diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 0dd19d6..95b2f40 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -21,7 +21,6 @@
       inherit (lib.my) networkdAssignment;
 
       vwData = "/var/lib/vaultwarden";
-      vwSecrets = "vaultwarden.env";
     in
     {
       config = mkMerge [
@@ -31,12 +30,12 @@
             server.enable = true;
 
             secrets = {
-              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILakffcjRp6h6lxSOADOsTK5h2MCkt8hKDv0cvchM7iw";
-              files."${vwSecrets}" = {};
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP2mF50ENpnJnr+VTnG9P+JFPjgwvoIxCLyJPzXRpVy";
+              files."vaultwarden.env" = {};
             };
 
             firewall = {
-              tcp.allowed = [ 80 3012 ];
+              tcp.allowed = with config.services.vaultwarden.config; [ ROCKET_PORT WEBSOCKET_PORT ];
             };
 
             tmproot.persistence.config.directories = [
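Review bot: The `tcp.allowed` rule in this hunk opens ROCKET_PORT and WEBSOCKET_PORT with no visible source restriction, while the later hunk binds both listeners to `"::"` and serves plain HTTP behind a `DOMAIN` of `https://…`. TLS is therefore presumably terminated on a reverse proxy elsewhere, and any other host that can route to this container could reach the vault API in cleartext. Such a host could also supply its own client-IP header, which Vaultwarden trusts by default (`IP_HEADER`) for logging and rate limiting. If the firewall module supports it, limit these two ports to the proxy's address. Otherwise add a comment such as `# reachable only from the reverse proxy; never expose directly` so the assumption is recorded. Deriving the ports from `config.services.vaultwarden.config` is a good change; the surrounding attribute set continues past the end of this hunk.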
@@ -57,14 +56,30 @@
             vaultwarden = {
               enable = true;
               config = {
-                dataFolder = vwData;
-                webVaultEnabled = true;
+                DATA_FOLDER = vwData;
 
-                rocketPort = 80;
-                websocketEnabled = true;
-                websocketPort = 3012;
+                WEB_VAULT_ENABLED = true;
+
+                WEBSOCKET_ENABLED = true;
+                WEBSOCKET_ADDRESS = "::";
+                WEBSOCKET_PORT = 3012;
+
+                SIGNUPS_ALLOWED = false;
+
+                DOMAIN = "https://pass.${lib.my.pubDomain}";
+
+                ROCKET_ADDRESS = "::";
+                ROCKET_PORT = 80;
+
+                SMTP_HOST = "mail.nul.ie";
+                SMTP_FROM = "pass@nul.ie";
+                SMTP_FROM_NAME = "Vaultwarden";
+                SMTP_SECURITY = "starttls";
+                SMTP_PORT = 587;
+                SMTP_USERNAME = "pass@nul.ie";
+                SMTP_TIMEOUT = 15;
               };
-              environmentFile = config.age.secrets."${vwSecrets}".path;
+              environmentFile = config.age.secrets."vaultwarden.env".path;
             };
           };
         }
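Review bot: `SIGNUPS_ALLOWED = false` closes open registration, but the hunk leaves `INVITATIONS_ALLOWED` unset, and Vaultwarden enables it by default. With SMTP now configured, organisation admins can still bring in new accounts by e-mail; if that is not intended, add `INVITATIONS_ALLOWED = false;` next to it. Separately, `SMTP_USERNAME` is set here but no password appears, so it presumably comes from `environmentFile`. A comment above the SMTP block such as `# SMTP_PASSWORD (and any ADMIN_TOKEN) live in the age-encrypted vaultwarden.env, never in this attrset` would make clear that values written here end up in the world-readable Nix store. The `vaultwarden` attribute set starts before this hunk, so other settings may already cover some of this.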
diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age
index 7e40522..e1af127 100644
Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ
diff --git a/secrets/estuary/netdata/powerdns.conf.age b/secrets/estuary/netdata/powerdns.conf.age
index 4e829be..2ac2ea6 100644
Binary files a/secrets/estuary/netdata/powerdns.conf.age and b/secrets/estuary/netdata/powerdns.conf.age differ
diff --git a/secrets/estuary/netdata/powerdns_recursor.conf.age b/secrets/estuary/netdata/powerdns_recursor.conf.age
index 31c2249..27dacbf 100644
--- a/secrets/estuary/netdata/powerdns_recursor.conf.age
+++ b/secrets/estuary/netdata/powerdns_recursor.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw z/wgsbTnvMwnFg5jjtMDHkQ7wPz2SY8oCdNFIFEuuBo
-DM1P19QwM8TmG0fBw52BjUPfCkimf7dvMMu86KZg2Eo
--> X25519 xdsqtPpZaQJN3yvgulASl0OdIy+HH5BzXkRGrK0Sakg
-KR4gj4pafDrInLyz1WhV/AAuEbDWLrOKP9O7dzBnsQg
--> y.-grease G5C+_ u7nR &.w1r}G 8tS
-VUr+ZkK8wWhZwwhRGFVRXjnjiW1c5BIArlNylTrK8OwCNQ
---- fIl+/aQf4mqtRC0gTbQQkRLtFCIB9UiP4BxxTyYG4y4
-��@��0AQ��A�8lh;%�􁄣��T� *D��s�B�u>ۼ�l�z݁F�U
-�r�ߙ	�޲V=���[�-s9�SG�ߚ�ǝ������s�'�pu�!�"��ה�Y{�<~����Qu#e����J�����g�%�N
\ No newline at end of file
+-> ssh-ed25519 n8CpUw +a8D5DCZQCK5Yv/U+ApOAP8TxcA7cjAXG2aulHdQG2I
+9WDr8i1YxZ29daFIeT0yDwhHPNvx87JmBp/Rg5cFOJI
+-> X25519 tDJjrmPEM9C5JmjhCkXo2a15u0pGubRRuae1xxaFPD8
+tGH3wzDZJzK4BbozX2z9T2yXabriR2fdg4ZVO3KZk/g
+-> SQa:-&-grease g ~"{ :m <Jo\5dz
+o9KTHn70+oFLRHA
+--- i/1z+jWIvlhCTq08UYqceDpaRe6CJJr8remSB6LVAH0
+L����e�S�C���ނ��[��ȡcѴ��C@ټjvvy��ל1����a�c�z�n7Ya=~"�J'���H��RZ��,����{���F�1[�KI^����|��%Yh`�Gx��$�5�RC�z0�t�0�u���Ɠ5^���
\ No newline at end of file
diff --git a/secrets/estuary/pdns/auth.conf.age b/secrets/estuary/pdns/auth.conf.age
index 5e27ccf..43f4fac 100644
--- a/secrets/estuary/pdns/auth.conf.age
+++ b/secrets/estuary/pdns/auth.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw vrmqoaNTgD3vR/JjMEzDtFtuJdOgOG1cAF/K4wVxpAA
-ICuTWokXdt8vKHwFO/HsAOSR4mdjP1XtG2dRpwReQe4
--> X25519 O3v69z65PU313Q9V9OFwpIVfgffCn3AEbIRZemogMVo
-3UqbO6tA+e0kWGxgR1NyomaA9asEkUbDUvTCdHcvJ1c
--> N-grease Y3 a[
-PBZW+W7X/tuOu1IF8spvn59M1kNAGUP7+DTbLUjlqndzGMaBJ84CJw+CAPC+Md1I
-1iqulKt6UAAFkpY
---- DQ8K63M3As26s09GVGc/nEUm/qstY0AN5yiCQ1PXKaM
-��������pf����5.�-y��i������a�1�ʕ�J�O��"�K��Bȋ-�EJ	_\_�y�={]YQ"��
\ No newline at end of file
+-> ssh-ed25519 n8CpUw DOBT0UVIyRCCL6hLk/F1El4MbtNYskMz+IMjD4UuOns
+NT0PRGlEpQ3YcxHEUdw/90QhD8xGar6id17maVwUdb0
+-> X25519 c/SwQBGz826ezLHbZfOPNr0uhqFK6RTvxEA8HDb7+xY
+rZa2TqG0icjqMLFE79ouCFqsInQHe7a4FsaY8sPiDl8
+-> 0A*gt-grease F:X-O^
+
+--- 6nJnd0CERDygNJnpVCIrKQhpmUQJisAV/HgX1RYyf9Q
+���<�*��IR�
iq��D��O��k�O�s���:-����]�@ch.�׊�O�	UMEW%kV�C[�r�
\ No newline at end of file
diff --git a/secrets/estuary/pdns/recursor.conf.age b/secrets/estuary/pdns/recursor.conf.age
index b5ac83d..97f501d 100644
--- a/secrets/estuary/pdns/recursor.conf.age
+++ b/secrets/estuary/pdns/recursor.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw p36/Gp3jTdXE3AGFhHm9J2p0KuPRKq372go8Rplee34
-VV7OAGrst1gVp4oiFBMHRQzRrPYKQVOiTKJY/uxGPSQ
--> X25519 zVxW9hWqbNkZwkxbmr+84vx/ePe6SMob8Nn3lQ5NXFY
-YwbLgoNYDYmtHfeFyBR7YwpqHrYN2AV2w7zACz4px0U
--> R;D)YDog-grease l 5Im2tR&`
-/dg2cnvcyLH/LvhFQTukBOgqLv+nYrzyDJimzS9SqY2scN7q0V9lDrx/KYKVeeWi
-jUnKsIt9bq2gXAXKnT2GqnHWBbixMUrqLxax/nSTVOT4g0fjrBkWPg
---- bkRusUuDjD0EzR2YvikUhjbFQ86HeGUluxSuf/kfbH0
-v�!��SL�����[�^}�ya+�ɓ�a�I'��(��+�zu�e�#��e�q`�:�n���
\ No newline at end of file
+-> ssh-ed25519 n8CpUw WXvPv4yho+cwBrLItO/C+ilUzV2OW9ok+JOZJFPXnCs
+hJWK6VyAs3BWeLelIfYSmncY9DNqfyxFg8zn3iFsnNY
+-> X25519 oJvXbZqzokFmN+5WpH/G0KMQvY2UFkZ7SEQEXzpNeAY
+F7GBoHwPKSfioaR4YLsH7WTBeopUVXH8FYAzIy1C8Sg
+-> Vvm6>F-grease y =5;b4O4 (%y Pp&
+ULDWg4Kh5gcCpSSsi9vXqXSYkPEtyrvfoTxSaY59gA
+--- 95OJTatGi3+dxqaTpHfqZc4987YDyi3TNGTNEwjQe+Y
+�*S����C/�O�!�S^:B*K[F��A��q;�昸�WT�&s7�X��M��τ�Ԉ�p;��|�0SJ�
\ No newline at end of file
diff --git a/secrets/jackflix-wg-privkey.txt.age b/secrets/jackflix-wg-privkey.txt.age
index 752e508..c443dc1 100644
--- a/secrets/jackflix-wg-privkey.txt.age
+++ b/secrets/jackflix-wg-privkey.txt.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 vf+WVg KhusLFATFrmnujHs1WV+VR+MPktHASs+Wj82s35pfig
-IXeX1fHQ/0CbC2D22aQLY9TnaPnW0u6iMPr0aimAxvs
--> X25519 4hQH9z/z4JF7chKf7P3L+eorQHojuEf51YukjyKaf2Q
-Ce623tTN1jGwbKnHPbnDpJMGG3KdZCd3kM1fBzC+mqI
--> :(-grease mxbrVm>
-rZKeB2I+ThUqHOB43Icv91gDI6J+1yYknWHul0/Uv0LDSgSKBpIhYv4Gkd/mOnPS
-Ow
---- bEHjGQBQ60BLD9cnDjg+oR0W3HOwLgADCqX3yqrwjHk
-�����y�M��㤁�X�Ϛ�&u(���Hq�f�dzR�x(G�t�{���r� �v?��3�ɷ����Ղ�
Yː+�
\ No newline at end of file
+-> ssh-ed25519 vf+WVg 46AUsv9pdxNRa3OqRbBhNCZ4mtmeoQ2/DPBTSiEiZTQ
+Ib4PHWRKr1x9hcxjY+DQMpahA3dpTyFzYRZ9JFzcLNc
+-> X25519 lm03ugY8fnUPThuqOA1zkDjLgF7swWURECXYD+lXZlY
+dW9tb6Bv+7ofIhZHV0E5Hq4jhtHMDC0wgQ+trMaPLUE
+-> @-grease {3]QG.2I OR(T <FkdN$|=
+3ktwWgIO8kgJ1GPY
+--- aOCS82AO1gSIkgDRP4ISFP9Q/XVzyjzl9ShgpxPoWLk
+%��0��_K�A���p��9l�i��ޱ�D=3�ڝ�Ƽ�?/��%�]5Y��r�}�S�a����|�1J���F��
\ No newline at end of file
diff --git a/secrets/middleman/cloudflare-credentials.conf.age b/secrets/middleman/cloudflare-credentials.conf.age
index 7afdd58..5c23cd3 100644
Binary files a/secrets/middleman/cloudflare-credentials.conf.age and b/secrets/middleman/cloudflare-credentials.conf.age differ
diff --git a/secrets/middleman/nginx-sso.yaml.age b/secrets/middleman/nginx-sso.yaml.age
index e7c079e..8988c25 100644
Binary files a/secrets/middleman/nginx-sso.yaml.age and b/secrets/middleman/nginx-sso.yaml.age differ
diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age
index 7957dbb..f0f95e3 100644
Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ
diff --git a/secrets/synapse.yaml.age b/secrets/synapse.yaml.age
index d936c7b..524c5bf 100644
Binary files a/secrets/synapse.yaml.age and b/secrets/synapse.yaml.age differ
diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age
index 22d0bd0..19c9517 100644
Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age
index 9ba340d..97bcf4c 100644
Binary files a/secrets/vaultwarden.env.age and b/secrets/vaultwarden.env.age differ