diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix
index fdabd61..497c280 100644
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -1,7 +1,17 @@
 { pkgs, lib, ... }:
-{
+let
+ custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+ configureFlags = prev.configureFlags ++ [
+ # Make sure scdaemon never ever again tries to use its own ccid driver
+ "--disable-ccid-driver"
+ ];
+ });
+
+in {
+
+ programs.gnupg.package = custom_gnupg;
 programs.gnupg.agent = {
 enable = true;
 enableSSHSupport = true;
@@ -9,7 +19,7 @@
 };
 environment.systemPackages = with pkgs; [
- gnupg
+ custom_gnupg
 yubikey-personalization
 openpgp-card-tools
diff --git a/flake.lock b/flake.lock
index ccb80a2..7abc6b6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -288,11 +288,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1729256560,
- "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
+ "lastModified": 1729413321,
+ "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
+ "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26",
 "type": "github"
 },
 "original": {
diff --git a/hosts/carbon/wg-clerie.nix b/hosts/carbon/wg-clerie.nix
index 14bf443..36965c6 100644
--- a/hosts/carbon/wg-clerie.nix
+++ b/hosts/carbon/wg-clerie.nix
@@ -5,5 +5,6 @@
 enable = true;
 ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
 ipv4s = [ "10.20.30.111/32" ];
+ defaultViaVPN = false;
 };
 }
diff --git a/hosts/monitoring-3/prometheus.nix b/hosts/monitoring-3/prometheus.nix
index e26ac41..9e9fa52 100644
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -190,6 +190,7 @@ in {
 "www.fem.tu-ilmenau.de"
 "www.heise.de"
 "dyon.net.entr0py.de"
+ "matrix.fachschaften.org"
 ];
 }
 ];
@@ -241,6 +242,7 @@ in {
 "matrix.bau-ha.us"
 "dyon.net.entr0py.de"
 "matrix.entr0py.de"
+ "matrix.fachschaften.org"
 ];
 }
 ];
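Review bot: With `--disable-ccid-driver` scdaemon no longer has a card backend of its own, so this configuration now depends on a running pcscd (`services.pcscd.enable`) that the hunk neither sets nor mentions; if it is enabled elsewhere in the tree, the comment should say so, e.g. `# Disable scdaemon's internal CCID driver so it never competes with pcscd for the token; card access now requires services.pcscd.enable`. The `final` parameter of the `overrideAttrs` lambda is unused; the conventional spelling is `(finalAttrs: prevAttrs: { ... })` or the single-argument `(prev: { ... })` form. I believe the NixOS gnupg module already adds `programs.gnupg.package` to `environment.systemPackages` when the agent is enabled, which would make the `custom_gnupg` entry in the second hunk (`@@ -9,7 +19,7 @@`) redundant — worth checking before keeping both.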
@@ -275,6 +277,7 @@ in {
 {
 targets = [
 "matrix.entr0py.de"
+ "matrix.fachschaften.org"
 ];
 }
 ];
diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix
index 234bddc..a8a845a 100644
--- a/modules/wg-clerie/default.nix
+++ b/modules/wg-clerie/default.nix
@@ -25,6 +25,11 @@ in
 default = [];
 description = "IPv4 interface addresses";
 };
+ defaultViaVPN = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
+ };
 };
 };
@@ -45,7 +50,9 @@ in
 { rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 unreachable"; prio = 20001; }
 # Try direct routing first, fallback to VPN
 { rule = "lookup main"; prio = 21000; }
+ ] ++ (if cfg.defaultViaVPN then [
 { rule = "lookup wg-clerie"; prio = 21001; }
+ ] else []) ++ [
 { rule = "unreachable"; prio = 22000; }
 ];
 rules4 = (concatMap (ip: [
@@ -57,7 +64,9 @@ in
 { rule = "to 78.47.183.82/32 ipproto udp dport 51820 unreachable"; prio = 20001; }
 # Try direct routing first, fallback to VPN
 { rule = "lookup main"; prio = 21000; }
+ ] ++ (if cfg.defaultViaVPN then [
 { rule = "lookup wg-clerie"; prio = 21001; }
+ ] else []) ++ [
 { rule = "unreachable"; prio = 22000; }
 ];
 };
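Review bot: The description of `defaultViaVPN` does not say what `false` does: with the rules in the later hunks, traffic that has no route in the main table then hits `{ rule = "unreachable"; prio = 22000; }` instead of being tunnelled, i.e. it fails closed rather than silently leaving via the underlay. Suggest stating that explicitly, e.g. `description = "Fall back to the wg-clerie routing table for destinations without a route in the main table. When false, such traffic is rejected as unreachable instead of being tunnelled.";`. The option is a single bool applied to both rules4 and rules6, so a host cannot keep the VPN fallback for one address family only; if that is intended, one sentence in the description would stop the next reader from expecting per-protocol control. The enclosing option set starts before this hunk.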
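Review bot: The context comment `# Try direct routing first, fallback to VPN` directly above the new conditional is now wrong whenever `cfg.defaultViaVPN` is false — there is no VPN fallback and the `unreachable` rule at prio 22000 is reached instead; the same applies to the rules4 hunk at `@@ -57,7 +64,9 @@`. Suggest `# Try direct routing first; fall back to the VPN table only when defaultViaVPN is set, otherwise fail closed (unreachable)`. The splice `] ++ (if cfg.defaultViaVPN then [ ... ] else []) ++ [` is heavier than it needs to be; assuming `lib` is in scope (the bare `concatMap`/`mkOption` suggest a `with lib;`), `++ optional cfg.defaultViaVPN { rule = "lookup wg-clerie"; prio = 21001; } ++ [` expresses the same thing on one line in both hunks. The `rules6`/`rules4` expressions this splices into start outside the hunk.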