diff --git a/flake.lock b/flake.lock index 5b7de92..59dacee 100644 --- a/flake.lock +++ b/flake.lock @@ -90,24 +90,6 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ @@ -187,11 +169,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1760106247, - "narHash": "sha256-6eoVSzv2sNlZx3wgIGvwYrbL8X/FpCb/5cw/N/f/v6c=", + "lastModified": 1761187190, + "narHash": "sha256-5ln16iOeWpEX5MO7M3jzFEBNFE42gpFsCvSvPjtF6tQ=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "8ba0df9f335050044eddae848a7be8d9269ecc76", + "rev": "77a07f5d3b775fba67550c38122ebb8d3ee3ba1c", "type": "github" }, "original": { @@ -220,11 +202,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1759395653, - "narHash": "sha256-sv9J1z6CrTPf9lRJLyCN90fZVdQz7LFeX7pIlInH8BQ=", + "lastModified": 1760940149, + "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=", "owner": "YaLTeR", "repo": "niri", - "rev": "ba6e5e082a79901dc89b0d49c5da1b769d652aec", + "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5", "type": "github" }, "original": { 
@@ -265,17 +247,16 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1760071578, - "narHash": "sha256-MZUsqax6PoXPDzhpLyduHoPY4CYYrzL97uKbsx/iGPE=", + "lastModified": 1761240986, + "narHash": "sha256-EjePxTz1P2cdFCPG+M33CGUpBVkD2W+zllZF0Cv1uDY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "65365fe8c09b6c1b6bba1885a126723815376b1b", + "rev": "868d9f20e2d57e78cc53598f760c547a516f6ba7", "type": "github" }, "original": { @@ -286,11 +267,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759994382, - "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=", + "lastModified": 1761016216, + "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7", + "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", "type": "github" }, "original": { @@ -302,11 +283,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1759977445, - "narHash": "sha256-LYr4IDfuihCkFAkSYz5//gT2r1ewcWBYgd5AxPzPLIo=", + "lastModified": 1760965567, + "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2dad7af78a183b6c486702c18af8a9544f298377", + "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93", "type": "github" }, "original": { 
@@ -415,34 +396,20 @@ ] }, "locked": { - "lastModified": 1760271116, - "narHash": "sha256-cdQwPsIryhPrv3Cr99Wupmlj7zycJWk+tDH24TbpqFY=", - "ref": "refs/heads/main", - "rev": "f814eeedc16455c0c9c2c83e28e227633ae4b52a", - "revCount": 217, + "lastModified": 1760288584, + "narHash": "sha256-2eY1f4LV9s5Hc/tb1iuJYPewE4Seyeguf7VdzC9bbbo=", + "ref": "service-improvements", + "rev": "1bb73d664dac78c5d69a02ae67169d76cca7aab4", + "revCount": 218, "type": "git", "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" }, "original": { + "ref": "service-improvements", "type": "git", "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" } }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "xwayland-satellite-stable": { "flake": false, "locked": { @@ -463,11 +430,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", + "lastModified": 1761173223, + "narHash": "sha256-FumZh+fPRaKXkl9Y1uTh5KV7Io/AyOZso+UkqLhLArs=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", + "rev": "bf745144acda1343934e9a094cf9458a54d57889", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b9d02da..b046911 100644 --- a/flake.nix +++ b/flake.nix @@ -35,7 +35,7 @@ }; servicepoint-tanks = { - url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"; + url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git?ref=service-improvements"; inputs.nixpkgs.follows = "nixpkgs"; }; }; 
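Review bot: The new `url` tracks the upstream feature branch `service-improvements` rather than a tag or fixed commit, so every `nix flake update` will fetch whatever that branch points at next; the lock file currently pins the input to rev 1bb73d664dac78c5d69a02ae67169d76cca7aab4, so builds stay reproducible only until the input is next updated. If the branch is a temporary home for changes headed to `main`, a comment on the input saying so makes the follow-up obvious, e.g. `# temporary: tracks upstream feature branch until it lands in main`. Pinning explicitly with `?ref=service-improvements&rev=1bb73d664dac78c5d69a02ae67169d76cca7aab4` would make a move to a newer upstream commit a deliberate edit rather than a side effect of a branch fetch. The hunk for this input is complete, but the surrounding `inputs` set starts and ends outside it.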
@@ -252,7 +252,6 @@ self.nixosModules.nix-ld self.nixosModules.quiet-boot self.nixosModules.firmware-updates - self.nixosModules.servicepoint-tanks home-manager.nixosModules.home-manager servicepoint-simulator.nixosModules.default diff --git a/nixosModules/nix-ld.nix b/nixosModules/nix-ld.nix index 382aa3d..0d09078 100644 --- a/nixosModules/nix-ld.nix +++ b/nixosModules/nix-ld.nix @@ -17,6 +17,7 @@ util-linux xz systemd + icu ]; }; } diff --git a/nixosModules/servicepoint-tanks.nix b/nixosModules/servicepoint-tanks.nix deleted file mode 100644 index 67709f8..0000000 --- a/nixosModules/servicepoint-tanks.nix +++ /dev/null 
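Review bot: Dropping `self.nixosModules.servicepoint-tanks` from this module list removes the hardened systemd unit that `nixosModules/servicepoint-tanks.nix` (deleted in the same commit) defined — `NoNewPrivileges`, `ProtectSystem = "strict"`, `SystemCallFilter`, `RestrictAddressFamilies` and the `DynamicUser` account — and nothing in the diff shows what now provides the service; presumably a module from the upstream `service-improvements` branch, but that is inferred. Whatever replaces it should carry equivalent hardening, and if the `nixosModules.servicepoint-tanks` attribute is still declared elsewhere in flake.nix pointing at the deleted file, it needs removing too or evaluation fails. The surrounding module list starts and ends outside the hunk.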
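Review bot: `icu` joins the nix-ld library list without a comment naming the binary that needs it, and because nix-ld makes these libraries available to every unpackaged dynamically linked executable on the host, the list is worth keeping auditable. Given the ASP.NET Core service visible elsewhere in this commit (`ASPNETCORE_URLS`, `TanksServer`), the likely consumer is a .NET runtime's globalization support, but that is inferred from the rest of the diff; a one-line note such as `icu # globalization support for .NET binaries run via nix-ld (TODO confirm which)` would record the reason. The list's opening and the enclosing attribute lie outside the hunk.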
@@ -1,121 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: -let - cfg = config.services.servicepoint-tanks; - default-user-name = "servicepoint-tanks"; -in -{ - options.services.servicepoint-tanks = { - enable = lib.mkEnableOption "servicepoint-tanks"; - package = lib.mkPackageOption pkgs "servicepoint-tanks" { }; - urls = lib.mkOption { - default = [ "http://localhost:5000" ]; - description = '' - Configures which protocol to bind on which host:port combination. - ''; - type = lib.types.listOf lib.types.str; - example = [ - "http://0.0.0.0" - "http://localhost:5000" - # TODO: allow HTTPS - ]; - }; - user = lib.mkOption { - default = default-user-name; - description = '' - The user under which servicepoint-tanks is run. - - This module utilizes systemd's DynamicUser feature. See the corresponding section in - {manpage}`systemd.exec(5)` for more details. - ''; - type = lib.types.str; - }; - group = lib.mkOption { - default = default-user-name; - description = '' - The group under which servicepoint-tanks is run. - - This module utilizes systemd's DynamicUser feature. See the corresponding section in - {manpage}`systemd.exec(5)` for more details. 
- ''; - type = lib.types.str; - }; - }; - - config = lib.mkIf cfg.enable { - users = { - users = lib.mkIf (cfg.user == default-user-name) { - "${default-user-name}" = { - isSystemUser = true; - group = cfg.group; - }; - }; - - groups = lib.mkIf (cfg.group == default-user-name) { - "${default-user-name}" = { }; - }; - }; - - systemd.services.sericepoint-tanks = { - description = "Run the servicepoint-tanks server"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - - environment = { - ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}"; - }; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - DynamicUser = true; - - Type = "exec"; - ExecStart = "${lib.getBin cfg.package}/bin/TanksServer"; - - # hardening - NoNewPrivileges = true; - CapabilityBoundingSet = null; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - SystemCallArchitectures = "native"; - AmbientCapabilities = ""; - PrivateMounts = true; - PrivateUsers = true; - PrivateTmp = true; - PrivateDevices = true; - ProtectHome = true; - ProtectClock = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ProtectControlGroups = "strict"; - LockPersonality = true; - RemoveIPC = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RestrictNamespaces = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - - # TODO: enable unix domain socket bind - # "AF_UNIX" - ]; - - # TODO: try fully AOT build with: - #MemoryDenyWriteExecute = true; - }; - }; - }; -}