diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
index d3b99ab..d5c60fa 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -30,7 +30,7 @@
  server.enable = true;
  secrets = {
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQM9U1e/XcUCyMJITrpAHjAGahpqkZCmtX6pJkYzuks";
  files = {
  "dhparams.pem" = {
  owner = "acme";
@@ -41,11 +41,11 @@
  owner = "acme";
  group = "acme";
  };
- "cloudflare-credentials.conf" = {
+ "middleman/cloudflare-credentials.conf" = {
  owner = "acme";
  group = "acme";
  };
- "nginx-sso.yaml" = {
+ "middleman/nginx-sso.yaml" = {
  owner = "nginx-sso";
  group = "nginx-sso";
  };
@@ -58,7 +58,7 @@
  nginx-sso = {
  enable = true;
- extraConfigFile = config.age.secrets."nginx-sso.yaml".path;
+ extraConfigFile = config.age.secrets."middleman/nginx-sso.yaml".path;
  configuration = {
  listen = {
  addr = "[::]";
@@ -122,7 +122,8 @@
  acceptTerms = true;
  defaults = {
  email = "dev@nul.ie";
- server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ server = "https://acme-v02.api.letsencrypt.org/directory";
  reloadServices = [ "nginx" ];
  dnsResolver = "8.8.8.8";
  };
@@ -163,7 +164,7 @@
  "*.${lib.my.pubDomain}"
  ];
  dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets."cloudflare-credentials.conf".path;
+ credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
  };
  };
  };
diff --git a/secrets/cloudflare-credentials.conf.age b/secrets/cloudflare-credentials.conf.age
deleted file mode 100644
index 74f6909..0000000
--- a/secrets/cloudflare-credentials.conf.age
+++ /dev/null
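Review bot: The new `key` value in the `secrets` block of default.nix (hunk at line 30) replaces the recipient these secrets are encrypted to, but nothing in the hunk says which key it is or why it changed. Re-encrypting the `.age` files does not retire the copies encrypted to the previous recipient, which stay readable in the repository history to anyone holding the old private key. If the old key was replaced because it may have been exposed (the commit does not say), the underlying credentials, such as the Cloudflare token and the nginx-sso configuration, would need rotating as well. I would add a comment above the line along the lines of `# public key of the middleman container, used as the age recipient for the files below`, adjusted to whatever the key actually is. The `secrets` block continues outside the hunk.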
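Review bot: The commented-out staging URL in `defaults` (hunk at line 122) is dead configuration sitting directly above the live `server` line, with nothing to say when it should be re-enabled. Either delete it or turn it into an explanatory comment, e.g. `# for test issuance use the staging directory: https://acme-staging-v02.api.letsencrypt.org/directory`. As far as I know the NixOS ACME module already falls back to the Let's Encrypt production directory when `server` is unset, so dropping both lines may be the smaller change; confirm against the module version in use. Production issuance is rate-limited, so repeated failed DNS-01 attempts during rebuilds cost more than they did against staging.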
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 H162lQ poUW3oUJVxTNyJxJwWAbFDCOK7Gnhk2KxPDzZs3unE4 -8veh+9Z1kVb1Y9h/rFOzRfeGkewtwVQUUB5oOPZKvqQ --> X25519 PlDX52lXXShwQgi2sXSZM6Tu2v5g6dNVLVovyCEahAo -p7pNdl9U5iZ9uOICs4xejtTgJ8eagkDgSUkLTBhUAB4 --> 3M-grease -3VLKIT/v0a6RIllt791XnIBEOHvvcARqSd5UkLdR6+V3Bw4BNRV6eFUTtzxWpm9n -O2JMeVRr9dL2MRG1+3LHqnAT1ujZyFYhn6JLTA ---- U9nB05pNnOLwbjJi2aPk87glMy0VTotDgqb/2b0zkdg -?gbpç hќ]S[f 3833 jkdPea/^STj7K_Gc0RDb`hGT -yyÁ~&ڂx۵OL g) XL \ No newline at end of file diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index bca8048..7e40522 100644 Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ diff --git a/secrets/estuary/netdata/powerdns.conf.age b/secrets/estuary/netdata/powerdns.conf.age index 7ace098..4e829be 100644 --- a/secrets/estuary/netdata/powerdns.conf.age +++ b/secrets/estuary/netdata/powerdns.conf.age 
@@ -1,10 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 n8CpUw gt7Z7JlRQIZctb7k44hR7rR4NwashQuA7bY580YCa10 -On55Kp+DDtZPCFJlyzcew8b/uPckX4tCPESBAFwSeAY --> X25519 5AS2hdGqkkpoL1JiFKOnstoGh7hEKbYE3HNynP2L2U0 -flPM0IHmnwZz0tGr887MZQxg40QPrjCpnXeaTe0qqEI --> bg7}Id-grease -YjyZlOsYKt8kimLGg94RjHZFkxRXpFElqs7IZmmndJpFBI53ENy4J61oef/Choy/ -c6h4be2Txus+EM4QneFbnseq2Mdc ---- zKpMXNIeDiPLrb7venPzFcQwlAEU3vSJlJs8kRX8xBg -eHO03FQ,<4y+/W)GLFKGf9rQT8H؉Do5>NX4n5$-; C8&8tnbs[Qbٛ2)!h] %h \ No newline at end of file +-> ssh-ed25519 n8CpUw Oay8MPg2cdVe+Tu8lESM1FqbURj5EUEt81Q88yWErxU +qHw6Rty0B88SFpUf15KdGtkiWfm1xp3M5rQHEhgX7FQ +-> X25519 /aUWmwPgQxpo2Qj3B5OnKhw91t54YhkpcRcWMdAlzlA +lqQxuIlYtDzHC9NDz3AjMAtc19F6iWLHWmvKdmKgLcM +-> mo|25i-grease +nRPNuLLS6yL2L9xW8DSzFktZ7Tdc1QeQmzOmlZ0QTzyMjAOoNSlJc38ApMtlykw+ +zbQA5xEIaNdgDR8etWEgv/QRqvmo +--- E88sZZTGA332BWi/Fi2mYeTfSlcMM5VQvQOkwyijDNs +#@; +;N΋'u ssh-ed25519 n8CpUw fAg/7pxnqWhx4ia0NpxoZp41PXFDwNZisoadPqkWwW0 -a3yh3GSFrZIH0gxIdDKGhqdK5GV/Jw8e3k8dzCuBflA --> X25519 C71qeEdBawNVucX5cDdwfU/3qRXO7X0CJmfb4wsjFlQ -UJUKezoEGMt/yrUJ+ATzMi9gfKCsiyKS6mlKZhOE1Bo --> QgpA-grease `^0T- ;[p G 4 -qfaNiUNdNFDGEJMOLoE+uVqXeoh78UH0os9DG1aPghWo3MQJ+/KGW+a/q+UHu7d1 -9V1ank9kIBWRcvtUaQ ---- BKpfFbC56c+pGNtKcyMXErMEWhu0VQHbJgTRp0BaKhM -VPɭcI?ٿN(pdnfMW1 ɗ)߅8ՈN)gKq \ No newline at end of file +-> ssh-ed25519 n8CpUw vrmqoaNTgD3vR/JjMEzDtFtuJdOgOG1cAF/K4wVxpAA +ICuTWokXdt8vKHwFO/HsAOSR4mdjP1XtG2dRpwReQe4 +-> X25519 O3v69z65PU313Q9V9OFwpIVfgffCn3AEbIRZemogMVo +3UqbO6tA+e0kWGxgR1NyomaA9asEkUbDUvTCdHcvJ1c +-> N-grease Y3 a[ +PBZW+W7X/tuOu1IF8spvn59M1kNAGUP7+DTbLUjlqndzGMaBJ84CJw+CAPC+Md1I +1iqulKt6UAAFkpY +--- DQ8K63M3As26s09GVGc/nEUm/qstY0AN5yiCQ1PXKaM +pf5.-yia1ʕJO"KBȋ-EJ _\_y={]YQ" \ No newline at end of file diff --git a/secrets/estuary/pdns/recursor.conf.age b/secrets/estuary/pdns/recursor.conf.age index 1b8af36..b5ac83d 100644 --- a/secrets/estuary/pdns/recursor.conf.age +++ b/secrets/estuary/pdns/recursor.conf.age 
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 n8CpUw W+QHTbMuGCIzX5wYTMmacaDUForQckDDA/GvfUhuxxk -P9ZXfNYVdy9ypkevlvhMHtRG7/ka/Qq0Lk/gn1GFzVU --> X25519 TU7g0shh1jjS3vsmfYAhjfEjGCtiF1UufVnG0VTDJW0 -O4U/SRtHXw09+0AmQBNmq4X+oSiXGnM269o8fOIF19Y --> jze-grease C,Vm1 -12L/JV+x+e41PsvoEtljoF1e ---- DNTspjhDmKO0vcOUGniMAKTZ//ysWETjz18VgBTJ9yc -=5[v0\ċc;?_=4R>T~ kjA48/wk~*!25|3zF%A \ No newline at end of file +-> ssh-ed25519 n8CpUw p36/Gp3jTdXE3AGFhHm9J2p0KuPRKq372go8Rplee34 +VV7OAGrst1gVp4oiFBMHRQzRrPYKQVOiTKJY/uxGPSQ +-> X25519 zVxW9hWqbNkZwkxbmr+84vx/ePe6SMob8Nn3lQ5NXFY +YwbLgoNYDYmtHfeFyBR7YwpqHrYN2AV2w7zACz4px0U +-> R;D)YDog-grease l 5Im2tR&` +/dg2cnvcyLH/LvhFQTukBOgqLv+nYrzyDJimzS9SqY2scN7q0V9lDrx/KYKVeeWi +jUnKsIt9bq2gXAXKnT2GqnHWBbixMUrqLxax/nSTVOT4g0fjrBkWPg +--- bkRusUuDjD0EzR2YvikUhjbFQ86HeGUluxSuf/kfbH0 +v!SL[^}ya+ɓ aI '(+zue#eq`: n \ No newline at end of file diff --git a/secrets/jackflix-wg-privkey.txt.age b/secrets/jackflix-wg-privkey.txt.age index d187808..752e508 100644 --- a/secrets/jackflix-wg-privkey.txt.age +++ b/secrets/jackflix-wg-privkey.txt.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 vf+WVg 49MlmUh4nCOHTalKhJ07Ta+BpM4jnINkSLL/imNCJEs -g1vq+VEqTnu3cnA3c6osXyrcE0rJjaCYtyIdmHgPK2U --> X25519 jwUC9PB+fD/Wtvyi8ngEAamyScllZZqM+vS+yVQ7fS0 -A+ZplDCAxdQpWCjEg7OxEl22a79BiBPjJNW+bB8EprY --> E21RFxX-grease s -l/K1CHcO1eTXcvUV61UGM7279M5xaU5jFwirI7Kc1Eb7b6LD7u8968fiQXKJy+bS -D7A2x2SPrNXFbjI5kdIGZ2gLLBE ---- sl8/38fMzipYZL6p6yJ8LUazLDl6dVrR3Cd5ZApgy6M -_)IYk=̒fz_"#.?IF:7)VKD&o]=W^ \ No newline at end of file +-> ssh-ed25519 vf+WVg KhusLFATFrmnujHs1WV+VR+MPktHASs+Wj82s35pfig +IXeX1fHQ/0CbC2D22aQLY9TnaPnW0u6iMPr0aimAxvs +-> X25519 4hQH9z/z4JF7chKf7P3L+eorQHojuEf51YukjyKaf2Q +Ce623tTN1jGwbKnHPbnDpJMGG3KdZCd3kM1fBzC+mqI +-> :(-grease mxbrVm> +rZKeB2I+ThUqHOB43Icv91gDI6J+1yYknWHul0/Uv0LDSgSKBpIhYv4Gkd/mOnPS +Ow +--- bEHjGQBQ60BLD9cnDjg+oR0W3HOwLgADCqX3yqrwjHk +yM㤁XϚ&u(HqfdzRx(Gt{r v?3ɷՂ Yː+ \ No newline at end of file 
diff --git a/secrets/middleman/cloudflare-credentials.conf.age b/secrets/middleman/cloudflare-credentials.conf.age
new file mode 100644
index 0000000..7afdd58
Binary files /dev/null and b/secrets/middleman/cloudflare-credentials.conf.age differ
diff --git a/secrets/middleman/nginx-sso.yaml.age b/secrets/middleman/nginx-sso.yaml.age
new file mode 100644
index 0000000..e7c079e
Binary files /dev/null and b/secrets/middleman/nginx-sso.yaml.age differ
diff --git a/secrets/nginx-sso.yaml.age b/secrets/nginx-sso.yaml.age
deleted file mode 100644
index 6a0a750..0000000
Binary files a/secrets/nginx-sso.yaml.age and /dev/null differ
diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age
index eac7964..7957dbb 100644
Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ
diff --git a/secrets/synapse.yaml.age b/secrets/synapse.yaml.age
index 914b8da..d936c7b 100644
Binary files a/secrets/synapse.yaml.age and b/secrets/synapse.yaml.age differ
diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age
index b129eb0..22d0bd0 100644
Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age
index a81265c..9ba340d 100644
Binary files a/secrets/vaultwarden.env.age and b/secrets/vaultwarden.env.age differ