diff --git a/machines/gerd/services/lldap/default.nix b/machines/gerd/services/lldap/default.nix
index dd36177..12806c5 100644
--- a/machines/gerd/services/lldap/default.nix
+++ b/machines/gerd/services/lldap/default.nix
@@ -204,7 +204,6 @@ in {
 in lib.concatStrings (cap parts);
 in {
 uid = "uid";
- creationdate = "creationdate";
 firstname = "givenName";
 lastname = "sn";
 email = "mail";
diff --git a/machines/gerd/services/stalwart/default.nix b/machines/gerd/services/stalwart/default.nix
index 16cca83..8b0edd3 100644
--- a/machines/gerd/services/stalwart/default.nix
+++ b/machines/gerd/services/stalwart/default.nix
@@ -7,13 +7,7 @@
 mine.shared.meta.stalwart = {
 name = "Stalwart Mail";
- description = ''
- We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.
- From here encryption-at-rest can be setup with either OpenPGP or S/MIME. Keep in mind, Change Password, Two-factor Auth and App Passwords
- do not work, as we are using LDAP for authentication instead.
- '';
-
- url = "https://${config.mine.shared.settings.mail.domain}";
+ description = "We host our own mailserver, which can be reached on ${config.mine.shared.settings.mail.domain} with your LDAP username and password.";
 package = let
 pkg = config.services.stalwart-mail.package;
diff --git a/machines/gerd/services/stalwart/stalwart.nix b/machines/gerd/services/stalwart/stalwart.nix
index c50dfcb..1ab1106 100644
--- a/machines/gerd/services/stalwart/stalwart.nix
+++ b/machines/gerd/services/stalwart/stalwart.nix
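Review bot: The rewritten `description` drops the only user-facing statement that Change Password, Two-factor Auth and App Passwords do not work because authentication is delegated to LDAP; nothing else in this commit changes how passwords are verified (the `ldap` directory in stalwart.nix still has `secret` commented out), so that limitation presumably still holds and users will now discover it by trial. If it is still true, keep one sentence, e.g. `Change Password, Two-factor Auth and App Passwords are not available because authentication is handled by LDAP.`, or point to wherever the LDAP password is actually changed. Removing `url` also removes the link users followed to reach the service; if that is intended because the management UI is no longer proxied by nginx, say so in the description.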
@@ -1,10 +1,7 @@
 { config, lib, pkgs, ... }:
 let
- svc_domain = "stalwart.${config.mine.shared.settings.domain}";
- svc_domain_mail = "mail.${config.mine.shared.settings.domain}";
- # TODO(eyJhb): in theory these domains are not used, they're just
- # nice to have.. maybe.
+ svc_domain = "mail.${config.mine.shared.settings.domain}";
 svc_domain_smtp = "smtp.${config.mine.shared.settings.domain}";
 svc_domain_imap = "imap.${config.mine.shared.settings.domain}";
@@ -30,7 +27,7 @@ in {
 openFirewall = true;
 settings = {
- lookup.default.hostname = svc_domain_mail;
+ lookup.default.hostname = svc_domain;
 store.db.path = "${stateDir}/db";
@@ -75,15 +72,11 @@ in {
 quota = lconfig.attr.membermaildiskquota;
 class = "objectClass";
 groups = "memberOf";
- # we dont have access to this in lldap, and
- # therefore we use secret-changed instead
+ # we dont have access to this in lldap
 # secret = lconfig.attr.stalwart_secret;
- # TODO(eyJhb): remove once LLDAP gets
- # plugin support, so we can make a plugin
- # that updates a attribute on password updates
- # https://github.com/lldap/lldap/pull/1119
- secret-changed = lconfig.attr.creationdate;
 });
+
+
 };
 storage.directory = "ldap";
@@ -94,7 +87,7 @@ in {
 submissions = { bind = [ "[::]:${builtins.toString ports.submissions}"]; protocol = "smtp"; tls.implicit = true; };
 imaptls = { bind = [ "[::]:${builtins.toString ports.imaptls}"]; protocol = "imap"; tls.implicit = true; };
- management = { bind = [ "[::]:${builtins.toString ports.http_management}" ]; protocol = "http"; };
+ management = { bind = [ "127.0.0.1:${builtins.toString ports.http_management}" ]; protocol = "http"; };
 };
 certificate.domain = {
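Review bot: With `secret-changed` removed and `secret` still commented out, the `ldap` directory no longer maps any password attribute at all, so Stalwart can only verify passwords through an LDAP bind; the `bind.auth` settings that would enable that are outside this hunk (the directory block starts before `quota`), so confirm they are present, otherwise every login fails rather than falling back. The old comment said why `secret-changed` was there (a stand-in for `secret` until lldap can update an attribute on password change); the replacement `# we dont have access to this in lldap` no longer says how a password change is picked up, so suggest `# lldap exposes neither a password hash nor a last-changed attribute; rely on LDAP bind auth (see bind.auth) — verify that sessions/tokens are invalidated on password change`. The two added blank lines after `});` look accidental.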
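Review bot: Before this change the management listener was bound to `[::]` while `openFirewall = true` (visible in the earlier hunk) lets the NixOS module open listener ports, so the plain-HTTP admin interface was presumably reachable from the network directly, bypassing the nginx TLS vhost; binding it to `127.0.0.1` closes that and is worth stating in the commit message. Two loose ends: the module may still add the management port to the firewall allow-list (harmless with a loopback bind, but a `# loopback only; reach via an SSH tunnel` comment on this line saves the next reader a check), and `localhost` can resolve to `::1` for such a tunnel, so consider `bind = [ "127.0.0.1:${builtins.toString ports.http_management}" "[::1]:${builtins.toString ports.http_management}" ];`. The `listener` block starts outside this hunk.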
@@ -146,19 +139,13 @@ in {
 ];
 # setup certs
- services.nginx.virtualHosts."${svc_domain_mail}" = {
+ services.nginx.virtualHosts."${svc_domain}" = {
 forceSSL = true;
 enableACME = true;
 serverAliases = [ svc_domain_smtp svc_domain_imap ];
 root = pkgs.writeTextDir "index.html" "Nothing.";
 };
- services.nginx.virtualHosts."${svc_domain}" = {
- forceSSL = true;
- enableACME = true;
- locations."/".proxyPass = "http://localhost:${builtins.toString ports.http_management}";
- };
-
 # need to change group to stalwart-mail for cert + add nginx to stalwart-mail group to do HTTP ACME
 users.users.nginx.extraGroups = [ stalwart_group ];
 security.acme.certs."${svc_domain}" = {
@@ -173,7 +160,6 @@ in {
 mine.shared.settings.mail = {
 domain = svc_domain;
- domain_mail = svc_domain_mail;
 domain_smtp = svc_domain_smtp;
 domain_imap = svc_domain_imap;
diff --git a/shared/sources/default.nix b/shared/sources/default.nix
index 12d5f5f..25c0e05 100644
--- a/shared/sources/default.nix
+++ b/shared/sources/default.nix
@@ -8,21 +8,19 @@ in sources // {
 src = sources.nixpkgs;
 name = "nixpkgs-patched";
 patches = [
- # stalwart-mail: 0.11.8 -> 0.12.0
- (pkgs.fetchpatch {
- url = "https://github.com/NixOS/nixpkgs/pull/409178.patch";
- sha256 = "sha256-06J8pTjqeWTL6MJqVq17r3eelL5p/AfvUsPye5icVUg=";
- })
- # nixos/stalwart-mail: fix incorrect config for webadmin and spam-filter
- (pkgs.fetchpatch {
- url = "https://github.com/NixOS/nixpkgs/pull/412054.patch";
- sha256 = "sha256-OExslGsrGGPWSJJFPkZgYV8DaPKq9YDlmozPf/bV6dE=";
- })
+ # # tmp - lldap: 0.5.1-unstable-2024-10-30 -> 0.6.1
+ # (pkgs.fetchpatch {
+ # url = "https://github.com/NixOS/nixpkgs/pull/359835.patch";
+ # sha256 = "sha256-2C9l4v9MaUJyiaB+kslTsSjsqTZ7RlcfMNlRzZblMik=";
+ # })
+ # tmp - stalwart-mail.webadmin: pin wasm-bindgen-cli version
+ # (pkgs.fetchpatch {
+ # url = "https://github.com/NixOS/nixpkgs/pull/353360.patch";
+ # sha256 = "sha256-WPNnvVmtySyEk58kVIYWVx3VN8MhX4v2ITLLnUGhpz4=";
+ # })
 ];
 };
- # nixpkgs = pkgs.lib.cleanSource /state/home/projects/nixos/nixpkgs;
-
 drasl = pkgs.applyPatches {
 src = sources.drasl;
 name = "drasl-patched";
diff --git a/shared/sources/sources.json b/shared/sources/sources.json
index 6949936..64d5621 100644
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
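Review bot: Every new entry in `patches` is commented out in full, hashes included, so the list is now empty and carries only dead configuration; the `# # tmp` double marker on the first line suggests it was commented out twice. If they are kept as a reminder, a one-line `# kept for reference, not applied:` above them makes that explicit; otherwise drop them, because a stale patch URL and hash are easy to re-enable by accident later. Dropping the stalwart-mail 0.12 patches together with moving `nixpkgs` to the `nixos-25.05` branch (sources.json in this commit) changes the deployed Stalwart version without naming it anywhere in the diff; stating the resulting version in the commit message would help, since the `directory` settings removed in stalwart.nix depend on what that version supports.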
@@ -67,15 +67,15 @@
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "nixos-unstable",
+ "branch": "nixos-25.05",
 "description": "Nix Packages collection",
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102",
- "sha256": "064q32jmj54iwgh4lcdg2aii75cr5lvb683ym5pmj2kkj340pnpd",
+ "rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
+ "sha256": "0klkpy7ah033y3cwj51a0l96lwmkqqvwgfv3kid4z9x5g2rqr0l5",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/96ec055edbe5ee227f28cdbc3f1ddf1df5965102.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/7282cb574e0607e65224d33be8241eae7cfe0979.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }