diff --git a/hive.nix b/hive.nix index be56c3a..7f0c8d7 100644 --- a/hive.nix +++ b/hive.nix @@ -1,6 +1,8 @@ let src = import ./npins; - pkgs = import src.nixpkgs { }; + pkgs = import src.nixpkgs { + config.permittedInsecurePackages = [ "olm-3.2.16" ]; + }; disko = (import src.disko { inherit (pkgs) lib; }); diskConfig = import ./disks/ext4.nix { inherit (pkgs) lib; @@ -8,7 +10,11 @@ let in { meta = { - nixpkgs = src.nixpkgs; + nixpkgs = pkgs; + nodeNixpkgs = { + # FIXME discourse est cassé en unstable + pendragon = src."nixpkgs-24.11"; + }; }; # FIXME @@ -21,6 +27,9 @@ in "${src.agenix}/modules/age.nix" ]; + deployment.targetHost = "${name}.federez.net"; + networking.hostName = name; + security.acme.defaults.email = "monitoring@federez.net"; security.acme.acceptTerms = true; @@ -45,10 +54,8 @@ in time.timeZone = "Europe/Paris"; }; - vogon = { name, nodes, ... }: { + vogon = { ... }: { deployment.tags = [ "hypervisor" ]; - deployment.targetHost = "vogon.federez.net"; - networking.hostName = name; networking.hostId = "1751e2a7"; imports = [ @@ -57,12 +64,8 @@ in ]; }; - estragon = { name, nodes, pkgs, ... }: { + estragon = { pkgs, ... }: { deployment.tags = [ "matrix" ]; - deployment.targetHost = "estragon.federez.net"; - networking.hostName = name; - - environment.systemPackages = [ pkgs.tcpdump pkgs.openssl ]; glucagon.networking = { nibble = 227; @@ -88,10 +91,8 @@ in system.build.diskoScript = disko.diskoScript diskConfig pkgs; }; - wagon = { name, nodes, ... }: { + wagon = { pkgs, ... }: { deployment.tags = [ "vaultwarden" "pass" "passwords" ]; - deployment.targetHost = "wagon.federez.net"; - networking.hostName = name; glucagon.networking = { nibble = 228; @@ -114,10 +115,8 @@ in system.build.diskoScript = disko.diskoScript diskConfig pkgs; }; - lagon = { name, nodes, ... }: { + lagon = { pkgs, ... }: { deployment.tags = [ "keycloak" "wayf" ]; - deployment.targetHost = "lagon.federez.net"; - networking.hostName = name; glucagon.networking = { nibble = 229; 
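Review bot: `config.permittedInsecurePackages = [ "olm-3.2.16" ]` is set on the shared `pkgs`, so the exception for a package nixpkgs flags as insecure now applies to every node, while only the host tagged "matrix" (estragon) plausibly links olm. Narrow it to that node through `meta.nodeNixpkgs.estragon = import src.nixpkgs { config.permittedInsecurePackages = [ "olm-3.2.16" ]; }`, mirroring what the next hunk does for pendragon, and keep the global `pkgs` unchanged. Whichever scope is kept, record the consumer and the exit condition beside it, e.g. `# olm is flagged insecure upstream; still required by <matrix bridge> on estragon — remove once that bridge no longer depends on libolm` (the consumer is not visible in this diff). Left global, a later unrelated dependency on olm on any other host would be accepted without review.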
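Review bot: `nodeNixpkgs.pendragon = src."nixpkgs-24.11"` hands colmena a bare channel path, so nothing in the `config` attached to `pkgs` in the first hunk reaches this node, and pendragon stops tracking unstable's fixes for as long as the pin lasts; both consequences deserve to be written down. The FIXME is in French while the comment it replaces ("# FIXME can't update: discourse pkg is broken") was English; keep one language and name the condition that retires the pin, e.g. `# FIXME pendragon pinned to 24.11 because discourse is broken on unstable; drop this entry and the npins pin once it builds again`.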
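Review bot: `deployment.targetHost = "${name}.federez.net"` and `networking.hostName = name` depend on `name` being bound by the enclosing `defaults` function, whose parameter list is outside this hunk; the per-node `{ name, nodes, ... }` patterns that used to bind it are removed in the later hunks of this file, so if `defaults` still takes `{ ... }` alone evaluation fails with an undefined variable. The move to `defaults` is a good deduplication; a one-line comment above the pair, `# name is the colmena node name; every node is reachable as <name>.federez.net`, makes the convention explicit for hosts added later.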
@@ -140,10 +139,8 @@ in system.build.diskoScript = disko.diskoScript diskConfig pkgs; }; - aragon = { name, nodes, ... }: { + aragon = { pkgs, ... }: { deployment.tags = [ "gitlab" ]; - deployment.targetHost = "aragon.federez.net"; - networking.hostName = name; glucagon.networking = { nibble = 231; @@ -166,11 +163,8 @@ in system.build.diskoScript = disko.diskoScript diskConfig pkgs; }; - # FIXME can't update: discourse pkg is broken - pendragon = { name, nodes, ... }: { + pendragon = { pkgs, ... }: { deployment.tags = [ "discourse" ]; - deployment.targetHost = "pendragon.federez.net"; - networking.hostName = name; glucagon.networking = { nibble = 233; @@ -193,18 +187,21 @@ in system.build.diskoScript = disko.diskoScript diskConfig pkgs; }; - perdrigon = { name, nodes, ... }: { + perdrigon = { pkgs, ... }: { deployment.tags = [ "indico" ]; - deployment.targetHost = "perdrigon.federez.net"; - federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0"; - networking.hostName = name; glucagon.networking = { nibble = 234; wan-mac = "BC:24:11:04:9B:51"; }; + infra-net.leaf = { + mac = "BC:24:11:09:B8:76"; + id = 17; + }; + imports = [ + (disko.config diskConfig) ./profiles/vm.nix ./profiles/indico.nix ]; diff --git a/npins/sources.json b/npins/sources.json index a76001a..9ded7b3 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -39,6 +39,12 @@ "url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz", "hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl" }, + "nixpkgs-24.11": { + "type": "Channel", + "name": "nixos-24.11", + "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716438.7ffe0edc685f/nixexprs.tar.xz", + "hash": "1i99256170lllhdy8z1agvb4hgim20zs7i2qvikw5x9ldzh4q7zv" + }, "nixpkgs": { "type": "Channel", "name": "nixos-unstable-small", diff --git a/profiles/irc-bot.nix b/profiles/irc-bot.nix index f594b84..09d56f2 100644 --- a/profiles/irc-bot.nix +++ b/profiles/irc-bot.nix 
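Review bot: The removed `federez.monitoring.apiKey = "370a181d-…"` was a credential committed in clear text, and deleting the line from hive.nix does not revoke it: the value stays in the git history of every clone. Rotate the key on the monitoring side and keep only the rotated value wherever it now lives (an agenix secret, by the look of secrets.nix), with a note at that location such as `# rotated after the previous value was committed in clear in hive.nix`. The new `infra-net.leaf` block and the `(disko.config diskConfig)` import match the shape used by the other nodes; the rest of the perdrigon definition continues outside the hunk.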
@@ -2,7 +2,7 @@ let cfg = config.services.matrix-appservice-irc; bindPort = cfg.settings.ircService.mediaProxy.bindPort; - upstreamUrl = "http://127.0.0.1:${toString bindPort}"; + upstreamUrl = "127.0.0.1:${toString bindPort}"; in { services.nginx = { enable = true; diff --git a/profiles/matrix-server.nix b/profiles/matrix-server.nix index 70aed6d..e2d4de8 100644 --- a/profiles/matrix-server.nix +++ b/profiles/matrix-server.nix @@ -50,7 +50,7 @@ in { # in client applications. settings.public_baseurl = baseUrl; settings.app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/irc-registration.yml" ]; settings.listeners = [ diff --git a/profiles/vogon.nix b/profiles/vogon.nix index 2785aa9..adf5ffe 100644 --- a/profiles/vogon.nix +++ b/profiles/vogon.nix @@ -64,6 +64,9 @@ "sr_mod" ]; + # FIXME + networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ]; + systemd.network.links = { "10-phy1" = { matchConfig.MACAddress = "18:66:da:75:da:04"; @@ -114,19 +117,22 @@ }; wireguardPeers = [ { - PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA="; + PublicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY="; Endpoint = "89.234.162.224:51039"; AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ]; + PersistentKeepalive = 10; } { - PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA="; + PublicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg="; Endpoint = "137.194.12.129:51039"; AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ]; + PersistentKeepalive = 10; } { - PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc="; + PublicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc="; Endpoint = "193.48.225.201:51039"; AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ]; + PersistentKeepalive = 10; } ]; }; 
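Review bot: `upstreamUrl = "127.0.0.1:${toString bindPort}"` drops the scheme, and whether that is correct depends on the use site, which is outside this hunk: an `upstreams` server entry takes host:port only, but `proxyPass` requires the scheme and nginx refuses to start without it. If the value now names an upstream server, rename it so the binding says what it holds, `upstreamAddr = "127.0.0.1:${toString bindPort}";`, and add `# host:port for the nginx upstream block; no scheme` above it. The `let` that opens the file is header context, so the binding list begins before the hunk.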
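Review bot: Commenting out `"/var/lib/matrix-synapse/telegram-registration.yaml"` stops synapse from honouring the bridge, but the registration file with its `as_token`/`hs_token` stays on disk as a dead credential. If the telegram bridge is being retired, remove that file and the bridge state as well (outside this diff); if this is temporary, say so instead of leaving a bare commented-out element, e.g. `# telegram bridge disabled: <reason>; re-enable by restoring the line below`. A commented-out list entry is easy to overlook on later reads, so deleting it with the reason in the commit message is the clearer option.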
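Review bot: `networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ]` exempts all traffic arriving on those three interfaces from the firewall, and the last hunk of this file shows `br-infra` carrying `10.42.0.1/16`, so anything attached to that bridge (guest VMs on a node tagged "hypervisor") gets unfiltered access to every listener on the host. Replace the blanket trust with per-interface allow lists for the services that actually need to be reachable, e.g. `networking.firewall.interfaces."wg-infra".allowedTCPPorts = [ <required ports> ];` and likewise for `br-infra`, and give the FIXME content: `# FIXME replace interface-wide trust with explicit per-interface ports once the required services are listed`. The required port set is not visible in this diff, so it is marked as a placeholder here.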
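Review bot: The three `wireguardPeers` stanzas now differ only in `PublicKey`, `Endpoint` and `AllowedIPs`, and the rotation plus the new `PersistentKeepalive = 10;` had to be applied three times by hand; generating them from a list removes the chance that a fourth peer added later misses one of the shared fields. `PersistentKeepalive = 10` is also more frequent than the value usually recommended for NAT traversal (25); if 10 is deliberate, a comment on the list, `# keepalive 10 s: <reason>`, would save the next reader a question. The enclosing netdev definition starts before this hunk.
```nix
wireguardPeers = map (peer: {
  PublicKey = peer.publicKey;
  Endpoint = peer.endpoint;
  AllowedIPs = [ peer.ip ];
  PersistentKeepalive = 10;
}) [
  { publicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY="; endpoint = "89.234.162.224:51039"; ip = "fd0a:66d3:1c19:1000::2"; }
  { publicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg="; endpoint = "137.194.12.129:51039"; ip = "fd0a:66d3:1c19:1000::3"; }
  { publicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc="; endpoint = "193.48.225.201:51039"; ip = "fd0a:66d3:1c19:1000::4"; }
];
```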
@@ -156,6 +162,7 @@
 };
 "10-br-infra" = {
 matchConfig.Name = "br-infra";
+ linkConfig.MACAddress = "9E:D8:78:A1:CE:22";
 address = [
 "fd0a:66d3:1c19:42::1/64"
 "10.42.0.1/16"
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c5836a2..c360af2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,10 +22,10 @@ let
 keycloak-admins = active-admins;
 ldap-bind-admins = active-admins;
 discourse-admins = active-admins;
+ wg-admins = active-admins;
 indico-admins = active-admins;
 grafana-admins = active-admins;
- wg-admins = active-admins;
- servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
+ servers = [ estragon wagon lagon klingon aragon pendragon vogon perdrigon martagon ];
 in
 {
 "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
diff --git a/secrets/vogon-wg-infra-key.age b/secrets/vogon-wg-infra-key.age
index db5c8a3..2cd6517 100644
Binary files a/secrets/vogon-wg-infra-key.age and b/secrets/vogon-wg-infra-key.age differ
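Review bot: Adding `vogon` to `servers = [ estragon wagon lagon klingon aragon pendragon vogon perdrigon martagon ]` makes the hypervisor a recipient of every secret whose `publicKeys` is built from `servers`, not only of its own `vogon-wg-infra-key.age`; the use sites are outside this hunk, so the exact set granted is inferred. If the only secret vogon must decrypt is its wireguard key, leave `servers` as it was and key that file explicitly, `"vogon-wg-infra-key.age".publicKeys = [ vogon ] ++ wg-admins;`, so the host holding every guest cannot also read every guest's secrets. Moving `wg-admins = active-admins;` up the list is cosmetic; the reorder of the binding carries no change.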