diff --git a/flake.nix b/flake.nix index adb70ab..aa43be7 100644 --- a/flake.nix +++ b/flake.nix @@ -12,12 +12,14 @@ # TODO_: Add any other flake you might need hardware.url = "github:nixos/nixos-hardware"; + # inputs.agenix.url = "github:ryantm/agenix"; + # Shameless plug: looking for a way to nixify your themes and make # everything match nicely? Try nix-colors! # nix-colors.url = "github:misterio77/nix-colors"; }; - outputs = { nixpkgs, ... }@inputs: { + outputs = { self, nixpkgs, ... }@inputs: { # NixOS configuration entrypoint # Available through 'nixos-rebuild --flake .#your-hostname' nixosConfigurations = { @@ -25,19 +27,25 @@ pc-mans = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; # Pass flake inputs to our config # > Our main nixos configuration file < - modules = [ ./nixos/machines/pc-mans/configuration.nix ]; + modules = [ + ./nixos/machines/pc-mans/configuration.nix + ]; }; lpt-mans = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; # Pass flake inputs to our config # > Our main nixos configuration file < - modules = [ ./nixos/machines/lpt-mans/configuration.nix ]; + modules = [ + ./nixos/machines/lpt-mans/configuration.nix + ]; }; srv01-home = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; # Pass flake inputs to our config # > Our main nixos configuration file < - modules = [ ./nixos/machines/srv01-home/configuration.nix ]; + modules = [ + ./nixos/machines/srv01-home/configuration.nix + ]; }; }; }; diff --git a/nixos/machines/srv01-home/configuration.nix b/nixos/machines/srv01-home/configuration.nix index b591953..7facbb0 100644 --- a/nixos/machines/srv01-home/configuration.nix +++ b/nixos/machines/srv01-home/configuration.nix 
@@ -2,22 +2,48 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ config, pkgs, ... }: +{ inputs, lib, config, pkgs, ... }: { -{ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + inputs.hardware.nixosModules.common-cpu-amd ../../modules/docker.nix ../../roles/server.nix ]; - services.gitea-actions-runner.instances.test = { + services.haproxy = { + enable = true; + config = '' + global + daemon + maxconn 256 + + defaults + mode http + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + + frontend http-in + bind *:88 + default_backend garage-web + + backend garage-s3 + server server1 127.0.0.1:3900 maxconn 32 + backend garage-web + server server1 127.0.0.1:3902 maxconn 32 + ''; + }; + + virtualisation.libvirtd.enable = true; + + services.gitea-actions-runner.instances.nixos = { enable = true; name = "NixOs"; url = "https://git.mzsl.nl"; - token = "kkhRRI5MsCDrqK30XLaLvSIYx5mjPUlJ0KBUl2OH"; + token = "vKx7ZkXHrQES3cAgNTr0KhT0LQZK3gKj7KY2Jdk3"; labels = [ "ubuntu-latest:docker://node:16-bullseye" "ubuntu-22.04:docker://node:16-bullseye" 
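Review bot: The Gitea Actions runner registration token on the `token =` line is committed in plaintext, and this commit rotates it by swapping one literal for another, so both the old and the new token now sit in git history and should be treated as exposed. Prefer the module's file-backed alternative, `tokenFile = "/path/to/RUNNER_TOKEN_FILE";` (placeholder path), with the file provisioned outside the repo — the agenix input sketched in the flake.nix hunk is one way to do that — and revoke both tokens on the Gitea side. Separately, the haproxy config only routes `frontend http-in` to `garage-web`; `backend garage-s3` is defined but nothing refers to it, and because `services.garage` is commented out in the next hunk both backends point at 127.0.0.1 ports nothing listens on, so the `bind *:88` frontend (opened in the firewall later in this diff) will answer with 503s until garage is enabled. The enclosing attribute set continues outside the hunk.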
@@ -26,6 +52,43 @@ ]; }; + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + + # services.garage = { + # enable = true; + # package = pkgs.garage_0_8; + # settings = { + # metadata_dir = "/var/lib/garage/meta"; + # data_dir = "/var/lib/garage/data"; + # db_engine = "lmdb"; + # compression_level = 2; + # replication_mode = "none"; + # rpc_bind_addr = "[::]:3901"; + # rpc_public_addr = "0.0.0.0:3901"; + # rpc_secret = "aa6d8a7fc7a53d3c89b28838920eb75934ee8cb814b322c2c9f96af687a6f053"; + # + # s3_api = { + # s3_region = "garage"; + # api_bind_addr = "127.0.0.1:3900"; + # root_domain = ".s3.mzsl.nl"; + # }; + # + # s3_web = { + # bind_addr = "127.0.0.1:3902"; + # root_domain = ".site.mzsl.nl"; + # index = "index.html"; + # }; + # }; + # }; + # Use the systemd-boot EFI boot loader. # boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -55,20 +118,6 @@ nameservers = ["1.1.1.1" "8.8.8.8"]; }; - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = ""; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.users.adminmz = { isNormalUser = true; 
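Review bot: `services.prometheus.exporters.node` is enabled on port 9002 without a `listenAddress`, so it binds all interfaces, and the firewall hunk later in this diff adds 9002 to `allowedTCPPorts`; host metrics (systemd unit state, kernel and hardware details) thus become readable by anyone who can reach enp2s0. If the scraper is local or on the WireGuard side, set `listenAddress = "127.0.0.1";` (or the wg0 address `"10.100.0.1"`) and drop 9002 from the public firewall list. The commented-out `services.garage` block also carries an `rpc_secret` literal; a secret inside a comment is still a secret in git history, so it should be rotated before garage is enabled and loaded from a file outside the repo rather than written inline.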
@@ -98,11 +147,52 @@ # }; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 80 443 22 ]; - networking.firewall.allowedUDPPorts = [ 80 443 22 ]; + networking.firewall.allowedTCPPorts = [ 22 80 88 443 9002 2022 ]; + networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820]; # Or disable the firewall altogether. - # networking.firewall.enable = false; + networking.firewall.enable = true; + networking.nat.enable = true; + networking.nat.externalInterface = "enp2s0"; + networking.nat.internalInterfaces = [ "wg0" ]; + + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = [ "10.100.0.1/24" ]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51820; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp2s0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/etc/wireguard/private"; + + peers = [ + # List of allowed peers. + { # PC werk + publicKey = "0PWQA3zf48RFFJXMxPE/i6FWzbH9FzKliRugtDVmPlY="; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. 
+ allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; + }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave diff --git a/nixos/roles/server.nix b/nixos/roles/server.nix index 43f491e..ba580ed 100644 --- a/nixos/roles/server.nix +++ b/nixos/roles/server.nix @@ -3,6 +3,7 @@ { imports = [ ../modules/ssh.nix + ../modules ]; options = {
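Review bot: `networking.firewall.allowedUDPPorts = [ 22 80 88 443 9002 2022 51820]` opens UDP for services that only speak TCP (ssh, http/https, the haproxy frontend, the node exporter); only WireGuard's 51820 belongs there, so `networking.firewall.allowedUDPPorts = [ 51820 ];`. Port 2022 appears in both lists but nothing in this diff listens on it; if it is intended for a service configured elsewhere a comment naming it would help, otherwise it should be dropped. The `postSetup`/`postShutdown` iptables MASQUERADE rules appear to duplicate what `networking.nat` with `externalInterface = "enp2s0"` and `internalInterfaces = [ "wg0" ]` already installs, so keeping only `networking.nat` and deleting the two hand-written iptables scripts avoids rules that can diverge from the declared interface name. The enclosing attribute set continues outside the hunk.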
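Review bot: `../modules` in `imports` resolves to `../modules/default.nix`, which this commit neither adds nor shows; if that file does not already exist the flake fails to evaluate, and if it imports `ssh.nix` itself the explicit `../modules/ssh.nix` line above becomes redundant (harmless, since NixOS deduplicates identical path imports, but misleading). A short comment such as `# aggregates the module set via ../modules/default.nix` would make the intent clear.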