diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix
index 6282a1a4..cd54fc7f 100644
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@@ -22,7 +22,7 @@ let
 '';
 in
 {
- imports = [ ./authentik.nix ];
+ imports = [ ./authentik.nix ./part-db.nix ];
 networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
 networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ];
 fileSystems."/var/lib/containers" = {
@@ -222,12 +222,14 @@ in
 '';
 };
 virtualisation.oci-containers.containers.archivebox = {
- image = "archivebox/archivebox:latest";
+ image = "archivebox/archivebox:dev";
 environment = {
 ALLOWED_HOSTS = "*"; # set this to the hostname(s) you're going to serve the site from!
 CSRF_TRUSTED_ORIGINS = "https://archive.hailsatan.eu"; # you MUST set this to the server's URL for admin login and the REST API to work
- PUBLIC_INDEX = "True"; # set to False to prevent anonymous users from viewing snapshot list
- PUBLIC_SNAPSHOTS = "True"; # set to False to prevent anonymous users from viewing snapshot content
+ REVERSE_PROXY_USER_HEADER="X-Authentik-Username";
+ REVERSE_PROXY_WHITELIST="10.88.0.1/32";
+ PUBLIC_INDEX = "False"; # set to False to prevent anonymous users from viewing snapshot list
+ PUBLIC_SNAPSHOTS = "False"; # set to False to prevent anonymous users from viewing snapshot content
 PUBLIC_ADD_VIEW = "False"; # set to True to allow anonymous users to submit new URLs to archive
 SEARCH_BACKEND_ENGINE = "sonic"; # tells ArchiveBox to use sonic container below for fast full-text search
 SEARCH_BACKEND_HOST_NAME = "archivebox_sonic";
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index 61c59177..e3835871 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
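Review bot: The two new reverse-proxy entries in the archivebox environment block carry no comment although every neighbouring key explains its value, and `REVERSE_PROXY_WHITELIST="10.88.0.1/32"` is the one address ArchiveBox will trust to assert `X-Authentik-Username` on a user's behalf, so a reader needs to know where that address comes from. Presumably it is the podman bridge gateway from which the host-side Caddy reaches the container; I would write it as `REVERSE_PROXY_WHITELIST = "10.88.0.1/32"; # podman bridge gateway: only the host-side reverse proxy may assert the user header (confirm address)` and put spaces around `=` on both new lines to match the surrounding style. The image tag also moves from `latest` to `dev`, a floating tag that changes under every rebuild; if a recent build is needed for header-based login, pinning a specific tag or digest keeps the deployment reproducible and upgrades deliberate.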
@@ -212,64 +212,37 @@ in
 handle @grafana {
 import podmanRedirWithAuth http://grafana:3000
 }
- handle {
- import podmanRedirWithAuth http://127.0.0.1:8001
+ @hoard host hoard.hailsatan.eu
+ handle @hoard {
+ import podmanRedirWithAuth http://partdb-server:80
 }
- handle {
- abort
- }
-
- '';
- virtualHosts."*.hailsatan.eu".extraConfig = ''
- import blockBots
- # tailscale only
- bind [fd7a:115c:a1e0:ab12:4843:cd96:6253:6019]
 @immich host immich.hailsatan.eu
 handle @immich {
- import podmanRedir http://immich-server:2283
+ import podmanRedirWithAuth http://immich-server:2283
 }
 @cd host cd.hailsatan.eu
 handle @cd {
- import podmanRedir http://changedetection:5000
- }
- @grafana host grafana.hailsatan.eu
- handle @grafana {
- import podmanRedirWithAuth http://grafana:3000
+ import podmanRedirWithAuth http://changedetection:5000
 }
 @node-red host node-red.hailsatan.eu
 handle @node-red {
- import podmanRedir http://node-red:1880
+ import podmanRedirWithAuth http://node-red:1880
 }
 @labello host labello.hailsatan.eu
 handle @labello {
- import podmanRedir http://labello:4242
+ import podmanRedirWithAuth http://labello:4242
 }
-
-
- # @bzzt-api host bzzt-api.hailsatan.eu
- # handle @bzzt-api {
- # reverse_proxy http://127.0.0.1:5001
- # }
- # @bzzt-lcg host bzzt-lcg.hailsatan.eu
- # handle @bzzt-lcg {
- # reverse_proxy http://127.0.0.1:5003
- # }
- # @bzzt host bzzt.hailsatan.eu
- # handle @bzzt {
- # reverse_proxy http://127.0.0.1:5002
- # }
-
-
 @archivebox host archivebox.hailsatan.eu
 handle @archivebox {
- import podmanRedir http://archivebox:8000
- }
- @jellyfin host j.hailsatan.eu
- handle @jellyfin {
- import podmanRedir http://jellyfin:8096
+ handle /api/* {
+ import podmanRedir http://archivebox:8000
+ }
+ handle {
+ import podmanRedirWithAuth http://archivebox:8000
+ }
 }
 handle {
- reverse_proxy http://127.0.0.1:8001
+ import podmanRedirWithAuth http://127.0.0.1:8001
 }
 '';
 };
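Review bot: The new `handle /api/*` sub-block under `@archivebox` proxies with `podmanRedir`, i.e. without the forward-auth step, while the containers.nix hunk in this commit makes ArchiveBox accept `X-Authentik-Username` from the proxy address; unless the `podmanRedir` snippet removes that header from the inbound request (its definition is outside this hunk), a request on `/api/*` would reach ArchiveBox carrying a client-supplied username header from the one source it trusts. Adding `request_header -X-Authentik-Username` as the first line inside `handle /api/*`, or confirming the snippet already strips it, closes that gap. This hunk also folds the services of the removed tailscale-bound `*.hailsatan.eu` virtual host (immich, cd, node-red, labello) into the enclosing virtual host, whose `bind` and host settings start before this hunk, so they now listen wherever that host does, behind forward auth instead of the tailscale-only bind. A one-line comment above `@immich` recording that this exposure change is deliberate would help the next reader.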
diff --git a/hosts/ds9/part-db.nix b/hosts/ds9/part-db.nix
new file mode 100644
index 00000000..23b07046
--- /dev/null
+++ b/hosts/ds9/part-db.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, lib, inputs, ... }:
+{
+ ragon.agenix.secrets.ds9PartDbEnv = { };
+ virtualisation.quadlet =
+ {
+ containers = {
+ partdb-server.containerConfig.image = "jbtronics/part-db1";
+ partdb-server.containerConfig.networks = [
+ "db-net"
+ "podman"
+ ];
+ partdb-server.containerConfig.volumes = [
+ "partdb-uploads:/var/www/html/uploads"
+ "partdb-media:/var/www/html/public/media"
+ ];
+ partdb-server.containerConfig.environments = {
+ APP_ENV = "docker";
+ DEFAULT_LANG = "en";
+ DEFAULT_TIMEZONE = "Europe/Berlin";
+ BASE_CURRENCY = "EUR";
+ INSTANCE_NAME = "xynos_hoard";
+ TRUSTED_PROXIES = "10.88.0.0/16";
+ DEFAULT_URI = "https://hoard.hailsatan.eu/";
+ };
+ partdb-server.serviceConfig.TimeoutStartSec = "60";
+ partdb-server.containerConfig.environmentFiles = [
+ config.age.secrets.ds9PartDbEnv.path
+ ];
+ };
+ };
+}
diff --git a/hosts/picard/ts-ovpn.nix b/hosts/picard/ts-ovpn.nix
deleted file mode 100644
index f9863e68..00000000
--- a/hosts/picard/ts-ovpn.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ config, pkgs, options, ... }: {
- imports = [
- ../../nixos-modules/services/tailscale-openvpn.nix
- ../../nixos-modules/system/agenix.nix
- ];
- ragon = {
- agenix.secrets."ovpnNl" = { };
- agenix.secrets."ovpnDe" = { };
- agenix.secrets."ovpnTu" = { };
- agenix.secrets."ovpnCrt1" = { };
- agenix.secrets."ovpnPw1" = { };
- agenix.secrets."ovpnPw2" = { };
- agenix.secrets."ovpnScript" = { };
- agenix.secrets."tailscaleKey" = { };
- services.tailscale-openvpn = {
- enable = true;
- tsAuthKey = config.age.secrets.tailscaleKey.path;
- config = {
- nl = config.age.secrets.ovpnNl.path;
- de = config.age.secrets.ovpnDe.path;
- tu = config.age.secrets.ovpnTu.path;
- };
- script = config.age.secrets.ovpnScript.path;
- };
- };
-}
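Review bot: `TRUSTED_PROXIES = "10.88.0.0/16"` trusts the whole podman subnet, so any container on that network, not only the reverse proxy, can present `X-Forwarded-*` headers that the application (presumably via the Symfony trusted-proxies setting) will honour for scheme, host and client-address decisions; the archivebox configuration in the same commit trusts only `10.88.0.1/32`, and if Caddy reaches this container from that same gateway address, `TRUSTED_PROXIES = "10.88.0.1/32";` would be both consistent and narrower. `partdb-server.containerConfig.image = "jbtronics/part-db1"` carries no tag, which resolves to the floating latest tag; pinning a version or digest keeps upgrades deliberate. The module header binds `pkgs`, `lib` and `inputs` that the body never uses, so `{ config, ... }:` is enough. A short header comment such as `# Part-DB inventory behind hoard.hailsatan.eu; database credentials come from the ds9PartDbEnv age secret` would tell the next reader what the file configures.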
diff --git a/hosts/theseus/default.nix b/hosts/theseus/default.nix
index 47732553..acf150a0 100644
--- a/hosts/theseus/default.nix
+++ b/hosts/theseus/default.nix
@@ -207,6 +207,7 @@
 discord # shitcord
 unstable.signal-desktop
 unstable.firefoxpwa
+ mosh
 unstable.plexamp
 # firefox
 obsidian
diff --git a/secrets/ds9PartDbEnv.age b/secrets/ds9PartDbEnv.age
new file mode 100644
index 00000000..9ea22027
Binary files /dev/null and b/secrets/ds9PartDbEnv.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bce29543..2fa5ed5a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,6 +21,7 @@ in
 "ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9";
 "ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9";
 "ds9AuthentikEnv.age".publicKeys = pubkeys.ragon.host "ds9";
+ "ds9PartDbEnv.age".publicKeys = pubkeys.ragon.host "ds9";
 "ds9AuthentikLdapEnv.age".publicKeys = pubkeys.ragon.host "ds9";
 "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server;
 "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard";