diff --git a/.sops.yaml b/.sops.yaml
index 1b1bdbe..c264349 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,7 +5,7 @@ keys:
   - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
   - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
   - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
-  - &host_weinturm_pretix_prod age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m
+  - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
 creation_rules:
   - path_regex: hosts/aluminium/secrets\.yaml$
     key_groups:
diff --git a/hosts/default.nix b/hosts/default.nix
index 39b9858..322731b 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -14,8 +14,8 @@
     system = "x86_64-linux";
   };
   weinturm-pretix-prod = {
-    system = "x86_64-linux";
-    targetHost = "91.107.235.15";
+    system = "aarch64";
+    targetHost = "142.132.185.70";
   };
   iron = {
     system = "x86_64-linux";
diff --git a/hosts/weinturm-pretix-prod/configuration.nix b/hosts/weinturm-pretix-prod/configuration.nix
index b28d375..9a8f0f2 100644
--- a/hosts/weinturm-pretix-prod/configuration.nix
+++ b/hosts/weinturm-pretix-prod/configuration.nix
@@ -5,15 +5,33 @@
     ./services
   ];
 
-  networking = {
-    hostName = "weinturm-pretix-prod";
-    interfaces.ens3.ipv6.addresses = [{
-      address = "2a01:4f8:1c1e:ed47::";
-      prefixLength = 64;
-    }];
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "ens3";
+  networking.hostName = "weinturm-pretix-prod";
+
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      matchConfig.Name = "enp1s0";
+      networkConfig.DHCP = "no";
+      address = [
+        "142.132.185.70/32"
+        "2a01:4f8:c012:edd::/64"
+      ];
+      routes = [
+        {
+          routeConfig.Destination = "172.31.1.1";
+        }
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+        {
+          routeConfig.Gateway = "fe80::1";
+        }
+      ];
     };
   };
 
@@ -28,5 +46,10 @@
 
   services.netdata.enable = true;
 
+  jalr = {
+    bootloader = "systemd-boot";
+    uefi.enable = true;
+  };
+
   system.stateVersion = "22.11";
 }
diff --git a/hosts/weinturm-pretix-prod/hardware-configuration.nix b/hosts/weinturm-pretix-prod/hardware-configuration.nix
index 6679bdf..c96eb20 100644
--- a/hosts/weinturm-pretix-prod/hardware-configuration.nix
+++ b/hosts/weinturm-pretix-prod/hardware-configuration.nix
@@ -1,8 +1,52 @@
-{ modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 {
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub.device = "/dev/sda";
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
+      fsType = "btrfs";
+      options = [
+        "subvol=root"
+        "compress=zstd"
+      ];
+    };
+    "/home" = {
+      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
+      fsType = "btrfs";
+      options = [
+        "subvol=home"
+        "compress=zstd"
+      ];
+    };
+    "/nix" = {
+      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
+      fsType = "btrfs";
+      options = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A586-15AC";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
diff --git a/hosts/weinturm-pretix-prod/secrets.yaml b/hosts/weinturm-pretix-prod/secrets.yaml
index 9e263b4..fe2b033 100644
--- a/hosts/weinturm-pretix-prod/secrets.yaml
+++ b/hosts/weinturm-pretix-prod/secrets.yaml
@@ -6,27 +6,27 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m
+        - recipient: age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeTl6WjVObjAxMTU2QWUz
-            VzNFYkg0VEd0WkZhL21zYjJCaHZ3emU5UmdrCnZaTmpleC9BNEpFYkl0RnRrNDdP
-            d2FpMWo4amxsa1RTVEJJSXh6RzJxbkUKLS0tIHl1YjlQaUtEbzNVcll1eHEzK2dL
-            N2VMRTNjR1RQVm00YnlpbVBzSmZPRkUKv7LCrjyKb4z0e4yBdzwRR5+ErQYHzZCv
-            +j8j4EuhA6NwsTydgIjueuORbrX/c6VxcgQwRd9En+vQVYhWhlu5Xw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RXR4RnVQNjFvZ2NSZVhj
+            QVZva0lKS1RxM09sYmJjZE12NTBMd3NrUlNjCkV0aklndEZDM1BaWFhxYUJ5TDBG
+            T24zODBSdFVWV2VCNVZoM2s3RHJ4WHMKLS0tIC9LdDFMRW13YTBHNlVOdUY0b1NX
+            U3pyTDB4c1FWdHBPVjVjV3VpTjFWamsKDtc9C3xy/3Zu83+jQYCnHk8vatWANt4M
+            +Zo5kZ5yfYVSnvMvgpWoAHk/quXSLNg2YhKUDrYP5y57Q/jZTX3YbA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-03-01T13:25:37Z"
     mac: ENC[AES256_GCM,data:WcF4i8b+YpJuZj/hP8SEEvXJNlrf77ymNF6Avg4vt2JUkIoLh5EAMOjqPWWhJXS65rRSOCQOW/uRLoAMs3b1lX8r93u1wlzxnF5L/1RnAyTcCI2Aiadq6QjOKevgRwfc4vvTVN7LHKwZ9f8kCqgYiuOYtVDx3N4UPQ4SPJ3MZRw=,iv:iliNHU5y+YL2hpvWIltkhP6bkUonMakL7Ssdyf/be38=,tag:4YO93pGujwpHWjX5IAOQfw==,type:str]
     pgp:
-        - created_at: "2023-02-23T00:30:25Z"
+        - created_at: "2023-07-08T09:50:21Z"
           enc: |
             -----BEGIN PGP MESSAGE-----
 
-            hF4D3ylLYNOsO+0SAQdA2SmHfeFrNINSLf2aLONZeidpLaCScS7zmWq0YaeM/SUw
-            66MK2BqgIxX81M9lIexCXdQ9EVS1p0KGQ2dw0CpAN07qdDqqOnJeedgv9zZ3trwU
-            0l4BwoXSnuKxaLDs7vq6y9xrzyKZS5Mx8H7BxVRg0o1mAvSwFez23DmDQWnJyUgO
-            otTg9fp217ldr3VNwKIYtoO+1floZtbfmoH2EhZhpml36mz1oRCUUJvjQO++EpJW
-            =N9AT
+            hF4D3ylLYNOsO+0SAQdAMH1wIM+ENgeWlLsj7qUEorj8O1L5NlW9ABKB/Whmz3Ew
+            xm1SbZeFPPBPcT1dfVCF+W1CYDjrFau4DXhkcz5Z6x3ENg9rZujtRAZY9c+53aqD
+            0l4B4zxls8vy0K/kipHn010WKhHEPMmABJf+d0rAkT6tbVzcxU3TKlZ2BWxwifM+
+            BYDGZ2A6opgV8G4Q68n6CInyhMROIIzJJpWkP0YZCIzzVQ+9yelq9jZvuuxR7v9+
+            =Lkul
             -----END PGP MESSAGE-----
           fp: 66FB54F6081375106EEBF651A222365EB448F934
     unencrypted_suffix: _unencrypted