diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix index db917a5..29f0322 100644 --- a/hosts/thrall/default.nix +++ b/hosts/thrall/default.nix @@ -4,21 +4,19 @@ { config, pkgs, ... }: let - extIface = "ens3"; - ledgerVHost = "ledger.failco.de"; + authorityFromUrl = url: + builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url)); in { imports = [ ./hardware-configuration.nix ../../modules/upgrade-pg-cluster.nix ../../modules/nix-config.nix + ../../modules/iohk.nix + ../../modules/timezone.nix + ../../modules/keybase.nix + ../../modules/ssh.nix ]; - # Binary Cache for Haskell.nix - nix.settings.trusted-public-keys = - [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; - - #nix.binaryCaches = [ "https://hydra.iohk.io" ]; - # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; # boot.loader.grub.efiSupport = true; @@ -28,9 +26,6 @@ in { boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # boot.loader.systemd-boot.enable = true; - # Set your time zone. - time.timeZone = "Europe/Berlin"; - age.secrets = { mailPass.file = ../../secrets/mailPass.age; paperless-mail.file = ../../secrets/paperless-mail.age; @@ -46,7 +41,8 @@ in { # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. - networking = { + networking = let extIface = "ens3"; + in { hostName = "thrall"; domain = "failco.de"; wireless.enable = false; @@ -145,14 +141,12 @@ in { htop tmux git - #agenix.defaultPackage.x86_64-linux restic # fast and secure backup rclone ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. - # programs.mtr.enable = true; programs.gnupg.agent = { enable = true; enableSSHSupport = true; 
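Review bot: `authorityFromUrl` in the `let` block returns everything after `://`, so a `PAPERLESS_URL` or `baseUrl` that ever gains a trailing slash, a path or a port would carry that text into the nginx virtual-host names built from it in the later hunk of this file, and presumably into the ACME certificate request for those hosts. A URL without `://` makes `builtins.head` fail on an empty list, which gives an evaluation error that does not name the offending option. Cutting at the first `/` and falling back to the whole string keeps the key a bare authority: `authorityFromUrl = url: builtins.head (pkgs.lib.splitString "/" (pkgs.lib.last (pkgs.lib.splitString "://" url)));`. A port would still need stripping if one is ever configured, and a one-line comment saying the result is used as a server name would help the next reader.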
@@ -171,20 +165,15 @@ in { # List services that you want to enable: - # depending on wireguard services.kresd = { enable = true; listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ]; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.lorri.enable = true; # configure backup via restic to gdrive services.restic.backups = { }; - services.keybase = { enable = true; }; services.nginx = { enable = true; @@ -234,27 +223,31 @@ in { }; # gitea - "git.failco.de" = { + "${config.services.gitea.settings.server.DOMAIN}" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:3001/"; + proxyPass = "http://127.0.0.1:${ + toString config.services.gitea.settings.server.HTTP_PORT + }/"; proxyWebsockets = true; }; }; # paperless - "docs.failco.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3002/"; - proxyWebsockets = true; + "${authorityFromUrl config.services.paperless.extraConfig.PAPERLESS_URL}" = + { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = + "http://127.0.0.1:${toString config.services.paperless.port}/"; + proxyWebsockets = true; + }; }; - }; # hledger - "${ledgerVHost}" = { + "${authorityFromUrl config.services.hledger-web.baseUrl}" = { forceSSL = true; enableACME = true; basicAuthFile = config.age.secrets.hledger-web.path; @@ -305,7 +298,7 @@ in { services.hledger-web = { enable = true; - baseUrl = "https://${ledgerVHost}"; + baseUrl = "https://ledger.failco.de"; port = 3003; capabilities = { view = true; diff --git a/modules/iohk.nix b/modules/iohk.nix new file mode 100644 index 0000000..b4215c9 --- /dev/null +++ b/modules/iohk.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: + +{ + # Binary Cache for Haskell.nix + nix.settings.trusted-public-keys = + [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; + + nix.settings.substituters = lib.mkAfter [ "https://hydra.iohk.io" ]; +} 
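Review bot: The new `modules/iohk.nix` enables a third-party substituter that the old host configuration did not: there the cache URL was commented out and only the `hydra.iohk.io` signing key was trusted, while the module also appends `https://hydra.iohk.io` to `nix.settings.substituters`. Every host importing the module will fetch prebuilt store paths from that cache and accept anything signed by that key, which is a supply-chain trust decision that should be stated in the module and the commit message, not hidden in a refactor. I would add a comment above the substituter line, for example `# Third-party cache: paths signed by the hydra.iohk.io key are installed without a local build; import only on hosts that build Haskell.nix projects.` It is also worth confirming that this URL is the endpoint the upstream project currently documents for the key.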
diff --git a/modules/keybase.nix b/modules/keybase.nix
new file mode 100644
index 0000000..c652d72
--- /dev/null
+++ b/modules/keybase.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.keybase.enable = true;
+}
diff --git a/modules/ssh.nix b/modules/ssh.nix
new file mode 100644
index 0000000..3ae6158
--- /dev/null
+++ b/modules/ssh.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh.enable = true;
+}
diff --git a/modules/timezone.nix b/modules/timezone.nix
new file mode 100644
index 0000000..8323310
--- /dev/null
+++ b/modules/timezone.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ time.timeZone = lib.mkDefault "Europe/Berlin";
+}
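Review bot: The shared SSH module in `modules/ssh.nix` carries no hardening, only `services.openssh.enable = true;`, so every host importing it runs sshd with the NixOS default authentication settings unless they are overridden somewhere this diff does not show. Since the module is now the single place for SSH policy, I would make key-only login explicit here: `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";` (on releases before 23.05 the options are `services.openssh.passwordAuthentication`, `services.openssh.kbdInteractiveAuthentication` and `services.openssh.permitRootLogin`). The keybase and timezone modules on the same page are plain moves and need no change.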