diff --git a/deploy.sh b/deploy.sh
index 6f3d692..9f50ae2 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -5,6 +5,7 @@ set -ex
 USERNAME="root"
 IP="gerd.fricloud.dk"
 NIXPKGS=$(nix build --impure --json --expr '(import ./shared/sources).nixpkgs' | jq -r '.[].outputs.out')
+NIXPKGS=$(nix eval --impure --json  --expr '(import ./shared/sources/default.nix).nixpkgs.outPath' | jq -r)
 
 export NIX_PATH="nixpkgs=$NIXPKGS"
 
diff --git a/machines/gerd.nix b/machines/gerd.nix
index cbc4941..76dbd7c 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -55,5 +55,10 @@
     };
   };
 
+  # TMP FIX FOR https://github.com/nix-community/impermanence/issues/229
+  boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
+  systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
+
+
   system.stateVersion = "24.11";
 }
diff --git a/machines/gerd/services/forgejo/forgejo.nix b/machines/gerd/services/forgejo/forgejo.nix
index eb6e0b8..0134cef 100644
--- a/machines/gerd/services/forgejo/forgejo.nix
+++ b/machines/gerd/services/forgejo/forgejo.nix
@@ -37,10 +37,6 @@ in {
     };
   };
 
-  # TODO(eyJhb): remove after our ban expires (and nginx config)
-  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
-  security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
-
   services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
diff --git a/machines/gerd/services/forgejo/patches/link-accounts-template.patch b/machines/gerd/services/forgejo/patches/link-accounts-template.patch
index 4e56395..252d810 100644
--- a/machines/gerd/services/forgejo/patches/link-accounts-template.patch
+++ b/machines/gerd/services/forgejo/patches/link-accounts-template.patch
@@ -1,11 +1,26 @@
 diff --git a/templates/user/auth/link_account.tmpl b/templates/user/auth/link_account.tmpl
-index 8dd49ccd60..8cdce5e1ad 100644
+index e8bb3d409c..aa6d18b97a 100644
 --- a/templates/user/auth/link_account.tmpl
 +++ b/templates/user/auth/link_account.tmpl
+@@ -4,12 +4,12 @@
+ 		<div class="overflow-menu-items tw-justify-center">
+ 			<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
+ 			{{if not .AllowOnlyInternalRegistration}}
+-				<a class="item {{if not .user_exists}}active{{end}}"
++				<a class="item"
+ 					data-tab="auth-link-signup-tab">
+ 					{{ctx.Locale.Tr "auth.oauth_signup_tab"}}
+ 				</a>
+ 			{{end}}
+-			<a class="item {{if .user_exists}}active{{end}}"
++			<a class="item active"
+ 				data-tab="auth-link-signin-tab">
+ 				{{ctx.Locale.Tr "auth.oauth_signin_tab"}}
+ 			</a>
 @@ -17,11 +17,11 @@
  	</overflow-menu>
  	<div class="ui middle very relaxed page grid">
- 		<div class="column">
+ 		<div class="column tw-flex tw-flex-col tw-gap-4 tw-max-w-2xl tw-m-auto">
 -			<div class="ui tab {{if not .user_exists}}active{{end}}"
 +			<div class="ui tab"
  				data-tab="auth-link-signup-tab">
diff --git a/machines/gerd/services/forgejo/patches/signin-template.patch b/machines/gerd/services/forgejo/patches/signin-template.patch
index 30c4972..eece720 100644
--- a/machines/gerd/services/forgejo/patches/signin-template.patch
+++ b/machines/gerd/services/forgejo/patches/signin-template.patch
@@ -1,20 +1,20 @@
 diff --git a/templates/user/auth/signin_inner.tmpl b/templates/user/auth/signin_inner.tmpl
-index 9872096fbc..1076f90326 100644
+index d4ba664e37..2c94eafc22 100644
 --- a/templates/user/auth/signin_inner.tmpl
 +++ b/templates/user/auth/signin_inner.tmpl
-@@ -10,6 +10,7 @@
- </h4>
- <div class="ui attached segment">
- 	<form class="ui form tw-max-w-2xl tw-m-auto" action="{{.SignInLink}}" method="post">
-+	<div {{if not .LinkAccountMode}}style="display:none;"{{end}}>
- 	{{.CsrfTokenHtml}}
- 	<div class="required field {{if and (.Err_UserName) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
- 		<label for="user_name">{{ctx.Locale.Tr "home.uname_holder"}}</label>
-@@ -53,6 +54,7 @@
- 	<div class="divider divider-text">
- 		{{ctx.Locale.Tr "sign_in_or"}}
- 	</div>
-+	</div>
- 	<div id="oauth2-login-navigator" class="tw-py-1">
- 		<div class="tw-flex tw-flex-col tw-justify-center">
- 			<div id="oauth2-login-navigator-inner" class="tw-flex tw-flex-col tw-flex-wrap tw-items-center tw-gap-2">
+@@ -11,6 +11,7 @@
+ 	</h4>
+ 	<div class="ui attached segment">
+ 		<form class="ui form" action="{{.SignInLink}}" method="post">
++			<div {{if not .LinkAccountMode}}style="display:none;"{{end}}>
+ 			{{.CsrfTokenHtml}}
+ 			<div class="required field {{if and (.Err_UserName) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeSignIn))}}error{{end}}">
+ 				<label for="user_name">{{ctx.Locale.Tr "home.uname_holder"}}</label>
+@@ -43,6 +44,7 @@
+ 					{{end}}
+ 				</button>
+ 			</div>
++			</div>
+ 		</form>
+ 
+ 		{{template "user/auth/oauth_container" .}}
diff --git a/machines/gerd/services/lldap.nix b/machines/gerd/services/lldap.nix
index 6c9958f..3866f61 100644
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@@ -5,13 +5,13 @@ let
 
   resetPasswordStartPatch = pkgs.writeText "lldap-reset-password-start.patch" ''
 diff --git a/server/src/main.rs b/server/src/main.rs
-index 71e4928..63be13c 100644
+index 6f42473..b3746a1 100644
 --- a/server/src/main.rs
 +++ b/server/src/main.rs
-@@ -158,7 +158,7 @@ async fn set_up_server(config: Configuration) -> Result<ServerBuilder> {
+@@ -171,7 +171,7 @@ async fn set_up_server(config: Configuration) -> Result<ServerBuilder> {
          ))?;
      }
-     if config.force_update_private_key || config.force_ldap_user_pass_reset {
+     if config.force_update_private_key || config.force_ldap_user_pass_reset.is_yes() {
 -        bail!("Restart the server without --force-update-private-key or --force-ldap-user-pass-reset to continue.");
 +        // bail!("Restart the server without --force-update-private-key or --force-ldap-user-pass-reset to continue.");
      }
diff --git a/shared/sources/default.nix b/shared/sources/default.nix
index e07d00f..5611e31 100644
--- a/shared/sources/default.nix
+++ b/shared/sources/default.nix
@@ -8,10 +8,15 @@ in sources // {
     src = sources.nixpkgs;
     name = "nixpkgs-patched";
     patches = [
-      # tmp teeworlds fetchpatch to inject secrets
+      # tmp - lldap: 0.5.1-unstable-2024-08-09 -> 0.5.1-unstable-2024-10-30
       (pkgs.fetchpatch {
-        url = "https://github.com/NixOS/nixpkgs/pull/334590.patch";
-        sha256 = "sha256-kP5wYYxR+sSGBla9d4+iGUu1SHA4q2UkLuebhZUhAxo=";
+        url = "https://github.com/NixOS/nixpkgs/pull/352840.patch";
+        sha256 = "sha256-O4zxn4AgUrggCkqUEkmVsUAbMTL/Jhki6Q+j1mhHWLw=";
+      })
+      # tmp - stalwart-mail.webadmin: pin wasm-bindgen-cli version
+      (pkgs.fetchpatch {
+        url = "https://github.com/NixOS/nixpkgs/pull/353360.patch";
+        sha256 = "sha256-WPNnvVmtySyEk58kVIYWVx3VN8MhX4v2ITLLnUGhpz4=";
       })
     ];
   };
diff --git a/shared/sources/sources.json b/shared/sources/sources.json
index 21494f9..d55e22a 100644
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
@@ -17,10 +17,10 @@
         "homepage": "",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe",
-        "sha256": "16zjxysjhk3sgd8b4x5mvx9ilnq35z3zfpkv1la33sqkr8xh1amn",
+        "rev": "856a2902156ba304efebd4c1096dbf7465569454",
+        "sha256": "0r5yxld3yshrd09hblwzf9sadsa6p8nc24xadpajxldk2pskdmmi",
         "type": "tarball",
-        "url": "https://github.com/nix-community/disko/archive/e55f9a8678adc02024a4877c2a403e3f6daf24fe.tar.gz",
+        "url": "https://github.com/nix-community/disko/archive/856a2902156ba304efebd4c1096dbf7465569454.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "impermanence": {
@@ -29,10 +29,10 @@
         "homepage": "",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
-        "sha256": "0xnshgwfg834dm9l14p2w3wmhjysjpqpgfk37im0vrk1qgva19g2",
+        "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
+        "sha256": "0s6wb425pp2906mavcpwk9mnjw94xhzmvhqf711986kzlbjlflav",
         "type": "tarball",
-        "url": "https://github.com/nix-community/impermanence/archive/63f4d0443e32b0dd7189001ee1894066765d18a5.tar.gz",
+        "url": "https://github.com/nix-community/impermanence/archive/0d09341beeaa2367bac5d718df1404bf2ce45e6f.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
@@ -41,10 +41,10 @@
         "homepage": null,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
-        "sha256": "0s6h7r9jin9sd8l85hdjwl3jsvzkddn3blggy78w4f21qa3chymz",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "sha256": "0mny4jzyimbfr2amc751nl2rwdlxz6wffadvygk8ra225sr3ma0f",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/574d1eac1c200690e27b8eb4e24887f8df7ac27c.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }