diff --git a/config/db-postgres.nix b/config/db-postgres.nix
index 1f31774..f66ba3f 100644
--- a/config/db-postgres.nix
+++ b/config/db-postgres.nix
@@ -15,4 +15,13 @@
 checkConfig = true;
 initialScript = config.age.secrets.db-postgres-initscript.path;
 };
+
+ # TODO: Manually add /mnt/backups mountpoint => NAS backup folder (with rotation on the NAS)
+ services.postgresqlBackup = {
+ enable = true;
+ backupAll = true;
+ compression = "gzip";
+ compressionLevel = 6;
+ location = "/mnt/backups/postgresql";
+ };
 }
diff --git a/config/git-gitea.nix b/config/git-gitea.nix
index 77daf04..e7e3110 100644
--- a/config/git-gitea.nix
+++ b/config/git-gitea.nix
@@ -16,11 +16,16 @@
 host = tools.build_ip "db";
 createDatabase = false;
 };
- # TODO: dump ...
 settings = {
 server.HTTP_PORT = 3000;
 };
- # user = "git";
+ dump = {
+ enable = true;
+ # TODO: Manual mountpoint /mnt/backups => NAS
+ backupDir = "/mnt/backups/gitea";
+ interval = "1:42";
+ type = "tar.gz";
+ };
 };
 # gitea-actions-runner.instances.default = {
 # enable = true;
diff --git a/config/matrix-maubot.nix b/config/matrix-maubot.nix
new file mode 100644
index 0000000..046b683
--- /dev/null
+++ b/config/matrix-maubot.nix
@@ -0,0 +1,23 @@
+{
+ pkgs,
+ config,
+ tools,
+ ...
+}:
+{
+ nixpkgs.config.permittedInsecurePackages = [
+ "olm-3.2.16"
+ ];
+
+ environment.etc."maubot/config.base.yaml".source = config.age.secrets.matrix-maubot-cfg.path;
+ services.maubot = {
+ enable = true;
+ plugins = with config.services.maubot.package.plugins; [
+ rss
+ hasswebhookbot
+ ];
+ configMutable = true;
+ # RIP the auto configuration ... Built a base yaml, written in agenix, and manually copying this to the config.yaml file + adapting as needed...
+ extraConfigFile = "/etc/maubot/config.yaml";
+ };
+}
diff --git a/config/metrics-prometheus.nix b/config/metrics-prometheus.nix
index 6017973..847c773 100644
--- a/config/metrics-prometheus.nix
+++ b/config/metrics-prometheus.nix
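Review bot: `location = "/mnt/backups/postgresql"` depends on a mount that the TODO says will be added by hand, so if the NAS is absent or not yet mounted the full-cluster dumps (`backupAll = true`) are silently written to the container's root filesystem, filling the disk and leaving a plaintext copy of every database outside the NAS rotation. Express the dependency on the unit instead of in a comment, e.g. `systemd.services.postgresqlBackup.unitConfig.RequiresMountsFor = "/mnt/backups";` (the unit is named `postgresqlBackup` when `backupAll` is set — confirm against the module), or declare the mount in `fileSystems` so it is managed with the rest of the host. It is also worth a comment that these dumps are unencrypted gzip containing every role's data and that the directory's protection on the NAS side is whatever the share enforces, since the module's own 0700 tmpfiles rule may not be honoured on a network filesystem.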
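Review bot: the gitea `dump` archive (`type = "tar.gz"`) normally bundles the custom directory with `app.ini` — database password, `SECRET_KEY`, `INTERNAL_TOKEN` and the token-signing secrets — alongside every repository, yet `backupDir = "/mnt/backups/gitea"` is another hand-mounted NAS path with no stated access control, and the NixOS dump service does not rotate old archives. Add a comment making the sensitivity explicit, e.g. `# the dump contains app.ini with the DB password and signing secrets; keep /mnt/backups/gitea restricted to the gitea user on the NAS`, and pin the unit to the mount as for postgres (`systemd.services.gitea-dump.unitConfig.RequiresMountsFor = "/mnt/backups";` — verify the unit name in the NixOS gitea module). Note that the gitea database on the `db` host is now dumped twice, here via `gitea dump` and again by `postgresqlBackup.backupAll`, which doubles the places a plaintext copy lives.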
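Review bot: `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]` accepts a package nixpkgs flags as insecure for the whole container's package set, not just maubot, and carries no comment on why it is needed or what risk is being accepted; document it, e.g. `# olm-3.2.16 is marked insecure in nixpkgs (libolm deprecated upstream — see the knownVulnerabilities note); pulled in by maubot's E2EE support, revisit when maubot drops libolm`. Separately, `extraConfigFile = "/etc/maubot/config.yaml"` points at a hand-copied file that will hold the homeserver credentials, admin passwords and DB URI, while the declared `environment.etc."maubot/config.base.yaml"` is only a symlink to the root-owned agenix secret — so the file maubot actually reads has unmanaged ownership and mode, and `configMutable = true` lets the service rewrite it in place. Consider rendering the secret straight to the path maubot reads (agenix `path`/`owner`/`mode` on `matrix-maubot-cfg`) so its permissions are declared and the manual copy step disappears. `pkgs` and `tools` are taken as arguments but unused in this module.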
@@ -15,6 +15,20 @@ in
 "--web.enable-remote-write-receiver"
 "--storage.tsdb.retention.time=${config.globals.retention}"
 ];
+ exporters.pve = {
+ enable = true;
+ collectors = {
+ cluster = true;
+ config = false;
+ node = true;
+ replication = false;
+ resources = true;
+ status = true;
+ version = true;
+ };
+ configFile = config.age.secrets.metrics-pve.path;
+ port = 9221;
+ };
 globalConfig = {
 scrape_interval = "30s";
 };
@@ -30,6 +44,14 @@ in
 service = "prometheus";
 };
 }
+ {
+ targets = [ "localhost:9221" ];
+ labels = {
+ host = tools.build_hostname "proxmox";
+ host_ip = tools.build_ip "proxmox";
+ service = "proxmox";
+ };
+ }
 ];
 }
 ]
diff --git a/containers/matrix.nix b/containers/matrix.nix
index 6321c84..ff63767 100644
--- a/containers/matrix.nix
+++ b/containers/matrix.nix
@@ -18,8 +18,10 @@ in
 additionalPorts = [
 80 # element web
 5173 # synapse admin
+ 29316 # maubot
 ];
 importConfig = [
+ ../config/matrix-maubot.nix
 ../config/matrix-synapse.nix
 ../config/matrix-nginx.nix
 ];
@@ -27,6 +29,9 @@ in
 db = {
 enable = true;
 password = db_pass.matrix;
+ additionalDB = [
+ "maubot"
+ ];
 };
 logging = {
 enable = true;
@@ -47,6 +52,12 @@ in
 private = true;
 auth = false;
 }
+ {
+ subdomain = "maubot";
+ port = 29316;
+ private = true;
+ auth = false;
+ }
 ];
 };
 }
diff --git a/modules/tools.nix b/modules/tools.nix
index 3455491..b6ce0ee 100644
--- a/modules/tools.nix
+++ b/modules/tools.nix
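Review bot: `exporters.pve` keeps the NixOS exporter default `listenAddress` of `0.0.0.0` while the only scrape target added is `localhost:9221`, so the Proxmox inventory (node names, VM/CT list, versions, cluster status) is served on every interface of the metrics host for no reason; add `listenAddress = "127.0.0.1";` beside `port = 9221;`. `configFile = config.age.secrets.metrics-pve.path` hands the exporter a Proxmox API credential whose contents are not visible here — make sure it is a dedicated user or API token holding only the read-only `PVEAuditor` role rather than `root@pam`, and that the file does not set `verify_ssl: false`, which would let anyone on the path to the PVE API capture the token. Also confirm that the exporter's (dynamic) service user can read the root-owned 0400 agenix secret: recent nixpkgs passes `configFile` through `LoadCredential`, older versions pass the path directly and the unit fails at start.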
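Review bot: `additionalDB = [ "maubot" ]` adds a second database under the single container-level `password = db_pass.matrix`, and the new `tools.build_db_uri` derives the role name from the container, so maubot will presumably connect with the same role that owns the synapse database — a compromised or malicious maubot plugin then has full read/write access to Synapse's access tokens, device keys and room state. If the `my-lxc` db module can express it, give maubot its own role and password scoped to its database; at minimum add a comment on the list such as `# served by the shared "matrix" role — maubot can read the synapse DB`. The module that consumes `additionalDB` is outside this diff, so the actual grants should be checked there.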
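Review bot: the new `maubot` proxy entry sets `auth = false`, so the management UI and plugin-upload API on port 29316 are reachable with nothing in front of them but maubot's own admin password from the hand-copied config; `private = true` presumably limits this to the internal network, but that depends on the proxy module not shown here. Given the repo already carries authentik proxy secrets, consider `auth = true` for this vhost unless the `mbc` CLI needs unauthenticated API access, and say which it is in a comment: `# auth = false: mbc CLI talks to the API directly; relies on maubot's admin login`.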
@@ -19,12 +19,23 @@ let build_ip_cidr = arg: "${build_ip arg}/${toString config.globals.cidr}"; mask_cidr = build_ip_cidr 0; build_hostname = arg: "${arg}${config.globals.domains.external}"; + build_db_uri = + container: base: + let + db_user = container; + db_pass = config.my-lxc.${container}.db.password; + db_host = build_ip "db"; + db_port = "5432"; + db_name = base; + in + "postgresql://${db_user}:${db_pass}@${db_host}:${db_port}/${db_name}"; in { build_ip = build_ip; build_ip_cidr = build_ip_cidr; mask_cidr = mask_cidr; build_hostname = build_hostname; + build_db_uri = build_db_uri; loki_addr = "${build_ip "monitoring"}:3100"; metrics_addr = "${build_ip "metrics"}:9090"; diff --git a/secrets/auth-authentik-ldap-secrets.age b/secrets/auth-authentik-ldap-secrets.age index 1eda0ed..f3e27ea 100644 Binary files a/secrets/auth-authentik-ldap-secrets.age and b/secrets/auth-authentik-ldap-secrets.age differ diff --git a/secrets/auth-authentik-proxy-secrets.age b/secrets/auth-authentik-proxy-secrets.age index f17a17d..9f00c9c 100644 Binary files a/secrets/auth-authentik-proxy-secrets.age and b/secrets/auth-authentik-proxy-secrets.age differ diff --git a/secrets/auth-authentik-secrets.age b/secrets/auth-authentik-secrets.age index cdd7229..832e461 100644 Binary files a/secrets/auth-authentik-secrets.age and b/secrets/auth-authentik-secrets.age differ diff --git a/secrets/db-postgres-initscript.age b/secrets/db-postgres-initscript.age index b667b03..232fc12 100644 Binary files a/secrets/db-postgres-initscript.age and b/secrets/db-postgres-initscript.age differ diff --git a/secrets/finances-app-key.age b/secrets/finances-app-key.age index f1d609f..a977be2 100644 --- a/secrets/finances-app-key.age +++ b/secrets/finances-app-key.age 
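Review bot: `build_db_uri` interpolates `db_pass` into the URI verbatim, so a password containing `@`, `/`, `:`, `#` or `%` breaks URI parsing — or gets partly parsed as the host — and should be percent-encoded: `db_pass = lib.escapeURL config.my-lxc.${container}.db.password;` (if `lib` and a nixpkgs with `lib.escapeURL` are available to this module). More importantly, the result is a plain Nix string; wherever it is interpolated into a generated config it lands world-readable in `/nix/store` on every host that evaluates the configuration, so the function should only feed a runtime secret-templating step, and that constraint belongs in a comment above the definition. `db_user = container` also assumes the db module creates one role named after the container; record it as `# assumes the db module creates a role named after the container` since nothing here enforces it.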
@@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg aQoOlZUoNaXXxfkMlkGx9zJDKQh+zlLyYrXuX+LEcFw -9c/dFd+LYdnb2TUm5+lxcPmFW8STMq6UALHlClL85jc --> ssh-ed25519 UJuwpQ hnsSFl7MIkaG0DmCzZKoUtDLj/ey+YZ7Af4gEiPNtkc -2bmkqUGoh2kAW03X//iq/mlzOZeoS1PpmAmLWcAR48k ---- yMItyu2jgirF9YB+u26yykPuqEVz7T46oi6EDZ8rXYs -6v%aKF149<$kHCbv#dܿ$4 -F5k*CtqUH%~E:e:d䁷k \ No newline at end of file +-> ssh-ed25519 jxhkLg cwOIK3+fKR+hwY0ffpXmoRlvEzisaqJKph9KAz1tjgE +M7ZSm185WYRIyVFBtdhqUSSevkPrWUU+oO1pWyvBL6c +-> ssh-ed25519 UJuwpQ Rd52L1o0bCbjgudCzJ0qo209c9WOKxqwnWi9oYbpbXA +6EoyF/9warFja9lKxAAa7M/wIHfFrifJQhg31gNDQeg +--- dkH7UftAnXBiRRK6xf+c/wBTlgREs8fTBNWPXVhfg/I +7:V;/a*޾w.Ր\RCz4ES9P+ l/Q<2GMN kl \ No newline at end of file diff --git a/secrets/matrix-maubot-cfg.age b/secrets/matrix-maubot-cfg.age new file mode 100644 index 0000000..c7e5e13 Binary files /dev/null and b/secrets/matrix-maubot-cfg.age differ diff --git a/secrets/metrics-pve.age b/secrets/metrics-pve.age new file mode 100644 index 0000000..c528f96 --- /dev/null +++ b/secrets/metrics-pve.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg fMyFt2LR3vCmiEBnsa8l+66q41O6so6vIfwwfR0dXVk ++eW719i/+MlQgJVbM9yP95FK+akVScstte2wWYulBGY +-> ssh-ed25519 hKRBdw DjmDRh5sqxmbSckrYIliu8zFVZDIpzltqK5rCO1qRB8 +8isUMp0G0zE/MK7s3ubTzEZlFh3DSJVYD3hP2cfBODo +--- JOvIpPS8459oTkMN0OqtifBDC3I5ccn/A64k6WLbWbA +udD#«< Zu"UYb]!N6SO;ߋ3WixWY{,żJ\lٻJa^8 \ No newline at end of file diff --git a/secrets/power-password-file.age b/secrets/power-password-file.age index 3ca795b..3a277e4 100644 --- a/secrets/power-password-file.age +++ b/secrets/power-password-file.age 
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg +kc3WvRZu+M7FPObE9sUEBrRZUjaKQ3uDX01e30bvH4 -jp7GGPCdUHMFYAdZ6eHlb2Rpjbr7fgxO5i5A4JCuBFQ --> ssh-ed25519 DVDL4g u3KhmxBa+ycZKj6g9/p9VfdWJe3sXNIYWqvnxS0LOFk -+6czbSa2PsgCNrsWFYtFJpW6YRttVpC3tlJpvMyKVlo ---- 6giEp6Qr8xXyII1KyBbEtT0a4qUkYtvby2NVshaHvK8 -+& PWtFApOL 'gQ[ \ No newline at end of file +-> ssh-ed25519 jxhkLg oln5ya/9gIVWvlWBE11ZgUQYCN4tZQFa4Fe13q3o81s +69a7qRWUtQ6KAgT9zH6HzPqmoBx5OPMv8mhoc3F+FlQ +-> ssh-ed25519 DVDL4g m2lTL6SD1HxqSJelHrpDli1uOCgM6/cjJApBQ0a4UD0 +QhjMpiWQcovOPMxwX/658PkO0hgppG0rs5wQO5OUH78 +--- IW3/EHx3kYU5kLkRt9x2SQtqx/+krXcT4aPv3zh+u+0 +8PRD37dR3܂w \ No newline at end of file diff --git a/secrets/proxy-dns-provider-config.age b/secrets/proxy-dns-provider-config.age index db8b410..c3e2fce 100644 --- a/secrets/proxy-dns-provider-config.age +++ b/secrets/proxy-dns-provider-config.age @@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg anodHENUqRaCT66sUwK09KEUOUsApe5VfLioUKylKGM -IyzgkxtINRFeRCa5hdvuUruBrE+07vrjsGsns7Ydwx4 --> ssh-ed25519 FOCPAw DLnVp2X2Nu2wB4/F3R0zfZT5ZcSY9TjY0pKyEeA/AHM -3IQ4Wvl/ei2eOveqXpmk1hZPhgpNn7zb6kjoWXmwZaY ---- oZOshy18oF7M5znbecsTb4np2FAQqU4henZZFTrQUAI -]Yi1/`nEPZ[%S}FU1Q0k9SұI܆v- 2MrWr$Y-(c_&=' g3Ho|8ıc(CױxEWsz'Z/Q 'X]G=lʩ5D'CȏM] \ No newline at end of file +-> ssh-ed25519 jxhkLg TBe8hP/bpnNG/b5h9YeeBruy3znMSWNhjDUWVvNEd04 +TPuNvPhRlvg+wdLCulhBNu+qbXs7pWhFngcrWwcC2Zs +-> ssh-ed25519 FOCPAw Hwq5xX/6uL8uVxudKKkwwS+NSJn69dqabFBDQr5o00A +bz+UUYKhSgrKS4KHFor5XpjZAnuOZrHuNHuvXSP/JR8 +--- VvsmTUj/PZTAwxzT5bFLKhcur6hv7qODo/5L94cW4LY +dnCEBj*n?/6069 +葺W xaO f,övѡyH>7Yr"?إLͽށgc 88Vj +sq<( (~3vfSeդw AFUv?:* A2F@ 70 G娂o^Ϩ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 684ac63..d661fa1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -24,6 +24,12 @@ in
 "finances-app-key.age".publicKeys = users ++ [
 keys.finances
 ];
+ "matrix-maubot-cfg.age".publicKeys = users ++ [
+ keys.matrix
+ ];
+ "metrics-pve.age".publicKeys = users ++ [
+ keys.metrics
+ ];
 "power-password-file.age".publicKeys = users ++ [
 keys.power
 ];
diff --git a/secrets/yarrr-env.age b/secrets/yarrr-env.age
index 3608f6a..19109b4 100644
Binary files a/secrets/yarrr-env.age and b/secrets/yarrr-env.age differ