diff --git a/modules/default.nix b/modules/default.nix index 10c2701..9e8e864 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -6,7 +6,6 @@ in { ./nftnat ./decklink.nix ./websites.nix - "${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden" ]; # disabled since vaultwarden defines a dummy bitwarden_rs option that diff --git a/nix/sources.json b/nix/sources.json index 8d192ec..f3e3440 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -23,7 +23,7 @@ "homepage": "https://mattermost.com", "owner": "mattermost", "repo": "mattermost-server", - "rev": "3172adfce9d98fe8f9c98ccd0a0fdbb52291ae0a", + "rev": "8f352436049776b5bd7c006bb03992d8fe2f029f", "sha256": "1sy0kydp87pwby0whgq678jq1zpivqndip81787r9b3dqcyq47cp", "type": "tarball", "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v6.1.2.tar.gz", 
@@ -70,27 +70,15 @@
 "url_template": "/-/archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "nixos-21.05",
- "description": "Nix Packages collection",
- "homepage": "",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "7bca80140fc7732c7357b26002db3d87b3ba4c61",
- "sha256": "0vyjpf1jw4cvw7kfbk055faq08q4swz6v1h2mf9zw4r8frhqa73w",
- "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/7bca80140fc7732c7357b26002db3d87b3ba4c61.tar.gz",
- "url_template": "https://github.com///archive/.tar.gz"
- },
- "nixpkgs-new": {
 "branch": "nixos-21.11",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "8588b14a397e045692d0a87192810b6dddf53003",
- "sha256": "15srsgbhgn27wa4kz4x0gfqbsdnwig0h0y8gj2h4nnw92nrxpvnm",
+ "rev": "6c4b9f1a2fd761e2d384ef86cff0d208ca27fdca",
+ "sha256": "1yl5gj0mzczhl1j8sl8iqpwa1jzsgr12fdszw9rq13cdig2a2r5f",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/8588b14a397e045692d0a87192810b6dddf53003.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/6c4b9f1a2fd761e2d384ef86cff0d208ca27fdca.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-unstable": {
@@ -99,10 +87,10 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "ac169ec6371f0d835542db654a65e0f2feb07838",
- "sha256": "0bwjyz15sr5f7z0niwls9127hikp2b6fggisysk0cnk3l6fa8abh",
+ "rev": "945ec499041db73043f745fad3b2a3a01e826081",
+ "sha256": "1ixv310sjw0r5vda4yfwp3snyha2i9h7aqygd43cyvdk2qsjk8pq",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/ac169ec6371f0d835542db654a65e0f2feb07838.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/945ec499041db73043f745fad3b2a3a01e826081.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "workadventure": {
diff --git a/pkgs/default.nix b/pkgs/default.nix
index f6ebdee..beb7bd8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -4,7 +4,6 @@ let sources = import ../nix/sources.nix; pkgs = import sources.nixpkgs args; unstable = import sources.nixpkgs-unstable args; - new = import sources.nixpkgs-new args; callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs); diff --git a/pkgs/mattermost/default.nix b/pkgs/mattermost/default.nix index 870d9fe..8db6934 100644 --- a/pkgs/mattermost/default.nix +++ b/pkgs/mattermost/default.nix @@ -12,10 +12,9 @@ let goPackagePath = "github.com/mattermost/mattermost-server"; - buildFlagsArray = '' - -ldflags= - -X ${goPackagePath}/model.BuildNumber=nixpkgs-${version} - ''; + ldflags = [ + "-X ${goPackagePath}/model.BuildNumber=nixpkgs-${version}" + ]; }; diff --git a/services/gitlab-runner.nix b/services/gitlab-runner.nix index 6968d1c..6a467d6 100644 --- a/services/gitlab-runner.nix +++ b/services/gitlab-runner.nix @@ -57,6 +57,7 @@ home = "/persist/var/lib/gitlab-runner"; extraGroups = [ "docker" ]; isSystemUser = true; + group = "nogroup"; }; virtualisation.docker.storageDriver = "zfs"; diff --git a/services/hedgedoc-hacc.nix b/services/hedgedoc-hacc.nix index a4938d5..430e4fb 100644 --- a/services/hedgedoc-hacc.nix +++ b/services/hedgedoc-hacc.nix @@ -42,7 +42,12 @@ allowFreeURL = true; allowGravatar = false; allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; - dbURL = "postgres://codimd:codimd@localhost:5432/codimd"; + db = { + host = "/run/postgresql"; + username = "codimd"; + dialect = "postgres"; + database = "codimd"; + }; defaultPermission = "limited"; domain = "pad.hacc.space"; host = "0.0.0.0"; @@ -74,6 +79,11 @@ "DATABASE codimd" = "ALL PRIVILEGES"; }; }]; + authentication = '' + local all all trust + host codimd codimd 127.0.0.1/32 trust + ''; + package = pkgs.postgresql_11; }; services.postgresqlBackup = { enable = true; diff --git a/services/hedgedoc-i4f.nix b/services/hedgedoc-i4f.nix index 0cdd526..4580b82 100644 --- a/services/hedgedoc-i4f.nix +++ b/services/hedgedoc-i4f.nix 
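Review bot: In services/gitlab-runner.nix the new `group = "nogroup";` makes the runner's primary group one that is shared with every other account using nogroup, so anything the runner creates under /persist/var/lib/gitlab-runner with group permissions is reachable by those accounts as well. A dedicated group keeps that separate: `group = "gitlab-runner";` together with `users.groups.gitlab-runner = {};`. The user block starts above the hunk, so the account name is not visible here and the group name is only a suggestion.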
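Review bot: The added `local all all trust` line in the second hunk of services/hedgedoc-hacc.nix lets every local account that can open the PostgreSQL socket connect as any database role, including the superuser, without a password, while the new `db` block in the first hunk only needs the codimd role on the codimd database. Narrowing the rule to `local codimd codimd trust`, or to `peer` with an ident map from the HedgeDoc service account to codimd, keeps the socket login working without opening the other roles. NixOS, as far as I know, places these lines ahead of its default pg_hba rules, so this entry is the first match for socket connections. The `host codimd codimd 127.0.0.1/32 trust` line looks unused now that the client connects through /run/postgresql and could probably be dropped. services/hedgedoc-i4f.nix already carries the same `local all all trust` rule in its unchanged context lines.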
@@ -42,7 +42,11 @@ allowFreeURL = true; allowGravatar = false; allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ]; - dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"; + db = { + host = "/run/postgresql"; + dialect = "postgres"; + database = "hedgedoc"; + }; defaultPermission = "freely"; domain = "pad.infra4future.de"; host = "0.0.0.0"; @@ -56,6 +60,7 @@ }; services.postgresql = { enable = true; + package = pkgs.postgresql_11; authentication = '' local all all trust host hedgedoc hedgedoc 127.0.0.1/32 trust diff --git a/services/lantifa.nix b/services/lantifa.nix index f1f0997..3b7c04d 100644 --- a/services/lantifa.nix +++ b/services/lantifa.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, profiles, modules, evalConfig, ... }: -let - new = import (import ../nix/sources.nix).nixpkgs-new {}; -in { +{ containers.lantifa = { autoStart = true; privateNetwork = true; @@ -37,7 +35,6 @@ in { services.mediawiki = { enable = true; name = "LANtifa"; - package = new.mediawiki; database.createLocally = true; passwordFile = "/var/lib/mediawiki/mediawiki-password"; extraConfig = let diff --git a/services/mail.nix b/services/mail.nix index a02ed7a..bdb754b 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -124,8 +124,8 @@ # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) virusScanning = false; }; - services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; - services.postfix.submissionsOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; + services.postfix.submissionOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; + services.postfix.submissionsOptions.smtpd_sender_restrictions = lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit"; services.postfix.virtual = '' @4future.dev @hacc.space @4futu.re @hacc.space 
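Review bot: The new `db` block in services/hedgedoc-i4f.nix has no `username`, while the matching change in services/hedgedoc-hacc.nix sets one explicitly. The role used for the connection then depends on the client library's default, presumably the name of the account the service runs as, which this hunk does not show. Adding `username = "hedgedoc";` would make it match the role named in the `host hedgedoc hedgedoc 127.0.0.1/32 trust` rule further down the file and keep the two pad configurations parallel.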
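Review bot: `package = pkgs.postgresql_11;` is added in the second hunk of services/hedgedoc-i4f.nix without a comment saying why the major version is pinned, and the same line appears in services/hedgedoc-hacc.nix, services/mattermost.nix and services/nextcloud/default.nix. A pin like this presumably keeps the existing data directory on its current major version across the nixpkgs bump, but it also means these servers stay on 11 until someone migrates them, and security fixes for a major version stop at its upstream end of life. I would add a comment at each site such as `# pinned so the existing data dir stays readable after the 21.11 bump; migrate with pg_upgrade or dump/restore, then drop the pin`.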
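Review bot: The two `lib.mkForce` lines in services/mail.nix now override whatever `smtpd_sender_restrictions` another module defines for the submission ports, and nothing next to them says what is being replaced or why. The value itself is unchanged by this commit, but it ends in `permit` and has no `reject_sender_login_mismatch`, so if the definition being overridden is the mail module's login-to-sender check, authenticated users can submit mail under any sender address on these ports. If that is intended, a comment makes it reviewable, e.g. `# mkForce: replaces the mailserver module's sender restrictions; login/sender match is deliberately not enforced`; otherwise put `reject_sender_login_mismatch` ahead of `permit` in both strings.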
diff --git a/services/mattermost.nix b/services/mattermost.nix index a8e4b82..4e9e41b 100644 --- a/services/mattermost.nix +++ b/services/mattermost.nix @@ -202,6 +202,7 @@ in { services.postgresql = { enable = lib.mkForce true; # mattermost sets this to false. wtf. + package = pkgs.postgresql_11; ensureDatabases = [ "mattermost" ]; ensureUsers = [ { name = "mattermost"; diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix index aaac896..484e0c6 100644 --- a/services/nextcloud/default.nix +++ b/services/nextcloud/default.nix @@ -102,6 +102,7 @@ services.postgresql = { enable = true; + package = pkgs.postgresql_11; ensureDatabases = [ "nextcloud" ]; ensureUsers = [ { # by default, postgres has unix sockets enabled, and allows a diff --git a/services/syncthing.nix b/services/syncthing.nix index 049af5c..9b05ace 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -34,8 +34,6 @@ }; }; }; - }; - }; }