diff --git a/flake.lock b/flake.lock
index 2fa3ba5..501fa01 100644
--- a/flake.lock
+++ b/flake.lock
@@ -721,16 +721,16 @@
 ]
 },
 "locked": {
- "lastModified": 1716736833,
- "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
+ "lastModified": 1733050161,
+ "narHash": "sha256-lYnT+EYE47f5yY3KS/Kd4pJ6CO9fhCqumkYYkQ3TK20=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
+ "rev": "62d536255879be574ebfe9b87c4ac194febf47c5",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-24.05",
+ "ref": "release-24.11",
 "repo": "home-manager",
 "type": "github"
 }
@@ -1166,16 +1166,16 @@
 },
 "nixpkgs_9": {
 "locked": {
- "lastModified": 1731239293,
- "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
+ "lastModified": 1732981179,
+ "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
+ "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.05",
+ "ref": "nixos-24.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 6699c7d..fc74abd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,12 +2,12 @@
 description = "nki's systems";
 inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 nixos-hardware.url = "github:nixos/nixos-hardware";
 darwin.url = "github:lnl7/nix-darwin/master";
 darwin.inputs.nixpkgs.follows = "nixpkgs-unstable";
- home-manager.url = "github:nix-community/home-manager/release-24.05";
+ home-manager.url = "github:nix-community/home-manager/release-24.11";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 home-manager-unstable.url = "github:nix-community/home-manager";
 home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
diff --git a/nki-personal-do/gitea.nix b/nki-personal-do/gitea.nix
index 237d6d5..be30f00 100644
--- a/nki-personal-do/gitea.nix
+++ b/nki-personal-do/gitea.nix
@@ -180,7 +180,6 @@ in
 MINIO_USE_SSL = "true";
 MINIO_ENDPOINT = "60c0807121eb35ef52cdcd4a33735fa6.r2.cloudflarestorage.com";
 MINIO_ACCESS_KEY_ID = "704c29ade7a8b438b77ab520da2799ca";
- MINIO_SECRET_ACCESS_KEY = "#miniosecretkey#";
 MINIO_BUCKET = "dtth-gitea";
 MINIO_LOCATION = "auto";
 MINIO_CHECKSUM_ALGORITHM = "md5"; # R2 moment
@@ -192,7 +191,8 @@ in
 stateDir = "/mnt/data/gitea";
- mailerPasswordFile = secrets."gitea/mailer-password".path;
+ secrets.mailer.PASSWD = secrets."gitea/mailer-password".path;
+ secrets.storage.MINIO_SECRET_ACCESS_KEY = config.sops.secrets."gitea/minio-secret-key".path;
 database = {
 inherit user;
@@ -216,14 +216,7 @@ in
 # https://github.com/NixOS/nixpkgs/commit/93c1d370db28ad4573fb9890c90164ba55391ce7
 serviceConfig.SystemCallFilter = mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
 preStart =
- let
- configFile = "${config.services.forgejo.customDir}/conf/app.ini";
- in
 ''
- # Update minio secret key
- chmod u+w ${configFile} && \
- ${lib.getExe pkgs.replace-secret} '#miniosecretkey#' '${config.sops.secrets."gitea/minio-secret-key".path}' '${configFile}' && \
- chmod u-w ${configFile}
 # Import the signing subkey
 if cat ${config.services.forgejo.stateDir}/.gnupg/gpg.conf | grep -q ${signingKey}; then
 echo "Keys already imported"
diff --git a/nki-personal-do/headscale.nix b/nki-personal-do/headscale.nix
index acb6da1..d439d52 100644
--- a/nki-personal-do/headscale.nix
+++ b/nki-personal-do/headscale.nix
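Review bot: In the `@@ -192,7 +191,8 @@` hunk of gitea.nix the two added `secrets.*` lines spell their sops paths in two different ways, `secrets."gitea/mailer-password".path` and `config.sops.secrets."gitea/minio-secret-key".path`. If `secrets` is this file's alias for `config.sops.secrets` (its binding is outside the hunk), the second line would read more consistently as `secrets.storage.MINIO_SECRET_ACCESS_KEY = secrets."gitea/minio-secret-key".path;`. A short comment above the pair, for example `# read from these files when the service starts, so the values stay out of the Nix store`, would record why these two settings are declared here while the other `MINIO_*` values in the first hunk stay inline.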
@@ -35,23 +35,25 @@ rec {
 settings = {
 server_url = "https://hs.dtth.ch";
- db_type = "postgres";
- db_host = "/var/run/postgresql"; # find out yourself
- db_user = "headscale";
- db_name = "headscale";
+ database.type = "postgres";
+ database.postgres = {
+ host = "/var/run/postgresql"; # find out yourself
+ user = "headscale";
+ name = "headscale";
+ };
- dns_config = {
- base_domain = host;
+ dns = {
+ base_domain = "dtth.ts";
 };
 noise = {
 private_key_path = "/var/lib/headscale/noise_private.key";
 };
- ip_prefixes = [
- "fd7a:115c:a1e0::/48"
- "100.64.0.0/10"
- ];
+ prefixes = {
+ v6 = "fd7a:115c:a1e0::/48";
+ v4 = "100.64.0.0/10";
+ };
 derp.paths = [
 secrets."headscale/derp-servers/vnm".path
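Review bot: `dns.base_domain` is no longer derived from `host` but hard-coded to `"dtth.ts"`, which is a behaviour change rather than part of the key rename, and the hunk has no comment saying why. If the reason is that the newer headscale rejects a `base_domain` that overlaps the `server_url` host (`hs.dtth.ch`), a comment such as `# must not overlap the server_url domain` on that line would stop someone from "simplifying" it back to `host`. Node DNS names presumably change with this value, so clients that resolve peers by the old suffix are worth checking after deploy. The `rec` block and the `host` binding start outside the hunk, so whether `host` is still used elsewhere cannot be seen from here.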