diff --git a/.sops.yaml b/.sops.yaml index 443c711..40ae249 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -29,3 +29,7 @@ creation_rules: key_groups: - age: - *primary + - path_regex: secrets/aquarius-wg.yaml + key_groups: + - age: + - *primary diff --git a/modules/home/cli-apps/fish/default.nix b/modules/home/cli-apps/fish/default.nix index 8abd67b..f97ff8c 100644 --- a/modules/home/cli-apps/fish/default.nix +++ b/modules/home/cli-apps/fish/default.nix @@ -22,6 +22,7 @@ in shellAliases = { nix-dns = "nixos-rebuild switch --flake ${flakeRoot}/.#dns --target-host dns-1 --sudo --ask-sudo-password && nixos-rebuild switch --flake ${flakeRoot}/.#dns --target-host dns-2 --sudo --ask-sudo-password"; nix-blarm = "nixos-rebuild switch --flake ${flakeRoot}/.#blarm --target-host blarm --sudo --ask-sudo-password"; + nix-aquarius = "nixos-rebuild switch --flake ${flakeRoot}/.#aquarius --target-host aquarius --sudo --ask-sudo-password"; cd = "z"; ls = "exa --icons"; l = "exa"; diff --git a/overlays/cinny/default.nix b/overlays/cinny/default.nix index 3c04f0c..46fb09d 100644 --- a/overlays/cinny/default.nix +++ b/overlays/cinny/default.nix @@ -8,16 +8,17 @@ final: prev: { awesome-flake = (prev.awesome-flake or { }) // { cinny = prev.cinny-unwrapped.overrideAttrs (_old: rec { pname = "cinny-unwrapped"; - version = "65475050d76d6e8da8c3402528215b1425e8ed4e"; + version = "76ac4e298733e67dbfcd3f0c3a4bae169cd521dd"; src = final.fetchFromGitHub { - owner = "GigiaJ"; + #owner = "GigiaJ"; + owner = "cinnyapp"; repo = "cinny"; rev = version; - hash = "sha256-kJZDc53mcJrGIw3Dl4ANq+1O5O2p0tcO2btQGNGRg4A="; + hash = "sha256-tvBaONJwfkCK77aHmWJ/UAAZHq2WIc7geNT2tEFKuZ0="; }; - npmDepsHash = "sha256-GkD+CrblXBv7yPVrTBVIGkz7Wu5llWzlluNq7rmm3CE="; + npmDepsHash = "sha256-9faffTlXEI1lMrVrkSyso/tfjs/4W+TVzmiv+bZAv18="; npmDeps = final.fetchNpmDeps { inherit src; name = "${pname}-${version}-npm-deps"; 
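Review bot: The commented-out `#owner = "GigiaJ";` kept above the new `owner = "cinnyapp";` in the cinny overlay hunk is dead configuration; the previous fork is already recorded in git history, so drop the line rather than carry it in the overlay. Pinning `rev` to a full commit SHA together with the updated `hash` and `npmDepsHash` keeps both the source and the npm closure immutable, which is the right shape for this override. Because `rev = version`, the 40-character SHA also becomes the derivation's version string and store-path name; the nixpkgs convention for unreleased snapshots is `version = "0-unstable-YYYY-MM-DD"` with the SHA placed in `rev` directly, which reads better in `nix path-info` and makes later bumps reviewable — hedged, since I cannot see whether anything else keys off `version`. The enclosing `overrideAttrs` block starts before and ends after this hunk.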
diff --git a/secrets/aquarius-wg.yaml b/secrets/aquarius-wg.yaml
new file mode 100644
index 0000000..634b0aa
--- /dev/null
+++ b/secrets/aquarius-wg.yaml
@@ -0,0 +1,18 @@
+privateKey: ENC[AES256_GCM,data:WtmzHDKRbqbJJ3VXKqqKnqKTcvVDV+yFgFfeKxLv+UErOiEBgqtDhKEs0Io=,iv:admaUfhhKLlu58wKpRvgyGSqOsiY82ix2xJgT0GL8Xs=,tag:eP9Ka0jo2BYxZX0w7eKGqA==,type:str]
+publicKey: ENC[AES256_GCM,data://Kq875vV3gpE3tbMRVt/q7m5LqPRXOka8fzoA2oZzglfE1xtS/kAMPMR44=,iv:5fLk4lBTHwIcGiAM325ykceViCBwRHFLnxZkcqm3Ao4=,tag:g6R0ZSRa2m9JNB2UH3JIJg==,type:str]
+presharedKey: ENC[AES256_GCM,data:EpOJCMzi1XHDbbqdEB+SoC/6LxkHwxZ2DxQINBnGhjXl6JhNYswqTWQuFVU=,iv:GFcxLghV+SQMaJ5J4bQOBPGDQatkSwPLtx57wlWaB+8=,tag:2ofR6eSplwLwe/vYyGyrLg==,type:str]
+sops:
+ age:
+ - recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QWtnVkU1QnVyUU9ROHpO
+ WYp5TU1rTSt6aUlMOHczTXhXTmpUeDIvcDB3CnRRdk5BTnRWOUZiK0R1L0NUNHBn
+ L3FVNnFTbEVmQ2lHUlZwZFJyUWtFRVUKLS0tIFhPcUoxbXgrd3FWYmJMU2ZUTXFv
+ ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
+ f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-02T12:06:55Z"
+ mac: ENC[AES256_GCM,data:T9trFCzxJm3eINbuJIDN04feEHViZz6yiaA59yf9+WyJrLB467DagDc4Qv90vdRJXzakwZSYvprDtglrVReT+Wg2GLdVtNIZmPEaLrfpfBgVaBCEZch48dOh+Ytgc09f95ecyXJV/2xNLBtW8YUs3JZsIAcJQTOOrLLhhPjj96A=,iv:wrwIeLhEsN6LFpO/6RF+DE343xdFhshd4TSeF+le+m8=,tag:rNXmYSJsStd5HeDCgtKSRQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/systems/aarch64-linux/blarm/default.nix b/systems/aarch64-linux/aquarius/default.nix
similarity index 75%
rename from systems/aarch64-linux/blarm/default.nix
rename to systems/aarch64-linux/aquarius/default.nix
index ae7d1e8..3262919 100644
--- a/systems/aarch64-linux/blarm/default.nix
+++ b/systems/aarch64-linux/aquarius/default.nix
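Review bot: The new secret file is encrypted to a single age recipient, `age132m0…k49kgl`, consistent with the `*primary` key group the new .sops.yaml rule assigns it; sops-nix can only decrypt it on aquarius if that recipient's private key is present on the host itself (host ssh key converted to age, or `sops.age.keyFile`). If `*primary` is the administrator's key rather than the host's, activation will fail to materialise `/run/secrets/privateKey` and the wireguard unit will not come up — inferred from the recipient list alone, so confirm which key `*primary` is and add the host key as a second recipient if it is not. `publicKey` is stored encrypted here but nothing in this commit reads it (the peer's public key in networking.nix is inlined), and a WireGuard public key is not secret; keeping it as plain config beside the interface definition would make the key pairing reviewable.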
@@ -19,13 +19,17 @@ with lib.${namespace}; generic-extlinux-compatible.enable = true; }; - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; + nix.settings = { + trusted-users = [ "philipp" ]; + experimental-features = [ + "nix-command" + "flakes" + ]; + }; # Disable detailed ddocumentation documentation.nixos.enable = false; + documentation.man.generateCaches = false; # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -38,7 +42,6 @@ with lib.${namespace}; description = "Philipp Böhm"; extraGroups = [ "wheel" - "caddy" ]; }; @@ -50,16 +53,15 @@ with lib.${namespace}; }; }; + services.openssh.settings.PasswordAuthentication = false; + services.openssh.settings.PermitRootLogin = "no"; + + services.cron = enabled; + awesome-flake = { services = { ssh = enabled; - caddy = enabled; - restic = enabled; - }; - - container = { - technitium = enabled; - invidious = enabled; + technitium-dns-server = enabled; }; system.sops = enabled; diff --git a/systems/aarch64-linux/aquarius/networking.nix b/systems/aarch64-linux/aquarius/networking.nix new file mode 100644 index 0000000..6769fbf --- /dev/null +++ b/systems/aarch64-linux/aquarius/networking.nix 
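Review bot: `trusted-users = [ "philipp" ];` in the first hunk is a root-equivalent grant at the Nix daemon (trusted users may add substituters and push unsigned store paths), and it lands here with no comment saying why. philipp is already in `wheel` a few lines further down, so the effective privilege on this host does not change, but the next reader has to work that out; a one-line why-comment would settle it, e.g. `# root-equivalent: presumably needed so nix-aquarius can push closures as philipp; keep in step with wheel`. The same setting already exists in systems/x86_64-linux/blarm/default.nix (last hunk), so a shared module for the two hosts would avoid the duplication. The enclosing attribute set starts before this hunk.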
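Review bot: `services.openssh.settings.PasswordAuthentication = false;` in the third hunk does not close password logins on its own: NixOS leaves `KbdInteractiveAuthentication` at its default of `true`, and sshd's keyboard-interactive path still accepts the account password through PAM. Add `services.openssh.settings.KbdInteractiveAuthentication = false;` beside the two new settings so that key-only authentication is actually enforced. No `openssh.authorizedKeys` for philipp is visible in this diff; confirm the keys are provisioned (the `ssh = enabled` module, presumably) before this is deployed with the `nix-aquarius` alias, otherwise the next rebuild locks the host out. `PermitRootLogin = "no"` is the right value to pin explicitly.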
@@ -0,0 +1,46 @@
+{
+ networking = {
+ hostName = "aquarius";
+ networkmanager.enable = false;
+ dhcpcd.enable = true;
+
+ interfaces.end0.useDHCP = true;
+
+ firewall = {
+ enable = true;
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ wireguard = {
+ enable = true;
+ interfaces."wg0" = {
+ ips = [ "192.168.100.10/24" "fd00:100::10/64" ];
+ listenPort = 51820;
+ mtu = 1400;
+ privateKeyFile = "/run/secrets/privateKey";
+ peers = [
+ {
+ publicKey = "ylsjhpKiq3B6Kv4q2uiHXUJpyxY2b1DOAlGc/FWdflQ=";
+ presharedKeyFile = "/run/secrets/presharedKey";
+ allowedIPs = [ "192.168.100.1/32" "fd00:100::1/128" ];
+ endpoint = "neuruppin.boehm.sh:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+
+ sops.secrets = {
+ privateKey = {
+ sopsFile = ../../../secrets/aquarius-wg.yaml;
+ key = "privateKey";
+ };
+
+ presharedKey = {
+ sopsFile = ../../../secrets/aquarius-wg.yaml;
+ key = "presharedKey";
+ };
+ };
+
+}
diff --git a/systems/aarch64-linux/blarm/networking.nix b/systems/aarch64-linux/blarm/networking.nix
deleted file mode 100644
index d75a0a7..0000000
--- a/systems/aarch64-linux/blarm/networking.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- networking = {
- hostName = "blarm";
- firewall.enable = false;
- networkmanager.enable = false;
- dhcpcd.enable = true;
- defaultGateway.address = "192.168.1.1";
- interfaces.end0 = {
- useDHCP = true;
- ipv4.addresses = [
- {
- address = "192.168.1.251";
- prefixLength = 32;
- }
- {
- address = "192.168.1.202";
- prefixLength = 32;
- }
- ];
- ipv6.addresses = [
- {
- address = "fd00:192:168:1::202";
- prefixLength = 64;
- }
- {
- address = "fd00:192:168:1::251";
- prefixLength = 64;
- }
- ];
- };
- };
-
- }
diff --git a/systems/x86_64-linux/blarm/default.nix b/systems/x86_64-linux/blarm/default.nix
index c4ba42b..ea53265 100644
--- a/systems/x86_64-linux/blarm/default.nix
+++ b/systems/x86_64-linux/blarm/default.nix
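Review bot: `endpoint = "neuruppin.boehm.sh:51820";` is resolved once when wg0 comes up; `persistentKeepalive = 25` keeps NAT state alive but does not re-resolve the name, so if it points at a dynamic address the tunnel stays down after the peer's IP changes until the unit is restarted. If the endpoint is not static — I cannot tell from the diff — set `dynamicEndpointRefreshSeconds = 60;` on the peer so NixOS periodically re-applies the endpoint. The secret names `privateKey` and `presharedKey` sit in the global `sops.secrets` namespace and materialise as `/run/secrets/privateKey` and `/run/secrets/presharedKey`; names that generic collide with the next secret added on this host, so `wg0-privateKey`/`wg0-presharedKey` with matching `privateKeyFile`/`presharedKeyFile` paths would be safer. Ownership is fine as declared: sops-nix defaults secrets to root:root 0400 and the wireguard unit reads the files as root.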
@@ -7,9 +7,7 @@ }: with lib.${namespace}; { - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ]; + imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; nix.settings = { trusted-users = [ "philipp" ];