diff --git a/config/users.nix b/config/users.nix
index 1f2da8f..5d161b3 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -43,8 +43,8 @@
       unifi = uidGid 968;
       plugdev.gid = 967;
       tss = uidGid 966;
-      # firefly-iii = uidGid 965;
-      # firefly-pico = uidGid 964;
+      immich = uidGid 965;
+      redis-immich = uidGid 964;
       avahi = uidGid 963;
       ente = uidGid 962;
       minio = uidGid 961;
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 9c494dc..8fd8aa2 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -40,6 +40,7 @@ in
     }
   ];
 
+  fileSystems."/storage".neededForBoot = true;
   environment.persistence."/storage".directories = [
     {
       directory = "/var/lib/immich";
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age
index 6a398a1..6e4eb36 100644
Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ
diff --git a/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age b/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..caf87b4
--- /dev/null
+++ b/secrets/generated/sire-immich/promtail-loki-basic-auth-password.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 GihvqYu6GH0tQPjc6Z8hg1HBE5px+cLbFPOEYRmKy3M
+PRjaJ6a4xwME8lp3+tGRex9A6HNoL5fyQaea1EbfKC4
+-> piv-p256 xqSe8Q AvMY4hFxNd6R69b7k7PFC5Z3+gjSexzEq7vF4KygZ5eQ
+jZEEJBFiGc7JClhBx2ggBugYkAWRpJJrxddTd+HRxjo
+-> #/E-grease !4VzL *&VJ+ ?i! LUP>1_Z%
+7H63/iGgBLY12g9J4Es6AwwIqft1/iQXyVuErXdK7gEQEPsE59koX5f7/MeMhdsd
+RfkPAbZoSG4XT1Q0IPoefZHoR7WAFDAME+jM03cGxHofUfG6jLmBVLir
+--- vSwV44jSlbYEN7HlNsKNdHx2RwnRMh6fDjWfUmVsk5I
+_%²|‚'³ˆ6Ïþ¥
+CmâÝ¾í©¼ã°ÈiCw£ÍÀY3—~‘·»¹IoûDs9Û
+*r-ý!CwÚh€£š8f°ºb¨yšm
\ No newline at end of file
diff --git a/secrets/generated/sire-immich/telegraf-influxdb-token.age b/secrets/generated/sire-immich/telegraf-influxdb-token.age
new file mode 100644
index 0000000..fabea52
Binary files /dev/null and b/secrets/generated/sire-immich/telegraf-influxdb-token.age differ
diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age
new file mode 100644
index 0000000..f4d89fb
Binary files /dev/null and b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age differ
diff --git a/secrets/rekeyed/sentinel/71121bd84ddb3ceb1a41c368c6a99ecf-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/71121bd84ddb3ceb1a41c368c6a99ecf-loki-basic-auth-hashes.age
new file mode 100644
index 0000000..868e46b
Binary files /dev/null and b/secrets/rekeyed/sentinel/71121bd84ddb3ceb1a41c368c6a99ecf-loki-basic-auth-hashes.age differ
diff --git a/secrets/rekeyed/sentinel/754829daef824cd4d3b0deaad3d35a85-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/754829daef824cd4d3b0deaad3d35a85-loki-basic-auth-hashes.age
deleted file mode 100644
index dd613e3..0000000
Binary files a/secrets/rekeyed/sentinel/754829daef824cd4d3b0deaad3d35a85-loki-basic-auth-hashes.age and /dev/null differ
diff --git a/secrets/rekeyed/sentinel/be49300f44ca08eb81e3865253b4c4d7-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sentinel/be49300f44ca08eb81e3865253b4c4d7-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
new file mode 100644
index 0000000..82700e0
--- /dev/null
+++ b/secrets/rekeyed/sentinel/be49300f44ca08eb81e3865253b4c4d7-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA awWtS+CQB252be2XM3V0QwWkCeWgoa1dKFcz5sYoI04
+dIFlddOGC5BMvAu18Fu0+wZl7wt/ibrLUEbRuBG31Bw
+-> @-grease r<}]J8a _t@B b
+idF3TwJ6jb1/uUNWh66GWk7JrYz8j/KNHUMK/2GeDKluPQ6hSuCVhVuWc8pW2NVk
+s7ygyldLqL9kq4eGxWO7q3Q
+--- rqnX1+1i3keyPvwuVLoloC9GcGQuXkKVxa1giZiO/PY
+™DÄLŽFÇþÁT¹$ºÝ´öÒR‘%œ22ô­Š$è¶º:Ï¨ÑjñaÌ€µH†ÔY2YŽ¨ô-v›!N¾’ÿ2ÛÄuù'.
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age
new file mode 100644
index 0000000..9166b12
Binary files /dev/null and b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age differ
diff --git a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
new file mode 100644
index 0000000..4370cc8
--- /dev/null
+++ b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ veKTrJX4Srbh92lE3hPO4NTpeNzP/NuUmfZHWIAcTEU
+jW3uyW7qos8LSsAyQ56gZa5NBCJVUqZVu8KZHe0v0iE
+-> sVVZ{H-grease ~J3,Ud i+P
+wb4kp+Ii
+--- PJ20pWfjTwBwh2Dr+q6Gob16aGbH61ilptbCzQn0jEQ
+;˜VvK¬â_œs‚÷õ«qå“àP0=QbóX¤õö¬s.É.i]vüÒùAïŽè¦í->m©ŸF“ÉSxT|;{vUÇìµjfs
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
new file mode 100644
index 0000000..de7fef8
--- /dev/null
+++ b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ kjGqE0PbVbxIqRS4RdHdmhNFr8Sv3jDfFPdjnnlVj0Q
+lz5h6PSyLBXMTUTdS4uzBiPi3yNXdhsxvYw5TT3i8Uc
+-> ?~Rt$#-grease uWLiw,w> ZfFM;)
+guaxvIRwfg
+--- UFQfXS855+dhnxARJ4M5W0qHdsgTjkfgRu0yjd/tBYU
+ÑxÆ( Z¸‰TVÛJ<K"?(Y?¯TWga.°Ä¼áÝ*ŸÙ÷d6 TQ™Ö<éŒ^ŒG,gÏƒŸÕB¾+ŽU¦-te¤
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..874f723
--- /dev/null
+++ b/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ 1x2w+U7iZ59hW1cymklltoWgBoo9Iao1YnsP0dYsJyE
+8Yax1Uq2UZCEPysMfcu/mvkO0cLdnTFJ+lLTglZEhD0
+-> Mo>ig-grease
+gyxTtneFjCxPTo53gPgqBMm/dUTNqw7SSGXZ9wFTK3I
+--- 2kvAlqhkxaAZcY0qewhgWahfiafgZSKZm7T3x8O5wxI
+û,ÂC¤¶c-œz#ð5#,¾úUVÀ¶­ev®;NŒó"¶¦Õ¢ÌÝÉ¬Èi±\(¥ê)[îÍÐR\Èò7@†¾véÜ²¯Æ¾NÏ¹ÎŽ­{©4
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age b/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age
new file mode 100644
index 0000000..3ad636b
Binary files /dev/null and b/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age differ
diff --git a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
new file mode 100644
index 0000000..f4cd5a8
--- /dev/null
+++ b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ QRKqBGrzPBO8uDJtAjIpOVcir6L5beNr0wS3iVXQFiY
+YjTxSInhMSU0yogxBupf2311z5OXeNrSSkQpU4d34OM
+-> o3E-grease ~ E<I*AS 1> Y+:|pOC
+/8vpx1EmpwyfX3vwNpjAMMFCoRuoP3w1RLWAgqj5J1tIb48O0Wc
+--- EIeRKimHpArrdLioRUJ2rEa6uBOiAolXK1J1Sej37WE
+9¥CõKÚ•OíÐù´uŽ¯1ŒGú1ï†Fü/0¹b=Lß0dsAèjSØ€¡Þ|^ö1EÍªËàÁCöõî(±9Sc:Ì
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
new file mode 100644
index 0000000..cec4abb
--- /dev/null
+++ b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 U8ytLQ odwIDreVyKb1UHckjz1/1PKET4rluHdxFVJ2naBOKhM
+PJyoiRA65kd2272oq3Irup5gBq9sWDMgkIbkPbIa+IU
+-> HDe/yru:-grease ee~+
+g5uaAbBGEy/dJPeFuKdCqdvlIbcxeoVQMQ/y7hwgJQI68DOwpdAggi12cMYt+mlM
+yNE2Lb6p4xO8BRF0
+--- Xl6hjCyuuxnKdBNe3/x6jqvDsoaHDBYIzO8nV0DRuVs
+í¥f¤ÚÛÿ01VázµçVsæitúÁ%áœ}HùÓìòåÛ=«ó¸èFá¾›:_Ùwy±)v²”ª0Plý"%-y¼ëbQì¤œK
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-influxdb/8240389b1563e683b6c96d4ffe7ad8da-telegraf-influxdb-token-sire-immich.age b/secrets/rekeyed/sire-influxdb/8240389b1563e683b6c96d4ffe7ad8da-telegraf-influxdb-token-sire-immich.age
new file mode 100644
index 0000000..49c34c0
Binary files /dev/null and b/secrets/rekeyed/sire-influxdb/8240389b1563e683b6c96d4ffe7ad8da-telegraf-influxdb-token-sire-immich.age differ
diff --git a/secrets/rekeyed/ward-kanidm/1bb9825bc7a93032abae3d05ab1cb690-kanidm-oauth2-immich.age b/secrets/rekeyed/ward-kanidm/1bb9825bc7a93032abae3d05ab1cb690-kanidm-oauth2-immich.age
new file mode 100644
index 0000000..b783394
Binary files /dev/null and b/secrets/rekeyed/ward-kanidm/1bb9825bc7a93032abae3d05ab1cb690-kanidm-oauth2-immich.age differ
diff --git a/secrets/rekeyed/ward-web-proxy/06b01e2633342abd576d676cc0a97b4b-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/06b01e2633342abd576d676cc0a97b4b-loki-basic-auth-hashes.age
deleted file mode 100644
index 00099c6..0000000
Binary files a/secrets/rekeyed/ward-web-proxy/06b01e2633342abd576d676cc0a97b4b-loki-basic-auth-hashes.age and /dev/null differ
diff --git a/secrets/rekeyed/ward-web-proxy/dcbc020f24f2fde69473f02914693b42-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/dcbc020f24f2fde69473f02914693b42-loki-basic-auth-hashes.age
new file mode 100644
index 0000000..eed16d1
Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/dcbc020f24f2fde69473f02914693b42-loki-basic-auth-hashes.age differ
diff --git a/secrets/rekeyed/ward/bc09f082763a638b6e2dcb17e82d1b7c-wireguard-proxy-home-psks-sire-immich+ward.age b/secrets/rekeyed/ward/bc09f082763a638b6e2dcb17e82d1b7c-wireguard-proxy-home-psks-sire-immich+ward.age
new file mode 100644
index 0000000..c047fe2
--- /dev/null
+++ b/secrets/rekeyed/ward/bc09f082763a638b6e2dcb17e82d1b7c-wireguard-proxy-home-psks-sire-immich+ward.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg jC4JmDgyhutHIQg9kfoEn/C5R6l118w3RW3ppVOtRi4
+D1zkyvS8+IO3t/BggWam1mo2bvzQcMVopOUB3eFGrxM
+-> ;.:-grease HVQl{t+
+IP5NM/luB+vedA
+--- SugCM5n+hANuScBLJ2pZ0l5ik8a1ACYO0/SIliajeBA
+:…‰Ê¨Ÿ„Û!'—òN£®·"	7Åhn®bƒÑý¿ý¬öŒ¡$Úò
+
+ßµÃùí±R`Ò¯ŽÜÖçÏµõ=XÅ>ô]Æ>‡¯Ïk×ê
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/keys/sire-immich.age b/secrets/wireguard/proxy-home/keys/sire-immich.age
new file mode 100644
index 0000000..fbff09a
--- /dev/null
+++ b/secrets/wireguard/proxy-home/keys/sire-immich.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 EbAPkTomUvk7duJOZy0vtiep2ov7tPCOXBtCBGruY38
+xm6XG7L7+Na4nyjXEp/BlY4/Cf9yGomOAoaj75Y/zLg
+-> piv-p256 xqSe8Q A64s9mvyNfCm2XWhc+mI9lzBdyD5nhRHYaBu1G7TzqdN
+tjqdcSVvUQX0Hc0p1SCGoI6el6AWyWSvGYuTox3GslU
+-> Gy{L#JuN-grease qCkq, kA (+?`
+u7i5f5qLVdHPy21vzOIqQPiK5jQwbl4SQ8/jfqxs3D8nxoIqj7PQ4rpLarLo0smP
+UMUMff5pBRZpN6mVXWeJW5VxdXUMGx98G7us+Rgai+anVCyxYkKp
+--- 8/tlk+rcWrVD/vzQzcBGpHT5L7uo5Q+KIBI0YzppWfU
+z¾-ÔúJw»„ÂqGÖ÷r'íy!Í,Î"§W€1€¤ÅÈ–ÆqT>úô6èk
+m±oP_?FN’~^(ÏµÎŸ²Ãþ¥ÐíÉ
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/psks/sire-immich+ward.age b/secrets/wireguard/proxy-home/psks/sire-immich+ward.age
new file mode 100644
index 0000000..4d543ae
Binary files /dev/null and b/secrets/wireguard/proxy-home/psks/sire-immich+ward.age differ
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-immich.age b/secrets/wireguard/proxy-sentinel/keys/sire-immich.age
new file mode 100644
index 0000000..2f6bcb2
Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/keys/sire-immich.age differ
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age
new file mode 100644
index 0000000..7519a29
--- /dev/null
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-immich.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 +fa7tfimWvXNAa4vnShHvYwO7aseyO2IYtqi5DIwWCc
+jUyJfsqbVZG95WoCsq59GT4vS61JjJehG+TMzy1CEFA
+-> piv-p256 xqSe8Q Ag64pSfYYHPUmZyeL1Hur1mgX10z1Ci2JhcDusLxc6U9
+v+9PcZg2sV4CHACnaLnLNJlnMSq92bhl2KJFVhgnnsM
+-> R-grease
+94PUru0qH9kfqbanR3nvKVOSlweUc+VmHC/EO7MC4QRlxpfH1xKyg2TrWHRTBRNi
+y65fz17jxBKveuum2MjyHPl+/ixW0uoBLqMdNpKq
+--- aKTF1hJ+E+Oylec8BWeMa5mxBR6KtWeeivfUyv6kWH0
+úÃ¼rvrWÄ;åZJæ¾¼ §×ÖÍÃDÓKkŸM¹ô•pûŒÄ‘i®o[o%E¶>´¨sÊ1Ç<w¥°ŸPpyö
\ No newline at end of file