diff --git a/.gitignore b/.gitignore
index 217032a..c56a9cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 .direnv
 .pre-commit-config.yaml
 result
-.manifests
diff --git a/README.md b/README.md
index cbf1cd4..19e76c3 100644
--- a/README.md
+++ b/README.md
@@ -5,84 +5,74 @@ We use [Kubenix](https://kubenix.org/) to write Kubernetes deployments in Nix!
 ## Images used
 
 Legend:
-
-- ✨: Image built with Nix (including
-  [NixNG](https://github.com/nix-community/NixNG))
+- ✨: Image built with Nix (including [NixNG](https://github.com/nix-community/NixNG))
 - ✅: Official image or trusted publisher
 - 🫤: Unofficial image
 
-| Status | Image                                          | Comments                                                  |
-| ------ | ---------------------------------------------- | --------------------------------------------------------- |
-| ✨     | `nixng-blog`                                   |                                                           |
-| ✨     | `nixng-dnsmasq`                                |                                                           |
-| ✨     | `nixng-attic`                                  |                                                           |
-| ✨     | `nixng-ntfy-sh`                                |                                                           |
-| ✨     | `nixng-radicale`                               |                                                           |
-| ✨     | `nixng-jellyseerr`                             |                                                           |
-| ✨     | `nixng-radarr`                                 |                                                           |
-| ✨     | `nixng-sonarr`                                 |                                                           |
-| ✨     | `nixng-bazarr`                                 |                                                           |
-| ✨     | `nixng-prowlarr`                               |                                                           |
-| ✨     | `nixng-deluge`                                 |                                                           |
-| ✨     | `nixng-mealie`                                 |                                                           |
-| ✨     | `nixng-atuin`                                  |                                                           |
-| ✅     | `jellyfin/jellyfin`                            |                                                           |
-| ✅     | `postgres:14`                                  | Database for Atuin                                        |
-| ✅     | `ghcr.io/paperless-ngx/paperless-ngx`          |                                                           |
-| ✅     | `docker.io/library/redis:7`                    | Database for Paperless-ngx                                |
-| ✅     | `nextcloud`                                    |                                                           |
-| ✅     | `postgres:15`                                  | Database for Attic, Nextcloud, Paperless-ngx and Hedgedoc |
-| ✅     | `inbucket/inbucket`                            |                                                           |
-| ✅     | `lscr.io/linuxserver/syncthing`                |                                                           |
-| ✅     | `codeberg.org/forgejo/forgejo`                 |                                                           |
-| ✅     | `pihole/pihole`                                |                                                           |
-| ✅     | `ghcr.io/immich-app/immich-server`             |                                                           |
-| ✅     | `ghcr.io/immich-app/immich-machine-learning`   |                                                           |
-| ✅     | `docker.io/redis:6.2-alpine`                   | Database for Immich                                       |
-| ✅     | `docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0` | Database for Immich                                       |
-| ✅     | `tombursch/kitchenowl`                         |                                                           |
-| ✅     | `freshrss/freshrss`                            |                                                           |
-| ✅     | `ubuntu/bind9`                                 |                                                           |
-| ✅     | `quay.io/hedgedoc/hedgedoc`                    |                                                           |
-| 🫤     | `itzg/minecraft-server`                        |                                                           |
-| 🫤     | `teddysun/kms`                                 |                                                           |
-| 🫤     | `mpepping/cyberchef`                           |                                                           |
+| Status   | Image    | Comments       |
+| ---    | ---   | ---     |
+| ✨ | `nixng-blog` | |
+| ✨ | `nixng-dnsmasq` | |
+| ✨ | `nixng-attic` | |
+| ✨ | `nixng-ntfy-sh` | |
+| ✨ | `nixng-radicale` | |
+| ✨ | `nixng-jellyseerr` | |
+| ✨ | `nixng-radarr` | |
+| ✨ | `nixng-sonarr` | |
+| ✨ | `nixng-bazarr` | |
+| ✨ | `nixng-prowlarr` | |
+| ✅ | `jellyfin/jellyfin` | |
+| ✅ | `linuxserver/deluge` | |
+| ✅ | `ghcr.io/atuinsh/atuin` | |
+| ✅ | `postgres:14` | Database for Atuin |
+| ✅ | `ghcr.io/paperless-ngx/paperless-ngx` | |
+| ✅ | `docker.io/library/redis:7` | Database for Paperless-ngx |
+| ✅ | `nextcloud` | |
+| ✅ | `postgres:15` | Database for Attic, Nextcloud, Paperless-ngx and Hedgedoc |
+| ✅ | `inbucket/inbucket` | |
+| ✅ | `lscr.io/linuxserver/syncthing` | |
+| ✅ | `codeberg.org/forgejo/forgejo` | |
+| ✅ | `pihole/pihole` | |
+| ✅ | `ghcr.io/immich-app/immich-server` | |
+| ✅ | `ghcr.io/immich-app/immich-machine-learning` | |
+| ✅ | `docker.io/redis:6.2-alpine` | Database for Immich |
+| ✅ | `docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0` | Database for Immich |
+| ✅ | `tombursch/kitchenowl` | |
+| ✅ | `freshrss/freshrss` | |
+| ✅ | `ubuntu/bind9` | |
+| ✅ | `quay.io/hedgedoc/hedgedoc` | |
+| 🫤 | `itzg/minecraft-server` | |
+| 🫤 | `teddysun/kms` | |
+| 🫤 | `mpepping/cyberchef` | |
 
 ## Acknowledgements
 
-- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS
-  zones
-- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to
-  develop Nix flakes
-- [kubenix](https://kubenix.org/): Declare and deploy Kubernetes resources using
-  Nix
+- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
+- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
+- [kubenix](https://kubenix.org/): Declare and deploy Kubernetes resources using Nix
 - [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
 - [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix
 
 ## Prerequisites
 
-To deploy to the Kubernetes cluster, first make sure you have an admin account
-on the cluster. You can generate this using
-`nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have
-SSH access to the master node. This puts a private key, signed certificate and a
-kubeconfig in the kubeconfig directory
+To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster.
+You can generate this using `nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have SSH access to the master node.
+This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory
 
 ## Bootstrapping
 
-We are now ready to deploy to the Kubernetes cluster. Deployments are done
-through an experimental Kubernetes feature called
-[ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects).
+We are now ready to deploy to the Kubernetes cluster.
+Deployments are done through an experimental Kubernetes feature called [ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects).
 Each applyset is responsible for a set number of resources within a namespace.
 
-If the cluster has not been initialized yet, we must bootstrap it first. Run
-these deployments:
-
+If the cluster has not been initialized yet, we must bootstrap it first.
+Run these deployments:
 - `nix run '.#bootstrap-default-deploy'`
 - `nix run '.#bootstrap-kube-system-deploy'`
 
 ## Deployment
 
-Now the cluster has been initialized and we can deploy applications. To explore
-which applications we can deploy, run `nix flake show`. Then, for each
-application, run `nix run '.#<application>-deploy'`. Or, if you're lazy:
-`nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"`.
+Now the cluster has been initialized and we can deploy applications.
+To explore which applications we can deploy, run `nix flake show`.
+Then, for each application, run `nix run '.#<application>-deploy'`.
+Or, if you're lazy: `nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"`.
diff --git a/applyset-deploy.sh b/applyset-deploy.sh
index f7ec8e7..81bc8dc 100644
--- a/applyset-deploy.sh
+++ b/applyset-deploy.sh
@@ -2,31 +2,11 @@
 
 set -euo pipefail
 
-CREATE_LOCAL_GCROOT=false
-
-while [[ "$#" -gt 0 ]]; do
-	case "$1" in
-	--help)
-		echo "Use --create-local-gcroot to create local GC root"
-		exit 0
-		;;
-	--create-local-gcroot)
-		CREATE_LOCAL_GCROOT=true
-		shift
-		;;
-	*)
-		echo "Unknown option: $1"
-		exit 1
-		;;
-	esac
-done
-
 first_server="${SERVERS%% *}"
-previous_manifest=$(
-	envsubst <<EOF | ssh -T "root@$first_server"
-        if [[ -f "$GCROOTDIR/$NAME.yml" ]]; then
-                cat "$GCROOTDIR/$NAME.yml"
-        fi
+previous_manifest=$(ssh -T "root@$first_server" << EOF
+if [[ -f "$GCROOTDIR/${NAME}.yml" ]]; then
+	cat "$GCROOTDIR/${NAME}.yml"
+fi
 EOF
 )
 
@@ -34,35 +14,30 @@ set +e
 if [ -z "$previous_manifest" ]; then
 	echo No previous manifest found!
 else
-	$DYFF between <(echo "$previous_manifest") "$MANIFEST" \
+	$DYFF between <(echo $previous_manifest) $MANIFEST \
 		--exclude-regexp metadata.labels.kubenix/hash \
 		--exclude-regexp labels.kubenix/hash \
-		--set-exit-code
+		--set-exit-code 
+
+	if [ $? -eq 0 ]; then
+		exit 0
+	fi
 fi
 set -e
 
-read -r -p "Continue? " _
+read -r -p "Continue? " response
 
 echo Uploading closure...
 for server in $SERVERS; do
-	echo Uploading closure to "$server"...
-	nix copy --to "ssh://root@$server" "$MANIFEST"
+	echo Uploading closure to $server...
+	nix copy --to "ssh://root@$server.dmz" $MANIFEST
+	ssh "root@$server.dmz" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"
 done
 
 echo Applying Kubernetes manifest...
 export KUBECTL_APPLYSET=true
-vals eval -fail-on-missing-key-in-map <"$MANIFEST" |
-	kubectl apply -f - \
-		--prune \
-		--applyset applyset-"$NAME" \
-		--namespace "$NAMESPACE"
-
-echo Creating GC roots
-for server in $SERVERS; do
-	ssh "root@$server" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"
-done
-
-if $CREATE_LOCAL_GCROOT; then
-	mkdir -p ./.manifests
-	ln -sf "$MANIFEST" "./.manifests/${NAME}.yml"
-fi
+vals eval -fail-on-missing-key-in-map <$MANIFEST | \
+kubectl apply -f - \
+	--prune \
+	--applyset applyset-$NAME \
+	--namespace $NAMESPACE
diff --git a/deployments.nix b/deployments.nix
index 6469c14..eb0433d 100644
--- a/deployments.nix
+++ b/deployments.nix
@@ -123,14 +123,4 @@
     module.ntfy.enable = true;
     namespace = "ntfy";
   };
-
-  authentik = {
-    module.authentik.enable = true;
-    namespace = "authentik";
-  };
-
-  mealie = {
-    module.mealie.enable = true;
-    namespace = "mealie";
-  };
 }
diff --git a/flake.lock b/flake.lock
index d8fa2dc..6ad2f9b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -6,11 +6,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1740929559,
-        "narHash": "sha256-53kqXVABAkjh+ujEDoID51kLrYzTufwkYLaKftdSRMI=",
+        "lastModified": 1735508994,
+        "narHash": "sha256-SMMX3irZ4Y+0QEAq0mOYEnJIYRe3YnXHrkCSRvdxHxU=",
         "ref": "refs/heads/master",
-        "rev": "0494eff9f5433aad58d9eedbf53dfa591ec1d128",
-        "revCount": 26,
+        "rev": "433c1ef4b5874e2c4782be7322604d17182035ab",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.kun.is/pim/blog"
       },
@@ -19,6 +19,47 @@
         "url": "https://git.kun.is/pim/blog"
       }
     },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat_4",
+        "nixpkgs": "nixpkgs_4",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "servers",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729712798,
+        "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "dns": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -27,11 +68,33 @@
         ]
       },
       "locked": {
-        "lastModified": 1737653493,
-        "narHash": "sha256-qTbv8Pm9WWF63M5Fj0Od9E54/lsbMSQUBHw/s30eFok=",
+        "lastModified": 1733919067,
+        "narHash": "sha256-ZsL5pKwEDhcZhVJh+3IwgHus7kSW/N8qOlBscwB6BCI=",
         "owner": "kirelagin",
         "repo": "dns.nix",
-        "rev": "96e548ae8bd44883afc5bddb9dacd0502542276d",
+        "rev": "a23f43f9762aa96d3e35c8eeefa7610bd0cdf456",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "type": "github"
+      }
+    },
+    "dns_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": [
+          "servers",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726867691,
+        "narHash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ=",
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "rev": "a3196708a56dee76186a9415c187473b94e6cbae",
         "type": "github"
       },
       "original": {
@@ -88,6 +151,70 @@
         "type": "github"
       }
     },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_6": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_7": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -109,6 +236,28 @@
         "type": "github"
       }
     },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "servers",
+          "nix-snapshotter",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1704152458,
+        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1614513358,
@@ -147,11 +296,11 @@
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -163,6 +312,39 @@
       "inputs": {
         "systems": "systems_5"
       },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "locked": {
+        "lastModified": 1614513358,
+        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_6": {
+      "inputs": {
+        "systems": "systems_8"
+      },
       "locked": {
         "lastModified": 1726560853,
         "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@@ -201,14 +383,39 @@
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1742058297,
-        "narHash": "sha256-b4SZc6TkKw8WQQssbN5O2DaCEzmFfvSTPYHlx/SFW9Y=",
+        "lastModified": 1734797603,
+        "narHash": "sha256-ulZN7ps8nBV31SE+dwkDvKIzvN6hroRY8sYOT0w+E28=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "59f17850021620cd348ad2e9c0c64f4e6325ce2a",
+        "rev": "f0f0dc4920a903c3e08f5bdb9246bb572fcae498",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "git-hooks_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_5",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "servers",
+          "nixpkgs-unstable"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1730302582,
+        "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
         "type": "github"
       },
       "original": {
@@ -238,6 +445,28 @@
         "type": "github"
       }
     },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "servers",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "globset": {
       "inputs": {
         "nixpkgs-lib": [
@@ -304,14 +533,38 @@
         "type": "github"
       }
     },
+    "kubenix_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_6",
+        "nixpkgs": [
+          "servers",
+          "nixpkgs-unstable"
+        ],
+        "systems": "systems_9",
+        "treefmt": "treefmt_2"
+      },
+      "locked": {
+        "lastModified": 1717788185,
+        "narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=",
+        "owner": "pizzapim",
+        "repo": "kubenix",
+        "rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pizzapim",
+        "repo": "kubenix",
+        "type": "github"
+      }
+    },
     "nginx": {
       "flake": false,
       "locked": {
-        "lastModified": 1741624327,
-        "narHash": "sha256-O5AHLXzkJUfDjKKzPQcGDhj3L381cGkb58ByJoy1Ttk=",
+        "lastModified": 1735301654,
+        "narHash": "sha256-PHcSyHYyPUwPAls0BgtnGu2e936vhxW2nt7bQxDyGAQ=",
         "owner": "nginx",
         "repo": "nginx",
-        "rev": "d31305653701bd99e8e5e6aa48094599a08f9f12",
+        "rev": "e3a9b6ad08a86e799a3d77da3f2fc507d3c9699e",
         "type": "github"
       },
       "original": {
@@ -329,11 +582,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
         "owner": "nix-community",
         "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
         "type": "github"
       },
       "original": {
@@ -344,11 +597,11 @@
     },
     "nix-kube-generators": {
       "locked": {
-        "lastModified": 1729269463,
-        "narHash": "sha256-8jDDpC99fYl5CSHjZyPwb5PK7nQSknhkpfe8+DXI910=",
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
         "owner": "farcaller",
         "repo": "nix-kube-generators",
-        "rev": "2be4f3cb99e179d9f94e6c8723862421437f8efb",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
         "type": "github"
       },
       "original": {
@@ -380,6 +633,29 @@
         "type": "github"
       }
     },
+    "nix-snapshotter_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_7",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "servers",
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729627456,
+        "narHash": "sha256-TCZdXCmnqCPsd3PjLv/LDSKJhTspLliL0DE+c/XP9BY=",
+        "owner": "pdtpartners",
+        "repo": "nix-snapshotter",
+        "rev": "f2957822a3748c91e678657a1cfd009b0440bbfd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pdtpartners",
+        "repo": "nix-snapshotter",
+        "type": "github"
+      }
+    },
     "nixhelm": {
       "inputs": {
         "flake-utils": "flake-utils_3",
@@ -391,11 +667,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1742237758,
-        "narHash": "sha256-DMQKqoVUPA0ktYnRrgq5eJo3kViZEwW4Es4drULBFTE=",
+        "lastModified": 1735607967,
+        "narHash": "sha256-hdOdhQskvxyPPrf4w/k484xfVEVsqktHjwS0noTRRCw=",
         "owner": "farcaller",
         "repo": "nixhelm",
-        "rev": "2e60d786f987b452464847f7cfed1b2b6a5f50b8",
+        "rev": "6ce9cfd0e06bbf609af333069b3c4e84cd739755",
         "type": "github"
       },
       "original": {
@@ -412,20 +688,73 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1736029062,
-        "narHash": "sha256-7X65+TP0luFpQsA6KV80R05qnWp7NxMaIDryFfJ4MqI=",
+        "lastModified": 1735726395,
+        "narHash": "sha256-rwhsZuwJzJ825Et7YI73G7+wHiPLFfx3SOnozWZfLJ0=",
         "owner": "pizzapim",
         "repo": "NixNG",
-        "rev": "6211c11d7ef2cc8067efcd169e0b8fd02f1816b6",
+        "rev": "dbbbb22d8feed064455a8653a0450b3da5a31424",
         "type": "github"
       },
       "original": {
         "owner": "pizzapim",
-        "ref": "dinit-fixes",
+        "ref": "kubernetes",
         "repo": "NixNG",
         "type": "github"
       }
     },
+    "nixng_2": {
+      "inputs": {
+        "nixpkgs": [
+          "servers",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726571270,
+        "narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
+        "owner": "pizzapim",
+        "repo": "NixNG",
+        "rev": "9538892da603608f0176d07d33b1265e038c0adf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pizzapim",
+        "ref": "dnsmasq",
+        "repo": "NixNG",
+        "type": "github"
+      }
+    },
+    "nixos-facter-modules": {
+      "locked": {
+        "lastModified": 1730737399,
+        "narHash": "sha256-PzJrTMhHb9f46uMxmRD4GjnyVuNqxeyEvxaq7OierUQ=",
+        "owner": "numtide",
+        "repo": "nixos-facter-modules",
+        "rev": "c22b916f629fee6941a2976c62247b0bec68082b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nixos-facter-modules",
+        "type": "github"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1729742320,
+        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1714076141,
@@ -442,13 +771,45 @@
         "type": "github"
       }
     },
+    "nixpkgs-bazarr": {
+      "locked": {
+        "lastModified": 1735086895,
+        "narHash": "sha256-893hOoQn5t9g0r57N0D8/G5WC4pPaNlprjAYO0TWRxc=",
+        "owner": "r-ryantm",
+        "repo": "nixpkgs",
+        "rev": "89e79d58769436a8cfd0d80ae28012d51134f2f3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "r-ryantm",
+        "ref": "auto-update/bazarr",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-jellyseerr": {
+      "locked": {
+        "lastModified": 1735406088,
+        "narHash": "sha256-Cwah5iXhOJ3cbrPYG5oeSyhQ7F7BsAabHTeezD4elh0=",
+        "owner": "coonce",
+        "repo": "nixpkgs",
+        "rev": "25569750ccc0c692128e667a77585d6d27ff7e57",
+        "type": "github"
+      },
+      "original": {
+        "owner": "coonce",
+        "ref": "jellyseerr",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1742241638,
-        "narHash": "sha256-Y/1tCsLOp47lwMTVTdsb/5/ldN0lTFLMHt2dAd9OQEY=",
+        "lastModified": 1735935963,
+        "narHash": "sha256-i6xTJb3sb4BeWypD/DjAmslDzGXZUGU1OFJliaKFuuc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ee090321f15e3cdc78455c91afbcc1f8745544b3",
+        "rev": "20166d17f391d2e11311baaa74344381fa44e4a0",
         "type": "github"
       },
       "original": {
@@ -458,18 +819,82 @@
         "type": "github"
       }
     },
-    "nixpkgs-prowlarr": {
+    "nixpkgs-radicale": {
       "locked": {
-        "lastModified": 1744321727,
-        "narHash": "sha256-+DCwKaFrUQAgFN4DLwQu7/FyX58m35hJ1u6eNaSv7v4=",
-        "owner": "rhoriguchi",
+        "lastModified": 1735496163,
+        "narHash": "sha256-oqUP98g0eqfzCDA/i88qRIBq4BIyxEk9um7dfNGiw+I=",
+        "owner": "erictapen",
         "repo": "nixpkgs",
-        "rev": "07251d38564ea52ccb36255222709a59c18a5677",
+        "rev": "e14050d0c94dc929543f7e4502fda8539d36536f",
         "type": "github"
       },
       "original": {
-        "owner": "rhoriguchi",
-        "ref": "prowlarr",
+        "owner": "erictapen",
+        "ref": "radicale",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_3": {
+      "locked": {
+        "lastModified": 1729357638,
+        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1729818716,
+        "narHash": "sha256-XRfkUsxLzFkMn3Tpstio1gNOIQ+2PZPCKbifJ2IXxlw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "062c4f59744fcffa2e5aa3ef443dc8b4d1674ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -492,11 +917,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1742069588,
-        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
+        "lastModified": 1735471104,
+        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
+        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
         "type": "github"
       },
       "original": {
@@ -508,11 +933,43 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1735554305,
-        "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=",
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1726871744,
+        "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0e82ab234249d8eee3e8c91437802b32c74bb3fd",
+        "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1733097829,
+        "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
         "type": "github"
       },
       "original": {
@@ -534,11 +991,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1738741221,
-        "narHash": "sha256-UiTOA89yQV5YNlO1ZAp4IqJUGWOnTyBC83netvt8rQE=",
+        "lastModified": 1718285706,
+        "narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "be1fe795035d3d36359ca9135b26dcc5321b31fb",
+        "rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
         "type": "github"
       },
       "original": {
@@ -559,9 +1016,67 @@
         "nixhelm": "nixhelm",
         "nixng": "nixng",
         "nixpkgs": "nixpkgs_3",
+        "nixpkgs-bazarr": "nixpkgs-bazarr",
+        "nixpkgs-jellyseerr": "nixpkgs-jellyseerr",
         "nixpkgs-master": "nixpkgs-master",
-        "nixpkgs-prowlarr": "nixpkgs-prowlarr",
+        "nixpkgs-radicale": "nixpkgs-radicale",
+        "servers": "servers",
+        "treefmt-nix": "treefmt-nix_4"
+      }
+    },
+    "servers": {
+      "inputs": {
+        "deploy-rs": "deploy-rs",
+        "disko": "disko",
+        "dns": "dns_2",
+        "flake-utils": "flake-utils_6",
+        "git-hooks": "git-hooks_2",
+        "kubenix": "kubenix_2",
+        "nix-snapshotter": "nix-snapshotter_2",
+        "nixng": "nixng_2",
+        "nixos-facter-modules": "nixos-facter-modules",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
         "treefmt-nix": "treefmt-nix_3"
+      },
+      "locked": {
+        "lastModified": 1733068232,
+        "narHash": "sha256-iZJ/cq07OVk2TQy6UV9JaXgLARQqJedmuPIHTtgVeeo=",
+        "ref": "refs/heads/master",
+        "rev": "68b79e086c4cc6b850ba12c60f3a978d18bd41b1",
+        "revCount": 495,
+        "type": "git",
+        "url": "https://git.kun.is/home/nixos-servers"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.kun.is/home/nixos-servers"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "servers",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_3"
+      },
+      "locked": {
+        "lastModified": 1729775275,
+        "narHash": "sha256-J2vtHq9sw1wWm0aTMXpEEAzsVCUMZDTEe5kiBYccpLE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "78a0e634fc8981d6b564f08b6715c69a755c4c7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {
@@ -639,6 +1154,20 @@
       }
     },
     "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_7": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -653,6 +1182,35 @@
         "type": "github"
       }
     },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_9": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
     "treefmt": {
       "inputs": {
         "nixpkgs": [
@@ -683,11 +1241,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1730120726,
-        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
+        "lastModified": 1717850719,
+        "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
+        "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
         "type": "github"
       },
       "original": {
@@ -716,14 +1274,14 @@
     },
     "treefmt-nix_3": {
       "inputs": {
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1739829690,
-        "narHash": "sha256-mL1szCeIsjh6Khn3nH2cYtwO5YXG6gBiTw1A30iGeDU=",
+        "lastModified": 1730025913,
+        "narHash": "sha256-Y9NtFmP8ciLyRsopcCx1tyoaaStKeq+EndwtGCgww7I=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "3d0579f5cc93436052d94b73925b48973a104204",
+        "rev": "bae131e525cc8718da22fbeb8d8c7c43c4ea502a",
         "type": "github"
       },
       "original": {
@@ -731,6 +1289,64 @@
         "repo": "treefmt-nix",
         "type": "github"
       }
+    },
+    "treefmt-nix_4": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_6"
+      },
+      "locked": {
+        "lastModified": 1735649548,
+        "narHash": "sha256-/4pTzlmABhx26AOTYvFN1OTCxJJL/LBUB49giqoMhJA=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "597705118f16d1dcd0fef99707700d13b2b324d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt_2": {
+      "inputs": {
+        "nixpkgs": [
+          "servers",
+          "kubenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688026376,
+        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_7"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",
diff --git a/flake.nix b/flake.nix
index 815df0d..c875d9f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,10 +4,12 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-master.url = "github:nixos/nixpkgs/master";
-    nixpkgs-prowlarr.url = "github:rhoriguchi/nixpkgs/prowlarr";
     flake-utils.url = "github:numtide/flake-utils";
     treefmt-nix.url = "github:numtide/treefmt-nix";
     blog.url = "git+https://git.kun.is/pim/blog";
+    nixpkgs-jellyseerr.url = "github:coonce/nixpkgs?ref=jellyseerr";
+    nixpkgs-bazarr.url = "github:r-ryantm/nixpkgs?ref=auto-update/bazarr";
+    nixpkgs-radicale.url = "github:erictapen/nixpkgs?ref=radicale";
 
     git-hooks = {
       url = "github:cachix/git-hooks.nix";
@@ -29,8 +31,13 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    servers = {
+      url = "git+https://git.kun.is/home/nixos-servers";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nixng = {
-      url = "github:pizzapim/NixNG/dinit-fixes";
+      url = "github:pizzapim/NixNG/kubernetes";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -53,6 +60,5 @@
       ./formatter.nix
       ./shell.nix
       ./nixng-configurations
-      ./nixng-modules
     ];
 }
diff --git a/globals.nix b/globals.nix
index 9085f1b..40081c5 100644
--- a/globals.nix
+++ b/globals.nix
@@ -1,26 +1,28 @@
-_: {
+{servers, ...}: let
   globals = {
     images = {
-      jellyfin = "jellyfin/jellyfin:10.10.7";
+      jellyfin = "jellyfin/jellyfin:10.10.3";
+      deluge = "linuxserver/deluge:2.1.1";
+      atuin = "ghcr.io/atuinsh/atuin:18.3.0";
       postgres14 = "postgres:14";
       kms = "teddysun/kms:latest";
-      paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.15.3";
+      paperless = "ghcr.io/paperless-ngx/paperless-ngx:2.13.5";
       redis7 = "docker.io/library/redis:7";
-      nextcloud = "nextcloud:30.0.6";
+      nextcloud = "nextcloud:30.0.2";
       postgres15 = "postgres:15";
       inbucket = "inbucket/inbucket:edge";
-      syncthing = "lscr.io/linuxserver/syncthing:1.29.5";
-      forgejo = "codeberg.org/forgejo/forgejo:11.0.1";
-      pihole = "pihole/pihole:2025.02.1";
-      immich = "ghcr.io/immich-app/immich-server:v1.132.1";
-      immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.132.1";
-      immich-redis = "docker.io/valkey/valkey:8-bookworm@sha256:42cba146593a5ea9a622002c1b7cba5da7be248650cbb64ecb9c6c33d29794b1";
-      immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52";
-      kitchenowl = "tombursch/kitchenowl:v0.6.11";
+      syncthing = "lscr.io/linuxserver/syncthing:1.28.0";
+      forgejo = "codeberg.org/forgejo/forgejo:9.0.2";
+      pihole = "pihole/pihole:2024.07.0";
+      immich = "ghcr.io/immich-app/immich-server:v1.122.3";
+      immich-machine-learning = "ghcr.io/immich-app/immich-machine-learning:v1.122.3";
+      immich-redis = "docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8";
+      immich-postgres = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
+      kitchenowl = "tombursch/kitchenowl:v0.6.4";
       cyberchef = "mpepping/cyberchef:latest";
-      freshrss = "freshrss/freshrss:1.26.2";
+      freshrss = "freshrss/freshrss:1.24.3";
       bind9 = "ubuntu/bind9:9.18-22.04_beta";
-      hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.3";
+      hedgedoc = "quay.io/hedgedoc/hedgedoc:1.10.0";
       minecraft = "itzg/minecraft-server:latest";
     };
 
@@ -33,33 +35,7 @@ _: {
         hasMedia = "true";
       };
     };
-
-    routerPublicIPv4 = "89.220.7.89";
-    #routerPublicIPv6 = "2a0d:6e00:1a77::1";
-    bind9Ipv6 = "2a0d:6e00:1a77:30::134";
-
-    # Load balancer IPv4
-    traefikIPv4 = "192.168.30.128";
-    kmsIPv4 = "192.168.30.129";
-    inbucketIPv4 = "192.168.30.130";
-    piholeIPv4 = "192.168.30.131";
-    gitIPv4 = "192.168.30.132";
-    transmissionIPv4 = "192.168.30.133";
-    bind9IPv4 = "192.168.30.134";
-    dnsmasqIPv4 = "192.168.30.135";
-    minecraftIPv4 = "192.168.30.136";
-    jellyseerrIPv4 = "192.168.30.137";
-    syncthingIPv4 = "192.168.30.138";
-    longhornIPv4 = "192.168.30.139";
-    radarrIPv4 = "192.168.30.140";
-    prowlarrIPv4 = "192.168.30.141";
-    sonarrIPv4 = "192.168.30.142";
-    bazarrIPv4 = "192.168.30.143";
-    paperlessIPv4 = "192.168.30.144";
-    radicaleIPv4 = "192.168.30.145";
-    freshrssIPv4 = "192.168.30.146";
-    immichIPv4 = "192.168.30.147";
-    nextcloudIPv4 = "192.168.30.148";
-    nzbgetIPv4 = "192.168.30.149";
   };
+in {
+  globals = globals // servers.globals;
 }
diff --git a/kubenix.nix b/kubenix.nix
index 6f55e05..64806b8 100644
--- a/kubenix.nix
+++ b/kubenix.nix
@@ -8,7 +8,7 @@ inputs @ {
 flake-utils.lib.eachDefaultSystem
 (system: let
   pkgs = nixpkgs.legacyPackages.${system};
-  inherit (pkgs) lib;
+  lib = pkgs.lib;
   deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: {
     buildCommand = "${old.buildCommand}\npatchShebangs $out";
   });
@@ -64,7 +64,7 @@ flake-utils.lib.eachDefaultSystem
       pkgs.symlinkJoin
       {
         name = "applyset-deploy.sh";
-        paths = [deployScript pkgs.vals pkgs.kubectl pkgs.gettext];
+        paths = [deployScript pkgs.vals pkgs.kubectl];
         buildInputs = [pkgs.makeWrapper];
         passthru.manifest = result;
         meta.mainProgram = "applyset-deploy.sh";
diff --git a/modules/attic.nix b/modules/attic.nix
index 3c6a77b..2742b7b 100644
--- a/modules/attic.nix
+++ b/modules/attic.nix
@@ -1,4 +1,5 @@
 {
+  self,
   utils,
   lib,
   config,
diff --git a/modules/atuin.nix b/modules/atuin.nix
index 9552e8f..7485f9f 100644
--- a/modules/atuin.nix
+++ b/modules/atuin.nix
@@ -1,6 +1,5 @@
 {
   config,
-  utils,
   globals,
   lib,
   ...
@@ -30,17 +29,35 @@
           metadata.labels.app = "atuin";
 
           spec = {
-            volumes.database.persistentVolumeClaim.claimName = "database";
+            volumes = {
+              data.persistentVolumeClaim.claimName = "data";
+              database.persistentVolumeClaim.claimName = "database";
+            };
 
             containers = {
               atuin = {
-                image = utils.mkNixNGImage "atuin";
+                image = globals.images.atuin;
+                imagePullPolicy = "IfNotPresent";
                 ports.web.containerPort = 8888;
+                args = ["server" "start"];
 
-                env.ATUIN_DB_URI.valueFrom.secretKeyRef = {
-                  name = "database";
-                  key = "databaseURL";
+                env = {
+                  ATUIN_HOST.value = "0.0.0.0";
+                  ATUIN_PORT.value = "8888";
+                  ATUIN_OPEN_REGISTRATION.value = "false";
+
+                  ATUIN_DB_URI.valueFrom.secretKeyRef = {
+                    name = "database";
+                    key = "databaseURL";
+                  };
                 };
+
+                volumeMounts = [
+                  {
+                    name = "data";
+                    mountPath = "/config";
+                  }
+                ];
               };
 
               database = {
@@ -89,9 +106,16 @@
         };
       };
 
-      longhorn.persistentVolumeClaim.database = {
-        volumeName = "atuin-db";
-        storage = "300Mi";
+      longhorn.persistentVolumeClaim = {
+        data = {
+          volumeName = "atuin";
+          storage = "300Mi";
+        };
+
+        database = {
+          volumeName = "atuin-db";
+          storage = "300Mi";
+        };
       };
     };
   };
diff --git a/modules/authentik.nix b/modules/authentik.nix
deleted file mode 100644
index ad09497..0000000
--- a/modules/authentik.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{
-  nixhelm,
-  system,
-  config,
-  lib,
-  ...
-}: {
-  options.authentik.enable = lib.mkEnableOption "authentik";
-
-  config = lib.mkIf config.authentik.enable {
-    kubernetes = {
-      helm.releases.authentik = {
-        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
-        includeCRDs = true;
-        namespace = "authentik";
-
-        values = {
-          authentik = {
-            email = {
-              host = "mail.smtp2go.com";
-              port = 2525;
-              from = "Authentik authentik@kun.is";
-            };
-          };
-
-          postgresql = {
-            enabled = true;
-            auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
-            primary.persistence.existingClaim = "db";
-            primary.extraEnvVarsSecret = "postgresql-env";
-          };
-
-          redis = {
-            enabled = true;
-            master.persistence.existingClaim = "redis";
-          };
-        };
-      };
-
-      resources = let
-        env = {
-          AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
-          AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
-          AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
-          AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
-        };
-      in {
-        secrets.postgresql-env.stringData = {
-          POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
-        };
-
-        deployments = {
-          authentik-server.spec.template.spec.containers.server.env = env;
-          authentik-worker.spec.template.spec.containers.worker.env = env;
-        };
-      };
-    };
-
-    lab = {
-      longhorn.persistentVolumeClaim = {
-        db = {
-          volumeName = "authentik-db";
-          storage = "10Gi";
-        };
-
-        redis = {
-          volumeName = "authentik-redis";
-          storage = "5Gi";
-        };
-      };
-
-      ingresses.authentik = {
-        host = "authentik.kun.is";
-
-        service = {
-          name = "authentik-server";
-          portName = "http";
-        };
-      };
-
-      tailscaleIngresses = {
-        tailscale-authentik = {
-          host = "authentik";
-          service = {
-            name = "authentik-server";
-            portName = "http";
-          };
-        };
-      };
-    };
-  };
-}
diff --git a/modules/bind9/default.nix b/modules/bind9/default.nix
index 68d4025..5cebe2a 100644
--- a/modules/bind9/default.nix
+++ b/modules/bind9/default.nix
@@ -117,7 +117,6 @@ in {
         bind9-udp = {
           metadata.annotations = {
             "metallb.universe.tf/loadBalancerIPs" = "${globals.bind9IPv4},${globals.bind9Ipv6}";
-            # "metallb.universe.tf/loadBalancerIPs" = "${globals.bind9IPv4}";
             "metallb.universe.tf/allow-shared-ip" = "dns";
           };
 
@@ -138,7 +137,6 @@ in {
         bind9-tcp = {
           metadata.annotations = {
             "metallb.universe.tf/loadBalancerIPs" = "${globals.bind9IPv4},${globals.bind9Ipv6}";
-            # "metallb.universe.tf/loadBalancerIPs" = "${globals.bind9IPv4}";
             "metallb.universe.tf/allow-shared-ip" = "dns";
           };
 
diff --git a/modules/bind9/kun.is.zone.nix b/modules/bind9/kun.is.zone.nix
index 00999e8..3c12587 100644
--- a/modules/bind9/kun.is.zone.nix
+++ b/modules/bind9/kun.is.zone.nix
@@ -5,7 +5,7 @@ with dns.lib.combinators; {
   SOA = {
     nameServer = "ns1";
     adminEmail = "webmaster.kun.is";
-    serial = 2024041302;
+    serial = 2024041301;
   };
 
   NS = [
@@ -24,15 +24,13 @@ with dns.lib.combinators; {
   subdomains = rec {
     "*".A = [globals.routerPublicIPv4];
 
-    ns1 = {
+    ns = {
       A = [globals.routerPublicIPv4];
       AAAA = [];
     };
 
-    ns2 = {
-      A = ["192.145.57.90"];
-      AAAA = [];
-    };
+    ns1 = ns;
+    ns2 = ns;
 
     wg = {
       A = [globals.routerPublicIPv4];
diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix
index 32f4d69..edc12e8 100644
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@@ -16,6 +16,11 @@
           includeCRDs = true;
         };
 
+        # argo-workflows = {
+        #   chart = nixhelm.chartsDerivations.${system}.argoproj.argo-workflows;
+        #   includeCRDs = true;
+        # };
+
         longhorn = {
           chart = nixhelm.chartsDerivations.${system}.longhorn.longhorn;
           includeCRDs = true;
@@ -57,13 +62,11 @@
           minecraft = {};
           tailscale = {};
           ntfy = {};
-          authentik = {};
-          mealie = {};
         };
 
         nodes =
           builtins.mapAttrs
-          (_name: labels: {
+          (name: labels: {
             metadata.labels = labels;
           })
           globals.nodeLabels;
@@ -75,16 +78,30 @@
           concurrency = 1;
         };
 
-        backuptargets.backup.spec = {
-          backupTargetURL = "nfs://lewis.dmz:/mnt/longhorn/persistent/longhorn-backup";
-          pollInterval = "5m0s";
-        };
-
         ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"];
         l2Advertisements.main.metadata = {};
 
-        # We don't need backups for music, just replication is enough.
-        persistentVolumes.music.spec.csi.volumeAttributes.recurringJobSelector = lib.mkForce "";
+        persistentVolumes = {
+          music-syncthing.spec = {
+            capacity.storage = "1Gi";
+            accessModes = ["ReadWriteMany"];
+
+            nfs = {
+              server = "lewis.dmz";
+              path = "/mnt/longhorn/persistent/media/music";
+            };
+          };
+
+          media-media.spec = {
+            capacity.storage = "1Gi";
+            accessModes = ["ReadWriteMany"];
+
+            nfs = {
+              server = "lewis.dmz";
+              path = "/mnt/longhorn/persistent/media";
+            };
+          };
+        };
       };
     };
 
@@ -92,6 +109,7 @@
       longhorn.persistentVolume = {
         freshrss.storage = "1Gi";
         radicale.storage = "200Mi";
+        atuin.storage = "300Mi";
         atuin-db.storage = "300Mi";
         nextcloud.storage = "50Gi";
         nextcloud-db.storage = "400Mi";
@@ -109,22 +127,16 @@
         immich-db.storage = "5Gi";
         attic.storage = "15Gi";
         attic-db.storage = "150Mi";
-        jellyfin.storage = "10Gi";
+        jellyfin.storage = "5Gi";
         transmission.storage = "25Mi";
         jellyseerr.storage = "75Mi";
         radarr.storage = "300Mi";
         prowlarr.storage = "150Mi";
-        sonarr.storage = "250Mi";
+        sonarr.storage = "150Mi";
         bazarr.storage = "25Mi";
         minecraft.storage = "1Gi";
         ntfy.storage = "300Mi";
         deluge.storage = "500Mi";
-        keepassxc.storage = "100Mi";
-        authentik-db.storage = "10Gi";
-        authentik-redis.storage = "5Gi";
-        mealie.storage = "3Gi";
-        music.storage = "70Gi";
-        nzbget.storage = "150Mi";
       };
 
       tailscaleIngresses.tailscale-longhorn = {
diff --git a/modules/default.nix b/modules/default.nix
index f730e1c..c976c14 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -29,7 +29,5 @@
     ./tailscale.nix
     ./ntfy.nix
     ./minecraft.nix
-    ./authentik.nix
-    ./mealie.nix
   ];
 }
diff --git a/modules/dummy-types.nix b/modules/dummy-types.nix
index d54dd1f..0a6a7f7 100644
--- a/modules/dummy-types.nix
+++ b/modules/dummy-types.nix
@@ -38,19 +38,5 @@
       version = "v1beta1";
       kind = "RecurringJob";
     };
-
-    middlewares = {
-      attrName = "middlewares";
-      group = "traefik.io";
-      version = "v1alpha1";
-      kind = "Middleware";
-    };
-
-    backuptargets = {
-      attrName = "backuptargets";
-      group = "longhorn.io";
-      version = "v1beta1";
-      kind = "BackupTarget";
-    };
   };
 }
diff --git a/modules/forgejo/config.nix b/modules/forgejo/config.nix
index 133ad38..7f49f33 100644
--- a/modules/forgejo/config.nix
+++ b/modules/forgejo/config.nix
@@ -7,18 +7,11 @@
   "repository.pull-request".DEFAULT_MERGE_STYLE = "merge";
   "repository.signing".DEFAULT_TRUST_MODEL = "committer";
   ui.DEFAULT_THEME = "forgejo-light";
-
   oauth2 = {
-    ENABLED = true;
+    ENABLED = false;
     JWT_SECRET = "ref+sops://secrets.yml#/forgejo/jwtSecret";
   };
 
-  oauth2_client = {
-    ENABLE_AUTO_REGISTRATION = true;
-    ACCOUNT_LINKING = "auto";
-    USERNAME = "email";
-  };
-
   DEFAULT = {
     APP_NAME = "Forgejo: Beyond coding. We forge.";
     RUN_MODE = "prod";
@@ -92,11 +85,11 @@
   };
 
   service = {
-    DISABLE_REGISTRATION = false;
+    DISABLE_REGISTRATION = true;
     REQUIRE_SIGNIN_VIEW = false;
     REGISTER_EMAIL_CONFIRM = false;
     ENABLE_NOTIFY_MAIL = false;
-    ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+    ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
     ENABLE_CAPTCHA = false;
     DEFAULT_KEEP_EMAIL_PRIVATE = true;
     DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
@@ -105,7 +98,7 @@
   };
 
   openid = {
-    ENABLE_OPENID_SIGNIN = false;
+    ENABLE_OPENID_SIGNIN = true;
     ENABLE_OPENID_SIGNUP = false;
   };
 }
diff --git a/modules/freshrss.nix b/modules/freshrss.nix
index 614fb78..0581d95 100644
--- a/modules/freshrss.nix
+++ b/modules/freshrss.nix
@@ -36,13 +36,6 @@
                 CRON_MIN.value = "2,32";
                 ADMIN_EMAIL.value = "pim@kunis.nl";
                 PUBLISHED_PORT.value = "443";
-                OIDC_ENABLED.value = "1";
-                OIDC_PROVIDER_METADATA_URL.value = "https://authentik.kun.is/application/o/freshrss/.well-known/openid-configuration";
-                OIDC_CLIENT_ID.value = "5J2L7Ufq4KMayQ8qrqxHCslxHWL2SXNMKJmsbbiQ";
-                OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/freshrss/client_secret";
-                OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
-                OIDC_SCOPES.value = "openid email profile";
-                OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
 
                 ADMIN_PASSWORD.valueFrom.secretKeyRef = {
                   name = "server";
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index b9471b4..d41b200 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -54,17 +54,6 @@
                   CMD_PROTOCOL_USESSL.value = "true";
                   CMD_CSP_ENABLE.value = "false";
 
-                  CMD_OAUTH2_PROVIDERNAME.value = "Authentik";
-                  CMD_OAUTH2_CLIENT_ID.value = "ZF56062l4BPnq2INv2zaO9cEiE6sAj7CrxbWhExj";
-                  CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/hedgedoc/client_secret";
-                  CMD_OAUTH2_SCOPE.value = "openid email profile";
-                  CMD_OAUTH2_USER_PROFILE_URL.value = "https://authentik.kun.is/application/o/userinfo/";
-                  CMD_OAUTH2_TOKEN_URL.value = "https://authentik.kun.is/application/o/token/";
-                  CMD_OAUTH2_AUTHORIZATION_URL.value = "https://authentik.kun.is/application/o/authorize/";
-                  CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
-                  CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
-                  CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";
-
                   CMD_DB_URL.valueFrom.secretKeyRef = {
                     name = "hedgedoc";
                     key = "databaseURL";
diff --git a/modules/inbucket.nix b/modules/inbucket.nix
index 7da77a7..7fbc481 100644
--- a/modules/inbucket.nix
+++ b/modules/inbucket.nix
@@ -21,14 +21,7 @@
 
             containers.inbucket = {
               image = globals.images.inbucket;
-              env = {
-                INBUCKET_MAILBOXNAMING.value = "full";
-                INBUCKET_SMTP_DEFAULTACCEPT.value = "false";
-                INBUCKET_SMTP_ACCEPTDOMAINS.value = "kun.is";
-                INBUCKET_SMTP_DEFAULTSTORE.value = "false";
-                INBUCKET_SMTP_STOREDOMAINS.value = "kun.is";
-                INBUCKET_STORAGE_RETENTIONPERIOD.value = "168h";
-              };
+
               ports = {
                 web.containerPort = 9000;
                 smtp.containerPort = 2500;
diff --git a/modules/ingress.nix b/modules/ingress.nix
index d6a27aa..9dbcb86 100644
--- a/modules/ingress.nix
+++ b/modules/ingress.nix
@@ -47,7 +47,7 @@ in {
 
           rules = [
             {
-              inherit (ingress) host;
+              host = ingress.host;
 
               http.paths = [
                 {
@@ -55,7 +55,7 @@ in {
                   pathType = "Prefix";
 
                   backend.service = {
-                    inherit (ingress.service) name;
+                    name = ingress.service.name;
                     port.name = ingress.service.portName;
                   };
                 }
diff --git a/modules/kitchenowl.nix b/modules/kitchenowl.nix
index d2bbf15..1042468 100644
--- a/modules/kitchenowl.nix
+++ b/modules/kitchenowl.nix
@@ -33,16 +33,9 @@
               ports.web.containerPort = 8080;
               imagePullPolicy = "IfNotPresent";
 
-              env = {
-                FRONT_URL.value = "https://boodschappen.kun.is";
-                OIDC_ISSUER.value = "https://authentik.kun.is/application/o/kitchenowl/";
-                OIDC_CLIENT_ID.value = "OptR5S9hPix9beuJWFdfNBWRBr2l0nPx7mj8FpB3";
-                OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/kitchenowl/client_secret";
-
-                JWT_SECRET_KEY.valueFrom.secretKeyRef = {
-                  name = "server";
-                  key = "jwtSecretKey";
-                };
+              env.JWT_SECRET_KEY.valueFrom.secretKeyRef = {
+                name = "server";
+                key = "jwtSecretKey";
               };
 
               volumeMounts = [
diff --git a/modules/longhorn-volume.nix b/modules/longhorn-volume.nix
index db08037..6eb4bfd 100644
--- a/modules/longhorn-volume.nix
+++ b/modules/longhorn-volume.nix
@@ -3,7 +3,7 @@
   config,
   ...
 }: let
-  longhornVolumeOpts = _: {
+  longhornVolumeOpts = {name, ...}: {
     options = {
       storage = lib.mkOption {
         type = lib.types.str;
@@ -16,7 +16,7 @@
     };
   };
 
-  longhornPVOpts = _: {
+  longhornPVOpts = {name, ...}: {
     options = {
       storage = lib.mkOption {
         type = lib.types.str;
@@ -71,7 +71,7 @@ in {
 
               claimRef = {
                 inherit name;
-                inherit (longhornVolume) namespace;
+                namespace = longhornVolume.namespace;
               };
 
               csi = {
@@ -134,7 +134,7 @@ in {
       persistentVolumeClaims =
         lib.mergeAttrs
         (builtins.mapAttrs
-          (_name: longhornVolume: {
+          (name: longhornVolume: {
             spec = {
               accessModes = ["ReadWriteOnce"];
               resources.requests.storage = longhornVolume.storage;
@@ -143,12 +143,12 @@ in {
           })
           config.lab.longhornVolumes)
         (builtins.mapAttrs
-          (_name: longhornPVC: {
+          (name: longhornPVC: {
             spec = {
               accessModes = ["ReadWriteOnce"];
               resources.requests.storage = longhornPVC.storage;
               storageClassName = "";
-              inherit (longhornPVC) volumeName;
+              volumeName = longhornPVC.volumeName;
             };
           })
           config.lab.longhorn.persistentVolumeClaim);
diff --git a/modules/mealie.nix b/modules/mealie.nix
deleted file mode 100644
index df3db99..0000000
--- a/modules/mealie.nix
+++ /dev/null
@@ -1,76 +0,0 @@
-{
-  lib,
-  config,
-  utils,
-  ...
-}: {
-  options.mealie.enable = lib.mkEnableOption "mealie";
-
-  config = lib.mkIf config.mealie.enable {
-    kubernetes.resources = {
-      deployments.mealie.spec = {
-        selector.matchLabels.app = "mealie";
-
-        strategy = {
-          type = "RollingUpdate";
-
-          rollingUpdate = {
-            maxSurge = 0;
-            maxUnavailable = 1;
-          };
-        };
-
-        template = {
-          metadata.labels.app = "mealie";
-
-          spec = {
-            containers.mealie = {
-              image = utils.mkNixNGImage "mealie";
-              ports.web.containerPort = 8000;
-
-              env = {
-                SMTP_USER.value = "ref+sops://secrets.yml#/smtp2go/username";
-                SMTP_PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
-                OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/mealie/client_secret";
-              };
-
-              volumeMounts = [
-                {
-                  name = "mealie";
-                  mountPath = "/data";
-                }
-              ];
-            };
-
-            volumes.mealie.persistentVolumeClaim.claimName = "mealie";
-          };
-        };
-      };
-
-      services.mealie.spec = {
-        selector.app = "mealie";
-
-        ports.web = {
-          port = 80;
-          targetPort = "web";
-        };
-      };
-    };
-
-    lab = {
-      ingresses.mealie = {
-        host = "mealie.kun.is";
-
-        service = {
-          name = "mealie";
-          portName = "web";
-        };
-      };
-
-      longhorn.persistentVolumeClaim.mealie = {
-        volumeName = "mealie";
-        storage = "3Gi";
-      };
-    };
-  };
-}
diff --git a/modules/media.nix b/modules/media.nix
index a9b4565..3b4be3e 100644
--- a/modules/media.nix
+++ b/modules/media.nix
@@ -4,742 +4,550 @@
   lib,
   utils,
   ...
-}: let
-  cfg = config.media;
-in {
-  options.media = {
-    enable = lib.mkEnableOption "media";
-    jellyfin.enable = (lib.mkEnableOption "jellyfin") // {default = true;};
-    deluge.enable = (lib.mkEnableOption "deluge") // {default = true;};
-    jellyseerr.enable = (lib.mkEnableOption "jellyseerr") // {default = true;};
-    radarr.enable = (lib.mkEnableOption "radarr") // {default = true;};
-    prowlarr.enable = (lib.mkEnableOption "prowlarr") // {default = true;};
-    sonarr.enable = (lib.mkEnableOption "sonarr") // {default = true;};
-    bazarr.enable = (lib.mkEnableOption "bazarr") // {default = true;};
-    nzbget.enable = (lib.mkEnableOption "nzbget") // {default = true;};
-  };
+}: {
+  options.media.enable = lib.mkEnableOption "media";
 
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf config.media.enable {
     kubernetes.resources = {
       deployments = {
-        jellyfin = lib.mkIf cfg.jellyfin.enable {
-          spec = {
-            selector.matchLabels = {
+        jellyfin.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "jellyfin";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "jellyfin";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              containers.jellyfin = {
+                image = globals.images.jellyfin;
+                ports.web.containerPort = 8096;
+                imagePullPolicy = "IfNotPresent";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
+                env.JELLYFIN_PublishedServerUrl.value = "https://media.kun.is";
 
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "jellyfin";
-              };
-
-              spec = {
-                containers.jellyfin = {
-                  image = globals.images.jellyfin;
-                  ports.web.containerPort = 8096;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env.JELLYFIN_PublishedServerUrl.value = "https://media.kun.is";
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                    {
-                      name = "cache";
-                      mountPath = "/config/transcodes";
-                    }
-                    {
-                      name = "music";
-                      mountPath = "/media/music";
-                    }
-                  ];
-                };
-
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "jellyfin";
-                  cache.persistentVolumeClaim.claimName = "jellyfin-cache";
-                  music.persistentVolumeClaim.claimName = "music";
-
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
-                };
-
-                securityContext = {
-                  fsGroup = 0;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                volumeMounts = [
                   {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                  {
+                    name = "media";
+                    mountPath = "/media";
+                  }
+                  {
+                    name = "cache";
+                    mountPath = "/config/transcodes";
                   }
                 ];
               };
+
+              volumes = {
+                config.persistentVolumeClaim.claimName = "jellyfin";
+                cache.persistentVolumeClaim.claimName = "jellyfin-cache";
+
+                media.hostPath = {
+                  path = "/mnt/longhorn/persistent/media";
+                  type = "Directory";
+                };
+              };
+
+              securityContext = {
+                fsGroup = 0;
+                fsGroupChangePolicy = "OnRootMismatch";
+              };
+
+              affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                {
+                  matchExpressions = [
+                    {
+                      key = "hasMedia";
+                      operator = "In";
+                      values = ["true"];
+                    }
+                  ];
+                }
+              ];
             };
           };
         };
 
-        deluge = lib.mkIf cfg.deluge.enable {
-          spec = {
-            selector.matchLabels = {
+        deluge.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "deluge";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "deluge";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              containers.deluge = {
+                image = globals.images.deluge;
+                imagePullPolicy = "IfNotPresent";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
-
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "deluge";
-              };
-
-              spec = {
-                containers.deluge = {
-                  image = utils.mkNixNGImage "deluge";
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    PUID.value = "1000";
-                    PGID.value = "1000";
-                    TZ.value = "Europe/Amsterdam";
-                    DELUGE_LOGLEVEL.value = "info";
-                  };
-
-                  ports = {
-                    web.containerPort = 8112;
-                    bittorrent.containerPort = 31780;
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                  ];
+                env = {
+                  PUID.value = "1000";
+                  PGID.value = "1000";
+                  TZ.value = "Europe/Amsterdam";
+                  DELUGE_LOGLEVEL.value = "info";
                 };
 
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "deluge";
-
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
+                ports = {
+                  web.containerPort = 8112;
+                  bittorrent.containerPort = 31780;
                 };
 
-                securityContext = {
-                  fsGroup = 51;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                volumeMounts = [
                   {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                  {
+                    name = "media";
+                    mountPath = "/media";
                   }
                 ];
               };
+
+              volumes = {
+                config.persistentVolumeClaim.claimName = "deluge";
+                media.persistentVolumeClaim.claimName = "media";
+              };
             };
           };
         };
 
-        nzbget = lib.mkIf cfg.nzbget.enable {
-          spec = {
-            selector.matchLabels = {
-              app = "media";
-              component = "nzbget";
-            };
+        jellyseerr.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "jellyseerr";
+          };
 
-            strategy = {
-              type = "RollingUpdate";
+          strategy = {
+            type = "RollingUpdate";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
-
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "nzbget";
-              };
-
-              spec = {
-                containers.nzbget = {
-                  image = utils.mkNixNGImage "nzbget";
-                  imagePullPolicy = "IfNotPresent";
-                  stdin = true;
-                  tty = true;
-
-                  ports.web.containerPort = 6789;
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/home/nzbget";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                  ];
-                };
-
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "nzbget";
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
-                  {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
-                  }
-                ];
-              };
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
             };
           };
-        };
 
-        jellyseerr = lib.mkIf cfg.jellyseerr.enable {
-          spec = {
-            selector.matchLabels = {
+          template = {
+            metadata.labels = {
               app = "media";
               component = "jellyseerr";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              volumes.config.persistentVolumeClaim.claimName = "jellyseerr";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
+              containers.jellyseerr = {
+                image = utils.mkNixNGImage "jellyseerr";
+                ports.web.containerPort = 5055;
+                imagePullPolicy = "IfNotPresent";
 
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "jellyseerr";
-              };
-
-              spec = {
-                volumes.config.persistentVolumeClaim.claimName = "jellyseerr";
-
-                containers.jellyseerr = {
-                  image = utils.mkNixNGImage "jellyseerr";
-                  ports.web.containerPort = 5055;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    LOG_LEVEL.value = "debug";
-                    TZ.value = "Europe/Amsterdam";
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/app/config";
-                    }
-                  ];
+                env = {
+                  LOG_LEVEL.value = "debug";
+                  TZ.value = "Europe/Amsterdam";
                 };
 
-                securityContext = {
-                  # TODO: don't hardcode this
-                  fsGroup = 51;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
+                volumeMounts = [
+                  {
+                    name = "config";
+                    mountPath = "/app/config";
+                  }
+                ];
+              };
+
+              securityContext = {
+                fsGroup = 0;
+                fsGroupChangePolicy = "OnRootMismatch";
               };
             };
           };
         };
 
-        radarr = lib.mkIf cfg.radarr.enable {
-          spec = {
-            selector.matchLabels = {
+        radarr.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "radarr";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "radarr";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              containers.radarr = {
+                image = utils.mkNixNGImage "radarr";
+                ports.web.containerPort = 7878;
+                imagePullPolicy = "IfNotPresent";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
-
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "radarr";
-              };
-
-              spec = {
-                containers.radarr = {
-                  image = utils.mkNixNGImage "radarr";
-                  ports.web.containerPort = 7878;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    PUID.value = "1000";
-                    PGID.value = "1000";
-                    TZ.value = "Europe/Amsterdam";
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                  ];
+                env = {
+                  PUID.value = "1000";
+                  PGID.value = "1000";
+                  TZ.value = "Europe/Amsterdam";
                 };
 
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "radarr";
-
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
-                };
-
-                securityContext = {
-                  fsGroup = 410;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                volumeMounts = [
                   {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                  {
+                    name = "media";
+                    mountPath = "/media";
                   }
                 ];
               };
+
+              volumes = {
+                config.persistentVolumeClaim.claimName = "radarr";
+                media.persistentVolumeClaim.claimName = "media";
+              };
+
+              securityContext = {
+                fsGroup = 1000;
+                fsGroupChangePolicy = "OnRootMismatch";
+              };
             };
           };
         };
 
-        prowlarr = lib.mkIf cfg.prowlarr.enable {
-          spec = {
-            selector.matchLabels = {
+        prowlarr.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "prowlarr";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "prowlarr";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              volumes.config.persistentVolumeClaim.claimName = "prowlarr";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
+              containers.prowlarr = {
+                image = utils.mkNixNGImage "prowlarr";
+                ports.web.containerPort = 9696;
+                imagePullPolicy = "IfNotPresent";
 
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "prowlarr";
-              };
-
-              spec = {
-                volumes.config.persistentVolumeClaim.claimName = "prowlarr";
-
-                containers.prowlarr = {
-                  image = utils.mkNixNGImage "prowlarr";
-                  ports.web.containerPort = 9696;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    PUID.value = "1000";
-                    PGID.value = "1000";
-                    TZ.value = "Europe/Amsterdam";
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                  ];
+                env = {
+                  PUID.value = "1000";
+                  PGID.value = "1000";
+                  TZ.value = "Europe/Amsterdam";
                 };
 
-                securityContext = {
-                  fsGroup = 413;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
+                volumeMounts = [
+                  {
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                ];
+              };
+
+              securityContext = {
+                fsGroup = 1000;
+                fsGroupChangePolicy = "OnRootMismatch";
               };
             };
           };
         };
 
-        sonarr = lib.mkIf cfg.sonarr.enable {
-          spec = {
-            selector.matchLabels = {
+        sonarr.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "sonarr";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "sonarr";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              containers.sonarr = {
+                image = utils.mkNixNGImage "sonarr";
+                ports.web.containerPort = 8989;
+                imagePullPolicy = "IfNotPresent";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
-
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "sonarr";
-              };
-
-              spec = {
-                containers.sonarr = {
-                  image = utils.mkNixNGImage "sonarr";
-                  ports.web.containerPort = 8989;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    PUID.value = "1000";
-                    PGID.value = "1000";
-                    TZ.value = "Europe/Amsterdam";
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                  ];
+                env = {
+                  PUID.value = "1000";
+                  PGID.value = "1000";
+                  TZ.value = "Europe/Amsterdam";
                 };
 
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "sonarr";
-
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
-                };
-
-                securityContext = {
-                  fsGroup = 411;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                volumeMounts = [
                   {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                  {
+                    name = "media";
+                    mountPath = "/media";
                   }
                 ];
               };
+
+              volumes = {
+                config.persistentVolumeClaim.claimName = "sonarr";
+                media.persistentVolumeClaim.claimName = "media";
+              };
+
+              securityContext = {
+                fsGroup = 1000;
+                fsGroupChangePolicy = "OnRootMismatch";
+              };
             };
           };
         };
 
-        bazarr = lib.mkIf cfg.bazarr.enable {
-          spec = {
-            selector.matchLabels = {
+        bazarr.spec = {
+          selector.matchLabels = {
+            app = "media";
+            component = "bazarr";
+          };
+
+          strategy = {
+            type = "RollingUpdate";
+
+            rollingUpdate = {
+              maxSurge = 0;
+              maxUnavailable = 1;
+            };
+          };
+
+          template = {
+            metadata.labels = {
               app = "media";
               component = "bazarr";
             };
 
-            strategy = {
-              type = "RollingUpdate";
+            spec = {
+              containers.bazarr = {
+                image = utils.mkNixNGImage "bazarr";
+                ports.web.containerPort = 6767;
+                imagePullPolicy = "IfNotPresent";
 
-              rollingUpdate = {
-                maxSurge = 0;
-                maxUnavailable = 1;
-              };
-            };
-
-            template = {
-              metadata.labels = {
-                app = "media";
-                component = "bazarr";
-              };
-
-              spec = {
-                containers.bazarr = {
-                  image = utils.mkNixNGImage "bazarr";
-                  ports.web.containerPort = 6767;
-                  imagePullPolicy = "IfNotPresent";
-
-                  env = {
-                    PUID.value = "1000";
-                    PGID.value = "1000";
-                    TZ.value = "Europe/Amsterdam";
-                  };
-
-                  volumeMounts = [
-                    {
-                      name = "config";
-                      mountPath = "/config";
-                    }
-                    {
-                      name = "media";
-                      mountPath = "/media";
-                    }
-                  ];
+                env = {
+                  PUID.value = "1000";
+                  PGID.value = "1000";
+                  TZ.value = "Europe/Amsterdam";
                 };
 
-                volumes = {
-                  config.persistentVolumeClaim.claimName = "bazarr";
-
-                  media.hostPath = {
-                    path = "/mnt/longhorn/persistent/media";
-                    type = "Directory";
-                  };
-                };
-
-                securityContext = {
-                  fsGroup = 412;
-                  fsGroupChangePolicy = "OnRootMismatch";
-                };
-
-                affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms = [
+                volumeMounts = [
                   {
-                    matchExpressions = [
-                      {
-                        key = "hasMedia";
-                        operator = "In";
-                        values = ["true"];
-                      }
-                    ];
+                    name = "config";
+                    mountPath = "/config";
+                  }
+                  {
+                    name = "media";
+                    mountPath = "/media";
                   }
                 ];
               };
+
+              volumes = {
+                config.persistentVolumeClaim.claimName = "bazarr";
+                media.persistentVolumeClaim.claimName = "media";
+              };
+
+              securityContext = {
+                fsGroup = 1000;
+                fsGroupChangePolicy = "OnRootMismatch";
+              };
             };
           };
         };
       };
 
       services = {
-        jellyfin = lib.mkIf cfg.jellyfin.enable {
-          spec = {
-            selector = {
-              app = "media";
-              component = "jellyfin";
+        jellyfin.spec = {
+          selector = {
+            app = "media";
+            component = "jellyfin";
+          };
+
+          ports.web = {
+            port = 80;
+            targetPort = "web";
+          };
+        };
+
+        deluge.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.transmissionIPv4;
+
+          selector = {
+            app = "media";
+            component = "deluge";
+          };
+
+          ports = {
+            bittorrent = {
+              port = 31780;
+              targetPort = "bittorrent";
             };
 
-            ports.web = {
+            web = {
               port = 80;
               targetPort = "web";
             };
           };
         };
 
-        deluge = lib.mkIf cfg.deluge.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.transmissionIPv4;
+        jellyseerr.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.jellyseerrIPv4;
 
-            selector = {
-              app = "media";
-              component = "deluge";
-            };
+          selector = {
+            app = "media";
+            component = "jellyseerr";
+          };
 
-            ports = {
-              bittorrent = {
-                port = 31780;
-                targetPort = "bittorrent";
-              };
-
-              web = {
-                port = 80;
-                targetPort = "web";
-              };
-            };
+          ports.web = {
+            port = 80;
+            targetPort = "web";
           };
         };
 
-        jellyseerr = lib.mkIf cfg.jellyseerr.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.jellyseerrIPv4;
+        radarr.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.radarrIPv4;
 
-            selector = {
-              app = "media";
-              component = "jellyseerr";
-            };
+          selector = {
+            app = "media";
+            component = "radarr";
+          };
 
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
+          ports.web = {
+            port = 80;
+            targetPort = "web";
           };
         };
 
-        radarr = lib.mkIf cfg.radarr.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.radarrIPv4;
+        prowlarr.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.prowlarrIPv4;
 
-            selector = {
-              app = "media";
-              component = "radarr";
-            };
+          selector = {
+            app = "media";
+            component = "prowlarr";
+          };
 
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
+          ports.web = {
+            port = 80;
+            targetPort = "web";
           };
         };
 
-        prowlarr = lib.mkIf cfg.prowlarr.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.prowlarrIPv4;
+        sonarr.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.sonarrIPv4;
 
-            selector = {
-              app = "media";
-              component = "prowlarr";
-            };
+          selector = {
+            app = "media";
+            component = "sonarr";
+          };
 
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
+          ports.web = {
+            port = 80;
+            targetPort = "web";
           };
         };
 
-        sonarr = lib.mkIf cfg.sonarr.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.sonarrIPv4;
+        bazarr.spec = {
+          type = "LoadBalancer";
+          loadBalancerIP = globals.bazarrIPv4;
 
-            selector = {
-              app = "media";
-              component = "sonarr";
-            };
-
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
+          selector = {
+            app = "media";
+            component = "bazarr";
           };
-        };
 
-        bazarr = lib.mkIf cfg.bazarr.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.bazarrIPv4;
-
-            selector = {
-              app = "media";
-              component = "bazarr";
-            };
-
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
-          };
-        };
-
-        nzbget = lib.mkIf cfg.nzbget.enable {
-          spec = {
-            type = "LoadBalancer";
-            loadBalancerIP = globals.nzbgetIPv4;
-
-            selector = {
-              app = "media";
-              component = "nzbget";
-            };
-
-            ports.web = {
-              port = 80;
-              targetPort = "web";
-            };
+          ports.web = {
+            port = 80;
+            targetPort = "web";
           };
         };
       };
 
-      persistentVolumeClaims.jellyfin-cache = lib.mkIf cfg.jellyfin.enable {
-        spec = {
+      persistentVolumeClaims = {
+        jellyfin-cache.spec = {
           accessModes = ["ReadWriteOnce"];
           resources.requests.storage = "20Gi";
         };
+
+        media.spec = {
+          accessModes = ["ReadWriteMany"];
+          storageClassName = "";
+          resources.requests.storage = "1Mi";
+          volumeName = "media-media";
+        };
       };
     };
 
     lab = {
       ingresses = {
-        jellyfin = lib.mkIf cfg.jellyfin.enable {
+        jellyfin = {
           host = "media.kun.is";
 
           service = {
@@ -748,7 +556,7 @@ in {
           };
         };
 
-        jellyseerr = lib.mkIf cfg.jellyseerr.enable {
+        jellyseerr = {
           host = "jellyseerr.kun.is";
           entrypoint = "localsecure";
 
@@ -760,87 +568,72 @@ in {
       };
 
       tailscaleIngresses = {
-        tailscale-jellyseerr = lib.mkIf cfg.jellyseerr.enable {
+        tailscale-jellyseerr = {
           host = "jellyseerr";
           service.name = "jellyseerr";
         };
 
-        tailscale-radarr = lib.mkIf cfg.radarr.enable {
+        tailscale-radarr = {
           host = "radarr";
           service.name = "radarr";
         };
 
-        tailscale-sonarr = lib.mkIf cfg.sonarr.enable {
+        tailscale-sonarr = {
           host = "sonarr";
           service.name = "sonarr";
         };
 
-        tailscale-bazarr = lib.mkIf cfg.bazarr.enable {
+        tailscale-bazarr = {
           host = "bazarr";
           service.name = "bazarr";
         };
 
-        tailscale-prowlarr = lib.mkIf cfg.prowlarr.enable {
+        tailscale-prowlarr = {
           host = "prowlarr";
           service.name = "prowlarr";
         };
 
-        tailscale-deluge = lib.mkIf cfg.deluge.enable {
+        tailscale-deluge = {
           host = "deluge";
           service.name = "deluge";
         };
-
-        tailscale-nzbget = lib.mkIf cfg.nzbget.enable {
-          host = "nzbget";
-          service.name = "nzbget";
-        };
       };
 
       longhorn.persistentVolumeClaim = {
-        jellyfin = lib.mkIf cfg.jellyfin.enable {
+        jellyfin = {
           volumeName = "jellyfin";
-          storage = "10Gi";
+          storage = "5Gi";
         };
 
-        deluge = lib.mkIf cfg.deluge.enable {
+        deluge = {
           volumeName = "deluge";
           storage = "500Mi";
         };
 
-        jellyseerr = lib.mkIf cfg.jellyseerr.enable {
+        jellyseerr = {
           volumeName = "jellyseerr";
           storage = "75Mi";
         };
 
-        radarr = lib.mkIf cfg.radarr.enable {
+        radarr = {
           volumeName = "radarr";
           storage = "300Mi";
         };
 
-        prowlarr = lib.mkIf cfg.prowlarr.enable {
+        prowlarr = {
           volumeName = "prowlarr";
           storage = "150Mi";
         };
 
-        sonarr = lib.mkIf cfg.sonarr.enable {
+        sonarr = {
           volumeName = "sonarr";
-          storage = "250Mi";
+          storage = "150Mi";
         };
 
-        bazarr = lib.mkIf cfg.bazarr.enable {
+        bazarr = {
           volumeName = "bazarr";
           storage = "25Mi";
         };
-
-        music = lib.mkIf cfg.jellyfin.enable {
-          volumeName = "music";
-          storage = "70Gi";
-        };
-
-        nzbget = lib.mkIf cfg.nzbget.enable {
-          volumeName = "nzbget";
-          storage = "150Mi";
-        };
       };
     };
   };
diff --git a/modules/ntfy.nix b/modules/ntfy.nix
index d4f49f3..d970fbe 100644
--- a/modules/ntfy.nix
+++ b/modules/ntfy.nix
@@ -50,11 +50,6 @@
               attachment-cache.persistentVolumeClaim.claimName = "attachment-cache";
               data.persistentVolumeClaim.claimName = "data";
             };
-
-            securityContext = {
-              fsGroup = 407;
-              fsGroupChangePolicy = "Always";
-            };
           };
         };
       };
diff --git a/modules/paperless.nix b/modules/paperless.nix
index e0e4824..5ac3937 100644
--- a/modules/paperless.nix
+++ b/modules/paperless.nix
@@ -57,25 +57,6 @@
                   PAPERLESS_OCR_LANGUAGE.value = "nld";
                   USERMAP_UID.value = "33";
                   USERMAP_GID.value = "33";
-                  PAPERLESS_APPS.value = "allauth.socialaccount.providers.openid_connect";
-                  PAPERLESS_SOCIALACCOUNT_PROVIDERS.value = ''
-                    {
-                      "openid_connect": {
-                        "APPS": [
-                          {
-                            "provider_id": "authentik",
-                            "name": "Authentik",
-                            "client_id": "z5PlhxTB1eXJ9L39Ix2BfhLV72TbF3vbGJZUtyBJ",
-                            "secret": "ref+sops://secrets.yml#/authentik/oauth2/paperless-ngx/client_secret+",
-                            "settings": {
-                              "server_url": "https://authentik.kun.is/application/o/paperless-ngx/.well-known/openid-configuration"
-                            }
-                          }
-                        ],
-                        "OAUTH_PKCE_ENABLED": "True"
-                      }
-                    }
-                  '';
 
                   PAPERLESS_DBPASS.valueFrom.secretKeyRef = {
                     name = "database";
diff --git a/modules/syncthing.nix b/modules/syncthing.nix
index 31bde21..c06b81a 100644
--- a/modules/syncthing.nix
+++ b/modules/syncthing.nix
@@ -45,15 +45,15 @@
                   mountPath = "/config";
                 }
                 {
-                  name = "keepassxc";
-                  mountPath = "/keepassxc";
+                  name = "music";
+                  mountPath = "/music";
                 }
               ];
             };
 
             volumes = {
               config.persistentVolumeClaim.claimName = "config";
-              keepassxc.persistentVolumeClaim.claimName = "keepassxc";
+              music.persistentVolumeClaim.claimName = "music";
             };
 
             securityContext = {
@@ -74,19 +74,19 @@
           targetPort = "web";
         };
       };
+
+      persistentVolumeClaims.music.spec = {
+        accessModes = ["ReadWriteMany"];
+        storageClassName = "";
+        resources.requests.storage = "1Mi";
+        volumeName = "music-syncthing";
+      };
     };
 
     lab = {
-      longhorn.persistentVolumeClaim = {
-        config = {
-          volumeName = "syncthing";
-          storage = "400Mi";
-        };
-
-        keepassxc = {
-          volumeName = "keepassxc";
-          storage = "100Mi";
-        };
+      longhorn.persistentVolumeClaim.config = {
+        volumeName = "syncthing";
+        storage = "400Mi";
       };
 
       tailscaleIngresses.tailscale = {
diff --git a/modules/tailscale-ingress.nix b/modules/tailscale-ingress.nix
index 23eedb3..83e3f96 100644
--- a/modules/tailscale-ingress.nix
+++ b/modules/tailscale-ingress.nix
@@ -42,7 +42,7 @@
                 pathType = "Prefix";
 
                 backend.service = {
-                  inherit (service) name;
+                  name = service.name;
                   port.name = service.portName;
                 };
               }
diff --git a/modules/traefik.nix b/modules/traefik.nix
index e512b99..b59253d 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@@ -20,7 +20,7 @@
             ports = {
               localsecure = {
                 port = 8444;
-                expose.default = true;
+                expose = true;
                 exposedPort = 444;
                 protocol = "TCP";
 
diff --git a/nixng-configurations/atuin.nix b/nixng-configurations/atuin.nix
deleted file mode 100644
index 189895e..0000000
--- a/nixng-configurations/atuin.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-  dinit.enable = true;
-  init.services.atuin.shutdownOnExit = true;
-
-  services.atuin = {
-    enable = true;
-
-    settings = {
-      open_registration = false;
-    };
-  };
-}
diff --git a/nixng-configurations/bazarr.nix b/nixng-configurations/bazarr.nix
index 703ee94..03d7b6a 100644
--- a/nixng-configurations/bazarr.nix
+++ b/nixng-configurations/bazarr.nix
@@ -1,23 +1,9 @@
-{
-  lib,
-  nglib,
-  config,
-  ...
-}: {
+{...}: {
   dinit.enable = true;
-
-  init.services.bazarr = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
+  init.services.bazarr.shutdownOnExit = true;
 
   services.bazarr = {
     enable = true;
     configDir = "/config";
   };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["bazarr"];
-  };
 }
diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix
index c2a60d5..80375cb 100644
--- a/nixng-configurations/default.nix
+++ b/nixng-configurations/default.nix
@@ -5,8 +5,10 @@
   nginx,
   blog,
   nixpkgs,
+  nixpkgs-jellyseerr,
+  nixpkgs-bazarr,
+  nixpkgs-radicale,
   nixpkgs-master,
-  nixpkgs-prowlarr,
   ...
 }:
 flake-utils.lib.eachDefaultSystem (system: let
@@ -21,10 +23,7 @@ flake-utils.lib.eachDefaultSystem (system: let
     bazarr = ./bazarr.nix;
     prowlarr = ./prowlarr.nix;
     blog = ./blog.nix;
-    deluge = ./deluge.nix;
-    mealie = ./mealie.nix;
-    atuin = ./atuin.nix;
-    nzbget = ./nzbget.nix;
+    generic-device-plugin = ./generic-device-plugin.nix;
   };
 in {
   nixngConfigurations = builtins.mapAttrs (name: configFile:
@@ -39,23 +38,16 @@ in {
       };
 
       extraModules = [
-        self.nixngModules.ids
-        self.nixngModules.bazarr
-        self.nixngModules.radicale
-        self.nixngModules.jellyseerr
-        self.nixngModules.radarr
-        self.nixngModules.sonarr
-        self.nixngModules.prowlarr
-        self.nixngModules.deluge
-        self.nixngModules.mealie
-        self.nixngModules.atuin
-        self.nixngModules.nzbget
         {
           nixpkgs.overlays = [
-            (_final: _prev: {
+            (final: _prev: {
               # From master branch
-              inherit (nixpkgs-master.legacyPackages.${system}) jellyseerr radicale bazarr;
-              inherit (nixpkgs-prowlarr.legacyPackages.${system}) prowlarr;
+              prowlarr = nixpkgs-master.legacyPackages.${system}.prowlarr;
+
+              # From forks
+              bazarr = nixpkgs-bazarr.legacyPackages.${system}.bazarr;
+              jellyseerr = nixpkgs-jellyseerr.legacyPackages.${system}.jellyseerr;
+              radicale = nixpkgs-radicale.legacyPackages.${system}.radicale;
             })
           ];
         }
diff --git a/nixng-configurations/deluge.nix b/nixng-configurations/deluge.nix
deleted file mode 100644
index 3f44f37..0000000
--- a/nixng-configurations/deluge.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-  config,
-  nglib,
-  lib,
-  ...
-}: {
-  dinit.enable = true;
-  init.services = {
-    deluged = {
-      shutdownOnExit = true;
-      group = lib.mkForce "media";
-    };
-
-    deluge-web = {
-      shutdownOnExit = true;
-      group = lib.mkForce "media";
-    };
-  };
-
-  services.deluge = {
-    enable = true;
-    configDir = "/config";
-    web.enable = true;
-  };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["deluge"];
-  };
-}
diff --git a/nixng-configurations/generic-device-plugin.nix b/nixng-configurations/generic-device-plugin.nix
new file mode 100644
index 0000000..abb2406
--- /dev/null
+++ b/nixng-configurations/generic-device-plugin.nix
@@ -0,0 +1,10 @@
+{globals, ...}: {
+  dinit.enable = true;
+  init.services.generic-device-plugin.shutdownOnExit = true;
+
+  services.generic-device-plugin = {
+    enable = true;
+    settings = {
+    };
+  };
+}
diff --git a/nixng-configurations/jellyseerr.nix b/nixng-configurations/jellyseerr.nix
index 034306c..b86802e 100644
--- a/nixng-configurations/jellyseerr.nix
+++ b/nixng-configurations/jellyseerr.nix
@@ -1,22 +1,9 @@
-{
-  config,
-  lib,
-  nglib,
-  ...
-}: {
+{...}: {
   dinit.enable = true;
-  init.services.jellyseerr = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
+  init.services.jellyseerr.shutdownOnExit = true;
 
   services.jellyseerr = {
     enable = true;
     configDir = "/app/config";
   };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["jellyseerr"];
-  };
 }
diff --git a/nixng-configurations/mealie.nix b/nixng-configurations/mealie.nix
deleted file mode 100644
index bd3350c..0000000
--- a/nixng-configurations/mealie.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
-  dinit.enable = true;
-  init.services.mealie.shutdownOnExit = true;
-
-  services.mealie = {
-    enable = true;
-
-    settings = {
-      DATA_DIR = "/data";
-      BASE_URL = "https://mealie.kun.is";
-      ALLOW_SIGNUP = "False";
-      SMTP_HOST = "mail.smtp2go.com";
-      SMTP_PORT = "2525";
-      SMTP_FROM_NAME = "Mealie";
-      SMTP_AUTH_STRATEGY = "ssl";
-      SMTP_FROM_EMAIL = "mealie@kun.is";
-      OIDC_AUTH_ENABLED = "True";
-      OIDC_CONFIGURATION_URL = "https://authentik.kun.is/application/o/mealie/.well-known/openid-configuration";
-      OIDC_CLIENT_ID = "lvkHoIPacUXjY4jr9YyEQC7YyhccOH0atbpOiKmG";
-      OIDC_AUTO_REDIRECT = "True";
-      OIDC_PROVIDER_NAME = "Authentik";
-      OIDC_REMEMBER_ME = "True";
-    };
-  };
-}
diff --git a/nixng-configurations/ntfy.nix b/nixng-configurations/ntfy.nix
index a957c42..7fc7ef1 100644
--- a/nixng-configurations/ntfy.nix
+++ b/nixng-configurations/ntfy.nix
@@ -1,4 +1,4 @@
-{
+{...}: {
   dinit.enable = true;
   init.services.ntfy-sh.shutdownOnExit = true;
 
diff --git a/nixng-configurations/nzbget.nix b/nixng-configurations/nzbget.nix
deleted file mode 100644
index 5a85465..0000000
--- a/nixng-configurations/nzbget.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  lib,
-  nglib,
-  config,
-  ...
-}: {
-  dinit.enable = true;
-
-  init.services.nzbget = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
-
-  services.nzbget = {
-    enable = true;
-  };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["nzbget"];
-  };
-}
diff --git a/nixng-configurations/prowlarr.nix b/nixng-configurations/prowlarr.nix
index 7214747..e12e1bb 100644
--- a/nixng-configurations/prowlarr.nix
+++ b/nixng-configurations/prowlarr.nix
@@ -1,22 +1,9 @@
-{
-  lib,
-  nglib,
-  config,
-  ...
-}: {
+{...}: {
   dinit.enable = true;
-  init.services.prowlarr = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
+  init.services.prowlarr.shutdownOnExit = true;
 
   services.prowlarr = {
     enable = true;
     dataDir = "/config";
   };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["prowlarr"];
-  };
 }
diff --git a/nixng-configurations/radarr.nix b/nixng-configurations/radarr.nix
index 21cd30a..c647100 100644
--- a/nixng-configurations/radarr.nix
+++ b/nixng-configurations/radarr.nix
@@ -1,22 +1,9 @@
-{
-  lib,
-  nglib,
-  config,
-  ...
-}: {
+{...}: {
   dinit.enable = true;
-  init.services.radarr = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
+  init.services.radarr.shutdownOnExit = true;
 
   services.radarr = {
     enable = true;
     dataDir = "/config";
   };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["radarr"];
-  };
 }
diff --git a/nixng-configurations/sonarr.nix b/nixng-configurations/sonarr.nix
index f756fde..b98f9cf 100644
--- a/nixng-configurations/sonarr.nix
+++ b/nixng-configurations/sonarr.nix
@@ -1,22 +1,9 @@
-{
-  lib,
-  config,
-  nglib,
-  ...
-}: {
+{...}: {
   dinit.enable = true;
-  init.services.sonarr = {
-    shutdownOnExit = true;
-    group = lib.mkForce "media";
-  };
+  init.services.sonarr.shutdownOnExit = true;
 
   services.sonarr = {
     enable = true;
     dataDir = "/config";
   };
-
-  users.groups.media = nglib.mkDefaultRec {
-    gid = config.ids.gids.media;
-    members = ["sonarr"];
-  };
 }
diff --git a/nixng-modules/atuin.nix b/nixng-modules/atuin.nix
deleted file mode 100644
index 914f5a7..0000000
--- a/nixng-modules/atuin.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{
-  pkgs,
-  lib,
-  nglib,
-  config,
-  ...
-}: let
-  cfg = config.services.atuin;
-  cfgInit = config.init.services.atuin;
-  settingsFormat = pkgs.formats.toml {};
-in {
-  options.services.atuin = {
-    enable = lib.mkEnableOption "atuin";
-    package = lib.mkPackageOption pkgs "atuin" {};
-
-    settings = lib.mkOption {
-      type = lib.types.submodule {
-        freeformType = settingsFormat.type;
-
-        options = {
-          host = lib.mkOption {
-            type = lib.types.str;
-            default = "0.0.0.0";
-            description = "The host to listen on";
-          };
-
-          port = lib.mkOption {
-            type = lib.types.port;
-            default = 8888;
-            description = "The TCP port to listen on";
-          };
-
-          open_registration = lib.mkOption {
-            type = lib.types.bool;
-            default = false;
-            description = "If true, accept new user registrations";
-          };
-
-          db_uri = lib.mkOption {
-            type = with lib.types; nullOr str;
-            default = null;
-            description = "A valid PostgreSQL URI, for saving history";
-          };
-
-          path = lib.mkOption {
-            type = lib.types.str;
-            default = "";
-            description = "A path to prepend to all the routes of the server";
-          };
-        };
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.atuin = {
-      enabled = true;
-      user = lib.mkDefault "atuin";
-      group = lib.mkDefault "atuin";
-
-      script = pkgs.writeShellScript "atuin-run" ''
-        ${lib.getExe cfg.package} server start
-      '';
-    };
-
-    environment = {
-      systemPackages = [cfg.package];
-
-      variables.ATUIN_CONFIG_DIR = let
-        settingsFile = settingsFormat.generate "server.toml" (lib.filterAttrs (_: v: v != null) cfg.settings);
-      in
-        toString (pkgs.writeTextDir "server.toml" (builtins.readFile settingsFile));
-    };
-
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
-      description = "atuin";
-      inherit (cfgInit) group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.atuin;
-    };
-
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.atuin;};
-  };
-}
diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix
deleted file mode 100644
index c5e5ffe..0000000
--- a/nixng-modules/bazarr.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{
-  lib,
-  nglib,
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.bazarr;
-  cfgInit = config.init.services.bazarr;
-in {
-  options.services.bazarr = {
-    enable = lib.mkEnableOption "bazarr";
-    package = lib.mkPackageOption pkgs "bazarr" {};
-
-    configDir = lib.mkOption {
-      description = "Where Bazarr's configuration files are stored.";
-      type = lib.types.str;
-      default = "/config";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.bazarr = {
-      enabled = true;
-      user = lib.mkDefault "bazarr";
-      group = lib.mkDefault "bazarr";
-
-      script = pkgs.writeShellScript "bazarr-run" ''
-        umask 0002
-        ${lib.getExe cfg.package} \
-          --no-update \
-          --config '${cfg.configDir}'
-      '';
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "bazarr") (nglib.mkDefaultRec {
-      description = "bazarr";
-      group = cfgInit.group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.bazarr;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "bazarr") (nglib.mkDefaultRec {gid = config.ids.gids.bazarr;});
-  };
-}
diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix
deleted file mode 100644
index 05c22df..0000000
--- a/nixng-modules/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-_: {
-  nixngModules = {
-    bazarr = import ./bazarr.nix;
-    radicale = import ./radicale.nix;
-    jellyseerr = import ./jellyseerr.nix;
-    radarr = import ./radarr.nix;
-    sonarr = import ./sonarr.nix;
-    prowlarr = import ./prowlarr.nix;
-    ids = import ./ids.nix;
-    deluge = import ./deluge.nix;
-    mealie = import ./mealie.nix;
-    atuin = import ./atuin.nix;
-    nzbget = import ./nzbget.nix;
-  };
-}
diff --git a/nixng-modules/deluge.nix b/nixng-modules/deluge.nix
deleted file mode 100644
index 505f4bf..0000000
--- a/nixng-modules/deluge.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{
-  lib,
-  nglib,
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.deluge;
-  cfgInit = config.init.services.deluged;
-in {
-  options.services.deluge = {
-    enable = lib.mkEnableOption "deluge";
-    package = lib.mkPackageOption pkgs "deluge-2_x" {};
-
-    configDir = lib.mkOption {
-      type = lib.types.path;
-      default = "/var/lib/deluge";
-
-      description = ''
-        Directory for Deluge's run-time configuration
-      '';
-    };
-
-    web = {
-      enable = lib.mkEnableOption "Deluge web daemon";
-
-      port = lib.mkOption {
-        type = lib.types.port;
-        default = 8112;
-        description = ''
-          Deluge web UI port
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services = {
-      deluged = {
-        enabled = true;
-        user = lib.mkDefault "deluge";
-        group = lib.mkDefault "deluge";
-        tmpfiles = with nglib.nottmpfiles.dsl; [(d cfg.configDir "-" cfgInit.user cfgInit.group _ _)];
-
-        script = pkgs.writeShellScript "deluged-run" ''
-          # TODO: make init-level option?
-          umask 0002
-          ${cfg.package}/bin/deluged \
-            --do-not-daemonize \
-            --config ${cfg.configDir}
-        '';
-      };
-
-      deluge-web = {
-        enabled = cfg.web.enable;
-        dependencies = ["deluged"];
-        user = lib.mkDefault "deluge";
-        group = lib.mkDefault "deluge";
-
-        script = pkgs.writeShellScript "deluge-web-run" ''
-          ${cfg.package}/bin/deluge-web \
-            --do-not-daemonize \
-            --port ${toString cfg.web.port} \
-            --config ${cfg.configDir}
-        '';
-      };
-    };
-
-    environment = {
-      systemPackages = [cfg.package];
-      variables.PYTHON_EGG_CACHE = "${config.users.users.${cfgInit.user}.home}/.cache";
-    };
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "deluge") (nglib.mkDefaultRec {
-      description = "deluge";
-      inherit (cfgInit) group;
-      createHome = true;
-      home = "/home/deluge";
-      useDefaultShell = true;
-      uid = config.ids.uids.deluge;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "deluge") (nglib.mkDefaultRec {gid = config.ids.gids.deluge;});
-  };
-}
diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix
deleted file mode 100644
index f113fe9..0000000
--- a/nixng-modules/ids.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-  ids = {
-    uids = {
-      radicale = 408;
-      jellyseerr = 409;
-      radarr = 410;
-      sonarr = 411;
-      bazarr = 412;
-      prowlarr = 413;
-      deluge = 414;
-      mealie = 415;
-      atuin = 416;
-      nzbget = 417;
-    };
-
-    gids = {
-      media = 51;
-      radicale = 408;
-      jellyseerr = 409;
-      radarr = 410;
-      sonarr = 411;
-      bazarr = 412;
-      prowlarr = 413;
-      deluge = 414;
-      mealie = 415;
-      atuin = 416;
-      nzbget = 417;
-    };
-  };
-}
diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix
deleted file mode 100644
index 745ba4c..0000000
--- a/nixng-modules/jellyseerr.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{
-  lib,
-  nglib,
-  pkgs,
-  config,
-  ...
-}: let
-  cfg = config.services.jellyseerr;
-  cfgInit = config.init.services.jellyseerr;
-in {
-  options.services.jellyseerr = {
-    enable = lib.mkEnableOption "jellyseerr";
-    package = lib.mkPackageOption pkgs "jellyseerr" {};
-
-    port = lib.mkOption {
-      description = ''
-        The port Jellyseerr should listen on.
-      '';
-      type = lib.types.port;
-      example = 8080;
-      default = 5055;
-    };
-
-    configDir = lib.mkOption {
-      description = ''
-        The directory to save run-time configuration.
-      '';
-      type = lib.types.str;
-      example = "/jellyseerr";
-      default = "/var/lib/jellyseerr";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.jellyseerr = {
-      enabled = true;
-      script = pkgs.writeShellScript "jellyseerr-run" ''
-        umask 0002
-        ${lib.getExe cfg.package}
-      '';
-      user = lib.mkDefault "jellyseerr";
-      group = lib.mkDefault "jellyseerr";
-    };
-
-    environment = {
-      systemPackages = [cfg.package];
-
-      variables = {
-        PORT = builtins.toString cfg.port;
-        CONFIG_DIRECTORY = cfg.configDir;
-      };
-    };
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "jellyseerr") (nglib.mkDefaultRec {
-      description = "jellyseerr";
-      group = cfgInit.group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.jellyseerr;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "jellyseerr") (nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;});
-  };
-}
diff --git a/nixng-modules/mealie.nix b/nixng-modules/mealie.nix
deleted file mode 100644
index 583d4b4..0000000
--- a/nixng-modules/mealie.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{
-  lib,
-  nglib,
-  pkgs,
-  config,
-  ...
-}: let
-  cfg = config.services.mealie;
-  cfgInit = config.init.services.mealie;
-in {
-  options.services.mealie = {
-    enable = lib.mkEnableOption "mealie";
-    package = lib.mkPackageOption pkgs "mealie" {};
-    settings = lib.mkOption {
-      type = lib.types.submodule {
-        freeformType = with lib.types; attrsOf str;
-
-        options = {
-          PRODUCTION = lib.mkOption {
-            type = lib.types.str;
-            default = "true";
-          };
-
-          DATA_DIR = lib.mkOption {
-            type = with lib.types; nullOr str;
-            default = null;
-          };
-
-          DB_ENGINE = lib.mkOption {
-            type = with lib.types; nullOr str;
-            default = "sqlite";
-          };
-
-          ALEMBIC_CONFIG_FILE = lib.mkOption {
-            type = with lib.types; nullOr str;
-            default = "${cfg.package}/alembic.ini";
-          };
-        };
-      };
-
-      description = ''
-        Configuration of the Mealie service.
-
-        See [the Mealie documentation](https://nightly.mealie.io/documentation/getting-started/installation/backend-config/) for available options and default values.
-      '';
-      default = {};
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.mealie = {
-      enabled = true;
-      user = lib.mkDefault "mealie";
-      group = lib.mkDefault "mealie";
-
-      tmpfiles = with nglib.nottmpfiles.dsl; lib.optional (cfg.settings.DATA_DIR != null) (d "${cfg.settings.DATA_DIR}" "-" cfgInit.user cfgInit.group "-" _);
-
-      execStart =
-        pkgs.writeShellScript "mealie-run"
-        (let
-          # Mealie can only be configured via environmental variables.
-          # With this, we don't accidentally overwrite env variables set by the user.
-          extraEnvLines = lib.mapAttrsToList (key: value: ''export ${key}=''${${key}:=${value}}'') cfg.settings;
-        in ''
-          ${lib.concatStringsSep "\n" extraEnvLines}
-          ${cfg.package}/libexec/init_db
-
-          ${lib.getExe cfg.package} -b 0.0.0.0:8000
-        '');
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
-      description = "mealie";
-      inherit (cfgInit) group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.mealie;
-    };
-
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.mealie;};
-  };
-}
diff --git a/nixng-modules/nzbget.nix b/nixng-modules/nzbget.nix
deleted file mode 100644
index 428f51a..0000000
--- a/nixng-modules/nzbget.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{
-  pkgs,
-  lib,
-  nglib,
-  config,
-  ...
-}: let
-  cfg = config.services.nzbget;
-  cfgInit = config.init.services.nzbget;
-  stateDir = "/home/nzbget";
-  configFile = "${stateDir}/nzbget.conf";
-in {
-  options.services.nzbget = {
-    enable = lib.mkEnableOption "nzbget";
-    package = lib.mkPackageOption pkgs "nzbget" {};
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.nzbget = {
-      enabled = true;
-      user = lib.mkDefault "nzbget";
-      group = lib.mkDefault "nzbget";
-
-      execStartPre = pkgs.writeShellScript "nzbget-pre.sh" ''
-        if [ ! -f ${configFile} ]; then
-          ${pkgs.coreutils}/bin/install -m 0700 ${cfg.package}/share/nzbget/nzbget.conf ${configFile}
-        fi
-      '';
-
-      script = pkgs.writeShellScript "nzbget-run.sh" ''
-        umask 0002
-        ${lib.getExe cfg.package} --server --configfile ${configFile}
-      '';
-    };
-
-    environment.systemPackages = with pkgs; [cfg.package unrar p7zip];
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "nzbget") (nglib.mkDefaultRec {
-      description = "nzbget";
-      inherit (cfgInit) group;
-      createHome = true;
-      home = "/home/nzbget";
-      useDefaultShell = true;
-      uid = config.ids.uids.nzbget;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "nzbget") (nglib.mkDefaultRec {gid = config.ids.gids.nzbget;});
-  };
-}
diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix
deleted file mode 100644
index cf79cea..0000000
--- a/nixng-modules/prowlarr.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
-  pkgs,
-  lib,
-  nglib,
-  config,
-  ...
-}: let
-  cfg = config.services.prowlarr;
-  cfgInit = config.init.services.prowlarr;
-in {
-  options.services.prowlarr = {
-    enable = lib.mkEnableOption "prowlarr";
-    package = lib.mkPackageOption pkgs "prowlarr" {};
-
-    dataDir = lib.mkOption {
-      description = "Directory to store Prowlarr's data";
-      type = lib.types.str;
-      default = "/config";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.prowlarr = {
-      enabled = true;
-      user = lib.mkDefault "prowlarr";
-      group = lib.mkDefault "prowlarr";
-
-      script = pkgs.writeShellScript "prowlarr-run" ''
-        ${lib.getExe cfg.package} \
-          -nobrowser \
-          -data=${cfg.dataDir}
-      '';
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "prowlarr") (nglib.mkDefaultRec {
-      description = "prowlarr";
-      group = cfgInit.group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.prowlarr;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "prowlarr") (nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;});
-  };
-}
diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix
deleted file mode 100644
index 8ea2b39..0000000
--- a/nixng-modules/radarr.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
-  config,
-  lib,
-  nglib,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.radarr;
-  cfgInit = config.init.services.radarr;
-in {
-  options.services.radarr = {
-    enable = lib.mkEnableOption "radarr";
-    package = lib.mkPackageOption pkgs "radarr" {};
-
-    dataDir = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/radarr/.config/Radarr";
-      description = "The directory where Radarr stores its data files.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.radarr = {
-      enabled = true;
-      user = lib.mkDefault "radarr";
-      group = lib.mkDefault "radarr";
-
-      script = pkgs.writeShellScript "radarr-run.sh" ''
-        umask 0002
-        ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}'
-      '';
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "radarr") (nglib.mkDefaultRec {
-      description = "radarr";
-      inherit (cfgInit) group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.radarr;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "radarr") (nglib.mkDefaultRec {gid = config.ids.gids.radarr;});
-  };
-}
diff --git a/nixng-modules/radicale.nix b/nixng-modules/radicale.nix
deleted file mode 100644
index 80dd38a..0000000
--- a/nixng-modules/radicale.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  nglib,
-  ...
-}: let
-  cfg = config.services.radicale;
-  cfgInit = config.init.services.radicale;
-
-  settingsFormat = pkgs.formats.ini {
-    listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {});
-  };
-in {
-  options.services.radicale = {
-    enable = lib.mkEnableOption "radicale";
-    package = lib.mkPackageOption pkgs "radicale" {};
-
-    settings = lib.mkOption {
-      type = settingsFormat.type;
-      default = {};
-
-      description = ''
-        Configuration for Radicale. See
-        <https://radicale.org/v3.html#configuration>.
-      '';
-
-      example = lib.literalExpression ''
-        server = {
-          hosts = [ "0.0.0.0:5232" "[::]:5232" ];
-        };
-        auth = {
-          type = "htpasswd";
-          htpasswd_filename = "/etc/radicale/users";
-          htpasswd_encryption = "bcrypt";
-        };
-        storage = {
-          filesystem_folder = "/var/lib/radicale/collections";
-        };
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable (let
-    configFile = settingsFormat.generate "radicale.ini" cfg.settings;
-  in {
-    init.services.radicale = {
-      enabled = true;
-      user = lib.mkDefault "radicale";
-      group = lib.mkDefault "radicale";
-
-      script = pkgs.writeShellScript "radicale-run" ''
-        ${cfg.package}/bin/radicale \
-          --config ${configFile}
-      '';
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = nglib.mkDefaultRec {
-      description = "radicale";
-      group = cfgInit.group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.radicale;
-    };
-
-    users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;};
-  });
-}
diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix
deleted file mode 100644
index b78a4cc..0000000
--- a/nixng-modules/sonarr.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
-  lib,
-  nglib,
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.sonarr;
-  cfgInit = config.init.services.sonarr;
-in {
-  options.services.sonarr = {
-    enable = lib.mkEnableOption "sonarr";
-    package = lib.mkPackageOption pkgs "sonarr" {};
-
-    dataDir = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/sonarr/.config/NzbDrone";
-      description = "The directory where Sonarr stores its data files.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    init.services.sonarr = {
-      enabled = true;
-      user = lib.mkDefault "sonarr";
-      group = lib.mkDefault "sonarr";
-      tmpfiles = with nglib.nottmpfiles.dsl; [(e "${cfg.dataDir}/logs" "-" cfgInit.user cfgInit.group "7d" _)];
-
-      script = pkgs.writeShellScript "sonarr-run" ''
-        umask 0002
-        ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir}
-      '';
-    };
-
-    environment.systemPackages = [cfg.package];
-
-    users.users.${cfgInit.user} = lib.mkIf (cfgInit.user == "sonarr") (nglib.mkDefaultRec {
-      description = "sonarr";
-      inherit (cfgInit) group;
-      createHome = false;
-      home = "/var/empty";
-      useDefaultShell = true;
-      uid = config.ids.uids.sonarr;
-    });
-
-    users.groups.${cfgInit.group} = lib.mkIf (cfgInit.group == "sonarr") (nglib.mkDefaultRec {gid = config.ids.gids.sonarr;});
-  };
-}
diff --git a/scripts/gen-k3s-cert.sh b/scripts/gen-k3s-cert.sh
index 71ad441..405f9f9 100644
--- a/scripts/gen-k3s-cert.sh
+++ b/scripts/gen-k3s-cert.sh
@@ -13,11 +13,6 @@ if [ -z "$username" ] || [ -z "$host" ]
     exit 1
 fi
 
-if [ ! -d "$output_path" ]; then
-    echo "Output directory $output_path does not exist!"
-    exit 1
-fi
-
 # Create a temporary directory
 temp=$(mktemp -d)
 
diff --git a/secrets.yml b/secrets.yml
index 8d8e5c1..170dd31 100644
--- a/secrets.yml
+++ b/secrets.yml
@@ -1,16 +1,11 @@
 freshrss:
     password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str]
-    oidc_crypto_key: ENC[AES256_GCM,data:dFQKZtFVd5l8W2go6WcK76o7O7hpQWnQKXCGTf9EhSVURvWigv6zzBULie7Y4lkJCsItG8oKmIiCYSy3MhFnU3DJTUJcenm4I7NHyINjvzHOBgUVPXbYQjQhouJwOlPkdqlSKv1f38ItZKNPJebMObZj+kACKbjdik6e6yM40RM=,iv:g6Ygval2qTQwKnrliI+n/r9OxJFePT9MKYyBLU6b3UQ=,tag:kWXTbm2JIR5aL/s4OX2Tqg==,type:str]
 pihole:
     password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str]
 hedgedoc:
     databaseURL: ENC[AES256_GCM,data:6+IV4TaClIGE1XVkUf7JwXzqx3EvWiIKFx9X5x7QKvQKC7bIieD1ADVeAMQmiQfibnH/YV5TgjNY8Ft+3eX881c3yD+2j7mM+O1fX6taK/BCokDnqhIwTN2qxHsu+mrPcM/Pgg5Zqy8HvUgX8jM=,iv:bCwuNk5CVgK2T5IgLebcKwxwloi6FkWMWhnxwJek1GM=,tag:UDQ0KmRDVlDh35Fjm6eaAA==,type:str]
     sessionSecret: ENC[AES256_GCM,data:7FdRjAShjjue1fFwizCgK+94mkbT4ohAPxdyn/8Z8/f2nvGWPZHO/hGexOixbRGLPewJSaMunTMeJL+IzFlGlg==,iv:iz7640b8Mlb6mNps20b+TbphWDEFUbKwKNUXc0kR5NY=,tag:fdEr1tbes1h8VCA/q+0sOw==,type:str]
     databasePassword: ENC[AES256_GCM,data:wdRhCluNx2IzgDqouAoIcG6yOWwNLOaEkpqgYEeFvJDZsMC8OUuV7Q==,iv:Csut0c+LRKWD2b4uVuQpGnwwVqnGT6Sk6T/ODlH57Bk=,tag:7bS6a18GyRifq2D6cIheaw==,type:str]
-    oidc:
-        client_secret:
-            password: ENC[AES256_GCM,data:rLkMFkEzCF3+ejGAUliaBMpfOrxL5b3pJVvkblEFIvHupmr9DTS71L4T6/oo616E4IoCuZxqKh0FxhdWZRM4KrEk5YZMbgp9,iv:TbySrCTY+Kps4v/q5maQglm4aOzuUPch2ECBHPp4FYc=,tag:mz71m6JqIemVCypf93hkBQ==,type:str]
-            digest: ENC[AES256_GCM,data:m+abt7SEXZoeOA+ioB3BmiWN09CDpCWdZ5eNRhShvuUJW7rjbSJAQ2NTZkMTnFoNv6PO6rSUD6lmStFfO/mqVUFvWXBBDMK3xK+ILcgDoZZ1Pnmr19noqTL5OxyYLAtUHRNOohsUBYlZKyv2lFNQlqxk6kOi+fUPitmmsO6BO1nrq2s=,iv:CmC0JLXuT9O29Rtu7Pp8i0h/SyaEAT0bsXQb2LRFAkk=,tag:/IL39BCMuw+bqxv2OaNwhw==,type:str]
 nextcloud:
     databasePassword: ENC[AES256_GCM,data:jRLgW96FnMEpU0T5z/iQOX/CgjpH2ZykZGd1qGFHK8o=,iv:YrY9IsrlCaiQ8BFYqu+UnOxnvvB/JN4iYfy3vMa3wcw=,tag:41iWc4iVqjdUr02O5CLu7g==,type:str]
 paperless:
@@ -34,29 +29,6 @@ immich:
 tailscale:
     clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str]
     clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str]
-authentik:
-    secret_key: ENC[AES256_GCM,data:bbEEpymADAGY/fDNMU7FfzveyK2SBUBCitQLN85tB5C5u32PRsRnOa2MDjKGU4kArnyV/WtJQXT4HJ//nMLVh53Q8BYclWYYVFourEjaajTixkZ2gkAfcMJ1mMaQG09ylrwMhLsZWbeaLFzW6dfPSQOCchvj3VhgvJSXuhNmr90=,iv:aE/DGt/yd9wL5qlWfdyT/9SIsCj7U3GcljArcGIdh9k=,tag:CVeiZITOJ71/jdLzjZjteA==,type:str]
-    postgresql_password: ENC[AES256_GCM,data:4okPqDzPDnx7ZBFQV2Jtk6SEHTskRd2GVG4XLdpMQrgivKsuhQJf1QAnCWHrjmtg74xdlUy2TdPwTWGd5UiM1G90GwHSzLPSJt6X0IFMxCuq/eyYYbD9w8Wk1pVuvqoluPcjN6WoRJdCzap1QITih8B+oSkTJ/rk84xczsjah4U=,iv:r0dYWcsIqdH8FGuBd2dxAJ1AjRmk6k4QYKq0cnZITk4=,tag:errORaXgO7yJW7ERbmdtRg==,type:str]
-    oauth2:
-        freshrss:
-            client_secret: ENC[AES256_GCM,data:e7wdwWRS8KivGkcWaMgSrUEEuOTHzj1oim+qUcLD35/DA/V6itM2XqVPhqIOXHrf6pOyYgprEv14bEx8zUvtT6iXV4fsEUEWeWTgt4NI3YULtx/t0yVDq9Zc8fN9cIqGxGeig1mcQwmm7vByq58mNJEpcfz46swjN2ATf/CPJQs=,iv:xeNgSKd+g4ne8NLw/2KQjTXSvNkqezOhMn5niuWpD38=,tag:ElOUMg0oZ+q15hCgh/Mzug==,type:str]
-        hedgedoc:
-            client_secret: ENC[AES256_GCM,data:hdNQzatO6Pf6mxvfO4h1XrhycKMBUHElEwacGttzByi4JDbIndAwYc2GXdwUmytPMYs/s+lVjcdHhspUFWS01DETWQfnWm/GN73GzW18uj3XyRXqt62HhMf18GvRlOWkGX+jYpUTGGoonYes2xijhD/mNCjxKk5Q+6FVFT2mdJ4=,iv:pScEX6YnoU7HelxmCes8A9vJjPdvFbqbclHYMme8OOE=,tag:FURxphI8IDMvOwB4ahD8hg==,type:str]
-        paperless-ngx:
-            client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str]
-        forgejo:
-            client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str]
-        immich:
-            client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str]
-        nextcloud:
-            client_secret: ENC[AES256_GCM,data:zLejYbfudK/4OquLXPYTv9YOmFpCVfg0KLNkDSDCpFrxroDUAXBCLtYXiGuYkYrD/t7LAzRt+OTq70d7ciuHhBNSLclP2U97BQoXCWscWnxQauRZ+UCABvP+DB9VPQmCwU+uKPrKQ8l51baj+MkpIDdk2lwavpONMU57Zov6N2o=,iv:aQ4bsXUXn177tCxe1kAsSMP9ynEzvDwN0hwFhrT3Nko=,tag:EFcnf6VmyFt2i4+aL56sWw==,type:str]
-        kitchenowl:
-            client_secret: ENC[AES256_GCM,data:x4Xsd3d3El59HKBYNV56ah314hYSRhzt46upW34cOopXNHSB3zCDrD46LUa6i8g6V5GJyrMpMfO5mv+b80JrmfHkhGUXZXuTwDNu6ijnO6ZCvC2Bdlo+T0tlkJe25OMCBseJkkC++UBrpKQQTAhyVjnPSVrGVvtY4WtdAw+X/OY=,iv:pOowIhPD7kb2F3ylFzLwNW3BhPZyzoFCGRm2+KCmhno=,tag:GxFI0w06EyGxFwj6Fv4ZLQ==,type:str]
-        mealie:
-            client_secret: ENC[AES256_GCM,data:VNEV8a1KZc6XVeRzyBWzuwldTmxEepPRUOEMEM3HKrDIkxcGHDuoLh5P7Ti+jS5rbmua+ET4GPcJTYXR+pO5/cMaxqFONj1D1w9541QPYZNBbTfPM/Zfu8OnzngVsCnnKEtu1bVwflUnmf7F5hHED8zJRe1F9PT/HYA6NCd4ajQ=,iv:58ysTItP8UNnQWwgWRS1dk/K/2dJv3P5wa5rGnz2P/I=,tag:vLGrFldzOey9ANW010GylA==,type:str]
-smtp2go:
-    username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str]
-    password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -81,8 +53,8 @@ sops:
             azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
             UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-15T15:37:53Z"
-    mac: ENC[AES256_GCM,data:tsoDYbuhxEH3PrxOPgfKczD8Hh1XGJRhGAtm2DWpPP9T99ub/l3KAV2pInvUi5Kn+1QvhJUAwFAP6A/435cqfsHxQI066N7ADUYO4qshcsAYKK7ofBVNnI431D3oD+kBujWKmvSqhlamdP+O7O1ICtbfI5PEM8SN5KWEvEtyp9A=,iv:pDiPy6EWLaZQbNydRFTktRlcf7M9Uf8OS+WPbQkUx9M=,tag:D+tMTFVbWE7TQIw/0MUZjw==,type:str]
+    lastmodified: "2024-12-01T13:22:41Z"
+    mac: ENC[AES256_GCM,data:6UqmxHJC4KWsiQttXFEEG1opPcrGntYj9nlD8m0iBqjc9g/SHxEogpaiYEnriGNXGw0HhRWjrd+JX29Ht4xVeiYqthYX+4rVuIuv+SI7p08hJeIBbIYrfonAJsebbSsynuy9YgyUkNZhoqjZTtuzFU/c4Dh5453RVnuQmu4PZNs=,iv:yA//mqJ0Ft63eRME8A1HBiZ/B0gcVYlS4MaP0LykooU=,tag:0NxU0lVi67N34eDhsT82kQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.9.1