diff --git a/hosts/sire/guests/common.nix b/hosts/sire/guests/common.nix index c301f6b..81bc212 100644 --- a/hosts/sire/guests/common.nix +++ b/hosts/sire/guests/common.nix @@ -5,6 +5,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; in { meta.promtail = { enable = true; @@ -12,7 +13,12 @@ in { }; # Connect safely via wireguard to skip http authentication - networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; + networking.hosts.${ + if config.wireguard ? proxy-home + then wardWebProxyCfg.wireguard.proxy-home.ipv4 + else sentinelCfg.wireguard.proxy-sentinel.ipv4 + } = [sentinelCfg.networking.providedDomains.influxdb]; + meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; scrapeSensors = false; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index a6c2f48..ffbf9d2 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -4,6 +4,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { @@ -116,6 +117,11 @@ in { } ]; + networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ + sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)... + sentinelCfg.networking.providedDomains.loki + ]; + services.grafana = { enable = true; settings = { diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index 05fec63..4dbce30 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -5,6 +5,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; immichDomain = "immich.${config.repo.secrets.global.domains.me}"; ipImmichMachineLearning = "10.89.0.10"; 
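Review bot: The comment above the rewritten `networking.hosts` expression in common.nix still says only that the guest connects via wireguard to skip http authentication, but the address is now chosen between two proxies. I would extend it, for example `# Prefer ward-web-proxy when this guest is a proxy-home peer, otherwise fall back to sentinel.` It is also worth stating that the home path depends on the address allowlist of the influxdb vhost on ward-web-proxy. That dependency is inferred from the vhost added in influxdb.nix, which has no HTTP authentication of its own.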
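Review bot: The `networking.hosts` entry added before `services.grafana` maps the influxdb and loki domains to the ward-web-proxy address unconditionally, while common.nix guards the same mapping with `config.wireguard ? proxy-home`. No `wireguard.proxy-home` definition for the grafana guest is visible in this diff. If the guest is not a proxy-home peer, common.nix also maps the influxdb domain to the sentinel address, so /etc/hosts ends up with two different addresses for one name and the home-proxy address may not be reachable at all. Either add the proxy-home peer definition to this file or put the entry behind the same guard.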
@@ -169,10 +170,15 @@ in { client.via = "sentinel"; firewallRuleForNode.sentinel.allowedTCPPorts = [2283]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [2283]; + }; networking.nftables.chains.forward.into-immich-container = { after = ["conntrack"]; rules = [ "iifname proxy-sentinel ip saddr ${sentinelCfg.wireguard.proxy-sentinel.ipv4} tcp dport 3001 accept" + "iifname proxy-home ip saddr ${wardWebProxyCfg.wireguard.proxy-home.ipv4} tcp dport 3001 accept" "iifname podman1 oifname lan accept" ]; }; @@ -202,6 +208,31 @@ in { }; }; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.immich = { + servers."${config.wireguard.proxy-home.ipv4}:2283" = {}; + extraConfig = '' + zone immich 64k; + keepalive 2; + ''; + }; + virtualHosts.${immichDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://immich"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 10G; + allow 192.168.1.0/24; + deny all; + ''; + }; + }; + }; + systemd.tmpfiles.settings = { "10-immich" = { ${upload_folder}.d = { diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index cc68e6e..e5465ef 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -6,6 +6,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardCfg = nodes.ward.config; influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}"; influxdbPort = 8086; in { @@ -14,6 +15,11 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [influxdbPort]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [influxdbPort]; + }; + nodes.sentinel = { networking.providedDomains.influxdb = influxdbDomain; 
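Review bot: In the new `nodes.ward-web-proxy` vhost the only proxy-side gate in front of Immich is the literal `allow 192.168.1.0/24; deny all;`, and the same literal is repeated in the paperless vhost added in paperless.nix. Renumbering the LAN or adding a VLAN then needs edits in several guests, and a missed one either locks clients out or leaves a stale range allowed. I would take the range from one shared definition (placeholder name: `lanCidr`) and add a comment such as `# LAN clients only; no further authentication is enforced at this proxy`, if that matches the intent. Keeping the allowlist at server level is the right place, since locations added later inherit it.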
@@ -50,6 +56,40 @@ in { }; }; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.influxdb = { + servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = {}; + extraConfig = '' + zone influxdb 64k; + keepalive 2; + ''; + }; + virtualHosts.${influxdbDomain} = let + accessRules = '' + ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} + deny all; + ''; + in { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://influxdb"; + proxyWebsockets = true; + extraConfig = accessRules; + }; + locations."/api/v2/write" = { + proxyPass = "http://influxdb/api/v2/write"; + proxyWebsockets = true; + extraConfig = '' + ${accessRules} + access_log off; + ''; + }; + }; + }; + }; + age.secrets.influxdb-admin-password = { generator.script = "alnum"; mode = "440"; diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 2b9cabe..6f8b517 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -1,9 +1,12 @@ { config, + lib, nodes, ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; + wardCfg = nodes.ward.config; lokiDomain = "loki.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { @@ -11,6 +14,11 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; }; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; + }; + nodes.sentinel = { networking.providedDomains.loki = lokiDomain; 
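Review bot: `accessRules` is attached to each location's `extraConfig` rather than to the vhost, so any location added later to `virtualHosts.${influxdbDomain}` is served without the allowlist unless its author repeats it. The immich and paperless vhosts in this commit put their `allow`/`deny` lines at server level. Doing the same here with `extraConfig = accessRules;` on the vhost, and keeping only `access_log off;` in the `/api/v2/write` location, makes the default fail closed. A comment stating what `reservedAddresses` contains would also help, because this vhost has no HTTP authentication and the allowlist is its only proxy-side control.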
@@ -28,6 +36,51 @@ in { keepalive 2; ''; }; + virtualHosts.${lokiDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://loki"; + proxyWebsockets = true; + extraConfig = '' + auth_basic "Authentication required"; + auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path}; + + proxy_read_timeout 1800s; + proxy_connect_timeout 1600s; + + ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} + deny all; + + access_log off; + ''; + }; + locations."= /ready" = { + proxyPass = "http://loki"; + extraConfig = '' + auth_basic off; + access_log off; + ''; + }; + }; + }; + }; + + nodes.ward-web-proxy = { + age.secrets.loki-basic-auth-hashes = { + inherit (nodes.sentinel.config.age.secrets.loki-basic-auth-hashes) rekeyFile; + mode = "440"; + group = "nginx"; + }; + + services.nginx = { + upstreams.loki = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {}; + extraConfig = '' + zone loki 64k; + keepalive 2; + ''; + }; virtualHosts.${lokiDomain} = { forceSSL = true; useACMEWildcardHost = true; diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 1aec3d1..3265062 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
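Review bot: The added vhost body sits directly after the sentinel `upstreams.loki` context, so in the new file it is the `nodes.sentinel` vhost that references `wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path` and carries the proxy-home `allow ...; deny all;` list. The new `nodes.ward-web-proxy` block, in turn, ends with the old, unchanged vhost as its body. That looks swapped: sentinel would reject every client outside the proxy-home reserved addresses, and the home proxy inherits whatever the original sentinel vhost contained, which continues outside this hunk and presumably has no allowlist. I would leave the sentinel vhost as it was and move the `auth_basic_user_file` line that uses `wardWebProxyCfg` and the `reservedAddresses` allow/deny lines into the `nodes.ward-web-proxy` vhost. The allowlist is set only in `locations."/"`, so `locations."= /ready"` is reachable with neither basic auth nor an address restriction; add a comment if that is intended for health checks.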
@@ -6,12 +6,23 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}"; paperlessBackupDir = "/var/cache/paperless-backup"; in { microvm.mem = 1024 * 9; microvm.vcpu = 8; + wireguard.proxy-sentinel = { + client.via = "sentinel"; + firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port]; + }; + + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port]; + }; + nodes.sentinel = { networking.providedDomains.paperless = paperlessDomain; @@ -38,9 +49,30 @@ in { }; }; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port]; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.paperless = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = {}; + extraConfig = '' + zone paperless 64k; + keepalive 2; + ''; + }; + virtualHosts.${paperlessDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + extraConfig = '' + client_max_body_size 512M; + allow 192.168.1.0/24; + deny all; + ''; + locations."/" = { + proxyPass = "http://paperless"; + proxyWebsockets = true; + X-Frame-Options = "SAMEORIGIN"; + }; + }; + }; }; age.secrets.paperless-admin-password = { @@ -75,7 +107,10 @@ in { PAPERLESS_URL = "https://${paperlessDomain}"; PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; - PAPERLESS_TRUSTED_PROXIES = sentinelCfg.wireguard.proxy-sentinel.ipv4; + PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [ + sentinelCfg.wireguard.proxy-sentinel.ipv4 + wardWebProxyCfg.wireguard.proxy-home.ipv4 + ]; # Authentication via kanidm PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; 
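Review bot: `X-Frame-Options = "SAMEORIGIN";` is written as an attribute of `locations."/"` next to `proxyPass`, which sets a module option rather than emitting a response header. Unless this repository's nginx module declares such an option (not visible in the diff), evaluation fails on an unknown option and the anti-framing header is never sent. The usual form is `extraConfig = ''add_header X-Frame-Options "SAMEORIGIN";'';` inside the location. Note that an `add_header` in a location replaces the headers inherited from the server level, so any other security headers defined there would need to be repeated.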
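Review bot: `lib.concatStringSep` in the new `PAPERLESS_TRUSTED_PROXIES` value is not a nixpkgs library function; the name is `lib.concatStringsSep`, so this attribute fails to evaluate as written. The line should read `PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [`. Whether `lib` is among this file's arguments is not visible in the hunk, so check the function header as well. A short comment such as `# only the wireguard addresses of the two reverse proxies may set forwarded headers` would explain why this list has to stay minimal.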
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index a3ce9fe..711c552 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -74,23 +74,26 @@ in { ]; dhcp.enabled = false; }; - filtering.rewrites = [ - # Undo the /etc/hosts entry so we don't answer with the internal - # wireguard address for influxdb - { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; - answer = config.repo.secrets.global.domains.me; - } + filtering.rewrites = + [ + # Undo the /etc/hosts entry so we don't answer with the internal + # wireguard address for influxdb + { + domain = nodes.sentinel.config.networking.providedDomains.influxdb; + answer = config.repo.secrets.global.domains.me; + } + ] # Use the local mirror-proxy for some services (not necessary, just for speed) - { - domain = nodes.sentinel.config.networking.providedDomains.grafana; - answer = "192.168.1.4"; # web-proxy - } - { - domain = nodes.sentinel.config.networking.providedDomains.immich; - answer = "192.168.1.4"; # web-proxy - } - ]; + ++ map (domain: { + inherit domain; + answer = "192.168.1.4"; + }) [ + nodes.sentinel.config.networking.providedDomains.grafana + nodes.sentinel.config.networking.providedDomains.immich + nodes.sentinel.config.networking.providedDomains.influxdb + nodes.sentinel.config.networking.providedDomains.loki + nodes.sentinel.config.networking.providedDomains.paperless + ]; filters = [ { name = "AdGuard DNS filter"; diff --git a/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age new file mode 100644 index 0000000..6a97cdd --- /dev/null +++ b/secrets/rekeyed/sire-immich/48210b29550be1724e0e6a5603af581a-wireguard-proxy-home-priv-sire-immich.age 
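Review bot: The influxdb domain now has two rewrites: the first list still answers with `config.repo.secrets.global.domains.me`, and the mapped list adds an answer of `192.168.1.4` for the same name. I would not rely on how AdGuard Home resolves conflicting rewrites. If LAN clients are meant to reach the home proxy, drop the first entry together with its "Undo the /etc/hosts entry" comment; otherwise remove influxdb from the mapped list. The `# web-proxy` remark on the address was lost in the refactor and is worth restoring as `answer = "192.168.1.4"; # web-proxy`. The "not necessary, just for speed" comment may also no longer hold for influxdb, loki and paperless, whose home vhosts apply their own address allowlists.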
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 U8ytLQ ZDczMuStTpVUMGlObtJB5uA07U/OsrOXaocAGJQ5SUQ +D4Lg2MwHZVFHhTBlCDB3ZAnigTCVnNOFII5Hs9FxoL0 +-> oV-grease Y>Wk^oz +lG4J8UNTiqKwws8XmfgOZBtLBf83/OciQN+bWAFbbVd5JSl1SSUDuyu94bp34Udq +MyziULMJLT/tgjRM8H/TmBbuuIhWImHegnSA0WAZ +--- lSARhYuFG3dOCOJmNhgEhToUWyUxwBDQaYTrJ4KJQM0 + * }R@]F \HGl}4'Jg<% 1>=R03I\J \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000..90cbe43 --- /dev/null +++ b/secrets/rekeyed/sire-immich/489ba5990cd27a548ef61bf66d994759-wireguard-proxy-home-psks-sire-immich+ward.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 U8ytLQ Q49jP/1k8wgMHasJRs3j4qw4kDjmYMxzx190cqJpD34 +97gvdGUGDqP2LMdxuIM6u0FdNgKbUuKZl6p5irO+BeM +-> 4FcwR4h*-grease Yn]g)b %taX> 066d`Ecg +6cpXlQaMcTQU7dHNzQgZMeExv0KnJxzAov0BPBpFeiVfQPJqoDc+qgU +--- 94bvmt9LqBAL3sqQRhc1k9vYo91+Fa7/r8nDpqnyXZ4 +Lp#VP%7 dH~}c|/UvF{[sDCy>Z V@0Õ^}1ޤ$( \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age b/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age new file mode 100644 index 0000000..3822fc0 Binary files /dev/null and b/secrets/rekeyed/sire-influxdb/861b8ef09e38949cccff27c22ee55340-wireguard-proxy-home-psks-sire-influxdb+ward.age differ 
diff --git a/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age b/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age new file mode 100644 index 0000000..251ea47 Binary files /dev/null and b/secrets/rekeyed/sire-influxdb/dc32381081efcf32fe844db1932a1ef4-wireguard-proxy-home-priv-sire-influxdb.age differ diff --git a/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age b/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age new file mode 100644 index 0000000..9274337 Binary files /dev/null and b/secrets/rekeyed/sire-loki/158c4b0ca6a0f395e7398e0f9ddea00c-wireguard-proxy-home-priv-sire-loki.age differ diff --git a/secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age b/secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age new file mode 100644 index 0000000..d0a24e2 --- /dev/null +++ b/secrets/rekeyed/sire-loki/d381aba6054f5103c1ba555f0e7911cf-wireguard-proxy-home-psks-sire-loki+ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 Dbt6cA 3F3ffVdjqoNE4nNpgk03uASXUQqblxHp7fRRd6fyQWY +e2zBfUZrG+9ABnB0FJ5nk30akz1It0w2tCz/KJVSpjg +-> HR^-grease +4p8h4NkKY88xZf5Xk63KxigmHQP8WUDMQPD0Vyfe8qCZ5YbhSgVcDHaTuUj858yw +5xUPwfAjlWsonle5KdBtc0ym7AstzWTTrA10oM6chm/mUvRYDJDQslp5Cw +--- fp/its46uEjme2IwXthKFS8GhsIwXqmDDKnLgAFxRAQ + +.KݬX$^w bT[9_U\lC JQ)ߦr7?yʰ \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age b/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age new file mode 100644 index 0000000..1050ee4 Binary files /dev/null and b/secrets/rekeyed/sire-paperless/716cd0e8de5551b6bb6a87f8421141f3-wireguard-proxy-home-psks-sire-paperless+ward.age differ diff --git a/secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age b/secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age new file mode 100644 index 0000000..4d0a049 --- /dev/null +++ b/secrets/rekeyed/sire-paperless/78eac1248b5d98935bfdc3703e175cb3-wireguard-proxy-home-priv-sire-paperless.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 vqFVQw cCoX+F+7E65ZyrMstKoMuXiml6Cto+mbEXlZj42EgFM +wuV8ZDpI3ARBI7/JLGQd9lbtXEIYBPeIwnmAl7m9uBQ +-> :d>Hp-grease tCr`4 p4^OM^c r _s0m +fiVaHu4f3uYpHnJIoUZQXvF7eNMbsRvLPGdJ2/7jDno9oieC9RpISOLmiFpfagwR +QcW/E5mYFqqxTSBj5qsdln8pr6Ngq7UCNyP9LTIinQo +--- xmil/cv39XF68x2ukoH0bIHwxgcFVE3L/pczAcJ4dHI +WtOoK9, +F~@?JJ`w| +x7Ֆ[^%Au5]쾹Pl? \ No newline at end of file diff --git a/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age new file mode 100644 index 0000000..ecf5aa9 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age differ 
diff --git a/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age b/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age new file mode 100644 index 0000000..5cbb288 Binary files /dev/null and b/secrets/rekeyed/ward/7a86bc5ecb46f75a01bf1b27ae49cf76-wireguard-proxy-home-psks-sire-influxdb+ward.age differ diff --git a/secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age b/secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age new file mode 100644 index 0000000..767043d --- /dev/null +++ b/secrets/rekeyed/ward/d8a468ed875aef4509e9c0af53e44831-wireguard-proxy-home-psks-sire-paperless+ward.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg A1acm4APgJopInZlGV0zzs5kRZpTJuftDRsU6CIuBVs +XkY/QRvKvaKJjLQ9wlGp+emQ+uamn+K62Beqsru61r8 +-> iuB-grease /U =s~ ssh-ed25519 iNceIg sXXiTAH7s2O/UyUZHmuMHnQMRAvOVIXxEc65AXqewXI +Smfsb4y9aHWTX9KJKCRkiDCfOkSTNsci4kzFKHQ73WM +-> CKelskGG-grease i[ 7 +}sM +NlSd4X9OnX5luuy7kGXpJeOoeQg6Nbb4TK+/CyrmkMyRU+3swH+KOfKlcqr90pNV +S+2cOg +--- 727nBW/4ALXLr7W79wMIPyqhJbPzxCI3+W14kbRHx84 +IÉO0V^ N L8j#gv  +@ZՀ"*;mG&KHj68g#e#_M- \ No newline at end of file diff --git a/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000..5f1e5af --- /dev/null +++ b/secrets/rekeyed/ward/fb12194e159c81499ee0ad944efd427d-wireguard-proxy-home-psks-sire-immich+ward.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg JvzQt+2ZkDJMDm1KlZQdDml8H4ycJ6AokJPSoZP5cU4 +wpodFTm/MHvNUgNMfKsRkBcqixtW01beo6sAiEdClcM +-> ]s%j-grease F80K ++qNWHTRpraF9RkyWQgtAKTyx6zHnRE186qaTSMkEA6aRCsT6Gg +--- eVGyjUp6M/kxFZahyFU1yzoLJSYuGduGZHf6tqkblCI +(=qՓ<$SBYa9j~|Az./~JMw_%9bqg(Y>*3V^&+Ja \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-immich.age b/secrets/wireguard/proxy-home/keys/sire-immich.age new file mode 100644 index 0000000..7823230 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-immich.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 uJ3uiXX1C9PpMhT3kcYvUf8mIGxD8KTB6gGKdPGJnCs +ei8KR51jD/rWUp494k6M20oTrwDTiGpdkbOOmW4lOXo +-> piv-p256 xqSe8Q A92Qea9NZuHlV2xGjSo53jlPVnKjwBTbMPF23PeXXDrq +IfzttqGs1jW3RlOKGm08vKtJIIkzwRT1fUoMwkbMbuU +-> (-grease ;&ILFt\Z \H g&6+q2Xa Z +ZribRa/ctUpGLy4veZe+BF+3YnF6tku94bsH72Exo2WulHZS +--- Std/62CowuRVpxSYuzhJLHy5jNWMpnl6ILk4U7oW54s +:Ĉrs[ oޏl;l]m3̎nm5:Rk4xNE#$d/ nY2r \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-immich.pub b/secrets/wireguard/proxy-home/keys/sire-immich.pub new file mode 100644 index 0000000..2aa18d4 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-immich.pub @@ -0,0 +1 @@ +7Vu1OqBCLq6WNvah8QFBjnwNZUfZqzToFyQH2g/RJR4= diff --git a/secrets/wireguard/proxy-home/keys/sire-influxdb.age b/secrets/wireguard/proxy-home/keys/sire-influxdb.age new file mode 100644 index 0000000..a1ed48f Binary files /dev/null and b/secrets/wireguard/proxy-home/keys/sire-influxdb.age differ diff --git a/secrets/wireguard/proxy-home/keys/sire-influxdb.pub b/secrets/wireguard/proxy-home/keys/sire-influxdb.pub new file mode 100644 index 0000000..2e80a03 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-influxdb.pub @@ -0,0 +1 @@ +X2gXwt3IDGXOsg8Vy/yEhEQKCUS6ziLu5Kl8POMa1Sc= 
diff --git a/secrets/wireguard/proxy-home/keys/sire-loki.age b/secrets/wireguard/proxy-home/keys/sire-loki.age new file mode 100644 index 0000000..60453a7 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-loki.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 srRVmbOIPGk6sUIAARd6RLzzpKBVwIn+9RyuAPJ7aFI +fxqhR+q4BDsscusJKTZTjKxeMPfLMnp/yZpIbvv6+SE +-> piv-p256 xqSe8Q A/GX9EkFhcY/IjNQju+YdWMPyKVUj4YWuOoWxmszc1ws +rGgn/7HdLObcwxYw8GthJxgiR6XTE3C0kY6UFMlMhfo +-> ?-#-grease s X25519 ocNApTQlwFHphPMWeXS60TWO8RY4kXv1/G7mpvCRfno +q4tgumwcZKxNrObdkxLpU9tPttrDe5oZzOZYu+boNCE +-> piv-p256 xqSe8Q A8FzxSYN5kOVb8VG57H105SMUC8P+IRBz5oCN4QX7F6D +7YesnMqNXTyR5Ojtli9R8atxm5dqi9cjEvnnuyT6I1g +-> %5P"-grease ,Wf aH@;2_dA ~4s:8[ +opJOhAN4Evvp4x7ndCEfALKDUMvvpqlbwUTSplehbPI +--- oMT/RknMnLIf0ujr+Q/xOCxN8qDOVkNYCVEjoJ3AscA +vYv](լ*nۇ E1 x͘]:;i'-Kl=Pnv}i|5Qs \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age b/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age new file mode 100644 index 0000000..4a1a7c0 --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-influxdb+ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 n0ZRfnfbYjTn81ODTPvPNmKsBXDGwV6Jwgn4ZMgF/Us +SrmR4Z6rteUSVrji5cbRlj5tSQAcBoWHKvsombOI9O4 +-> piv-p256 xqSe8Q A1lLYmIImnShNJs/w0ZVFj6s3RDNvo/nGq9KeqK9Ig7b +6GRcS3PVrcL6zhW/1XpMup1fcCPgelPuXmdt3t+J08s +-> EG"Ke-grease N +37HKhYODIAQxbHJI +--- ub+9rWPOnVMWpczIB/ForaQp96zRfOVV7bMuTij/1oQ +.h6{JΩŚ!, X2PLF{GXBm&cuZoܣB0G͎a \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/psks/sire-loki+ward.age b/secrets/wireguard/proxy-home/psks/sire-loki+ward.age new file mode 100644 index 0000000..d1008ba --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-loki+ward.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 8SGiO7KFBiQdJk1Jo4E+56tO0pLmMYm+bPKR6g1DIhI +Cw0mWE+UCF3FWQ2FIdgK4kzRSZFfwgWdByHv4z0Abis +-> piv-p256 xqSe8Q AxtYXQlcKaqNDVzSMhqnznLAbkoeK2H0AP077+zm2prm +dWzLjMjdV5ymJ2BNcHB7PbIBFHJffmRr3/gX+U8XCpM +-> `-grease " &J +U2DWpgjq1+nj62O9GDB0BNRgrqHy5fb53tYKHmmK9Q +--- Y1GEP2kbfAqpVO4qWxnvkP3hloEyAAwIzy4PllrnTQc +faUyGYPh"pnx͒V*GK=߇Yt5?Qua޵KBQy> +