diff --git a/modules/forgejo-actions-runner/default.nix b/modules/forgejo-actions-runner/default.nix
index 0cd3c8e2..27742370 100644
--- a/modules/forgejo-actions-runner/default.nix
+++ b/modules/forgejo-actions-runner/default.nix
@@ -8,7 +8,7 @@
 {
   age.secrets.forgejo-actions-runner-token = {
     file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
-    mode = "644";
+    mode = "440";
   };
 
   # Trust docker bridge interface traffic
diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix
index e8fa7181..1080a1da 100644
--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
@@ -8,17 +8,17 @@
 {
   age.secrets.grafana-admin-password = {
     file = "${flake.self}/secrets/grafana-admin-password.age";
-    mode = "644";
+    mode = "440";
     owner = "grafana";
   };
   age.secrets.grafana-smtp-password = {
     file = "${flake.self}/secrets/grafana-smtp-password.age";
-    mode = "644";
+    mode = "440";
     owner = "grafana";
   };
   age.secrets.grafana-keycloak-client-secret = {
     file = "${flake.self}/secrets/grafana-keycloak-client-secret.age";
-    mode = "644";
+    mode = "440";
     owner = "grafana";
   };
 
diff --git a/modules/prometheus/alert-rules.nix b/modules/prometheus/alert-rules.nix
new file mode 100644
index 00000000..fb832a0b
--- /dev/null
+++ b/modules/prometheus/alert-rules.nix
@@ -0,0 +1,253 @@
+{ lib }:
+
+let
+  # docker's filesystems disappear quickly, leading to false positives
+  deviceFilter = ''path!~"^(/var/lib/docker|/nix/store).*"'';
+in
+lib.mapAttrsToList
+  (name: opts: {
+    alert = name;
+    expr = opts.condition;
+    for = opts.time or "2m";
+    labels = { };
+    annotations.description = opts.description;
+  })
+  ({
+
+    # prometheus_too_many_restarts = {
+    #   condition = ''changes(process_start_time_seconds{job=~"prometheus|alertmanager"}[15m]) > 2'';
+    #   description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.";
+    # };
+
+    # alert_manager_config_not_synced = {
+    #   condition = ''count(count_values("config_hash", alertmanager_config_hash)) > 1'';
+    #   description = "Configurations of AlertManager cluster instances are out of sync.";
+    # };
+
+    #alert_manager_e2e_dead_man_switch = {
+    #  condition = "vector(1)";
+    #  description = "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.";
+    #};
+
+    # prometheus_not_connected_to_alertmanager = {
+    #   condition = "prometheus_notifications_alertmanagers_discovered < 1";
+    #   description = "Prometheus cannot connect the alertmanager\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}";
+    # };
+
+    # prometheus_rule_evaluation_failures = {
+    #   condition = "increase(prometheus_rule_evaluation_failures_total[3m]) > 0";
+    #   description = "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}";
+    # };
+
+    # prometheus_template_expansion_failures = {
+    #   condition = "increase(prometheus_template_text_expansion_failures_total[3m]) > 0";
+    #   time = "0m";
+    #   description = "Prometheus encountered {{ $value }} template text expansion failures\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}";
+    # };
+
+    # promtail_file_lagging = {
+    #   condition = ''abs(promtail_file_bytes_total - promtail_read_bytes_total) > 1e6'';
+    #   time = "15m";
+    #   description = ''{{ $labels.instance }} {{ $labels.job }} {{ $labels.path }} has been lagging by more than 1MB for more than 15m.'';
+    # };
+
+    filesystem_root_full_80percent = {
+      condition = ''100 - ((node_filesystem_avail_bytes{fstype!="rootfs",mountpoint="/"} * 100) / node_filesystem_size_bytes{fstype!="rootfs",mountpoint="/"}) > 80'';
+      time = "10m";
+      description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 20% space left on its filesystem.";
+    };
+
+    filesystem_data_full_80percent = {
+      condition = ''100 - ((node_filesystem_avail_bytes{fstype!="rootfs",mountpoint="/var/lib"} * 100) / node_filesystem_size_bytes{fstype!="rootfs",mountpoint="/var/lib"}) > 80'';
+      time = "10m";
+      description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 20% space left on its filesystem.";
+    };
+
+    # filesystem_inodes_full = {
+    #   condition = ''disk_inodes_free / disk_inodes_total < 0.10'';
+    #   time = "10m";
+    #   description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% inodes left on its filesystem.";
+    # };
+
+    # daily_task_not_run = {
+    #   # give 6 hours grace period
+    #   condition = ''time() - task_last_run{state="ok",frequency="daily"} > (24 + 6) * 60 * 60'';
+    #   description = "{{$labels.instance}}: {{$labels.name}} was not run in the last 24h";
+    # };
+
+    # daily_task_failed = {
+    #   condition = ''task_last_run{state="fail"}'';
+    #   description = "{{$labels.instance}}: {{$labels.name}} failed to run";
+    # };
+    # } // (lib.genAttrs [
+    #   "borgbackup-turingmachine"
+    #   "borgbackup-eve"
+    #   "borgbackup-datastore"
+    # ]
+    #   (name: {
+    #     condition = ''absent_over_time(task_last_run{name="${name}"}[1d])'';
+    #     description = "status of ${name} is unknown: no data for a day";
+    #   }))
+    # // {
+
+    # borgbackup_matchbox_not_run = {
+    #   # give 6 hours grace period
+    #   condition = ''time() - task_last_run{state="ok",frequency="daily",name="borgbackup-matchbox"} > 7 * 24 * 60 * 60'';
+    #   description = "{{$labels.instance}}: {{$labels.name}} was not run in the last week";
+    # };
+
+    # borgbackup_matchbox = {
+    #   condition = ''absent_over_time(task_last_run{name="borgbackup-matchbox"}[7d])'';
+    #   description = "status of borgbackup-matchbox is unknown: no data for a week";
+    # };
+
+    # homeassistant = {
+    #   condition = ''
+    #     homeassistant_entity_available{domain="persistent_notification", entity!="persistent_notification.http_login"} >= 0'';
+    #   description =
+    #     "homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}";
+    # };
+
+    #swap_using_20percent = {
+    #  condition = "node_memory_SwapTotal_bytes - (node_memory_SwapCached_bytes + node_memory_SwapFree_bytes) > node_memory_SwapTotal_bytes * 0.2";
+    #  time = "30m";
+    #  description = "{{$labels.instance}} is using 20% of its swap space for at least 30 minutes.";
+    #};
+
+    systemd_service_failed = {
+      condition = ''node_systemd_unit_state{state="failed"} == 1'';
+      description = "{{$labels.instance}} failed to (re)start service {{$labels.name}}.";
+    };
+
+    restic_backup_too_old = {
+      condition = ''(time() - restic_snapshots_latest_time)/(60*60) > 24'';
+      description = "{{$labels.instance}} not backed up for more than 24 hours. ({{$value}})";
+    };
+
+    #host_down = {
+    #  condition = ''up{job="node-stats", instance!~"ahorn.wireguard:9100|kartoffel.wireguard:9100|mega.wireguard:9100"} == 0'';
+    #  description = "{{$labels.instance}} is down!";
+    #};
+
+    # service_not_running = {
+    #   condition = ''systemd_units_active_code{name=~"teamspeak3-server.service|tt-rss.service", sub!="running"}'';
+    #   description = "{{$labels.instance}} should have a running {{$labels.name}}.";
+    # };
+
+    ram_using_90percent = {
+      condition = "node_memory_Buffers_bytes + node_memory_MemFree_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";
+      time = "1h";
+      description = "{{$labels.instance}} is using at least 90% of its RAM for at least 1 hour.";
+    };
+
+    cpu_using_90percent = {
+      condition = ''100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90'';
+      time = "10m";
+      description = "{{$labels.instance}} is running with cpu usage > 90% for at least 10 minutes: {{$value}}";
+    };
+
+    reboot = {
+      condition = "node_boot_time_seconds < 300";
+      description = "{{$labels.instance}} just rebooted.";
+    };
+
+    uptime = {
+      condition = "(time() - node_boot_time_seconds ) / (60*60*24) > 30";
+      description = "Uptime monster: {{$labels.instance}} has been up for more than 30 days.";
+    };
+
+    flake_nixpkgs_outdated = {
+      condition = ''(time() - flake_input_last_modified{input="nixpkgs"}) / (60*60*24) > 30'';
+      description = "Nixpkgs outdated: Nixpkgs on {{$labels.instance}} has not been updated in 30 days";
+    };
+
+    /*
+      ping = {
+      condition = "ping_result_code{type!='mobile'} != 0";
+      description = "{{$labels.url}}: ping from {{$labels.instance}} has failed!";
+      };
+
+      ping_high_latency = {
+      condition = "ping_average_response_ms{type!='mobile'} > 5000";
+      description = "{{$labels.instance}}: ping probe from {{$labels.source}} is encountering high latency!";
+      };
+    */
+    #http_status = {
+    #  condition = ''probe_http_status_code{instance!~"https://pub.solar"} != 200'';
+    #  description = "http request failed from {{$labels.instance}}: {{$labels.result}}!";
+    #};
+    /*
+      http_match_failed = {
+      condition = "http_response_response_string_match == 0";
+      description = "{{$labels.server}} : http body not as expected; status code: {{$labels.status_code}}!";
+      };
+      dns_query = {
+      condition = "dns_query_result_code != 0";
+      description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}}!";
+      };
+      secure_dns_query = {
+      condition = "secure_dns_state != 0";
+      description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}} for protocol {{$labels.protocol}}!";
+      };
+      connection_failed = {
+      condition = "net_response_result_code != 0";
+      description = "{{$labels.server}}: connection to {{$labels.port}}({{$labels.protocol}}) failed from {{$labels.instance}}";
+      };
+      healthchecks = {
+      condition = "hc_check_up == 0";
+      description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
+      };
+    */
+    #cert_expiry = {
+    #  condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 30";
+    #  description = "{{$labels.instance}}: The TLS certificate will expire in less than 30 days: {{$value}}s";
+    #};
+
+    # ignore devices that disabled S.M.A.R.T (example if attached via USB)
+
+    # smart_errors = {
+    #   condition = ''smart_device_health_ok{enabled!="Disabled"} != 1'';
+    #   description =
+    #     "{{$labels.instance}}: S.M.A.R.T reports: {{$labels.device}} ({{$labels.model}}) has errors.";
+    # };
+
+    oom_kills = {
+      condition = "increase(node_vmstat_oom_kill[5m]) > 0";
+      description = "{{$labels.instance}}: OOM kill detected";
+    };
+
+    /*
+      unusual_disk_read_latency = {
+      condition =
+      "rate(diskio_read_time[1m]) / rate(diskio_reads[1m]) > 0.1 and rate(diskio_reads[1m]) > 0";
+      description = ''
+      {{$labels.instance}}: Disk latency is growing (read operations > 100ms)
+      '';
+      };
+
+      unusual_disk_write_latency = {
+      condition =
+      "rate(diskio_write_time[1m]) / rate(diskio_write[1m]) > 0.1 and rate(diskio_write[1m]) > 0";
+      description = ''
+      {{$labels.instance}}: Disk latency is growing (write operations > 100ms)
+      '';
+      };
+    */
+
+    host_memory_under_memory_pressure = {
+      condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
+      description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
+    };
+
+    # ext4_errors = {
+    #   condition = "ext4_errors_value > 0";
+    #   description =
+    #     "{{$labels.instance}}: ext4 has reported {{$value}} I/O errors: check /sys/fs/ext4/*/errors_count";
+    # };
+
+    # alerts_silences_changed = {
+    #   condition = ''abs(delta(alertmanager_silences{state="active"}[1h])) >= 1'';
+    #   description =
+    #     "alertmanager: number of active silences has changed: {{$value}}";
+    # };
+  })
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index de5d88bb..f77081a8 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -11,6 +11,22 @@
     mode = "600";
     owner = "prometheus";
   };
+  age.secrets.alertmanager-envfile = {
+    file = "${flake.self}/secrets/alertmanager-envfile.age";
+    mode = "600";
+    owner = "alertmanager";
+  };
+
+  services.caddy.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
+    logFormat = lib.mkForce ''
+      output discard
+    '';
+    extraConfig = ''
+      bind 10.7.6.2 fd00:fae:fae:fae:fae:2::
+      tls internal
+      reverse_proxy :${toString config.services.prometheus.alertmanager.port}
+    '';
+  };
 
   services.prometheus = {
     enable = true;
@@ -73,5 +89,58 @@
         ];
       }
     ];
+
+    ruleFiles = [
+      (pkgs.writeText "prometheus-rules.yml" (
+        builtins.toJSON {
+          groups = [
+            {
+              name = "alerting-rules";
+              rules = import ./alert-rules.nix { inherit lib; };
+            }
+          ];
+        }
+      ))
+    ];
+
+    alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ];
+
+    alertmanager = {
+      enable = true;
+      # port = 9093; # Default
+      webExternalUrl = "https://alerts.pub.solar";
+      environmentFile = "${config.age.secrets.alertmanager-envfile.path}";
+      configuration = {
+
+        route = {
+          receiver = "all";
+          group_by = [ "instance" ];
+          group_wait = "30s";
+          group_interval = "2m";
+          repeat_interval = "24h";
+        };
+
+        receivers = [
+          {
+            name = "all";
+            # Email config documentation: https://prometheus.io/docs/alerting/latest/configuration/#email_config
+            email_configs = [
+              {
+                send_resolved = true;
+                to = "admins@pub.solar";
+                from = "alerts@pub.solar";
+                smarthost = "mail.greenbaum.zone:465";
+                auth_username = "admins@pub.solar";
+                auth_password = "$SMTP_AUTH_PASSWORD";
+                require_tls = false;
+              }
+            ];
+            # TODO:
+            # For matrix notifications, look into: https://github.com/pinpox/matrix-hook and add a webhook
+            #   webhook_configs = [ { url = "http://127.0.0.1:11000/alert"; } ];
+          }
+        ];
+      };
+    };
   };
 }
diff --git a/secrets/alertmanager-envfile.age b/secrets/alertmanager-envfile.age
new file mode 100644
index 00000000..17191dc1
--- /dev/null
+++ b/secrets/alertmanager-envfile.age
@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw TsTaRLA+9WtN9+FJWpXeP12Af5EXMbo+ANTaLC9YlC8
+Yols084RY1C9gfOrDMwJcFRuGZ/5dgGuJey7RXqm7g0
+-> ssh-ed25519 uYcDNw ZLAINtv10PGMtK5TL5Tf0NyK/r1iww+vTC09ElMGoX0
+EgBB3aiHHdaDue9+Zdxg6mTV2VHeLoDN9wT+hlAzVMk
+-> ssh-rsa f5THog
+aiJqMs3/u06tzs8lx2ISlQm87TDatqEn47v3LB3HehPanRpZx9O1HUIRTeiWkMU9
+XroGe27HQCCPd63QunBHUH7WStA10IS4rHVpMcULB5IM4jwcbOhSYSiGyY2sbv8+
+Nn/04ZOwrfzTabC7moV1DqAw6hnlDqKWp/q5N6xMb780w5vn6Poni3OJfuLaBWaT
+r6WhE5evVt3F4jyYI64fB2hFw4AR2N/zIMOMvBncLFwJf9lbIFdbsENZf94cYceF
+Tj150xdMPuErBsSJQOlfDYSmyioNN3UJUWiYsDeM3nbPEVPHhfTk6b2/lMhSQkcY
+KcuMj/mN/7w7i4HSxW6mUcK2sUMV1BcSSGYRH9ZFf7kq++KpyiP7vB8vaZkcKbfJ
+qqrIcXTuXhR+/bWZWqf/GQOVwRwe1TnqN5MoZHipg3a/UCe0gMM617VwZcfhBzjA
+eW6VUdjSewwA8YHEuDrAeoQ4CMs7y56EaIlr2IlQy6uzJPX9eeO0auO9RZ5AR40a
+7un0FrlTJX9uorpCD/zi3tvd22W5qVoMGZ8vXJShZmT9he9K3Bv6XbzG4DJQ9/nv
+xZ676HUYhWeyYZFBvt6DnEBneiDJFeaV2AeuQY+juHBOfBrbYmlE0S4Pd8uRSJ7w
+u5UJTT+RV5TkZhpCqqYm7DphYocnrv7Ic+QKmvKE4ls
+-> ssh-rsa kFDS0A
+HhilpvIiUps80SXYUXg5vqNmcy8SACvxpC5dTVBU2n+4OVXQY/35Il5ZOrUX3U7a
+arfVp/KaQF7Oncu3x8F6Tp1ibUwmoyAV6OYqqs128nEPwkNbJvwrLY3aEBm+NIzm
+gMlLRjj6EP84TVWgOsenQCS4l957f0QoNVxQ3f+GWdOiZZJFsv//ndsflng8zPlF
+bGZy8c1TxDZfOD0/kW3Nx05c9X0EHKOEoDUc0p4qntrWlflxcvLONCgv1gZuPMF+
+jMsPFP81eu3rkEUxefJ1qbvvGuW0cbzfwiStv7iGQ+Skh/vcoM0qw6p+csNKyHVO
+8nYFcs9kD8067zMnyuqiUHASfZ4rPqTji0iiPC5kZn6N0YSgz2bybkXcoqmy3m6y
+qs0S+RD99o2vCLhW46hZyKAgUyTU1DW42EmnZkPrLoqV7uin8fAwPO/98Q/b3Rkr
+zBRtyTEbooHvOCL8limiRtDl+5LMcjRFNWk8AN+9vHMsYurXPNOCnd8n2Z4MbT2U
+AhpoAD/+8HXp0InBJ/sclITVAc6tPb2CbJW6mrFezH8Ri+/6u+zSF84JDd9ZrCOz
+oIshiGZmhP5mIuspVrxgKlm78a56vQrygpqzvuSSYk3zIJxmhEkZhw09/ga+rhyB
+pkKn7GRyZTfKjwt5nnvW5/bmQndTa13j+7RhkRgBSvU
+-> piv-p256 vRzPNw Awpc8paUfKnP6r0bYsaoeDE9GVSnads4/a3jCVScgS4V
+YydKOS09kyZDYN843SHIsYUimtSQKvGhIuycPWOFojc
+-> piv-p256 zqq/iw A54xbcufPkLpTD+N47AiIe/xZ/0vA5kDJ4p3rIZw0a4A
+1WFP2K3tfUxtdKDBEmT3cx/u1i5nCzFR7cK4kN3WjC4
+-> ssh-ed25519 YFSOsg L0lPSkoPVRKGlJ9MzkJx+cQvnZw/5m/j/JO4aRzd52Q
+o/N7zQkvbGGoadiJSvL6lfuP63uqzxEIxDtIg4tgKIo
+-> ssh-ed25519 iHV63A qfLWZhbDisCSJ4vFFTR+XpRUR0WViuAqarf56M0ekT4
+ZSWW34pFRr0M2jFhnphIPJ5ch37ASM6OgTzyHSo0KAs
+-> ssh-ed25519 BVsyTA JcFezSIfTF+AP8LYfFqz+wIpUrE0aoc1usiLtWxAPQE
+F9uhFyCPK46kIy+ud4V5/ESacQgc9R0JV+JTEZO6nBI
+-> ssh-ed25519 +3V2lQ G4yT1e7B5O2Gy6tusRMxuWOFScynWfFY5AjrJvxMK1o
+n1OVFRqzijWlc+B93cBNdFPz+8CBYOsI5hpF1wz7xr0
+--- 61u55uUc7z59iHF1IeyBLmcR6u7STUhpOPb/ODf75Vc
+<$kxp���H:}�*�/T��$��b�J\F*��W�z�6 �	���<�̹>e?񼐟6ڵ�~�!
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 94a3b110..36202b56 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -60,6 +60,7 @@ in
   "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys;
   "grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
 
+  "alertmanager-envfile.age".publicKeys = flora6Keys ++ adminKeys;
   "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
   "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys =
     flora6Keys ++ nachtigallKeys ++ adminKeys;
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 15e47c01..039dd868 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -1,104 +1,109 @@
 # https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
 resource "namecheap_domain_records" "pub-solar" {
-  domain = "pub.solar"
-  mode = "OVERWRITE"
+  domain     = "pub.solar"
+  mode       = "OVERWRITE"
   email_type = "MX"
 
   record {
     hostname = "flora-6"
-    type = "A"
-    address = "80.71.153.210"
+    type     = "A"
+    address  = "80.71.153.210"
   }
   record {
     hostname = "auth"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "ci"
-    type = "A"
-    address = "80.71.153.210"
+    type     = "A"
+    address  = "80.71.153.210"
+  }
+  record {
+    hostname = "alerts"
+    type     = "A"
+    address  = "10.7.6.2"
   }
   record {
     hostname = "git"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "stream"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "list"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "obs-portal"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "vpn"
-    type = "A"
-    address = "80.71.153.210"
+    type     = "A"
+    address  = "80.71.153.210"
   }
   record {
     hostname = "cache"
-    type = "A"
-    address = "95.217.225.160"
+    type     = "A"
+    address  = "95.217.225.160"
   }
   record {
     hostname = "factorio"
-    type = "A"
-    address = "80.244.242.2"
+    type     = "A"
+    address  = "80.244.242.2"
   }
   record {
     hostname = "collabora"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "@"
-    type = "ALIAS"
-    address = "nachtigall.pub.solar."
-    ttl = 300
+    type     = "ALIAS"
+    address  = "nachtigall.pub.solar."
+    ttl      = 300
   }
   record {
     hostname = "chat"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "cloud"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "turn"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "grafana"
-    type = "A"
-    address = "80.71.153.210"
+    type     = "A"
+    address  = "80.71.153.210"
   }
   record {
     hostname = "hpb"
-    type = "A"
-    address = "80.71.153.239"
+    type     = "A"
+    address  = "80.71.153.239"
   }
   record {
     hostname = "files"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "search"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "stickers.chat"
@@ -107,80 +112,80 @@ resource "namecheap_domain_records" "pub-solar" {
   }
   record {
     hostname = "wiki"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "mastodon"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "matrix"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "tmate"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "www"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   record {
     hostname = "@"
-    type = "TXT"
-    address = "v=spf1 include:spf.greenbaum.zone a:list.pub.solar ~all"
+    type     = "TXT"
+    address  = "v=spf1 include:spf.greenbaum.zone a:list.pub.solar ~all"
   }
   record {
     hostname = "list"
-    type = "TXT"
-    address = "v=spf1 a:list.pub.solar ?all"
+    type     = "TXT"
+    address  = "v=spf1 a:list.pub.solar ?all"
   }
   record {
     hostname = "_dmarc"
-    type = "TXT"
-    address = "v=DMARC1; p=reject;"
+    type     = "TXT"
+    address  = "v=DMARC1; p=reject;"
   }
   record {
     hostname = "_dmarc.list"
-    type = "TXT"
-    address = "v=DMARC1; p=reject;"
+    type     = "TXT"
+    address  = "v=DMARC1; p=reject;"
   }
   record {
     hostname = "modoboa._domainkey"
-    type = "TXT"
-    address = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/EqLMpk0MyL1aQ0JVG44ypTRbZBVA13MFjEntxAvowaWtq1smRbnEwTTKgqUOrUyaM4dVmli1dedne4mk/ncqRAm02KuhtTY+5wXfhTKK53EhqehbKwH+Qvzb12983Qwdau/QTHiFHwXHufMaSsCvd9CRWCp9q68Q7noQqndJeLHT6L0eECd2Zk3ZxJuh+Fxdb7+Kw68Tf6z13Rs+MU01qLM7x0jmSQHa4cv2pk+7NTGMBRp6fVskfbqev5nFkZWJ7rhXEbP9Eukd/L3ro/ubs1quWJotG02gPRKE8fgkm1Ytlws1/pnqpuvKXQS1HzBEP1X2ExezJMzQ1SnZCigQIDAQAB"
+    type     = "TXT"
+    address  = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/EqLMpk0MyL1aQ0JVG44ypTRbZBVA13MFjEntxAvowaWtq1smRbnEwTTKgqUOrUyaM4dVmli1dedne4mk/ncqRAm02KuhtTY+5wXfhTKK53EhqehbKwH+Qvzb12983Qwdau/QTHiFHwXHufMaSsCvd9CRWCp9q68Q7noQqndJeLHT6L0eECd2Zk3ZxJuh+Fxdb7+Kw68Tf6z13Rs+MU01qLM7x0jmSQHa4cv2pk+7NTGMBRp6fVskfbqev5nFkZWJ7rhXEbP9Eukd/L3ro/ubs1quWJotG02gPRKE8fgkm1Ytlws1/pnqpuvKXQS1HzBEP1X2ExezJMzQ1SnZCigQIDAQAB"
   }
   record {
     hostname = "@"
-    type = "MX"
-    address = "mail.greenbaum.zone."
-    mx_pref = "0"
+    type     = "MX"
+    address  = "mail.greenbaum.zone."
+    mx_pref  = "0"
   }
   record {
     hostname = "list"
-    type = "MX"
-    address = "list.pub.solar."
-    mx_pref = "0"
+    type     = "MX"
+    address  = "list.pub.solar."
+    mx_pref  = "0"
   }
   record {
     hostname = "nachtigall"
-    type = "A"
-    address = "138.201.80.102"
+    type     = "A"
+    address  = "138.201.80.102"
   }
   record {
     hostname = "nachtigall"
-    type = "AAAA"
-    address = "2a01:4f8:172:1c25::1"
+    type     = "AAAA"
+    address  = "2a01:4f8:172:1c25::1"
   }
   record {
     hostname = "matrix.test"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
+    type     = "CNAME"
+    address  = "nachtigall.pub.solar."
   }
   # SRV records can only be changed via NameCheap Web UI
   # add comment