #};
 nordvpnPassword = {
- hostPath = toString ;
- mountPoint = toString ;
+ hostPath = "/run/secrets/nordvpn";
+ mountPoint = "/run/secrets/nordvpn";
 isReadOnly = true;
 };
 home = {
@@ -183,7 +185,8 @@ in {
 remote-cert-tls server
- auth-user-pass ${toString }
+ auth-user-pass /run/secrets/nordvpn.txt
+ verb 3
 pull
 resolv-retry infinite
diff --git a/nixos/flake.nix b/nixos/flake.nix
index 1046a54..92d8103 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -63,6 +63,11 @@
 })
 ];
 })
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
 ];
 desktopModules = [
 home-manager.nixosModules.home-manager
diff --git a/nixos/krops.nix b/nixos/krops.nix
index b626051..a8d9972 100644
--- a/nixos/krops.nix
+++ b/nixos/krops.nix
@@ -5,7 +5,7 @@ let
 command = targetPath: let
 commandLine =
- "TMPDIR=/tmp nixos-rebuild switch --flake ${targetPath} -L --keep-going";
+ "TMPDIR=/tmp nixos-rebuild build --flake ${targetPath} -L --keep-going";
 in ''
 echo '${commandLine}'
 nix-shell \
diff --git a/nixos/modules/services/taskwarrior-pushover.nix b/nixos/modules/services/taskwarrior-pushover.nix
index a60683c..3500ffb 100644
--- a/nixos/modules/services/taskwarrior-pushover.nix
+++ b/nixos/modules/services/taskwarrior-pushover.nix
@@ -13,6 +13,10 @@ in
 type = str;
 default = "4:00:00";
 };
+ recurrence = mkOption {
+ type = enum["on" "off"];
+ default = "off";
+ };
 pushoverApiTokenFile = mkOption {
 type = path;
 };
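Review bot: `hostPath = "/run/secrets/nordvpn";` and the matching `mountPoint` hard-code the sops-nix path at host level, where `config.sops.secrets.nordvpn.path` for the `sops.secrets.nordvpn = {};` just declared is available and would follow any change of the secrets directory. The commented-out `#password = {` mount removes the transmission password from the container; if anything in the container config still reads `/run/secrets/transmission_password` (not visible in this hunk) it now dangles, so a grep before merging is worthwhile. The `bindMounts` set continues past the hunk.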
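Review bot: `auth-user-pass /run/secrets/nordvpn.txt` points OpenVPN at a file that is never mounted: the bind mount in the earlier hunk of this file places the secret at `/run/secrets/nordvpn`, without `.txt`, so the tunnel fails at credential load unless something else creates the `.txt` path. Change it to `auth-user-pass /run/secrets/nordvpn` (or change the mountPoint to match), and keep `verb 3` only if the extra log detail is wanted permanently, since it looks like it was added to debug exactly this. The OpenVPN config string extends beyond the hunk.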
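Review bot: `nixos-rebuild build --flake ...` replaces `switch`, so the deploy helper now only builds on the target and never activates the new generation; deploys will report success while every host keeps running its previous configuration. If this is a deliberate dry-run while the sops migration is checked, say so in a comment and restore `switch` afterwards, e.g. `# temporarily build-only; switch back once secrets are verified on all hosts`; otherwise the line should stay `switch`. The `command` function continues outside the hunk.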
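Review bot: `recurrence = mkOption {` declares the new option without a `description`, so it shows up undocumented next to its neighbours; add `description = "Passed to taskwarrior as rc.recurrence (\"on\" or \"off\").";`. Stylistically `type = enum["on" "off"];` reads better as `type = enum [ "on" "off" ];`, and a `bool` mapped to the string in the script would be the more idiomatic NixOS interface if the option is still young enough to change. The `options` set this lives in starts before the hunk.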
@@ -54,7 +58,7 @@ in
 script = let
 taskwarriorCommand = pkgs.writers.writeDash "taskwarrior-push" ''
 ${pkgs.taskwarrior}/bin/task \
- rc.recurrence=off \
+ rc.recurrence=${cfg.recurrence} \
 rc:/var/lib/${name}/.taskrc \
 rc.data.location=/var/lib/${name}/${cfg.dataDir} \
 rc.taskd.ca=${cfg.caFile} \
diff --git a/nixos/system/desktop/mail-stuff.nix b/nixos/system/desktop/mail-stuff.nix
index 12f5fa2..a16686d 100644
--- a/nixos/system/desktop/mail-stuff.nix
+++ b/nixos/system/desktop/mail-stuff.nix
@@ -118,7 +118,7 @@ in {
 enable = true;
 # msmtp --serverinfo --tls --tls-certcheck=off -a ingolf-wagner
 tls.fingerprint =
- "F3:5C:9A:BF:82:35:78:AA:42:85:F5:D1:2A:08:B9:B4:56:6D:B7:BF:47:3B:37:B4:D8:B5:10:AE:0E:95:03:CD";
+ "16:94:47:E0:00:86:BB:F7:56:D3:81:F1:89:7B:CD:67:65:0B:EE:0B:A9:26:96:5E:0B:1F:56:AB:FD:DE:96:C5";
 };
 gpg = {
 encryptByDefault = true;
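Review bot: `tls.fingerprint = "16:94:47:..."` pins the SMTP server's leaf certificate by hash, and the comment above shows the value is collected with `--tls-certcheck=off`, i.e. trust-on-first-use with no record that the new fingerprint was confirmed out of band; whoever sits in the path at collection time gets pinned instead of the real server. Pinning the leaf also breaks at every certificate renewal, which is presumably why the value changed. If the server's certificate chains to a public CA, ordinary CA verification is more robust; if pinning is deliberate, note how and when it was verified next to it, e.g. `# SHA-256 of the server leaf cert, cross-checked via a second path on <date>; rotates with the cert`. The msmtp account block continues past the hunk.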