diff --git a/hosts/carbon/services/monitoring/promtail.nix b/hosts/carbon/services/monitoring/promtail.nix
new file mode 100644
index 0000000..9db0047
--- /dev/null
+++ b/hosts/carbon/services/monitoring/promtail.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+
+
+ services.promtail = {
+ enable = true;
+ configuration =
+ {
+ server = {
+ http_listen_port = 0;
+ grpc_listen_port = 0;
+ };
+
+ clients = [
+ { url = "https//32.54.31.99:3100/api/prom/push"; }
+ ];
+
+ scrape_configs = [
+ {
+ job_name = "system";
+ pipeline_stages = [
+ { replace = { expression = "(?:[0-9]{1,3}\\.){3}([0-9]{1,3})"; replace = "***"; }; }
+ ];
+ static_configs = [
+ {
+ targets = [ "localhost" ];
+ labels = {
+ job = "nginx_access_log";
+ host = "carbon";
+ agent = "promtail";
+ __path__ = "/var/log/nginx/json_access.log";
+ };
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
+
diff --git a/hosts/carbon/services/privacy/biblioreads.nix b/hosts/carbon/services/privacy/biblioreads.nix
new file mode 100644
index 0000000..66aefd2
--- /dev/null
+++ b/hosts/carbon/services/privacy/biblioreads.nix
@@ -0,0 +1,29 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+
+ biblioreads = {
+ image = "nesaku/biblioreads:latest";
+ ports = [
+ "5484:3000"
+ ];
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+
+ "biblioreads.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:5484";
+ extraConfig = ''
+ access_log /var/log/nginx/$server_name-access.log json_analytics;
+ '';
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/priviblur.nix b/hosts/carbon/services/privacy/priviblur.nix
new file mode 100644
index 0000000..6646904
--- /dev/null
+++ b/hosts/carbon/services/privacy/priviblur.nix
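Review bot: The Loki push URL in `clients` is malformed — `https//32.54.31.99:3100/api/prom/push` has no `:` after the scheme, so promtail cannot parse it as an absolute URL; given that loki.nix in this commit serves plain HTTP on 3100 with `auth_enabled = false`, the working form is `url = "http://32.54.31.99:3100/api/prom/push";`. That also means the nginx access logs cross the network to a non-loopback address unencrypted and unauthenticated, unless 32.54.31.99 is reached over a VPN or private link — worth confirming, or putting TLS/basic auth in front of Loki. Separately, the `replace` stage keeps the capture group `([0-9]{1,3})`, and promtail replaces only the captured text when a group is present, so only the last octet becomes `***` and the /24 of every client stays in the log; if full IP masking is intended, drop the capture group so the whole match is replaced.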
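Review bot: `ports = [ "5484:3000" ]` publishes the container on every interface, so the app is reachable directly on :5484 and bypasses the `forceSSL` nginx vhost below; the wikiless hunk in this commit uses the right form, `"127.0.0.1:8180:8080/tcp"`, so this should be `"127.0.0.1:5484:3000"`. The same all-interface binding appears in priviblur.nix (`1484:8000`), proxitok.nix (`4772:8080/tcp`) and the penpot docker-compose.nix (`9032:80/tcp`, `1080:1080/tcp`). This container also lacks the `"--cap-drop=ALL"` / `"--security-opt=no-new-privileges:true"` extraOptions that the compose2nix-generated containers in this commit get, and `nesaku/biblioreads:latest` is an unpinned tag that pulls whatever the registry serves next; priviblur.nix has the same two gaps. The leading space inside `proxyPass = " http://127.0.0.1:5484"` appears harmless to nginx but should be removed.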
@@ -0,0 +1,28 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ priviblur = {
+ image = "quay.io/pussthecatorg/priviblur:latest";
+ ports = [
+ "1484:8000"
+ ];
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+
+ "priviblur.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:1484";
+ extraConfig = ''
+ access_log /var/log/nginx/$server_name-access.log json_analytics;
+ '';
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/proxitok.nix b/hosts/carbon/services/privacy/proxitok.nix
new file mode 100644
index 0000000..02de3c2
--- /dev/null
+++ b/hosts/carbon/services/privacy/proxitok.nix
@@ -0,0 +1,169 @@
+# Auto-generated using compose2nix v0.2.0-pre.
+{ pkgs, lib, ... }:
+
+{
+ services.nginx = {
+ virtualHosts = {
+ "proxitok.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:4772";
+ extraConfig = ''
+ access_log /var/log/nginx/$server_name-access.log json_analytics;
+ '';
+ };
+ };
+ };
+ };
+
+ # Containers
+ virtualisation.oci-containers.containers."proxitok-redis" = {
+ image = "redis:7-alpine";
+ cmd = [ "redis-server" "--save" "60" "1" "--loglevel" "warning" ];
+ user = "nobody";
+ log-driver = "journald";
+ extraOptions = [
+ "--cap-drop=ALL"
+ "--network-alias=redis"
+ "--network=docker-compose_proxitok"
+ "--security-opt=no-new-privileges:true"
+ ];
+ };
+ systemd.services."podman-proxitok-redis" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_proxitok.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_proxitok.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+
+ virtualisation.oci-containers.containers."proxitok-signer" = {
+ image = "ghcr.io/pablouser1/signtok:master";
+ user = "nobody";
+ log-driver = "journald";
+ extraOptions = [
+ "--cap-drop=ALL"
+ "--network-alias=signer"
+ "--network=docker-compose_proxitok"
+ "--security-opt=no-new-privileges:true"
+ ];
+ };
+ systemd.services."podman-proxitok-signer" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "\"no\"";
+ };
+ after = [
+ "podman-network-docker-compose_proxitok.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_proxitok.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+
+ virtualisation.oci-containers.containers."proxitok-web" = {
+ image = "ghcr.io/pablouser1/proxitok:master";
+ environment = {
+ API_CACHE 
= "redis";
+ API_SIGNER = "remote";
+ API_SIGNER_URL = "http://proxitok-signer:8080/signature";
+ LATTE_CACHE = "/cache";
+ REDIS_HOST = "proxitok-redis";
+ REDIS_PORT = "6379";
+ };
+ volumes = [
+ "proxitok-cache:/cache:rw"
+ ];
+ ports = [
+ "4772:8080/tcp"
+ ];
+ dependsOn = [
+ "proxitok-redis"
+ "proxitok-signer"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--cap-add=CHOWN"
+ "--cap-add=SETGID"
+ "--cap-add=SETUID"
+ "--cap-drop=ALL"
+ "--network-alias=web"
+ "--network=docker-compose_proxitok"
+ "--security-opt=no-new-privileges:true"
+ ];
+ };
+ systemd.services."podman-proxitok-web" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "\"no\"";
+ };
+ after = [
+ "podman-network-docker-compose_proxitok.service"
+ "podman-volume-docker-compose_proxitok-cache.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_proxitok.service"
+ "podman-volume-docker-compose_proxitok-cache.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."podman-network-docker-compose_proxitok" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.podman}/bin/podman network rm -f docker-compose_proxitok";
+ };
+ script = ''
+ podman network inspect docker-compose_proxitok || podman network create docker-compose_proxitok
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+
+ # Volumes
+ systemd.services."podman-volume-docker-compose_proxitok-cache" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ podman volume inspect docker-compose_proxitok-cache || podman volume create docker-compose_proxitok-cache
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-docker-compose-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/hosts/carbon/services/privacy/scribe.nix b/hosts/carbon/services/privacy/scribe.nix
new file mode 100644
index 0000000..8897360
--- /dev/null
+++ b/hosts/carbon/services/privacy/scribe.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, ... }: {
+
+
+ services.scribe = {
+ enable = true;
+ appDomain = "scribe.${config.networking.domain}";
+ port = 7283;
+ # TODO fix since it's readable by nix store...
+ environmentFile = ''
+ GITHUB_PERSONAL_ACCESS_TOKEN= ${builtins.readFile config.age.secrets.github-token.path}
+ GITHUB_USERNAME= ${builtins.readFile config.age.secrets.github-username.path}
+ '';
+ };
+
+ services.nginx = {
+ virtualHosts = {
+
+ "scribe.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:7283";
+ extraConfig = ''
+ access_log /var/log/nginx/$server_name-access.log json_analytics;
+ '';
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/wikiless.nix b/hosts/carbon/services/privacy/wikiless.nix
new file mode 100644
index 0000000..b8d1025
--- /dev/null
+++ b/hosts/carbon/services/privacy/wikiless.nix
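Review bot: `"proxitok.${config.networking.domain}"` uses `config`, but the module header is `{ pkgs, lib, ... }:`, so evaluation fails with an undefined-variable error before anything is deployed; the header should be `{ pkgs, lib, config, ... }:`. wikiless.nix in this commit has the identical mismatch. Both files also define `systemd.targets."podman-compose-docker-compose-root"` and hang their stacks off it; the duplicate definitions appear to merge cleanly, but it means stopping or restarting that target tears down proxitok and wikiless together, which is presumably unintended and is avoided by giving each stack its own project name when running compose2nix.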
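Review bot: `environmentFile` is built as a Nix string from `builtins.readFile` of the two agenix secret paths, so the decrypted GitHub token is copied into a world-readable store path, as the TODO already admits, and evaluation now requires the decrypted files to exist on the evaluating machine, which breaks remote builds and first deploys. The commit already adds `secrets/scribe-secret.age`; put both `GITHUB_*=` lines in that encrypted file and point the option at the runtime path, `environmentFile = config.age.secrets.scribe-secret.path;`. If `services.scribe.environmentFile` is typed as a path, which I believe it is, the current multi-line string would fail the type check anyway. Note also that the space after each `=` and the trailing newline from readFile would end up inside the values.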
@@ -0,0 +1,118 @@
+# Auto-generated using compose2nix v0.2.0-pre.
+{ pkgs, lib, ... }:
+
+{
+ services.nginx = {
+ virtualHosts = {
+ "wikiless.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:8180";
+ extraConfig = ''
+ access_log /var/log/nginx/$server_name-access.log json_analytics;
+ '';
+ };
+ };
+ };
+ };
+
+ # Containers
+ virtualisation.oci-containers.containers."wikiless" = {
+ image = "ghcr.io/metastem/wikiless:latest";
+ environment = {
+ REDIS_HOST = "redis://172.4.0.5:6379";
+ };
+ ports = [
+ "127.0.0.1:8180:8080/tcp"
+ ];
+ dependsOn = [
+ "wikiless_redis"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--cap-drop=ALL"
+ "--hostname=wikiless"
+ "--ip=172.4.0.6"
+ "--network-alias=wikiless"
+ "--network=docker-compose_wikiless_net"
+ "--security-opt=no-new-privileges:true"
+ ];
+ };
+ systemd.services."podman-wikiless" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_wikiless_net.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_wikiless_net.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."wikiless_redis" = {
+ image = "redis:latest";
+ user = "nobody";
+ log-driver = "journald";
+ extraOptions = [
+ "--cap-add=DAC_OVERRIDE"
+ "--cap-add=SETGID"
+ "--cap-add=SETUID"
+ "--cap-drop=ALL"
+ "--hostname=wikiless_redis"
+ "--ip=172.4.0.5"
+ "--network-alias=wikiless_redis"
+ "--network=docker-compose_wikiless_net"
+ "--security-opt=no-new-privileges:true"
+ ];
+ };
+ systemd.services."podman-wikiless_redis" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_wikiless_net.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_wikiless_net.service"
+ ];
+ partOf = [
+ 
"podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."podman-network-docker-compose_wikiless_net" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.podman}/bin/podman network rm -f docker-compose_wikiless_net";
+ };
+ script = ''
+ podman network inspect docker-compose_wikiless_net || podman network create docker-compose_wikiless_net --subnet=172.4.0.0/16
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-docker-compose-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
+
diff --git a/hosts/carbon/services/routes/learningpulsedev.nix b/hosts/carbon/services/routes/learningpulsedev.nix
new file mode 100644
index 0000000..cabe5d7
--- /dev/null
+++ b/hosts/carbon/services/routes/learningpulsedev.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "lpdev.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.99:8181";
+ };
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+ };
+
+}
+
diff --git a/hosts/carbon/services/routes/penpot.nix b/hosts/carbon/services/routes/penpot.nix
new file mode 100644
index 0000000..4c73fa3
--- /dev/null
+++ b/hosts/carbon/services/routes/penpot.nix
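Review bot: The network is created with `--subnet=172.4.0.0/16` and the two containers are pinned to `172.4.0.5` and `172.4.0.6`, but 172.4.0.0/16 is publicly routable address space (the RFC 1918 range is 172.16.0.0/12), so any real host in that block becomes unreachable from carbon while the stack is up; this looks like a typo for a 172.16.x.x/16 subnet. Podman networks created this way normally resolve container names, so the static addresses are not needed at all: `REDIS_HOST = "redis://wikiless_redis:6379";` via the existing `--network-alias` removes both `--ip=` options and the `--subnet`. `redis:latest` is an unpinned tag; pin a major version as proxitok.nix does with `redis:7-alpine`. The `config` parameter is also missing from this file's module header, as noted on proxitok.nix.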
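Review bot: `proxyPass = " http://32.54.31.99:8181"` forwards to a non-loopback backend in cleartext, so the TLS that `forceSSL` provides ends at carbon and the upstream hop is unencrypted; unless 32.54.31.99 is reached over a VPN or private link, the backend should be proxied over `https://` or tunnelled. penpot.nix in this commit (`http://32.54.31.241:9032`) has the same pattern. The four `proxy_set_header` lines duplicate what the nginx module emits when `recommendedProxySettings = true` is set, so that option could replace the `extraConfig` block. The leading space inside the `proxyPass` string should also be removed.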
@@ -0,0 +1,21 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "penpot.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.241:9032";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/lime/services/penpot/docker-compose.nix b/hosts/lime/services/penpot/docker-compose.nix
new file mode 100644
index 0000000..00af8ee
--- /dev/null
+++ b/hosts/lime/services/penpot/docker-compose.nix
@@ -0,0 +1,283 @@
+# Auto-generated using compose2nix v0.1.9.
+{ pkgs, lib, ... }:
+
+{
+ # Runtime
+ virtualisation.podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings = {
+ # Required for container networking to be able to use names.
+ dns_enabled = true;
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+
+ # Containers
+ virtualisation.oci-containers.containers."docker-compose-penpot-backend" = {
+ image = "penpotapp/backend:latest";
+ environment = {
+ PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+ PENPOT_DATABASE_PASSWORD = "penpot";
+ PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+ PENPOT_DATABASE_USERNAME = "penpot";
+ PENPOT_FLAGS = "enable-registration enable-login-with-password disable-email-verification enable-smtp enable-prepl-server";
+ PENPOT_PUBLIC_URI = "https://penpot.4o1x5.dev";
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+ PENPOT_SMTP_DEFAULT_FROM = "no-reply@example.com";
+ PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply@example.com";
+ PENPOT_SMTP_HOST = "penpot-mailcatch";
+ PENPOT_SMTP_PASSWORD = "";
+ PENPOT_SMTP_PORT = "1025";
+ PENPOT_SMTP_SSL = "false";
+ PENPOT_SMTP_TLS = "false";
+ PENPOT_SMTP_USERNAME = "";
+ PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+ PENPOT_TELEMETRY_ENABLED = "false";
+ };
+ volumes = [
+ "penpot_assets:/opt/data/assets:rw"
+ ];
+ dependsOn = [
+ "docker-compose-penpot-postgres"
+ "docker-compose-penpot-redis"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-backend"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-backend" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_assets.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_assets.service"
+ ];
+ partOf = [
+ 
"podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."docker-compose-penpot-exporter" = {
+ image = "penpotapp/exporter:latest";
+ environment = {
+ PENPOT_PUBLIC_URI = "http://penpot-frontend";
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+ };
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-exporter"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-exporter" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."docker-compose-penpot-frontend" = {
+ image = "penpotapp/frontend:latest";
+ environment = {
+ PENPOT_FLAGS = "enable-registration enable-login-with-password";
+ };
+ volumes = [
+ "penpot_assets:/opt/data/assets:rw"
+ ];
+ ports = [
+ "9032:80/tcp"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ };
+ dependsOn = [
+ "docker-compose-penpot-backend"
+ "docker-compose-penpot-exporter"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-frontend"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-frontend" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_assets.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_assets.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ 
virtualisation.oci-containers.containers."docker-compose-penpot-mailcatch" = {
+ image = "sj26/mailcatcher:latest";
+ ports = [
+ "1080:1080/tcp"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-mailcatch"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-mailcatch" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."docker-compose-penpot-postgres" = {
+ image = "postgres:15";
+ environment = {
+ POSTGRES_DB = "penpot";
+ POSTGRES_INITDB_ARGS = "--data-checksums";
+ POSTGRES_PASSWORD = "penpot";
+ POSTGRES_USER = "penpot";
+ };
+ volumes = [
+ "penpot_postgres_v15:/var/lib/postgresql/data:rw"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-postgres"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-postgres" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_postgres_v15.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ "podman-volume-docker-compose_penpot_postgres_v15.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."docker-compose-penpot-redis" = {
+ image = "redis:7";
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=penpot-redis"
+ "--network=docker-compose_penpot"
+ ];
+ };
+ systemd.services."podman-docker-compose-penpot-redis" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 
"always";
+ };
+ after = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ requires = [
+ "podman-network-docker-compose_penpot.service"
+ ];
+ partOf = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-docker-compose-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."podman-network-docker-compose_penpot" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.podman}/bin/podman network rm -f docker-compose_penpot";
+ };
+ script = ''
+ podman network inspect docker-compose_penpot || podman network create docker-compose_penpot
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+
+ # Volumes
+ systemd.services."podman-volume-docker-compose_penpot_assets" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ podman volume inspect docker-compose_penpot_assets || podman volume create docker-compose_penpot_assets
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+ systemd.services."podman-volume-docker-compose_penpot_postgres_v15" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ podman volume inspect docker-compose_penpot_postgres_v15 || podman volume create docker-compose_penpot_postgres_v15
+ '';
+ partOf = [ "podman-compose-docker-compose-root.target" ];
+ wantedBy = [ "podman-compose-docker-compose-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-docker-compose-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
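Review bot: `PENPOT_DATABASE_PASSWORD = "penpot"` and `POSTGRES_PASSWORD = "penpot"` commit a default credential into the Nix store, and `PENPOT_FLAGS` combines `enable-registration` with `disable-email-verification` while `PENPOT_PUBLIC_URI` is the public `https://penpot.4o1x5.dev` that penpot.nix in this commit routes to, so anyone who finds the host can create accounts with no verification. Move the password into an agenix-managed file loaded through `environmentFiles` on both the backend and postgres containers, and drop `enable-registration`/`disable-email-verification` unless open sign-up is intended; `enable-prepl-server` also starts a REPL inside the backend container and should go unless it is actually used. The mailcatcher UI is published as `"1080:1080/tcp"` on every interface, which exposes every mail the instance sends, including password-reset links, to anyone who can reach lime:1080; bind it as `"127.0.0.1:1080:1080/tcp"` or remove the port mapping. The frontend's `"9032:80/tcp"` has the same all-interface binding, already noted on biblioreads.nix.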
diff --git a/hosts/lime/services/penpot/docker-compose.yml b/hosts/lime/services/penpot/docker-compose.yml
new file mode 100644
index 0000000..07bd9bb
--- /dev/null
+++ b/hosts/lime/services/penpot/docker-compose.yml
@@ -0,0 +1,114 @@
+version: "3.8"
+
+networks:
+ penpot:
+
+volumes:
+ penpot_postgres_v15:
+ penpot_assets:
+
+services:
+ penpot-frontend:
+ image: "penpotapp/frontend:latest"
+ restart: always
+ ports:
+ - 9032:80
+
+ volumes:
+ - penpot_assets:/opt/data/assets
+
+ depends_on:
+ - penpot-backend
+ - penpot-exporter
+
+ networks:
+ - penpot
+
+ labels:
+ - "traefik.enable=true"
+
+ environment:
+ - PENPOT_FLAGS=enable-registration enable-login-with-password
+
+ penpot-backend:
+ image: "penpotapp/backend:latest"
+ restart: always
+
+ volumes:
+ - penpot_assets:/opt/data/assets
+
+ depends_on:
+ - penpot-postgres
+ - penpot-redis
+
+ networks:
+ - penpot
+
+ ## Configuration envronment variables for backend the
+ ## container.
+
+ environment:
+ - PENPOT_FLAGS=enable-registration enable-login-with-password disable-email-verification enable-smtp enable-prepl-server
+ - PENPOT_PUBLIC_URI=https://penpot.4o1x5.dev
+
+ - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot
+ - PENPOT_DATABASE_USERNAME=penpot
+ - PENPOT_DATABASE_PASSWORD=penpot
+
+ - PENPOT_REDIS_URI=redis://penpot-redis/0
+
+ - PENPOT_ASSETS_STORAGE_BACKEND=assets-fs
+ - PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/data/assets
+ - PENPOT_TELEMETRY_ENABLED=false
+
+ - PENPOT_SMTP_DEFAULT_FROM=no-reply@example.com
+ - PENPOT_SMTP_DEFAULT_REPLY_TO=no-reply@example.com
+ - PENPOT_SMTP_HOST=penpot-mailcatch
+ - PENPOT_SMTP_PORT=1025
+ - PENPOT_SMTP_USERNAME=
+ - PENPOT_SMTP_PASSWORD=
+ - PENPOT_SMTP_TLS=false
+ - PENPOT_SMTP_SSL=false
+
+ penpot-exporter:
+ image: "penpotapp/exporter:latest"
+ restart: always
+ networks:
+ - penpot
+
+ environment:
+ - PENPOT_PUBLIC_URI=http://penpot-frontend
+ - PENPOT_REDIS_URI=redis://penpot-redis/0
+
+ penpot-postgres:
+ image: "postgres:15"
+ restart: always
+ stop_signal: SIGINT
+
+ volumes:
+ - penpot_postgres_v15:/var/lib/postgresql/data
+
+ networks:
+ - penpot
+
+ environment:
+ - POSTGRES_INITDB_ARGS=--data-checksums
+ - POSTGRES_DB=penpot
+ - POSTGRES_USER=penpot
+ - POSTGRES_PASSWORD=penpot
+
+ penpot-redis:
+ image: redis:7
+ restart: always
+ networks:
+ - penpot
+
+ penpot-mailcatch:
+ image: sj26/mailcatcher:latest
+ restart: always
+ expose:
+ - "1025"
+ ports:
+ - "1080:1080"
+ networks:
+ - penpot
diff --git a/hosts/pink/services/monitoring/loki.nix b/hosts/pink/services/monitoring/loki.nix
new file mode 100644
index 0000000..b8e53bf
--- /dev/null
+++ b/hosts/pink/services/monitoring/loki.nix
@@ -0,0 +1,46 @@
+{ pkgs, ... }: {
+ #
+ services.loki = {
+ enable = false;
+ configuration = {
+ auth_enabled = false;
+ server = {
+ http_listen_port = 3100;
+ };
+ ingester = {
+ lifecycler = {
+ address = "0.0.0.0";
+ ring = {
+ kvstore.store = "inmemory";
+ replication_factor = 1;
+ };
+ };
+ chunk_idle_period = "15m";
+ };
+ schema_config.configs = [
+ {
+ from = "2020-02-25";
+ store = "boltdb";
+ object_store = "filesystem";
+ schema = "v11";
+ index = {
+ prefix = "index_";
+ period = "24h";
+ };
+ }
+ ];
+
+ storage_config = {
+ boltdb.directory = "/tmp/loki/index";
+ };
+ limits_config = {
+ enforce_metric_name = false;
+ reject_old_samples = true;
+ reject_old_samples_max_age = "500h";
+ };
+ chunk_store_config.max_look_back_period = "0s";
+
+ };
+ };
+}
+
diff --git a/secrets/carbon.nix b/secrets/carbon.nix
index 186ad3e..707be8b 100644
--- a/secrets/carbon.nix
+++ b/secrets/carbon.nix
@@ -1,3 +1,9 @@
 { pkgs, ... }: {
 age.secrets.forgejo-runner.file = ./forgejo-runner.age;
+ age.secrets.github-username.file = ./github-username.age;
+ age.secrets.github-token.file = ./github-token.age;
+ age.secrets.scribe-secret.file = ./scribe-secret.age;
+ age.secrets.piped.file = ./piped.age;
+ age.secrets.anonymousoverflow.file = ./anonymousoverflow.age;
+
 }
diff --git a/secrets/github-token.age b/secrets/github-token.age
new file mode 100644
index 0000000..7f19c4d
--- /dev/null
+++ b/secrets/github-token.age
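Review bot: `stop_signal: SIGINT` on penpot-postgres was not carried into the generated docker-compose.nix, whose postgres container has no stop-signal setting, so podman will send SIGTERM (postgres' "smart" shutdown, which waits for connected clients) and then kill the process when the stop timeout expires, risking an unclean shutdown of the data directory; add `"--stop-signal=SIGINT"` to that container's `extraOptions`. This file otherwise duplicates the .nix, including the default `penpot` database password and the `enable-registration`/`disable-email-verification` flags, so if it is kept as the compose2nix input the two should be regenerated together rather than edited independently.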
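Review bot: `server.http_listen_port = 3100` is set without an `http_listen_address`, and `auth_enabled = false`, so once `enable` is flipped to true Loki accepts pushes and queries from any host that can reach pink:3100, and promtail.nix in this commit already ships nginx access logs to it across the network. Either bind it to an internal/VPN address, `http_listen_address = "<internal-ip>";` (placeholder), or restrict 3100 in the firewall, and consider putting authentication in front of it. `boltdb.directory = "/tmp/loki/index"` keeps the index under /tmp, which is cleared on reboot on many NixOS installs, so the index is lost; use a path under `/var/lib/loki`. I believe `enforce_metric_name` has been removed in recent Loki releases, so depending on the packaged version the config may be rejected — check before enabling.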
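Review bot: `age.secrets.anonymousoverflow.file = ./anonymousoverflow.age;` references a file this diff does not add (github-username.age, github-token.age, scribe-secret.age and piped.age are all added here), so unless it already exists in the repository the evaluation of secrets/carbon.nix fails on a missing path. Either add the encrypted file in this commit or drop the line until the service that needs it lands.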
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg BcQSeT5FRJ12Pk0e9j1Mv0D/0uG8T/UE51B49KYYe1I +xSU3OJoeb6xPAG2DkRZvuTaclzPvQMCg/tTbOOvU/QM +-> ssh-ed25519 pw11Hg L/r4k+wx7Vb2HimVLh8dmd+ZeICaNF26OCtKuzgc/Xo +NZYAc3uOtJRXsWPgbCq6DfCpH5N4mi9kqh4YloWYPzs +--- Cv+Cc5Qdi6Z72vq7suNXVeQ20fqzh+qYRrhW24Q9sEM +soF:RS DŽDt3j:P5zFxTLijsRP_[~(> \ No newline at end of file diff --git a/secrets/github-username.age b/secrets/github-username.age new file mode 100644 index 0000000..be7bb83 --- /dev/null +++ b/secrets/github-username.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg BPlZOaOlG/dT+mxNHrCtGXffhUlkSMyCXYiz3ehePBM +ApUQIhgKA6wrHPAixEChyWFze2BuYqtWoXGETIx/xkM +-> ssh-ed25519 pw11Hg Wm2qEsBZnq43+Pv20CxOr91wRQFkHKKcQskc962sGXk +i9gnpoR2yr+sRwCwM1ImQpN6AVvRg3MlBS9nPG2+MuY +--- NzFMu6okyjRaNQ1lOYYwT5QXmERZaXHtewsSystDRzk +p}ښdSaX=zI2t/H# \ No newline at end of file diff --git a/secrets/piped.age b/secrets/piped.age new file mode 100644 index 0000000..f921352 Binary files /dev/null and b/secrets/piped.age differ diff --git a/secrets/porkbun-user.age b/secrets/porkbun-user.age index c02031d..a238c10 100644 --- a/secrets/porkbun-user.age +++ b/secrets/porkbun-user.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 VxAJjg SAzffPLeKmWwiPBrxqb8b1lSjnvX0xXGoErceOwrfz8 -qOu9fsxq0yneo5Wx0S6sJriYl9I+0geuD85ZVK8LEUg --> ssh-ed25519 2+o3cg ODYd9WzF/r4ScnLNmnxne3NiuqlAQ4E3koozu4EKBQE -iiLf5yuAnGDTSFXLTbxm0PsQQBjnoFPVS7rh9v91GzY ---- BT5nFRlqsSubodxJI5M1+xE8yD/vzSHkvUTKhwOScWQ -vˉ(1Oɥvf"(r$5)Ћb;t1 \ No newline at end of file +-> ssh-ed25519 VxAJjg PovEnAxpyfLvVb0w/TaEY7anN5NsfkV+OodD8mu+IQ0 +x4mHqwXQ/sf7tuXkS146P/mrM/ShtGnZtLD3ap6FBzQ +-> ssh-ed25519 2+o3cg I5NXmiKJfzguoDvYd13yOlfiIUuXwZUHNFKh+CSK3GU +RuDsCnHg0CBsdYaPrALI+sJlY3q3Z2hM92G6btMdJPk +--- Om0oMnr4C6xQMSvvz1J3veLMoEXzyPYtWrPpwks4Vmo +VLCKT_o)q:"W.qAn}w@9bOI2Ϊdf2:ߋqoGE'ZaV&w8M7̣ \ No newline at end of file 
diff --git a/secrets/porkbun.age b/secrets/porkbun.age index f37be8d..913d830 100644 Binary files a/secrets/porkbun.age and b/secrets/porkbun.age differ diff --git a/secrets/scribe-secret.age b/secrets/scribe-secret.age new file mode 100644 index 0000000..8469995 --- /dev/null +++ b/secrets/scribe-secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg xDv23IBlJ1lrNTPQkOlVrg8Hufc0NDOpFALrbUMgSB4 +s0U4Iylpghexez0uA6o6OaNBBa27RrdlcrabwC1Na6s +-> ssh-ed25519 pw11Hg SAYnexlOt8B7YnqGN4+gaRl1zrcMpnLHRhb0arlwZRI +mw2AXbMDzU7y1ieDqFfEsJLiqXi6W3I1KAUEVUDXUKw +--- 6wz/46U1kEIvlYl6PXmRVE3dh1Jqs+7D8A4EbDucy/w +n}R:\2vYGVĢv(hh%)Pac$A$*|N*