diff --git a/flake/agenix-rekey.nix b/flake/agenix-rekey.nix
index c304257..ee6e08b 100644
--- a/flake/agenix-rekey.nix
+++ b/flake/agenix-rekey.nix
@@ -12,7 +12,7 @@
 # The identities that are used to rekey agenix secrets and to
 # decrypt all repository-wide secrets.
 secretsConfig = {
- masterIdentities = [ "\"$PRJ_ROOT\"/secrets/yk1-nix-rage.pub" ];
+ masterIdentities = [ ../secrets/yk1-nix-rage.pub ];
 extraEncryptionPubkeys = [ ../secrets/backup.pub ];
 };
 };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 8fd8aa2..626bf7f 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -52,11 +52,14 @@ in
 services.immich = {
 enable = true;
+ host = "0.0.0.0";
 # We use VectorChord from the beginning
 database.enableVectors = false;
 environment = {
 IMMICH_LOG_LEVEL = "verbose";
 IMMICH_TRUSTED_PROXIES = lib.concatStringsSep "," [
+ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
+ globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
 ];
 };
 settings = {
@@ -269,9 +272,9 @@ in
 client_max_body_size 50G;
 proxy_buffering off;
 proxy_request_buffering off;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
+ proxy_read_timeout 1200s;
+ proxy_send_timeout 1200s;
+ send_timeout 1200s;
 allow ${globals.net.home-lan.vlans.home.cidrv4};
 allow ${globals.net.home-lan.vlans.home.cidrv6};
 # Firezone traffic
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index 8fe7962..867988e 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -105,6 +105,8 @@ in
 virtualHosts.${influxdbDomain} = let
 accessRules = ''
+ allow ${globals.net.home-lan.vlans.services.cidrv4};
+ allow ${globals.net.home-lan.vlans.services.cidrv6};
 allow ${globals.wireguard.proxy-home.cidrv4};
 allow ${globals.wireguard.proxy-home.cidrv6};
 deny all;
diff --git a/hosts/sire/secrets/immich/host.pub b/hosts/sire/secrets/immich/host.pub
index 9c7563b..18e86ac 100644
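Review bot: The new masterIdentities entry is a Nix path literal, and a path literal's contents are presumably copied into the Nix store when agenix-rekey evaluates it, so this form must only ever reference public identity files; it is fine for yk1-nix-rage.pub, but nothing on the line says so. A comment would keep a later edit from pointing it at a private key: `# Path literal: the file is copied into the world-readable store, so only public identity files belong here.` The path now resolves relative to flake/ like the sibling extraEncryptionPubkeys entry, replacing the shell-expanded `"$PRJ_ROOT"` string that only worked when that variable was set.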
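Review bot: `host = "0.0.0.0";` binds Immich to every interface of the guest, so the allow/deny list in the nginx vhost further down (the hunk at 269) no longer gates all access to the service: anything that can reach the guest's Immich port directly bypasses it. If the intent is only to let the two newly trusted proxies (ward-web-proxy and sentinel over WireGuard) reach Immich, bind to those WireGuard addresses instead, or confirm that the guest firewall only opens the port on the proxy interfaces; the firewall configuration is not visible in this hunk. Either way a comment on the line should record which peers are expected to connect directly, e.g. `# Bound on all interfaces so the proxy-home/proxy-sentinel WireGuard peers can reach it; the nginx ACL below only covers the proxied path.` Note that IMMICH_TRUSTED_PROXIES now makes Immich honour X-Forwarded-For from those two addresses, so the proxies must be the only hosts able to reach this port for client-IP based logic to stay meaningful.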
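Review bot: The two added allow lines open the InfluxDB vhost to the whole services VLAN rather than to a single host, and the hunk gives no reason, which makes the widening hard to review later. A comment naming the consumer would fix that, e.g. `# services VLAN: guests push telegraf metrics directly (token-authenticated)`; the rekeyed telegraf-influxdb-token for sire-immich elsewhere in this commit suggests that is the consumer, but that is inferred. The ordering is correct since nginx evaluates allow/deny in sequence before the existing `deny all;`, and the IP allowlist remains a network-layer control only, with the InfluxDB token doing the actual authentication. The enclosing `let` block starts in this hunk and continues past it.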
--- a/hosts/sire/secrets/immich/host.pub
+++ b/hosts/sire/secrets/immich/host.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKUJTsBJfQTTVZMS2qTYYIBe2sM56XYRCrvlUm/UtF
diff --git a/modules/ente.nix b/modules/ente.nix
index 845932d..d36c1f9 100644
--- a/modules/ente.nix
+++ b/modules/ente.nix
@@ -48,6 +48,7 @@ in
 domains = {
 api = mkOption {
 type = types.str;
+ example = "api.ente.example.com";
 description = '' The domain under which the api is served. This will NOT serve the api itself, but is a required setting to host the frontends! This will automatically be set
@@ -57,21 +58,25 @@ in
 accounts = mkOption {
 type = types.str;
+ example = "accounts.ente.example.com";
 description = "The domain under which the accounts frontend will be served.";
 };
 cast = mkOption {
 type = types.str;
+ example = "cast.ente.example.com";
 description = "The domain under which the cast frontend will be served.";
 };
 albums = mkOption {
 type = types.str;
+ example = "albums.ente.example.com";
 description = "The domain under which the albums frontend will be served.";
 };
 photos = mkOption {
 type = types.str;
+ example = "photos.ente.example.com";
 description = "The domain under which the photos frontend will be served.";
 };
 };
@@ -85,17 +90,18 @@ in
 user = mkOption {
 type = types.str;
 default = defaultUser;
- description = "User under which museum runs.";
+ description = "User under which museum runs. If you set this option you must make sure the user exists.";
 };
 group = mkOption {
 type = types.str;
 default = defaultGroup;
- description = "Group under which museum runs.";
+ description = "Group under which museum runs. If you set this option you must make sure the group exists.";
 };
 domain = mkOption {
 type = types.str;
+ example = "api.ente.example.com";
 description = "The domain under which the api will be served.";
 };
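Review bot: The new `user` description says the account must exist when the option is set, but not what happens when it is left at `defaultUser`; presumably the module creates that account itself (the code for that is outside this hunk), and saying so removes the ambiguity for anyone choosing a pre-existing, less privileged account. Suggested wording: `description = "User under which museum runs. When left at the default the user is created by this module; if you set it, the user must already exist.";` with the same shape for `group`. The surrounding option set continues past the hunk.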
@@ -182,6 +188,7 @@ in services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain; services.ente.api.settings = { + # This will cause logs to be written to stdout/err, which then end up in the journal log-file = mkDefault ""; db = mkIf cfgApi.enableLocalDB { host = "/run/postgresql"; @@ -245,6 +252,7 @@ in BindReadOnlyPaths = [ "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations" "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates" + "${cfgApi.package}/share/museum/web-templates:${dataDir}/web-templates" ]; User = cfgApi.user; diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 8dca345..e594cad 100644 Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ diff --git a/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age b/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age new file mode 100644 index 0000000..875d0b9 --- /dev/null +++ b/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ AZXVC7nTbtFBasccwllDvt3ic4NMeJu73tkzTooLORs +2yGRtqkypbochm/I1CowFSJZZ8qNPulmApP4ABlKvsU +-> 4`V#:p2-grease +yhfMojghx2Ne+5JDobIA +--- fH0ZmRzP4/lsJ9ykQVGDEPlyUohPuKJPgqXOlIilyL4 +v7T^SN#N&u_bx&U9 DJ +L{Q F[G&B \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age new file mode 100644 index 0000000..9b4df20 --- /dev/null +++ b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ zg3qtzqOOj46luUhOUenMw3dfVz/PafKgVhj+7vljmY +hKRXQOn+qJ2qe82pIqbFqU7dkNt5p0zq6lC9q8vI0ys +-> E-grease 8#' Em.z$3-F +qNx4gWPSptpfLup7uDupqbkB0MoCBsFn7ZJhAILgRnzgkLYlG8rTSbxT +--- rEocn7eWbz8gSpaJOnC7YswKcci0Jmy87dxABXILzqg +cV>Ҟ~N0R6n/Z[m.3G'\$Cͣyc kG.QlȐ]E/ +9 \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age deleted file mode 100644 index 9166b12..0000000 Binary files a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age and /dev/null differ diff --git a/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age new file mode 100644 index 0000000..9dc03a7 Binary files /dev/null and b/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age differ diff --git a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age deleted file mode 100644 index 4370cc8..0000000 --- a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ veKTrJX4Srbh92lE3hPO4NTpeNzP/NuUmfZHWIAcTEU -jW3uyW7qos8LSsAyQ56gZa5NBCJVUqZVu8KZHe0v0iE --> sVVZ{H-grease ~J3,Ud i+P -wb4kp+Ii ---- PJ20pWfjTwBwh2Dr+q6Gob16aGbH61ilptbCzQn0jEQ -;VvK_sqP0=QbXs..i]vA->mFSxT|;{vUjfs \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age deleted file mode 100644 index de7fef8..0000000 --- a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ kjGqE0PbVbxIqRS4RdHdmhNFr8Sv3jDfFPdjnnlVj0Q -lz5h6PSyLBXMTUTdS4uzBiPi3yNXdhsxvYw5TT3i8Uc --> ?~Rt$#-grease uWLiw,w> ZfFM;) -guaxvIRwfg ---- UFQfXS855+dhnxARJ4M5W0qHdsgTjkfgRu0yjd/tBYU -x(ZTVJ ssh-ed25519 U8ytLQ 1x2w+U7iZ59hW1cymklltoWgBoo9Iao1YnsP0dYsJyE -8Yax1Uq2UZCEPysMfcu/mvkO0cLdnTFJ+lLTglZEhD0 --> Mo>ig-grease -gyxTtneFjCxPTo53gPgqBMm/dUTNqw7SSGXZ9wFTK3I ---- 2kvAlqhkxaAZcY0qewhgWahfiafgZSKZm7T3x8O5wxI -,Cc-z#5#,UVev;N"բɬi\()[R\7@vܲƾNϹΎ{4 \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..8572a1f --- /dev/null +++ b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ GOn8a+tEBtiwUxioNd2fk5PrWNkT+awF+XzbClQJ6Qg +xltPAmFpS3qUO8sNKRuvsdSaf72RvDnZO+RijXg6Qg0 +-> 39!T/O'-grease ~v?U;y +egK+Kho4rgecwrv9gmcK/C2dJnbd+SGF73FGl3XIzlJwfkRzRvamV978lA4uyrcF +vw +--- Nkp782AMG8OclXPvKR7fy334Umjsa/x1jXe6MA1q6CM +[>@QRMmG`*OT;x!T?_,DŽ ֶ {'լY&GkfMH|UΠ _b \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age new file mode 100644 index 0000000..d267d71 --- /dev/null 
+++ b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 08+xhQ CFoQPo0bwvS1VyUbOOq4fk/DHs6EZNoxf9patvaAyis +2U2S/yiSKY7+eE28APeakHdTrVTp4BAb9T2T0G26wfU +-> g8r-grease :K-IEEo5 +PQV599Ol7XmAsiS5r6E86w +--- 6iGZ2tBk1eTu+zztYN2oLUXZr5vb8iYCQR92gqf50zo +g0[B?n'xo:枾 w'AӨa \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age b/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age new file mode 100644 index 0000000..55ffa5b Binary files /dev/null and b/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age differ diff --git a/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age b/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age deleted file mode 100644 index 3ad636b..0000000 Binary files a/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age and /dev/null differ diff --git a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age deleted file mode 100644 index f4cd5a8..0000000 --- a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ QRKqBGrzPBO8uDJtAjIpOVcir6L5beNr0wS3iVXQFiY -YjTxSInhMSU0yogxBupf2311z5OXeNrSSkQpU4d34OM --> o3E-grease ~ E Y+:|pOC -/8vpx1EmpwyfX3vwNpjAMMFCoRuoP3w1RLWAgqj5J1tIb48O0Wc ---- EIeRKimHpArrdLioRUJ2rEa6uBOiAolXK1J1Sej37WE -9CKڕOu1G1F/0b=L0dsAjS؀|^1Eͪ C(9Sc: \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age deleted file mode 100644 index cec4abb..0000000 --- a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U8ytLQ odwIDreVyKb1UHckjz1/1PKET4rluHdxFVJ2naBOKhM -PJyoiRA65kd2272oq3Irup5gBq9sWDMgkIbkPbIa+IU --> HDe/yru:-grease ee~+ -g5uaAbBGEy/dJPeFuKdCqdvlIbcxeoVQMQ/y7hwgJQI68DOwpdAggi12cMYt+mlM -yNE2Lb6p4xO8BRF0 ---- Xl6hjCyuuxnKdBNe3/x6jqvDsoaHDBYIzO8nV0DRuVs -f01VzVsit%}H ۍ=F: _wy)v0Pl"%-ybQ줜K \ No newline at end of file diff --git a/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age new file mode 100644 index 0000000..22ede35 Binary files /dev/null and b/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age differ