diff --git a/README.md b/README.md
index fc45502..7e6055c 100644
--- a/README.md
+++ b/README.md
@@ -46,12 +46,11 @@ I've included the major components in the lists below.
 
 | ~~~~~~~~~~~~ | Service | Source | Description
 ---|---|---|---
-💸 Budgeting | Firefly III \& Firefly Pico | [Link](./hosts/ward/guests/firefly.nix) | Budgeting application to track income and expenses
 🛡️ Adblock | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker
 🔒 SSO | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single-Sign-On on my hosted services, with provisioning.
 🐙 Git | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO
 🔑 Passwords | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager
-📷 Photos | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution
+📷 Photos | Ente | [Link](./hosts/sire/guests/ente.nix) | E2E encrypted photo and video backup solution
 📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive)
 🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
 📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless
diff --git a/config/users.nix b/config/users.nix
index bf62d6d..b0c161f 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -43,8 +43,8 @@
       unifi = uidGid 968;
       plugdev.gid = 967;
       tss = uidGid 966;
-      firefly-iii = uidGid 965;
-      firefly-pico = uidGid 964;
+      # firefly-iii = uidGid 965;
+      # firefly-pico = uidGid 964;
       avahi = uidGid 963;
     };
 }
diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix
index 53a7361..2df3790 100644
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@@ -91,9 +91,6 @@
   programs.nix-ld.enable = true;
   topology.self.icon = "devices.desktop";
 
-  # Mainly for client-side formatting in websites like firefly-iii
-  i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" ];
-
   hardware.nvidia-container-toolkit.enable = true;
   virtualisation.containers.enable = true;
   virtualisation.podman = {
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 674b72f..dceb1a8 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -12,8 +12,7 @@ let
   # FIXME: new entry here? make new firezone gateway on ward entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.firefly.domain
-    globals.services.firefly-pico.domain
+    globals.services.ente.domain
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain
diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index 960c27e..277d7e1 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -150,7 +150,7 @@
       }
       // mkMicrovm "ai" { }
       // mkMicrovm "minecraft" { }
-      #// mkMicrovm "firefly" {}
+      // mkMicrovm "ente" { }
       #// mkMicrovm "fasten-health" {}
     );
 }
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index f69e832..b5207b7 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -13,8 +13,7 @@ let
   # FIXME: new entry here? make new firezone entry too.
   homeDomains = [
     globals.services.grafana.domain
-    globals.services.firefly.domain
-    globals.services.firefly-pico.domain
+    globals.services.ente.domain
     globals.services.immich.domain
     globals.services.influxdb.domain
     globals.services.loki.domain
@@ -135,7 +134,6 @@ in
     lib.mkIf (!minimal) (
       { }
       // mkMicrovm "adguardhome"
-      // mkMicrovm "firefly"
       // mkMicrovm "forgejo"
       // mkMicrovm "kanidm"
       // mkMicrovm "radicale"
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index fe00c8b..f7b6bbd 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -112,8 +112,7 @@ in
               # FIXME: new entry here? make new firezone entry too.
               # FIXME: new entry here? make new firezone gateway on ward entry too.
               globals.services.grafana.domain
-              globals.services.firefly.domain
-              globals.services.firefly-pico.domain
+              globals.services.ente.domain
               globals.services.immich.domain
               globals.services.influxdb.domain
               globals.services.loki.domain
diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix
deleted file mode 100644
index ab43289..0000000
--- a/hosts/ward/guests/firefly.nix
+++ /dev/null
@@ -1,166 +0,0 @@
-{
-  config,
-  globals,
-  nodes,
-  ...
-}:
-let
-  fireflyDomain = "firefly.${globals.domains.me}";
-  fireflyPicoDomain = "firefly-pico.${globals.domains.me}";
-  wardWebProxyCfg = nodes.ward-web-proxy.config;
-in
-{
-  wireguard.proxy-home = {
-    client.via = "ward";
-    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ 80 ];
-  };
-
-  globals.services.firefly.domain = fireflyDomain;
-  globals.services.firefly-pico.domain = fireflyPicoDomain;
-  globals.monitoring.http.firefly = {
-    url = "https://${fireflyDomain}";
-    expectedBodyRegex = "Firefly III";
-    network = "home-lan.vlans.services";
-  };
-  globals.monitoring.http.firefly-pico = {
-    url = "https://${fireflyPicoDomain}";
-    expectedBodyRegex = "Pico";
-    network = "home-lan.vlans.services";
-  };
-
-  age.secrets.firefly-iii-app-key = {
-    generator.script = _: ''
-      echo "base64:$(head -c 32 /dev/urandom | base64)"
-    '';
-    owner = "firefly-iii";
-  };
-
-  age.secrets.firefly-pico-app-key = {
-    generator.script = _: ''
-      echo "base64:$(head -c 32 /dev/urandom | base64)"
-    '';
-    owner = "firefly-pico";
-  };
-
-  environment.persistence."/persist".directories = [
-    {
-      directory = "/var/lib/firefly-iii";
-      user = "firefly-iii";
-    }
-    {
-      directory = "/var/lib/firefly-pico";
-      user = "firefly-pico";
-    }
-  ];
-
-  networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
-    globals.services.firefly.domain
-    globals.services.firefly-pico.domain
-  ];
-
-  i18n.supportedLocales = [ "all" ];
-  services.firefly-iii = {
-    enable = true;
-    enableNginx = true;
-    virtualHost = globals.services.firefly.domain;
-    settings = {
-      AUDIT_LOG_LEVEL = "emergency"; # disable audit logs
-      LOG_CHANNEL = "syslog";
-      APP_URL = "https://${globals.services.firefly.domain}";
-      TZ = "Europe/Berlin";
-      TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
-      SITE_OWNER = "admin@${globals.domains.me}";
-      APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
-    };
-  };
-
-  services.firefly-pico = {
-    enable = true;
-    enableNginx = true;
-    virtualHost = globals.services.firefly-pico.domain;
-    settings = {
-      LOG_CHANNEL = "syslog";
-      APP_URL = "https://${globals.services.firefly-pico.domain}";
-      TZ = "Europe/Berlin";
-      FIREFLY_URL = config.services.firefly-iii.settings.APP_URL;
-      TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
-      SITE_OWNER = "admin@${globals.domains.me}";
-      APP_KEY_FILE = config.age.secrets.firefly-pico-app-key.path;
-    };
-  };
-
-  services.nginx.commonHttpConfig = ''
-    log_format json_combined escape=json '{'
-      '"time": $msec,'
-      '"remote_addr":"$remote_addr",'
-      '"status":$status,'
-      '"method":"$request_method",'
-      '"host":"$host",'
-      '"uri":"$request_uri",'
-      '"request_size":$request_length,'
-      '"response_size":$body_bytes_sent,'
-      '"response_time":$request_time,'
-      '"referrer":"$http_referer",'
-      '"user_agent":"$http_user_agent"'
-    '}';
-    error_log syslog:server=unix:/dev/log,nohostname;
-    access_log syslog:server=unix:/dev/log,nohostname json_combined;
-    ssl_ecdh_curve secp384r1;
-  '';
-
-  nodes.ward-web-proxy = {
-    services.nginx = {
-      upstreams.firefly = {
-        servers."${config.wireguard.proxy-home.ipv4}:80" = { };
-        extraConfig = ''
-          zone firefly 64k;
-          keepalive 2;
-        '';
-        monitoring = {
-          enable = true;
-          expectedBodyRegex = "Firefly";
-        };
-      };
-      virtualHosts.${fireflyDomain} = {
-        forceSSL = true;
-        useACMEWildcardHost = true;
-        locations."/" = {
-          proxyPass = "http://firefly";
-          proxyWebsockets = true;
-        };
-        extraConfig = ''
-          # allow self-access
-          allow ${config.wireguard.proxy-home.ipv4};
-          allow ${config.wireguard.proxy-home.ipv6};
-          # allow home traffic
-          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.home.cidrv6};
-          # Firezone traffic
-          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
-          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
-          deny all;
-        '';
-      };
-      virtualHosts.${fireflyPicoDomain} = {
-        forceSSL = true;
-        useACMEWildcardHost = true;
-        locations."/" = {
-          proxyPass = "http://firefly";
-          proxyWebsockets = true;
-        };
-        extraConfig = ''
-          # allow self-access
-          allow ${config.wireguard.proxy-home.ipv4};
-          allow ${config.wireguard.proxy-home.ipv6};
-          # allow home traffic
-          allow ${globals.net.home-lan.vlans.home.cidrv4};
-          allow ${globals.net.home-lan.vlans.home.cidrv6};
-          # Firezone traffic
-          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
-          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
-          deny all;
-        '';
-      };
-    };
-  };
-}
diff --git a/hosts/ward/secrets/firefly/host.pub b/hosts/ward/secrets/firefly/host.pub
deleted file mode 100644
index 97cc759..0000000
--- a/hosts/ward/secrets/firefly/host.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9bxRVB7zpCZhwfIwr7oyuNy0Tfu1Ki3KWPNiFyQizH
diff --git a/modules/default.nix b/modules/default.nix
index fc7701e..fe00f12 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,7 +4,6 @@
     ./backups.nix
     ./deterministic-ids.nix
     ./distributed-config.nix
-    ./firefly-pico.nix
     ./globals.nix
     ./meta.nix
     ./nginx-upstream-monitoring.nix
diff --git a/modules/firefly-pico.nix b/modules/firefly-pico.nix
deleted file mode 100644
index e86c92c..0000000
--- a/modules/firefly-pico.nix
+++ /dev/null
@@ -1,410 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-
-let
-  cfg = config.services.firefly-pico;
-
-  inherit (cfg) user;
-  inherit (cfg) group;
-
-  defaultUser = "firefly-pico";
-  defaultGroup = "firefly-pico";
-
-  artisan = "${cfg.package}/share/php/firefly-pico/artisan";
-
-  env-file-values = lib.attrsets.mapAttrs' (
-    n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
-  ) (lib.attrsets.filterAttrs (n: _v: lib.strings.hasSuffix "_FILE" n) cfg.settings);
-  env-nonfile-values = lib.attrsets.filterAttrs (
-    n: _v: !lib.strings.hasSuffix "_FILE" n
-  ) cfg.settings;
-
-  firefly-pico-maintenance = pkgs.writeShellScript "firefly-pico-maintenance.sh" ''
-    set -a
-    ${lib.strings.toShellVars env-nonfile-values}
-    ${lib.strings.concatLines (
-      lib.attrsets.mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values
-    )}
-    set +a
-    ${lib.optionalString (
-      cfg.settings.DB_CONNECTION == "sqlite"
-    ) "touch ${cfg.dataDir}/storage/database/database.sqlite"}
-    ${artisan} migrate --isolated --force
-    ${artisan} config:clear
-    ${artisan} config:cache
-    ${artisan} cache:clear
-  '';
-
-  commonServiceConfig = {
-    Type = "oneshot";
-    User = user;
-    Group = group;
-    StateDirectory = "firefly-pico";
-    ReadWritePaths = [ cfg.dataDir ];
-    WorkingDirectory = cfg.package;
-    PrivateTmp = true;
-    PrivateDevices = true;
-    CapabilityBoundingSet = "";
-    AmbientCapabilities = "";
-    ProtectSystem = "strict";
-    ProtectKernelTunables = true;
-    ProtectKernelModules = true;
-    ProtectControlGroups = true;
-    ProtectClock = true;
-    ProtectHostname = true;
-    ProtectHome = "tmpfs";
-    ProtectKernelLogs = true;
-    ProtectProc = "invisible";
-    ProcSubset = "pid";
-    PrivateNetwork = false;
-    RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
-    SystemCallArchitectures = "native";
-    SystemCallFilter = [
-      "@system-service @resources"
-      "~@obsolete @privileged"
-    ];
-    RestrictSUIDSGID = true;
-    RemoveIPC = true;
-    NoNewPrivileges = true;
-    RestrictRealtime = true;
-    RestrictNamespaces = true;
-    LockPersonality = true;
-    PrivateUsers = true;
-  };
-
-in
-{
-
-  options.services.firefly-pico = {
-
-    enable = lib.mkEnableOption "Firefly-Pico: A delightful Firefly III companion web app for effortless transaction tracking";
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = defaultUser;
-      description = "User account under which firefly-pico runs.";
-    };
-
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = if cfg.enableNginx then "nginx" else defaultGroup;
-      defaultText = "If `services.firefly-pico.enableNginx` is true then `nginx` else ${defaultGroup}";
-      description = ''
-        Group under which firefly-pico runs. It is best to set this to the group
-        of whatever webserver is being used as the frontend.
-      '';
-    };
-
-    dataDir = lib.mkOption {
-      type = lib.types.path;
-      default = "/var/lib/firefly-pico";
-      description = ''
-        The place where firefly-pico stores its state.
-      '';
-    };
-
-    package =
-      lib.mkPackageOption pkgs "firefly-pico" { }
-      // lib.mkOption {
-        apply =
-          firefly-pico:
-          firefly-pico.override {
-            inherit (cfg) dataDir;
-          };
-      };
-
-    enableNginx = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Whether to enable nginx or not. If enabled, an nginx virtual host will
-        be created for access to firefly-pico. If not enabled, then you may use
-        `''${config.services.firefly-pico.package}` as your document root in
-        whichever webserver you wish to setup.
-      '';
-    };
-
-    virtualHost = lib.mkOption {
-      type = lib.types.str;
-      default = "localhost";
-      description = ''
-        The hostname at which you wish firefly-pico to be served. If you have
-        enabled nginx using `services.firefly-pico.enableNginx` then this will
-        be used.
-      '';
-    };
-
-    poolConfig = lib.mkOption {
-      type = lib.types.attrsOf (
-        lib.types.oneOf [
-          lib.types.str
-          lib.types.int
-          lib.types.bool
-        ]
-      );
-      default = { };
-      defaultText = ''
-        {
-          "pm" = "dynamic";
-          "pm.max_children" = 32;
-          "pm.start_servers" = 2;
-          "pm.min_spare_servers" = 2;
-          "pm.max_spare_servers" = 4;
-          "pm.max_requests" = 500;
-        }
-      '';
-      description = ''
-        Options for the Firefly III PHP pool. See the documentation on <literal>php-fpm.conf</literal>
-        for details on configuration directives.
-      '';
-    };
-
-    settings = lib.mkOption {
-      default = { };
-      description = ''
-        Options for firefly-iii configuration. Refer to
-        <https://github.com/firefly-iii/firefly-iii/blob/main/.env.example> for
-        details on supported values. All <option>_FILE values supported by
-        upstream are supported here.
-
-        APP_URL will be the same as `services.firefly-iii.virtualHost` if the
-        former is unset in `services.firefly-iii.settings`.
-      '';
-      example = lib.literalExpression ''
-        {
-          APP_ENV = "production";
-          APP_KEY_FILE = "/var/secrets/firefly-pico-app-key.txt";
-          SITE_OWNER = "mail@example.com";
-          DB_CONNECTION = "mysql";
-          DB_HOST = "db";
-          DB_PORT = 3306;
-          DB_DATABASE = "firefly";
-          DB_USERNAME = "firefly";
-          DB_PASSWORD_FILE = "/var/secrets/firefly-pico-mysql-password.txt";
-        }
-      '';
-      type = lib.types.submodule {
-        freeformType = lib.types.attrsOf (
-          lib.types.oneOf [
-            lib.types.str
-            lib.types.int
-            lib.types.bool
-          ]
-        );
-        options = {
-          DB_CONNECTION = lib.mkOption {
-            type = lib.types.enum [
-              "sqlite"
-              "pgsql"
-              "mysql"
-            ];
-            default = "sqlite";
-            example = "pgsql";
-            description = ''
-              The type of database you wish to use. Can be one of "sqlite",
-              "mysql" or "pgsql".
-            '';
-          };
-          APP_ENV = lib.mkOption {
-            type = lib.types.enum [
-              "local"
-              "production"
-              "testing"
-            ];
-            default = "local";
-            example = "production";
-            description = ''
-              The app environment. It is recommended to keep this at "local".
-              Possible values are "local", "production" and "testing"
-            '';
-          };
-          DB_DATABASE = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default =
-              if cfg.settings.DB_CONNECTION == "pgsql" then
-                "firefly-pico"
-              else if cfg.settings.DB_CONNECTION == "mysql" then
-                "firefly-pico"
-              else
-                cfg.dataDir + "/storage/database/database.sqlite";
-            defaultText = ''
-              `cfg.dataDir + "/storage/database/database.sqlite` if DB_CONNECTION is "sqlite", `firefly-pico` if "mysql" or "pgsql"
-            '';
-            description = ''
-              The absolute path or name of your firefly-pico database.
-            '';
-          };
-          DB_PORT = lib.mkOption {
-            type = lib.types.nullOr lib.types.int;
-            default =
-              if cfg.settings.DB_CONNECTION == "pgsql" then
-                5432
-              else if cfg.settings.DB_CONNECTION == "mysql" then
-                3306
-              else
-                null;
-            defaultText = ''
-              `null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
-            '';
-            description = ''
-              The port your database is listening at. sqlite does not require
-              this value to be filled.
-            '';
-          };
-          DB_HOST = lib.mkOption {
-            type = lib.types.str;
-            default = if cfg.settings.DB_CONNECTION == "pgsql" then "/run/postgresql" else "localhost";
-            defaultText = ''
-              "localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
-            '';
-            description = ''
-              The machine which hosts your database. This is left at the
-              default value for "mysql" because we use the "DB_SOCKET" option
-              to connect to a unix socket instead. "pgsql" requires that the
-              unix socket location be specified here instead of at "DB_SOCKET".
-              This option does not affect "sqlite".
-            '';
-          };
-          APP_KEY_FILE = lib.mkOption {
-            type = lib.types.path;
-            description = ''
-              The path to your appkey. The file should contain a 32 character
-              random app key. This may be set using `echo "base64:$(head -c 32
-              /dev/urandom | base64)" > /path/to/key-file`.
-            '';
-          };
-          APP_URL = lib.mkOption {
-            type = lib.types.str;
-            default =
-              if cfg.virtualHost == "localhost" then
-                "http://${cfg.virtualHost}"
-              else
-                "https://${cfg.virtualHost}";
-            defaultText = ''
-              http(s)://''${config.services.firefly-pico.virtualHost}
-            '';
-            description = ''
-              The APP_URL used by firefly-pico internally. Please make sure this
-              URL matches the external URL of your Firefly pico installation.
-            '';
-          };
-          FIREFLY_URL = lib.mkOption {
-            type = lib.types.str;
-            example = ''
-              https://firefly.example
-            '';
-            description = '''';
-          };
-        };
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    services.phpfpm.pools.firefly-pico = {
-      inherit user group;
-      inherit (cfg.package) phpPackage;
-      phpOptions = ''
-        log_errors = on
-      '';
-      settings = {
-        "listen.mode" = lib.mkDefault "0660";
-        "listen.owner" = lib.mkDefault user;
-        "listen.group" = lib.mkDefault group;
-        "pm" = lib.mkDefault "dynamic";
-        "pm.max_children" = lib.mkDefault 32;
-        "pm.start_servers" = lib.mkDefault 2;
-        "pm.min_spare_servers" = lib.mkDefault 2;
-        "pm.max_spare_servers" = lib.mkDefault 4;
-        "pm.max_requests" = lib.mkDefault 500;
-      } // cfg.poolConfig;
-    };
-
-    systemd.services.firefly-pico-setup = {
-      after = [
-        "postgresql.service"
-        "mysql.service"
-      ];
-      requiredBy = [ "phpfpm-firefly-pico.service" ];
-      before = [ "phpfpm-firefly-pico.service" ];
-      serviceConfig = {
-        ExecStart = firefly-pico-maintenance;
-        RemainAfterExit = true;
-      } // commonServiceConfig;
-      unitConfig.JoinsNamespaceOf = "phpfpm-firefly-pico.service";
-      restartTriggers = [ cfg.package ];
-      partOf = [ "phpfpm-firefly-pico.service" ];
-    };
-
-    services.nginx = lib.mkIf cfg.enableNginx {
-      enable = true;
-      recommendedTlsSettings = lib.mkDefault true;
-      recommendedOptimisation = lib.mkDefault true;
-      recommendedGzipSettings = lib.mkDefault true;
-      virtualHosts.${cfg.virtualHost} = {
-        root = "${cfg.package.frontend}/share/firefly-pico/public";
-        locations = {
-          "/api" = {
-            root = "${cfg.package}/share/php/firefly-pico/public";
-            tryFiles = "$uri $uri/ /index.php?$query_string";
-            index = "index.php";
-          };
-          "~ \\.php$" = {
-            root = "${cfg.package}/share/php/firefly-pico/public";
-            extraConfig = ''
-              include ${config.services.nginx.package}/conf/fastcgi_params ;
-              fastcgi_param SCRIPT_FILENAME $request_filename;
-              fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-              fastcgi_pass unix:${config.services.phpfpm.pools.firefly-pico.socket};
-            '';
-          };
-        };
-      };
-    };
-
-    systemd.tmpfiles.settings."10-firefly-pico" =
-      lib.attrsets.genAttrs
-        [
-          "${cfg.dataDir}/storage"
-          "${cfg.dataDir}/storage/app"
-          "${cfg.dataDir}/storage/database"
-          "${cfg.dataDir}/storage/framework"
-          "${cfg.dataDir}/storage/framework/cache"
-          "${cfg.dataDir}/storage/framework/sessions"
-          "${cfg.dataDir}/storage/framework/views"
-          "${cfg.dataDir}/storage/logs"
-          "${cfg.dataDir}/cache"
-        ]
-        (_n: {
-          d = {
-            inherit group;
-            mode = "0700";
-            inherit user;
-          };
-        })
-      // {
-        "${cfg.dataDir}".d = {
-          inherit group;
-          mode = "0710";
-          inherit user;
-        };
-      };
-
-    users = {
-      users = lib.mkIf (user == defaultUser) {
-        ${defaultUser} = {
-          description = "Firefly-pico service user";
-          inherit group;
-          isSystemUser = true;
-          home = cfg.dataDir;
-        };
-      };
-      groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; };
-    };
-  };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 38bc9c1..df2d242 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,8 +18,6 @@ _inputs: [
     #   })
     # ];
 
-    firefly-pico = prev.callPackage ./firefly-pico.nix { };
-
     formats = prev.formats // {
       ron = import ./ron.nix { inherit (prev) lib pkgs; };
     };
diff --git a/pkgs/firefly-pico-frontend.nix b/pkgs/firefly-pico-frontend.nix
deleted file mode 100644
index 86ddcc0..0000000
--- a/pkgs/firefly-pico-frontend.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
-  src,
-  version,
-  stdenvNoCC,
-  nodejs,
-  fetchNpmDeps,
-  buildPackages,
-  php84,
-  nixosTests,
-  nix-update-script,
-  meta,
-}:
-
-stdenvNoCC.mkDerivation (finalAttrs: {
-  pname = "firefly-pico-frontend";
-  inherit version src;
-
-  sourceRoot = "source/front";
-
-  nativeBuildInputs = [
-    nodejs
-    nodejs.python
-    buildPackages.npmHooks.npmConfigHook
-  ];
-
-  npmDeps = fetchNpmDeps {
-    inherit (finalAttrs) src;
-    sourceRoot = "source/front";
-    name = "${finalAttrs.pname}-npm-deps";
-    hash = "sha256-+YpWPp0ufPuuSkTn0WDD2E80S9bs5ZTQ8TzFFtgfTqU=";
-  };
-
-  passthru = {
-    phpPackage = php84;
-    tests = nixosTests.firefly-pico;
-    updateScript = nix-update-script { };
-  };
-  env.NUXT_TELEMETRY_DISABLED = 1;
-  buildPhase = ''
-    runHook preBuild
-    npm run generate
-    runHook postBuild
-  '';
-  postInstall = ''
-    mkdir -p $out/share/firefly-pico
-    cp -r .output/public $out/share/firefly-pico/
-  '';
-
-  inherit meta;
-})
diff --git a/pkgs/firefly-pico.nix b/pkgs/firefly-pico.nix
deleted file mode 100644
index 2c11cf7..0000000
--- a/pkgs/firefly-pico.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{
-  lib,
-  fetchFromGitHub,
-  stdenvNoCC,
-  nodejs,
-  callPackage,
-  php84,
-  nixosTests,
-  nix-update-script,
-  dataDir ? "/var/lib/firefly-pico",
-}:
-
-stdenvNoCC.mkDerivation (finalAttrs: {
-  pname = "firefly-pico";
-  version = "1.7.0";
-
-  src = fetchFromGitHub {
-    owner = "cioraneanu";
-    repo = "firefly-pico";
-    tag = "${finalAttrs.version}";
-    hash = "sha256-Ef64WZYAtViW5lCSCtTzjs6KJL7BxW9innqLSy0N2xQ=";
-  };
-  sourceRoot = "source/back";
-
-  buildInputs = [ php84 ];
-
-  nativeBuildInputs = [
-    nodejs
-    nodejs.python
-    php84.composerHooks2.composerInstallHook
-  ];
-
-  composerVendor = php84.mkComposerVendor {
-    inherit (finalAttrs) pname src version;
-    sourceRoot = "source/back";
-    composerNoDev = true;
-    composerNoPlugins = true;
-    composerNoScripts = true;
-    composerStrictValidation = true;
-    strictDeps = true;
-    vendorHash = "sha256-hwbmsvD91lX/vYa1Xk1WEo8pB6b+DTRDVd2DJ7TjocI=";
-  };
-
-  passthru = {
-    phpPackage = php84;
-    tests = nixosTests.firefly-pico;
-    updateScript = nix-update-script { };
-    frontend = callPackage ./firefly-pico-frontend.nix {
-      inherit (finalAttrs)
-        src
-        version
-        meta
-        ;
-    };
-  };
-  postInstall = ''
-    chmod +x $out/share/php/firefly-pico/artisan
-    rm -R $out/share/php/firefly-pico/{storage,bootstrap/cache}
-    ln -s ${dataDir}/storage $out/share/php/firefly-pico/storage
-    ln -s ${dataDir}/cache $out/share/php/firefly-pico/bootstrap/cache
-  '';
-
-  meta = {
-    changelog = "https://github.com/cioraneanu/firefly-pico/releases/tag/${finalAttrs.version}";
-    description = "Firefly III: a personal finances manager";
-    homepage = "https://github.com/cioraneanu/firefly-pico";
-    license = lib.licenses.agpl3Only;
-    maintainers = [
-      lib.maintainers.patrickdag
-    ];
-    hydraPlatforms = lib.platforms.linux; # build hangs on both Darwin platforms, needs investigation
-  };
-})
diff --git a/secrets/generated/ward-firefly/firefly-data-importer-app-key.age b/secrets/generated/ward-firefly/firefly-data-importer-app-key.age
deleted file mode 100644
index 701c1aa..0000000
Binary files a/secrets/generated/ward-firefly/firefly-data-importer-app-key.age and /dev/null differ
diff --git a/secrets/generated/ward-firefly/firefly-iii-app-key.age b/secrets/generated/ward-firefly/firefly-iii-app-key.age
deleted file mode 100644
index 8d380b4..0000000
--- a/secrets/generated/ward-firefly/firefly-iii-app-key.age
+++ /dev/null
@@ -1,12 +0,0 @@
-age-encryption.org/v1
--> X25519 K0iCGjPk+lIfakWRt19tUebknIoPk7CRKQgJxt6543c
-1TTIJMkKIBC4mkV22/+DL6MonwX5bSFnHrI/1UMBxOA
--> piv-p256 xqSe8Q A8TmdnrAPXoyy1s69kIJ4+UDB0ecn5BGj7AOgyT46x+A
-3IOxV7OkgkCq4OBN521ONImxkbZ7CA3rXcYixF1T0v0
--> IMt/c-grease
-3x3A2IBsky5I8QkGvxAv0Sf5+uuTdrLtRGVIQ7Kx7/PgZJdHrEVp7brTImvGHa7U
-7R3tyMLSVAUq0fje5TuY+qt5iovMFvN9Ju9tXq0TTrR8oMQ7AuRTPVQSZCa8Sj4i
-46w
---- xqksX/NXpJyr2omtpSxWZT17lzp0JsGVOAwVF3qmS88
-+Ty��W5*gP$��G@���R*��<�ne�"�p
-���#Nΰ����|���G�Op�A8x��)��������-&_�
\ No newline at end of file
diff --git a/secrets/generated/ward-firefly/firefly-pico-app-key.age b/secrets/generated/ward-firefly/firefly-pico-app-key.age
deleted file mode 100644
index 7713582..0000000
Binary files a/secrets/generated/ward-firefly/firefly-pico-app-key.age and /dev/null differ
diff --git a/secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age b/secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age
deleted file mode 100644
index 386e735..0000000
Binary files a/secrets/generated/ward-firefly/promtail-loki-basic-auth-password.age and /dev/null differ
diff --git a/secrets/generated/ward-firefly/telegraf-influxdb-token.age b/secrets/generated/ward-firefly/telegraf-influxdb-token.age
deleted file mode 100644
index 7b0eb97..0000000
--- a/secrets/generated/ward-firefly/telegraf-influxdb-token.age
+++ /dev/null
@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> X25519 HgSF2a9Q3nwcydHrTdp+3OCofuM0icQ17MA20aZd3Qs
-psZ9T9mQRBWDK/AEZSZaYaLX9hLaarWo3ih5TdF0KtY
--> piv-p256 xqSe8Q AlVUJIsg77JKUuLZkd3QFdVaJxZl5y7pQAvFu3hS7DBO
-3GySsYAQAuR5nYJOKQ49qLBhZy8H5ozQ78dyAZuqdDw
--> -?_-R-grease
-TBgbQcVKKpCzoOQ1IJhKN17FQj6sC6g/0ZWWilWPfJbhGRZBocynl1o4H492FE3k
-NUjMFQFOY28JlHX1N8yT8T9AMFYdpUS3hQ
---- dFzRUdI8Gc5FA+zFzaGpWNV4s2kQFy1neRt2cyTGiTs
-�y��zf�����_�T(�ݨ�{���	j�֭�!;D���u-�$�ֿ���8�������
-��g\XdIQ>��"��
\ No newline at end of file
diff --git a/secrets/rekeyed/sire-influxdb/25afc8a55a3c3646f3d5b63f1626e324-telegraf-influxdb-token-ward-firefly.age b/secrets/rekeyed/sire-influxdb/25afc8a55a3c3646f3d5b63f1626e324-telegraf-influxdb-token-ward-firefly.age
deleted file mode 100644
index 1d8ba1e..0000000
--- a/secrets/rekeyed/sire-influxdb/25afc8a55a3c3646f3d5b63f1626e324-telegraf-influxdb-token-ward-firefly.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 1tdZKQ PhTEEKU3VbR4jKOq9yqGfCXI3LgBS9tuTniqQVs+qU0
-ZDzt7bQ03RT5W2hoxsZTrQI8PuBBrH8UiYHpVox4YU4
--> GCS:-grease
-H0Poh145lWvrCYnOXCFt1VJMpwGK/Ek
---- z76MlfKZZvOBXOhvmWY7Am5nnICI2rhS8fnNpXfj4dA
-1�����$���~[>�ػ�1>� u^�\�|K����^�cu�*�g�W�H������7{�����.�!:�)�s\�����x
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age b/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age
deleted file mode 100644
index 66960a3..0000000
--- a/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 YHfciQ OTxzJ803Chy1q2nC4XEJmOHZBxSsYel7zVI4nGXgfUY
-hJcjU/zS7vR8p1FvS7PPSIcPIDTyglxu/F2/za4s3L8
--> -4-grease A{W40{E T6yR<jP- h:Fc
-H2VZUOUBsHsujyI
---- o9+YE4wWtvRYfwOEiQjZgU3a/RBrMRBg2MZGc5JO+4I
-{lKGE�ⒽӅ,7��,�rCt���Ʒ:ߨ�C��)h��\��*���{j, �|=����9ϲ+k !fT�/~9
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/206d313b87995351cd0b97e804d37886-wireguard-proxy-home-psks-ward+ward-firefly.age b/secrets/rekeyed/ward-firefly/206d313b87995351cd0b97e804d37886-wireguard-proxy-home-psks-ward+ward-firefly.age
deleted file mode 100644
index 10a706b..0000000
--- a/secrets/rekeyed/ward-firefly/206d313b87995351cd0b97e804d37886-wireguard-proxy-home-psks-ward+ward-firefly.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 YHfciQ /JDeiZuydrg08gCBvPUMBRIOzciGvV+o+eCS/lmrtRo
-X62u9gSTkkhIJhOLv+Oxu0aTCw9K4oxtsFUEQTrEC78
--> %u]tzM-grease |kp`D O*d_7kP=
-vNzBWFKkxN/7oxjXuNSBsNh+BCTR
---- HMqjg2W7E1jaamxsKFWGHsUkVFuCgFKXCcPdjAN22SI
- `��o���ۈ�o�ZOo*WU�bA[��h{>�y��p[�6��������7�9�!�����
-ՅX��?t��t)Uy��
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age b/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age
deleted file mode 100644
index adf708c..0000000
Binary files a/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age and /dev/null differ
diff --git a/secrets/rekeyed/ward-firefly/42e563c91200775d10a651a63413f5e0-telegraf-influxdb-token.age b/secrets/rekeyed/ward-firefly/42e563c91200775d10a651a63413f5e0-telegraf-influxdb-token.age
deleted file mode 100644
index 36d3ff5..0000000
--- a/secrets/rekeyed/ward-firefly/42e563c91200775d10a651a63413f5e0-telegraf-influxdb-token.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 YHfciQ C6rdXtEgSnmvZGadg4t2P8g7ZP9Cizgni/+QsOPWp0w
-eeSuBSk5+SnJr6YtO67wn7a263ummSELG4SXrkUXp/Y
--> +(A@\ZO@-grease 8Yt9 f B7!c
-g2QVWUbgF3QyPIUMX+7x4iS5xmEPaKtGtZwQJpRPBw7cgS5xNp6DTgF/bRyazsuD
-+XIrHrVRZww0FobvAZWQVHz2SrzIqWi0SHRSnkV7cTKKNdAZHje/2CYpQ421C6hI
-WA
---- wqySXNN6CxW4Sje0GKTfM0xmyXl8fRs/GTALuk0c7+0
-�T������c�|��u��4��Y��OjF�~�o$�d	�S��P����W�xc.8��'�-[�4{�-�mV�vA�픴
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age b/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age
deleted file mode 100644
index 0fe750c..0000000
--- a/secrets/rekeyed/ward-firefly/bf62c2abb03665ad857f821820811918-firefly-data-importer-app-key.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 YHfciQ Ta83gRa74Qw3CSktDEV58orXyTabF1iyMe9o0EftLAk
-JedF0o7cg0cyr7NTlDUQGQTrqTsOUyqr2qGgeb04F98
--> c7X&&-grease M (u|w5r1t Bu&{
-KgBrgDovK7GWxFLq7kkwA5UNWr5QqlzeWbU13cTt8DXC4TCdSS9A+Wjzl+qDykzW
-5oZ6tFgvWFFF2E/3Ym1YjTTl3cOvxG0RG6Bj/GXNVjo8PeTJ5Ny9h+yOJ/YuAcY
---- cqhrBzqNMukHeBPQe1mlHpVZfVWgUAepvPV8JGbAUVA
-�R<,V�H��Y�Z�#�}�*Ϫ�!���[�r�����kȾ�܍�ʓo�jc�>92�/db�=s��E{1~"���&��j$8H
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/c17f6d023aa2f3bf37bc286b3766fef1-promtail-loki-basic-auth-password.age b/secrets/rekeyed/ward-firefly/c17f6d023aa2f3bf37bc286b3766fef1-promtail-loki-basic-auth-password.age
deleted file mode 100644
index f8484e7..0000000
Binary files a/secrets/rekeyed/ward-firefly/c17f6d023aa2f3bf37bc286b3766fef1-promtail-loki-basic-auth-password.age and /dev/null differ
diff --git a/secrets/rekeyed/ward-firefly/cc7db31943caeff66244b3aa934b7297-wireguard-proxy-home-priv-ward-firefly.age b/secrets/rekeyed/ward-firefly/cc7db31943caeff66244b3aa934b7297-wireguard-proxy-home-priv-ward-firefly.age
deleted file mode 100644
index b898dfb..0000000
Binary files a/secrets/rekeyed/ward-firefly/cc7db31943caeff66244b3aa934b7297-wireguard-proxy-home-priv-ward-firefly.age and /dev/null differ
diff --git a/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age b/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age
deleted file mode 100644
index b0d5adc..0000000
--- a/secrets/rekeyed/ward/ca883e2bce6ceff39bb8dc133d3a092e-wireguard-proxy-home-psks-ward+ward-firefly.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 iNceIg wdAnVbYVU+fgSIb4ZiNqfbV5e+Gyt7l2Pr+gqoTzt30
-iV0QOUfzJLu061EjjY+hD8SnT4Mx5udoO7tUogRPeA4
--> rv!OK-grease 3@%B3|g
-JUDryA
---- mADEX6kUWctEoYX8d/eTbYFdB+kcILfyhbUjiDMNGx0
-���ƕ���^��$aHn����GLY���U�bR���Afu�ժd���5�>r�c�풪��&���0ׇ�F:�j�
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/keys/ward-firefly.age b/secrets/wireguard/proxy-home/keys/ward-firefly.age
deleted file mode 100644
index ec57bf5..0000000
--- a/secrets/wireguard/proxy-home/keys/ward-firefly.age
+++ /dev/null
@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> X25519 uvlRP7EwYe9edPcApANRaV0Eqwx/CY6ElDJ8zPS6NTc
-SGcubLfhsAQxjjxUfoczcKT7acC+o9YLDjAbaZxIXj8
--> piv-p256 xqSe8Q A7hFGedcJqbSCtfnBTi52Vm3lwCojBBJg2KZoHBHzFeb
-9UPcvDAwU1Kl6nRE3eakB4dPyyjeKlSVK0/MeUzMVvs
--> id2?G-grease J=PF j
-3PdNbIHnMNBtH6OPbMXyMtpt2HVSW+D0BCg3qg3V3p3DDd7FEQzr7lEfsjooZwG8
-fC2jno79z1r7t7lg5VgP5s1yA2WO6sfaMvZ25iQLlg
---- V6na3Vl3HiCI97qZbIwhvJnrN9St1VaU4wLxvVaJY8k
-a-�����X���=�	���U����[�mHkt~�F�J1�W)l����(�΂s�/�O���<v�q�YzN��?�
\ No newline at end of file
diff --git a/secrets/wireguard/proxy-home/keys/ward-firefly.pub b/secrets/wireguard/proxy-home/keys/ward-firefly.pub
deleted file mode 100644
index 45426da..0000000
--- a/secrets/wireguard/proxy-home/keys/ward-firefly.pub
+++ /dev/null
@@ -1 +0,0 @@
-MRJ0x/6qO8xo5rJus+L99qmSZu6gB/KBxvwqk0T2EyE=
diff --git a/secrets/wireguard/proxy-home/psks/ward+ward-firefly.age b/secrets/wireguard/proxy-home/psks/ward+ward-firefly.age
deleted file mode 100644
index 405c5e7..0000000
--- a/secrets/wireguard/proxy-home/psks/ward+ward-firefly.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> X25519 u+GOb4it1FIuM2xQLit+Qj8FnHxog7mrgqzYB2cAF1Q
-MiVwE4nNwJo7aIg+H8/1vCPsHbKIRw58xPprat9E7xk
--> piv-p256 xqSe8Q AqY1gjvBbu3vDCrksaKE9BExREcAp00pMIVyAZxvr/aw
-CubJmGfOCZyLXxWgoZ+fnQu7BCs1arzt5iKZjdSIVM0
--> ??~tD-grease i2nkSM_{ iogOoT}>
-wWFu3rir4mB4RUy9
---- K1zBn3duHmWgsphLbNn1ujFQ/X08tpW4dkmKB7S8eM4
-�������ۂJ����/"m��=���f�s$��@�f~�a73�4�ފ}�����k"������!W1�U��6q
\ No newline at end of file