diff --git a/flake.lock b/flake.lock
index 1878beb8..6f517bd2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -208,6 +208,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "kmonad": {
       "inputs": {
         "nixpkgs": [
@@ -450,26 +465,12 @@
         "type": "github"
       }
     },
-    "quadlet": {
-      "locked": {
-        "lastModified": 1752618481,
-        "narHash": "sha256-8132xTqalZxJZbznHDNoia1UqjNdL/hIQD4IXnI9F58=",
-        "owner": "SEIAROTg",
-        "repo": "quadlet-nix",
-        "rev": "0c1d64f360c1a3c3534f6b592ca3ed5d46cf8429",
-        "type": "github"
-      },
-      "original": {
-        "owner": "SEIAROTg",
-        "repo": "quadlet-nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "csharp-language-server": "csharp-language-server",
         "helix": "helix",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "kmonad": "kmonad",
         "lanzaboote": "lanzaboote",
         "lix-module": "lix-module",
@@ -479,7 +480,7 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-master": "nixpkgs-master",
-        "quadlet": "quadlet",
+        "sops-nix": "sops-nix",
         "zen-browser": "zen-browser"
       }
     },
@@ -546,6 +547,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752544651,
+        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 345e933f..88cac688 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,7 +10,9 @@
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    quadlet.url = "github:SEIAROTg/quadlet-nix";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    impermanence.url = "github:nix-community/impermanence";
 
     # software
     lanzaboote = {
@@ -58,26 +60,30 @@
           };
         }
       );
-      overlays = [ self.overlays.default
-              # lix-module.overlays.default
-      (final: prev: let
-        versionSuffix = "-horribly-patched";
-        lix = final.applyPatches {
-          name = "lix${versionSuffix}";
-          src = inputs.lix-module.inputs.lix;
-          patches = [
-            (final.fetchpatch {
-              name = "lix-2.93-structuredAttrs.patch";
-              url = "https://gerrit.lix.systems/changes/lix~3668/revisions/2/patch?download&raw";
-              hash = "sha256-JQlAU0texMa7DMrqk447SXJUEu1k4IP9z8mjCHyskVc=";
-            })
-          ];
-        };
-        patchedOverlay = import (inputs.lix-module + "/overlay.nix") {
-          inherit versionSuffix lix;
-        };
-      in
-        patchedOverlay final prev)
+      overlays = [
+        self.overlays.default
+        # lix-module.overlays.default
+        (
+          final: prev:
+          let
+            versionSuffix = "-horribly-patched";
+            lix = final.applyPatches {
+              name = "lix${versionSuffix}";
+              src = inputs.lix-module.inputs.lix;
+              patches = [
+                (final.fetchpatch {
+                  name = "lix-2.93-structuredAttrs.patch";
+                  url = "https://gerrit.lix.systems/changes/lix~3668/revisions/2/patch?download&raw";
+                  hash = "sha256-JQlAU0texMa7DMrqk447SXJUEu1k4IP9z8mjCHyskVc=";
+                })
+              ];
+            };
+            patchedOverlay = import (inputs.lix-module + "/overlay.nix") {
+              inherit versionSuffix lix;
+            };
+          in
+          patchedOverlay final prev
+        )
       ];
       genPkgs =
         system:
@@ -99,7 +105,7 @@
           inputs.kmonad.nixosModules.default
           inputs.home-manager.nixosModules.default
           inputs.lanzaboote.nixosModules.lanzaboote
-          inputs.quadlet.nixosModules.quadlet
+          inputs.sops-nix.nixosModules.sops
         ]
         ++ (import ./modules/module-list.nix)
       );
@@ -111,7 +117,10 @@
           packages = [
             pkgs.nixfmt-rfc-style
             pkgs.nil
+            pkgs.sops
+            pkgs.ssh-to-age
           ];
+          SOPS_AGE_KEY_CMD = "";
         };
     };
 }
diff --git a/instances/ds9/default.nix b/instances/ds9/default.nix
index 198ddfdf..35058e0f 100644
--- a/instances/ds9/default.nix
+++ b/instances/ds9/default.nix
@@ -2,4 +2,7 @@
   modules = [ ./configuration.nix ];
   system = "x86_64-linux";
   hostName = "ds9";
+  publicHostname = "ds9.hailsatan.eu";
+  wgPubKey = "";
+  wgServer = true;
 }
diff --git a/lib/default.nix b/lib/default.nix
index b8c8f172..eb53e869 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,11 +11,12 @@ rec {
     lib.mapAttrs (n: v: (import "${parentDir}/${n}")) (
       lib.filterAttrs (n: v: v == "directory") (builtins.readDir parentDir)
     );
-  loadInstances = dir: extraModules: lib.mapAttrs (n: v: loadInstance extraModules v) (getDirs dir);
+  loadInstances =
+    dir: extraModules: lib.mapAttrs (n: v: loadInstance extraModules v (getDirs dir)) (getDirs dir);
   loadInstance =
-    extraModules: instance:
+    extraModules: instance: instanceConfigs:
     nixpkgs.lib.nixosSystem {
-      specialArgs = { inherit inputs; };
+      specialArgs = { inherit inputs instanceConfigs; instanceConfig = instance; };
       modules =
         instance.modules
         ++ extraModules
diff --git a/modules/desktop/wpaperd.nix b/modules/desktop/wpaperd.nix
index 4c9059e1..fe103136 100644
--- a/modules/desktop/wpaperd.nix
+++ b/modules/desktop/wpaperd.nix
@@ -6,34 +6,71 @@
 }:
 let
   cfg = config.xyno.desktop.wpaperd;
-  wpaperdConf = pkgs.writeText "wpaperd.conf" ''
-    [default]
-    path = "/home/${config.xyno.system.user.name}/Pictures/backgrounds"
-    duration = "10m"
-    sorting = "random"
-    mode = "center"
-  '';
+  # wpaperdConf = pkgs.writeText "wpaperd.conf" ''
+  #   [default]
+  #   path = "/home/${config.xyno.system.user.name}/Pictures/backgrounds"
+  #   duration = "10m"
+  #   sorting = "random"
+  #   mode = "center"
+  # '';
 in
 {
-  options.xyno.desktop.wpaperd.enable = lib.mkEnableOption "enable wpaperd notification daemon";
+  options.xyno.desktop.wpaperd.enable = lib.mkEnableOption "enable wpaperd wallpaper daemon";
   options.xyno.desktop.wpaperd.wantedBy = lib.mkOption {
     type = lib.types.str;
     default = "niri.service";
   };
   options.xyno.desktop.wpaperd.package = lib.mkOption {
     type = lib.types.package;
-    default = pkgs.wpaperd;
+    default = pkgs.swww;
   };
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
-    systemd.user.services.wpaperd = {
+    systemd.user.services.swww-daemon = {
       unitConfig.PartOf = "graphical-session.target";
       unitConfig.After = "graphical-session.target";
       unitConfig.Requisite = "graphical-session.target";
       serviceConfig.Restart = "on-failure";
       wantedBy = [ cfg.wantedBy ];
-      script = "exec ${cfg.package}/bin/wpaperd -c ${wpaperdConf}";
-      restartTriggers = [wpaperdConf];
+      script = ''
+        exec ${cfg.package}/bin/swww-daemon'';
+    };
+    systemd.user.services.swww-randomize = {
+      unitConfig.PartOf = "graphical-session.target";
+      unitConfig.After = "graphical-session.target";
+      unitConfig.Requisite = "graphical-session.target";
+      serviceConfig.Restart = "on-failure";
+      wantedBy = [ "swww-daemon.service" ];
+      script = ''
+        export DEFAULT_INTERVAL=300 # In seconds
+        export DIR=''$HOME/Pictures/backgrounds
+
+        # See swww-img(1)
+        RESIZE_TYPE="crop"
+        export SWWW_TRANSITION_FPS="120"
+        export SWWW_TRANSITION="fade"
+        export SWWW_TRANSITION_DURATION="1"
+        # export SWWW_TRANSITION_STEP="90"
+
+        while true; do
+        	find "''$DIR" -type f \
+        	| while read -r img; do
+        		echo "''$(</dev/urandom tr -dc a-zA-Z0-9 | head -c 8):''$img"
+        	done \
+        	| sort -n | cut -d':' -f2- \
+        	| while read -r img; do
+        		for d in ''$(${cfg.package}/bin/swww query | grep -Po "^[^:]+"); do # see ${cfg.package}/bin/swww-query(1)
+        			# Get next random image for this display, or re-shuffle images
+        			# and pick again if no more unused images are remaining
+        			[ -z "''$img" ] && if read -r img; then true; else break 2; fi
+        			${cfg.package}/bin/swww img --resize "''$RESIZE_TYPE" --outputs "''$d" "''$img"
+        			unset -v img # Each image should only be used once per loop
+        		done
+        		sleep "''${DEFAULT_INTERVAL}"
+        	done
+        done
+      '';
+      # restartTriggers = [wpaperdConf];
     };
   };
 }
diff --git a/modules/networking/networkd.nix b/modules/networking/networkd.nix
index b55a07df..d9e4fbbf 100644
--- a/modules/networking/networkd.nix
+++ b/modules/networking/networkd.nix
@@ -57,6 +57,7 @@ in
     #   # ipv6AcceptRAConfig.UsePREF64 = true;
     # };
     networking.wireless.iwd.enable = cfg.enableWifi;
+    xyno.impermanence.extraDirectories = lib.mkOptionals cfg.enableWifi [ "/var/lib/iwd" ];
     # services.clatd.enable = true;
   };
 }
diff --git a/modules/presets/cli.nix b/modules/presets/cli.nix
index 5181ea2f..ab822df6 100644
--- a/modules/presets/cli.nix
+++ b/modules/presets/cli.nix
@@ -73,11 +73,12 @@ in
     };
 
     services.pcscd.enable = true;
-programs.gnupg.agent = {
-   enable = true;
-   # pinentrywlavor = "curses";
-   # enableSSHSupport = true;
-};
+    programs.gnupg.agent = {
+      enable = true;
+      # pinentrywlavor = "curses";
+      # enableSSHSupport = true;
+    };
+    services.udev.packages = [ pkgs.yubikey-personalization ]; # needed for yubikeys to be used as smartcards
 
     environment.systemPackages = with pkgs; [
       jq
diff --git a/modules/presets/common.nix b/modules/presets/common.nix
index ccb10ea6..892be39e 100644
--- a/modules/presets/common.nix
+++ b/modules/presets/common.nix
@@ -13,5 +13,15 @@ in
     boot.initrd.systemd.enable = true;
     hardware.keyboard.zsa.enable = true;
     programs.nh.enable = true;
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm)
+        if (
+          subject.isInGroup("wheel")
+          && action.id == "org.freedesktop.systemd1.manage-units"
+        ) {
+          return polkit.Result.AUTH_ADMIN_KEEP;
+        }
+      });
+    '';
   };
 }
diff --git a/modules/presets/gui.nix b/modules/presets/gui.nix
index bfeaa566..933d3860 100644
--- a/modules/presets/gui.nix
+++ b/modules/presets/gui.nix
@@ -14,6 +14,10 @@ in
     default = "alacritty";
   };
   config = lib.mkIf cfg.enable {
+    services.udev.packages = [
+      pkgs.openocd # fix permission errors with connecting things (especially esp32-c3)
+      pkgs.ptouch-print
+    ];
     xyno.desktop.niri.enable = true;
     xyno.desktop.audio.enable = lib.mkDefault true;
     security.soteria.enable = true;
@@ -116,6 +120,7 @@ in
       source-sans
       b612
       lxqt.lxqt-config
+      ptouch-print
 
     ];
 
diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix
new file mode 100644
index 00000000..30e5f382
--- /dev/null
+++ b/modules/services/monitoring.nix
@@ -0,0 +1,22 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.xyno.services.monitoring;
+in
+{
+  options.xyno.services.monitoring.enable =
+    lib.mkEnableOption "enables monitoring (prometheus exporters and stuff)";
+  options.xyno.services.monitoring.ip = lib.mkOption {
+    type = lib.types.str;
+    default = "::1";
+    description = "the ip prometheus exporters should listen to";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+  };
+}
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
new file mode 100644
index 00000000..f66aeb09
--- /dev/null
+++ b/modules/services/postgres.nix
@@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.xyno.services.postgres;
+in
+{
+  options.xyno.services.postgres.enable = lib.mkEnableOption "enables postgres";
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_17_jit;
+      identMap = ''
+        # ArbitraryMapName systemUser DBUser
+        superuser_map      root      postgres
+        superuser_map      postgres  postgres
+        # Let other names login as themselves
+        superuser_map      /^(.*)$   \1
+      '';
+    };
+    services.prometheus.exporters.postgres = lib.mkIf config.xyno.services.monitoring.enable {
+      enable = true;
+      listenAddress = config.xyno.services.monitoring.ip;
+      port = 9187;
+    };
+
+    xyno.impermanence.extraDirectories = [ "/var/lib/postgresql" ];
+
+    services.borgmatic.settings.postgresql_databases = [
+      {
+        name = "all"; # gets run as root anyways so can log in
+      }
+    ];
+
+  };
+}
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 00000000..4ade5990
--- /dev/null
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,88 @@
+{
+  pkgs,
+  lib,
+  config,
+  instanceConfigs,
+  instanceConfig,
+  ...
+}:
+let
+  cfg = config.xyno.services.wireguard;
+  ula = "fd68:b6a4:36e4";
+  ulaPrefix = "${ula}:1337"; # /64 for normal vpn
+  monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring
+
+  # uses a hash digest as the host identifier
+  genUlaForHost =
+    prefix: hostName:
+    let
+      hostHash = builtins.hashString "sha512" hostName;
+      localParts = map (n: builtins.substring (n * 4) 4 hostHash) hostHash;
+      localPart = lib.concatStringsSep ":" localParts;
+    in
+    "${prefix}:${localPart}";
+  # peers list for networkd
+  wgPeers = map (
+    c:
+    (
+      (lib.optionals (lib.hasAttr c "publicHostname") {
+        # if peer is publicly on the internet
+        AllowedIPs =
+          (lib.optionals (c.wgServer) [
+            "${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
+          ])
+          ++ (lib.optionals (!c.wgServer) [
+            "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
+          ]);
+        Endpoint = "${c.publicHostname}:51820";
+        PersistentKeepalive = 25;
+        PublicKey = c.wgPubKey;
+      })
+      ++ (lib.optionals (!(lib.hasAttr c "publicHostname") && instanceConfig.wgServer && (lib.hasAttr c "wgPubKey")) {
+        # if this is the server and the peer isn't reachable on the internet
+        AllowedIPs = [
+          "${genUlaForHost ulaPrefix c.hostName}/128"
+          "${genUlaForHost monitoringUlaPrefix c.hostName}/128"
+        ];
+        PublicKey = c.wgPubKey;
+        # TODO: preshared keys
+      })
+    )
+  ) instanceConfigs;
+in
+{
+  options.xyno.services.wireguard.enable = lib.mkEnableOption "enables wireguard";
+  options.xyno.services.wireguard.hostsDomain = lib.mkOpion { type = lib.types.str; default = "wg.hailsatan.eu"; };
+  config = lib.mkIf cfg.enable {
+    xyno.services.monitoring.ip = genUlaForHost monitoringUlaPrefix config.networking.hostName;
+    networking.hosts = lib.mapAttrs' (
+      n: v: {
+        name = "${v.hostName}.${cfg.hostsDomain}";
+        value = [ (genUlaForHost ulaPrefix v.hostName) ];
+      }
+    );
+    networking.firewall.allowedUDPPorts = lib.mkIf instanceConfig.wgServer [ 51820 ];
+    systemd.network.netdevs."wg0" = {
+      wireguardConfig = {
+        ListenPort = lib.mkIf instanceConfig.wgServer 51820;
+        PrivateKeyFile = config.sops.secrets.wg_privkey.path; # TODO
+      };
+      wireguardPeers = wgPeers;
+    };
+    systemd.network.networks."wg0" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        Description = "xyno wireguard";
+      };
+      address = [
+        "${(genUlaForHost ulaPrefix config.networking.hostName)}/128"
+        "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128"
+      ];
+    };
+
+    sops.secrets.wg_privkey = {
+      reloadUnits = [ "systemd-networkd.service" ];
+    };
+
+  };
+}
diff --git a/modules/system/impermanence.nix b/modules/system/impermanence.nix
index dac9409f..086e6f30 100644
--- a/modules/system/impermanence.nix
+++ b/modules/system/impermanence.nix
@@ -2,21 +2,97 @@
   pkgs,
   lib,
   config,
+  inputs,
   ...
 }:
 let
   cfg = config.xyno.impermanence;
+  genImpermanenceCfg = cfg: {
+
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/systemd/coredump"
+
+    ]
+    ++ cfg.extraDirectories;
+    files = [
+      "/etc/machine-id"
+
+    ]
+    ++ cfg.extraFiles;
+    users.${config.xyno.system.user.name} = {
+      directories = [
+        "Downloads"
+        "Music"
+        "Pictures"
+        "Documents"
+        "Videos"
+        "docs"
+        "proj"
+        "git"
+        {
+          directory = ".gnupg";
+          mode = "0700";
+        }
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+        {
+          directory = ".local/share/keyrings";
+          mode = "0700";
+        }
+        ".local/share/direnv"
+      ]
+      ++ cfg.user.extraDirectories;
+      files = cfg.user.extraFiles;
+    };
+  };
+
 in
 {
   options.xyno.impermanence = {
     enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
     extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
     extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    user = {
+      extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    };
+    # have a seperate impermanence tree for "cache" files that can just be deleted if wanted
+    cache = {
+      extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      user = {
+        extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+        extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      };
+
+    };
   };
   config = lib.mkIf cfg.enable {
-    imports = [ ]; # TODO
-
-    impermanence.extraFiles = cfg.extraFiles;
-    impermanence.extraDirectories = cfg.extraDirectories;
+    imports = [
+      inputs.impermanence.nixosModules.impermanence
+    ];
+    xyno.impermanence.cache.extraDirectories = [ "/var/cache" ];
+    xyno.impermanence.cache.user.extraDirectories = [ ".cache" ];
+    environment.persistence."/persistent" = genImpermanenceCfg cfg;
+    environment.persistence."/persistent/cache" = genImpermanenceCfg cfg.cache;
+    system.activationScripts."createPersistentStorageDirs".deps = [
+      "var-lib-private-permissions"
+      "users"
+      "groups"
+    ];
+    # https://github.com/nix-community/impermanence/issues/254#issuecomment-2683859091
+    system.activationScripts = {
+      "var-lib-private-permissions" = {
+        deps = [ "specialfs" ];
+        text = ''
+          mkdir -p /persistent/var/lib/private
+          chmod 0700 /persistent/var/lib/private
+        '';
+      };
+    };
   };
 }
diff --git a/modules/system/user.nix b/modules/system/user.nix
index 04961acb..98a9edb7 100644
--- a/modules/system/user.nix
+++ b/modules/system/user.nix
@@ -30,6 +30,7 @@ in
         "tape"
         "uucp"
         "wireshark"
+        "lock"
 
       ];