diff --git a/modules/default.nix b/modules/default.nix
index 100b4f2..82850cb 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,7 +5,6 @@ in {
   imports = [
     ./nftnat
     ./decklink.nix
-    "${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
   ];
 
   # disabled since vaultwarden defines a dummy bitwarden_rs option that
diff --git a/nix/sources.json b/nix/sources.json
index 7717bc6..eacf667 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -76,7 +76,7 @@
         "url_template": "<repo>/-/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-21.05",
+        "branch": "nixos-21.11",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "nixos",
@@ -87,28 +87,16 @@
         "url": "https://github.com/nixos/nixpkgs/archive/7bca80140fc7732c7357b26002db3d87b3ba4c61.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
-    "nixpkgs-new": {
-        "branch": "nixos-21.11",
-        "description": "Nix Packages collection",
-        "homepage": "",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "8588b14a397e045692d0a87192810b6dddf53003",
-        "sha256": "15srsgbhgn27wa4kz4x0gfqbsdnwig0h0y8gj2h4nnw92nrxpvnm",
-        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/8588b14a397e045692d0a87192810b6dddf53003.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
     "nixpkgs-unstable": {
         "branch": "nixos-unstable",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ac169ec6371f0d835542db654a65e0f2feb07838",
-        "sha256": "0bwjyz15sr5f7z0niwls9127hikp2b6fggisysk0cnk3l6fa8abh",
+        "rev": "5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3",
+        "sha256": "0yb7l5p4k9q8avwiq0fgp87ij50d6yavgh4dfw14jh2lf8daqbmp",
         "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/ac169ec6371f0d835542db654a65e0f2feb07838.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/5b091d4fbe3b7b7493c3b46fe0842e4b30ea24b3.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "workadventure": {
diff --git a/pkgs/mattermost/default.nix b/pkgs/mattermost/default.nix
index 870d9fe..8db6934 100644
--- a/pkgs/mattermost/default.nix
+++ b/pkgs/mattermost/default.nix
@@ -12,10 +12,9 @@ let
 
     goPackagePath = "github.com/mattermost/mattermost-server";
 
-    buildFlagsArray = ''
-      -ldflags=
-        -X ${goPackagePath}/model.BuildNumber=nixpkgs-${version}
-    '';
+    ldflags = [
+        "-X ${goPackagePath}/model.BuildNumber=nixpkgs-${version}"
+    ];
 
   };
 
diff --git a/services/gitlab-runner.nix b/services/gitlab-runner.nix
index 6968d1c..6a467d6 100644
--- a/services/gitlab-runner.nix
+++ b/services/gitlab-runner.nix
@@ -57,6 +57,7 @@
     home = "/persist/var/lib/gitlab-runner";
     extraGroups = [ "docker" ];
     isSystemUser = true;
+    group = "nogroup";
   };
 
   virtualisation.docker.storageDriver = "zfs";
diff --git a/services/mail.nix b/services/mail.nix
index a02ed7a..bdb754b 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -124,8 +124,8 @@
     # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
     virusScanning = false;
   };
-  services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
-  services.postfix.submissionsOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
+  services.postfix.submissionOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
+  services.postfix.submissionsOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
   services.postfix.virtual = ''
     @4future.dev @hacc.space
     @4futu.re @hacc.space
diff --git a/services/syncthing.nix b/services/syncthing.nix
index d7d2be6..e453a58 100644
--- a/services/syncthing.nix
+++ b/services/syncthing.nix
@@ -6,50 +6,47 @@
     openDefaultPorts = true;
     configDir = "/persist/var/lib/syncthing/";
     dataDir = "/persist/data/syncthing/";
-    declarative = {
-      devices = {
-        # schweby
-        txsbcct = {
-          addresses = []; # empty = dynamic
-          id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
-        };
-        octycs = {
-          addresses = []; # empty = dynamic
-          id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
-        };
-        stuebinm-desktop = {
-          addresses = []; # empty = dynamic
-          id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
-        };
-        raphael-laptop = {
-          addresses = []; # empty = dynamic
-          id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
-        };
-        # zauberberg
-        conway = {
-          addresses = []; # empty = dynamic
-          id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
-        };
-        # hexchen
-        storah = {
-          addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
-          id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
-        };
+    overrideDevices = true;
+    devices = {
+      # schweby
+      txsbcct = {
+        addresses = []; # empty = dynamic
+        id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
       };
-
-      folders = {
-        "/persist/data/syncthing/hacc/" = {
-          id = "qt2ly-xvvvs";
-          devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
-          type = "receiveonly";
-          versioning = {
-            type = "simple";
-            params.keep = "10";
-          };
-        };
+      octycs = {
+        addresses = []; # empty = dynamic
+        id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
+      };
+      stuebinm-desktop = {
+        addresses = []; # empty = dynamic
+        id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
+      };
+      raphael-laptop = {
+        addresses = []; # empty = dynamic
+        id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
+      };
+      # zauberberg
+      conway = {
+        addresses = []; # empty = dynamic
+        id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
+      };
+      # hexchen
+      storah = {
+        addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
+        id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
       };
-
     };
 
+    folders = {
+      "/persist/data/syncthing/hacc/" = {
+        id = "qt2ly-xvvvs";
+        devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
+        type = "receiveonly";
+        versioning = {
+          type = "simple";
+          params.keep = "10";
+        };
+      };
+    };
   };
 }