diff --git a/nix/modules/nixos/infrastructure/hetzner-instance/default.nix b/nix/modules/nixos/infrastructure/hetzner-instance/default.nix
index dc3d2b6..cc60dec 100644
--- a/nix/modules/nixos/infrastructure/hetzner-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/hetzner-instance/default.nix
@@ -37,15 +37,6 @@ let
   };
   firewallRules = firewallTcpRules ++ firewallUdpRules ++ firewallIcmpRules ++ cfg.extraFirewallRules;
   firewallEnable = config.networking.firewall.enable;
-  tldFromFqdn =
-    fqdn:
-    let
-      split = lib.strings.splitString "." fqdn;
-    in
-    if lib.lists.length split < 3 then
-      fqdn
-    else
-      lib.strings.removePrefix "${builtins.head split}." fqdn;
 in
 {
   options.khscodes.infrastructure.hetzner-instance = {
diff --git a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
index b0e7152..b641ed5 100644
--- a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
@@ -59,15 +59,6 @@ let
     }
   ];
   firewallRules = firewallTcpRules ++ firewallUdpRules ++ firewallIcmpRules ++ cfg.extraFirewallRules;
-  tldFromFqdn =
-    fqdn:
-    let
-      split = lib.strings.splitString "." fqdn;
-    in
-    if lib.lists.length split < 3 then
-      fqdn
-    else
-      lib.strings.removePrefix "${builtins.head split}." fqdn;
 in
 {
   options.khscodes.infrastructure.khs-openstack-instance = {
diff --git a/nix/systems/aarch64-linux/kas.codes/mailserver/dkim.nix b/nix/systems/aarch64-linux/kas.codes/mailserver/dkim.nix
index 13b0301..32fdf7f 100644
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/dkim.nix
+++ b/nix/systems/aarch64-linux/kas.codes/mailserver/dkim.nix
@@ -79,7 +79,7 @@ in
           name = "snm_rsa._domainkey";
           zone_id = "\${ data.cloudflare_zone.kas_codes.id }";
           type = "TXT";
-          content = ''"v=DKIM1;k=rsa;p=${dkimPublicKey "tls_private_key.dkim_rsa"}"'';
+          content = ''"''${ join("\" \"", regexall(".{1,255}", "v=DKIM1;k=rsa;p=${dkimPublicKey "tls_private_key.dkim_rsa"}" )) }"'';
           comment = "app=kas.codes";
           ttl = 600;
         };
@@ -88,7 +88,7 @@ in
           name = "snm_ed25519._domainkey";
           zone_id = "\${ data.cloudflare_zone.kas_codes.id }";
           type = "TXT";
-          content = ''"v=DKIM1;k=ed25519;p=${dkimPublicKey "tls_private_key.dkim_ed25519"}"'';
+          content = ''"''${ join("\" \"", regexall(".{1,255}", "v=DKIM1;k=ed25519;p=${dkimPublicKey "tls_private_key.dkim_ed25519"}" )) }"'';
           comment = "app=kas.codes";
           ttl = 600;
         };
diff --git a/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix b/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
index 3cd8c3d..52edc66 100644
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
+++ b/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
@@ -1,6 +1,3 @@
-let
-  bcrypt = expr: "\${ jsonencode(bcrypt(${expr})) }";
-in
 {
   khscodes.services.vault-agent.templates = [
     {
@@ -42,7 +39,7 @@ in
           name = "mailserver/users/forgejo";
           data_json = ''
             {
-              "hashed_password": ${bcrypt "resource.random_password.forgejo_mail_passwd.result"},
+              "hashed_password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.bcrypt_hash) },
               "password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.result) }
             }
           '';