diff --git a/flake.lock b/flake.lock index 4e79fef..69e16bd 100644 --- a/flake.lock +++ b/flake.lock @@ -1185,14 +1185,15 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1743855359, - "narHash": "sha256-h8eshPR5JNZJRoOZAh1L0fvXdojfCn9m4TtdP2VvwYY=", + "lastModified": 1744136669, + "narHash": "sha256-033f44gmj3aTN4as/dX8O0qMnhA497eM1OABprp9fcM=", "owner": "oddlama", "repo": "home-manager", - "rev": "eaa4471a98f764bb5e93f5a29c37d534c5b63135", + "rev": "c1f5072d3fad49b96894182ea43115ea73873668", "type": "github" }, "original": { @@ -1210,7 +1211,7 @@ "nixpkgs" ], "pre-commit-hooks": "pre-commit-hooks_3", - "treefmt-nix": "treefmt-nix_3" + "treefmt-nix": "treefmt-nix_4" }, "locked": { "lastModified": 1740386689, @@ -1710,7 +1711,7 @@ "stylix", "nixpkgs" ], - "treefmt-nix": "treefmt-nix_4" + "treefmt-nix": "treefmt-nix_5" }, "locked": { "lastModified": 1741693509, @@ -2092,7 +2093,7 @@ "nixvim": "nixvim", "pre-commit-hooks": "pre-commit-hooks_6", "stylix": "stylix", - "treefmt-nix": "treefmt-nix_5", + "treefmt-nix": "treefmt-nix_6", "whisper-overlay": "whisper-overlay", "wired-notify": "wired-notify" } @@ -2535,6 +2536,27 @@ } }, "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "home-manager", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743748085, + "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_4": { "inputs": { "nixpkgs": [ "idmail", @@ -2555,7 +2577,7 @@ "type": "github" } }, - "treefmt-nix_4": { + "treefmt-nix_5": { "inputs": { "nixpkgs": [ "stylix", @@ -2577,7 +2599,7 @@ "type": "github" } }, - "treefmt-nix_5": { + "treefmt-nix_6": { "inputs": { "nixpkgs": [ "nixpkgs" 
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 41cce45..f55cdf7 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -12,6 +12,7 @@ let
 # FIXME: new entry here? make new firezone gateway on ward entry too.
 homeDomains = [
 globals.services.grafana.domain
+ globals.services.actual.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/sire/guests/actual.nix b/hosts/sire/guests/actual.nix
index 40e56a1..a136f23 100644
--- a/hosts/sire/guests/actual.nix
+++ b/hosts/sire/guests/actual.nix
@@ -8,12 +8,12 @@ }:
 let
 actualDomain = "finance.${globals.domains.me}";
- client_id = "actual";
+ # client_id = "actual";
 in
 {
- wireguard.proxy-sentinel = {
- client.via = "sentinel";
- firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.actual.settings.port ];
+ wireguard.proxy-home = {
+ client.via = "ward";
+ firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.actual.settings.port ];
 };
 # Mirror the original oauth2 secret
@@ -30,7 +30,7 @@ in
 services.actual = {
 enable = true;
- settings.trustedProxies = [ nodes.sentinel.config.wireguard.proxy-sentinel.ipv4 ];
+ settings.trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
 };
 # NOTE: state: to enable openid, we need to call their enable-openid script once
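Review bot: `client_id` is commented out, yet the `# Mirror the original oauth2 secret` block that follows this hunk still provisions the Kanidm client secret to this guest, and the service still loads it through `LoadCredential` later in the file, although nothing consumes it once OpenID is off. Secret material that keeps being rekeyed and deployed without a consumer is worth either removing or marking, e.g. `# kept so openid can be re-enabled without re-provisioning the secret`. It is also worth checking that the Kanidm OAuth2 client `actual` (referenced by the discovery URL elsewhere in this file) is disabled or scoped down, since that registration is not visible here. The module's argument set closes at the top of this hunk and the attrset it returns continues past it.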
@@ -46,27 +46,30 @@ in
 serviceConfig.LoadCredential = [ "oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}" ];
- environment = {
- ACTUAL_OPENID_ENFORCE = "true";
- ACTUAL_TOKEN_EXPIRATION = "openid-provider";
-
- ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
- ACTUAL_OPENID_CLIENT_ID = client_id;
- ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
- };
+ # NOTE: openid is disabled for now. too experimental, many rough edges.
+ # only admins can use sync, every admin can open anyones finances. not good enough yet.
+ # environment = {
+ # ACTUAL_OPENID_ENFORCE = "true";
+ # ACTUAL_TOKEN_EXPIRATION = "openid-provider";
+ #
+ # ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+ # ACTUAL_OPENID_CLIENT_ID = client_id;
+ # ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
+ # };
 };
 globals.services.actual.domain = actualDomain;
- globals.monitoring.http.actual = {
- url = "https://${actualDomain}/";
- expectedBodyRegex = "Actual";
- network = "internet";
- };
+ # FIXME: monitor from internal network
+ # globals.monitoring.http.actual = {
+ # url = "https://${actualDomain}/";
+ # expectedBodyRegex = "Actual";
+ # network = "local-${config.node.name}";
+ };
- nodes.sentinel = {
+ nodes.ward-web-proxy = {
 services.nginx = {
 upstreams.actual = {
- servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" =
+ servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.actual.settings.port}" =
 { };
 extraConfig = ''
 zone actual 64k;
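Review bot: As rendered, the added line that closes the commented-out `globals.monitoring.http.actual` block is `};` with no leading `#`, which leaves an unmatched brace right after `globals.services.actual.domain = actualDomain;` and should fail evaluation; unless the `#` was lost in rendering it must read `# };`. Separately, commenting out `ACTUAL_OPENID_ENFORCE` and the other `ACTUAL_OPENID_*` variables does not undo the server-side state that the `# NOTE: state:` comment in the previous hunk says the enable-openid script creates, so confirm which login method the deployed instance is actually using now and that it has not been left without a credential. The new NOTE should also say what replaces OpenID for access control, since the monitoring entry is gone as well and nothing else in the hunk states the intended exposure. The enclosing service definition starts before this hunk.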
@@ -80,11 +83,6 @@ in
 virtualHosts.${actualDomain} = {
 forceSSL = true;
 useACMEWildcardHost = true;
- # oauth2 = {
- # enable = true;
- # allowedGroups = ["access_openwebui"];
- # X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
- # };
 extraConfig = ''
 client_max_body_size 256M;
 '';
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index d7caa7d..8c66fa4 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -107,7 +107,7 @@ let
 processedConfigFile = "/run/agenix/immich.config.json";
- version = "v1.121.0";
+ version = "v1.131.3";
 environment = {
 DB_DATABASE_NAME = "immich";
 DB_HOSTNAME = ipImmichPostgres;
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index 9cb16cb..a10e27c 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -27,6 +27,7 @@ in
 };
 globals.services.paperless.domain = paperlessDomain;
+ # FIXME: also monitor from internal network
 globals.monitoring.http.paperless = {
 url = "https://${paperlessDomain}";
 expectedBodyRegex = "Paperless-ngx";
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 1a14726..a56b215 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -13,6 +13,7 @@ let
 # FIXME: new entry here? make new firezone entry too.
 homeDomains = [
 globals.services.grafana.domain
+ globals.services.actual.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index d5f99ed..8952bbf 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
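Review bot: With the `ACTUAL_OPENID_*` environment commented out earlier in this file, `virtualHosts.${actualDomain}` now proxies straight through to an Actual instance whose only access control is whatever Actual itself is configured with, and this hunk deletes the commented `oauth2` stanza that was the last visible trace of a proxy-side gate (its `allowedGroups = ["access_openwebui"]` was clearly copied from another service anyway). A one-line comment in its place, such as `# No proxy-level auth: relies on Actual's own login and on this vhost only being served by ward-web-proxy`, would keep that decision reviewable; if a gate is wanted later, the removed stanza shows the shape. The `nodes.ward-web-proxy.services.nginx` attrset this vhost belongs to starts before this hunk.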
@@ -112,6 +112,7 @@ in
 # FIXME: new entry here? make new firezone entry too.
 # FIXME: new entry here? make new firezone gateway on ward entry too.
 globals.services.grafana.domain
+ globals.services.actual.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
 globals.services.loki.domain
diff --git a/pkgs/mdns-repeater.nix b/pkgs/mdns-repeater.nix
index 77d7bde..05d159e 100644
--- a/pkgs/mdns-repeater.nix
+++ b/pkgs/mdns-repeater.nix
@@ -14,7 +14,7 @@ rustPlatform.buildRustPackage {
 hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
 };
- cargoHash = "sha256-ZKY1UVxeMSQaPZecBCIleZSFMRAPP6Vv0uRcnSNUOY0=";
+ cargoHash = "sha256-lGeOwszMkVGJZT7V8b3COPgKNFo+jW/zDf4D3OoF5uY=";
 meta = {
 description = "mDNS packet relayer";
diff --git a/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age
deleted file mode 100644
index 8bbae3e..0000000
--- a/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yV7lcA IFccz3iClZKyPf7EdDWd2MzhrVBKhag9IDWc7XUI5Hc uatqP7QQJnA5mQP9tsHQFaKEHeoDGLgY2kWJpnal674 --> 7jdci-grease c[y2 alscP1 -H2uNfINe/FUPjgudAkD33U2rIb5+L1KoQ0A5lr5iGYfPPCdscexXunFJY48qSn03 WpMBYikmzds ---- uugJJPzxMZwJCWH97I/MTlu9WzD4ZQPYDAMXwE989OY -4fI@ɺx-m|Q,jA*q2o6o9Gja'}yaw1kΜ7K
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age
deleted file mode 100644
index ea548d6..0000000
--- a/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age
+++ /dev/null
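Review bot: In `pkgs/mdns-repeater.nix` the `cargoHash` changes while the `src` `hash` on the context line above it is untouched, so the vendored crate set now differs for the same source and nothing in the diff says why. That is what happens when the nixpkgs Cargo vendoring format changes, but it is also exactly what a substituted dependency looks like, so the reason belongs either in the commit message or on the line, e.g. `cargoHash = "sha256-lGeOwszMkVGJZT7V8b3COPgKNFo+jW/zDf4D3OoF5uY="; # regenerated after the nixpkgs cargo vendor format change`. Ideally the new hash is reproduced locally from the bumped nixpkgs rather than copied from elsewhere. The `buildRustPackage` call this hunk sits in starts before and ends after the hunk.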
@@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 11F4Ig gNdfKSW0SI5OHV3WV8Z2gMaIyvpEpKtgEynkBPXO2SU -Atd1AyDvRmX1106aMzZhx9GJEd17nYu9pJiM5/kI3Do --> ;-grease j+0 -cIGZ9KVirP5q/dCKsUjPBzkUXTw+Yo+i8UJ69ndD49smdN2BxmzouELydH5Bva9i -anw8o8lTvqVvso3PDBrgZy7iFcgTJWto ---- jilcU1phIjP8JI2AUkhQbc5Smot9XoJ8t9mGsGtznx0 -.@h8ME]Ư+1m<歧rq``sӱW{@Q -߱H`})QKft_ \ No newline at end of file diff --git a/secrets/rekeyed/sire-actual/269c5081394861c88bef1d54d93aec1b-wireguard-proxy-home-psks-sire-actual+ward.age b/secrets/rekeyed/sire-actual/269c5081394861c88bef1d54d93aec1b-wireguard-proxy-home-psks-sire-actual+ward.age new file mode 100644 index 0000000..b81f0b9 Binary files /dev/null and b/secrets/rekeyed/sire-actual/269c5081394861c88bef1d54d93aec1b-wireguard-proxy-home-psks-sire-actual+ward.age differ diff --git a/secrets/rekeyed/sire-actual/2c8bd09c2adbea96ed80b2506b5ad41b-wireguard-proxy-home-priv-sire-actual.age b/secrets/rekeyed/sire-actual/2c8bd09c2adbea96ed80b2506b5ad41b-wireguard-proxy-home-priv-sire-actual.age new file mode 100644 index 0000000..2468d7f Binary files /dev/null and b/secrets/rekeyed/sire-actual/2c8bd09c2adbea96ed80b2506b5ad41b-wireguard-proxy-home-priv-sire-actual.age differ diff --git a/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age b/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age deleted file mode 100644 index f4a3a62..0000000 --- a/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 11F4Ig xNoQ1/f/e3Jv57Npi3I58y7Z/RvK6l3V7Vo5H81d4FA -3/Fb14I4nNObYCbPUNZZdWfa6/+ZaSTAB24NTjLPy8U --> %>-grease -itFTJfCmI/7Rt9rvPeKLsrbDUR64w390pprq98A2y8gM ---- AbhEcUA9Qn1KwfouM6bRE9xHWaUKesHHrLc5L3bgS0U -AQ?-{1oyM(zI(?l`GGӇK98mwwJvƧ;J_G6G \ No newline at end of file 
diff --git a/secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age b/secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age new file mode 100644 index 0000000..d9f5b07 Binary files /dev/null and b/secrets/rekeyed/ward/f443ca4d40a215b56ee3673f09d46eba-wireguard-proxy-home-psks-sire-actual+ward.age differ diff --git a/secrets/wireguard/proxy-home/keys/sire-actual.age b/secrets/wireguard/proxy-home/keys/sire-actual.age new file mode 100644 index 0000000..06f0130 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-actual.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 m/lJB1n45szFplLVtd7CizaSs3m4xr1NGQTxGNYBXX8 +sp56h1uLUCDgyOUz/Ba6Edwe71vfpsiqBQvWsM8yI3E +-> piv-p256 xqSe8Q A3Q6Y91CnrW68eandaYeDBpnK33TTOPJOlHyI6wqGxM0 +yOZWxa//Eh/tUxHg9+iMOqh7GOuvxRl57cu/Nva17GE +-> @Y(s^-grease N<4U+cLN *td}fYU +koZVXtJoC5E1pg4Biu/JXA +--- 2hY0WinieNwxX7Dq+oXZsvvZCw/h5iXYD5yZyAjg5H0 +!/GDs3#I2-EV~58ԓ⽜?ρ>'QX9.f;ER&BL<1P"F \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-actual.pub b/secrets/wireguard/proxy-home/keys/sire-actual.pub new file mode 100644 index 0000000..0e0e30d --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-actual.pub @@ -0,0 +1 @@ +9YnBjTSiag6gR5sRKZFJF+/0c4I66tFkPpDIaIR/O1w= diff --git a/secrets/wireguard/proxy-home/psks/sire-actual+ward.age b/secrets/wireguard/proxy-home/psks/sire-actual+ward.age new file mode 100644 index 0000000..f65254d --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-actual+ward.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 Kh+mCGnB5K1NSQ2AlTw91USyZWH1Gxb0zUQ3eGMF9GQ +wguTpicJa0QM8Ftjwdxwz6pWRIKwqE8Va7K/K9b5KGk +-> piv-p256 xqSe8Q AiRTipj4vdFFX4bd73UqnWMK7/ksXVhXX9OGOGJ7MDB8 +d4Wh+KdH4vwCmRDIA+RIIplqjOCPB2F/vY607lDQTO8 +-> `#f-grease fRA|\bQ `!= +1jGPsD2U0TjNwpTnMR3HxDKQvcXhE4Zw4EkYWu8KTIYuDfEAhtkUpkTAqFhbrf59 +aleNrJsH7U8Ct5jNFhu9urYIVnG2oOORNz6FDyZEDF6XqHmNeNqi1ygGCkdqDY3Q + +--- sMGofu1JYEzirvzT4SuRQjXqOwXxRlmSmzBa3okchAg +OZFhbWkurRր\܊:"{kS7Ve/pj7a)s|O{6jdS3v,]Ub \ No newline at end of file