diff --git a/secrets/bind_pw b/secrets/bind_pw index 125388f..0024892 100644 Binary files a/secrets/bind_pw and b/secrets/bind_pw differ diff --git a/secrets/hidden_service/akkoma b/secrets/hidden_service/akkoma index ce1fd1a..dcc0c39 100644 Binary files a/secrets/hidden_service/akkoma and b/secrets/hidden_service/akkoma differ diff --git a/secrets/hidden_service/forgejo b/secrets/hidden_service/forgejo index 40fa20f..5a5c22a 100644 --- a/secrets/hidden_service/forgejo +++ b/secrets/hidden_service/forgejo 
@@ -1,7 +1,13 @@ -age-encryption.org/v1 --> ssh-ed25519 OPPxWw EI6x+qUDXzqxQSlCYUbP+7QPZMnjXpltYZtqKGTC0mA -CRKukPnjX7UkoUhvbRqp9R7okrCXSdFOKQ6NqOJOQPM --> ssh-ed25519 aO1l/A yYtKmIaqYqE1GtbpZ57LSOvIk3ShAKRxwLhF28+kX04 -G3LaXN/I2MQsibGKQFhaN9fozZc3WTDfduVNpSs8c6c ---- l669kOCRaI4AYjSfEnh3ipLsLClXVtsZ7XeCVtYe76A -S'`Gh6mխ 8&#r%@w`o"BXegNfPd!C@ ssh-ed25519 OPPxWw uTCw+F+4qeg9cwzmqutlo73TKh+3gHLlKiNnGtH0pBg -/z43V3RLple7a9DQryhGlIuyr4zEkb1VeiP5a/Wj1uE --> ssh-ed25519 aO1l/A 6taX73uwY+2dvd4urZsYuzdz+nCeT1esrgwVK061/Hc -hijoJqXSWN2yWwm8wJAzn0rxYFVKboov6auJMWJiQoE ---- on7Z0/l1J9q8zvDBrcLV4vDvfuSpEIuuAAOaMCywwF8 -khԐLJ8rs1/}9gSΏ-zU/$lHYtq`C25U tK >dqqpnyx"4D~"ڃeLAqzW %V}kS. \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBJempn +ZG8rcUt1Q3JlTm5qV2RheHpkL25LdTFCZkVkaWlwRjRPbzhjMHpnCmMwSVBMeXls +Rlh1cnorUHdQaCtMUXlGQlovZ3FYWWV4T1JEcEo5bHVzaWcKLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIDcxL1dQampPaytxZU1SZ2JBNXE3VVZ1QXhvVTZaZW5jK25hOGcv +MTJHQmsKd2ozSVVnVzBZVVphNjRFdVRkVHlzSDYreUFUWS9mWWsxak1weEo3QzlQ +QQotPiB2b3R0dH05XC1ncmVhc2UgXnA7USByIyxWCm1LcGZyNnlVNW5IRE1iZHds +RUpsNytsWHo3dDZ4TnA3b2pWS29ITHJBdzBJNFdGSS9obzFzNEJWRm93NXo5eEUK +Wm5reUZBMG5YdnJDYSswMWpZelpGTjVRUllIbU5QMzZPZW1EZmhVcXQ5YXgKLS0t +IFpaOWIxdFcwTVcwSGhQeHAyLzZjRUlNSm9yTkVYY0RNaWxWdXdVakhPQzAKM0rz +5LPzYYJWhkfR5swizeoTsgQ2RFztCCQjbehBAdjjy8a3FS7YNSNXDbl4vHPscM1D ++XyoKyAZFoSVF0bda9FPpSVUH6+rxddh42mZPW45DiPO/ukMyx415dJjAtQipwxk +RnZ2pT2GLTQ+HVPDGEefWTzjUxH5dOt3awRJEto= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/hidden_service/microbin b/secrets/hidden_service/microbin index 026272e..9a5efec 100644 --- a/secrets/hidden_service/microbin +++ b/secrets/hidden_service/microbin 
@@ -1,7 +1,13 @@ -age-encryption.org/v1 --> ssh-ed25519 OPPxWw iecDZG4hirn38+rgldEWI2+8/8rq71uWNT+SHlfAiDY -qx6clYF4hxRBJYYu0KKB7hRfPZwCbHcQpjLL941Z83c --> ssh-ed25519 aO1l/A l5cKreKOle24HArdayk83bPWXfXsRJ+Ra+hQJ/wIbxg -so31JolmVJl3EFNBMY0+iFnt68e8IE21hPgywlgKEIA ---- hde73O1LCWGqO/2nrIg8SefxAzPp8ZY1lJFzEOCkNEs -9Q~={XCϧq$4Nlkh 5W5bQkjۺ2q/}B%+uw6 -0_;3nd\l> чC* \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBRclQ5 +QXg1NlNOUEkvZkFFd1BCNHZ4M3B2bmtiNEVpNkgwM3B3WU13SEVJClFpR0E3Ty90 +VjRTbTB2V2dxT1lPN0diREVBcXVGOWh4azdBNGpmNlpVZFkKLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIE1yYkFuSFV0L3U3elJ6cEhFRWJlYUNRUkk3bGUvRlNKdG54alJr +bDRXV1kKa0JmN3pJVys4TElvNHdvM1I4S2FaRDNiRStnbnhFQURIS3BDNzd6ZWRT +MAotPiBSbC1ncmVhc2UgVD13UW4KOG1COUJ5UTA2bnpaOFpQWnJQNFNKVktLN3V2 +Y3ljaFVRNGwrakswcWhjdDZQUXBSdjA1NTBvZzhrV2dVZ0YvcApOMmU5Ci0tLSBv +Y1gxSGRyU0JhNEV6RUpxTUJyZjRibEwrSjRzQ3BTYUU1OGpwa2RHQm8wCmL6Q80l +OQmbq0bY2VRYSg8pPhonpz5YWk0LtUwJEvjBeBvCC6wGEV9S66m/cqjzgQo82fbf +Ig72HM0gukgAbTRlchamCMm6TGPG8idpNFH82xj4o4t/9zGaMd0IEGJkVofEwJ+K +SvDbd1f3MBdAJdeOmNl4XEWgKo3SNfVqIxtm +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/hidden_service/nextcloud b/secrets/hidden_service/nextcloud index 8da8eff..9ac6be7 100644 Binary files a/secrets/hidden_service/nextcloud and b/secrets/hidden_service/nextcloud differ diff --git a/secrets/hidden_service/site b/secrets/hidden_service/site index 3128e86..0c68a0d 100644 Binary files a/secrets/hidden_service/site and b/secrets/hidden_service/site differ diff --git a/secrets/hidden_service/vaultwarden b/secrets/hidden_service/vaultwarden index 1118341..a68dac4 100644 --- a/secrets/hidden_service/vaultwarden +++ b/secrets/hidden_service/vaultwarden 
@@ -1,7 +1,13 @@ -age-encryption.org/v1 --> ssh-ed25519 OPPxWw yYJgjjH8GaBc+bDIPHIyyG5tBqDjIe7P/9gNhnNcCGw -SomRbtpu4TqEa16yGBImEXWKNIUGNs5RIw1AT2YrEQg --> ssh-ed25519 aO1l/A 1qypu4ZiyZTqEEVEo9Rj8BO3SlPgoPHzn5gMA8SaajU -zPPbrM6mWhhtAuU/3h8/ess31XjHf4kct9HRslv/pwM ---- rF+OjMZvtrB5BSHs89xn8i+UitXqqmmDf+UFliwOxgI -)ݏBZ׫JB1dφCFI'  &nb`i ^)@Qu͊0'f8g0gIAذ4} uY՛v,}jC5Ԯ \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyArMUcr +U0U5Qk81RFBxNElGZFp0Z2hmZkZXY0w4bEM1dkhhdmhBNElYWVdnCkRudm5ONm9E +c3lxSXhteHZwUGc0aFNvR2NrV2pWdFZLcmV1dVYrSEJqWjAKLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIEpPWURndjBRSUYrQjlqVWR1eTlQcG9ldXlQY0NITi9iVktSMVlE +SmxlQmcKbjUrUTcxNzJnL3ducjJmWlNrQzAvdW9RVWtVNGxTWHhSQWFRdS9xZ1NY +MAotPiAvcmheLWdyZWFzZSBYQUF4XUFuSgplNmRGclRWZFpZT0h5aE0rcGdZam0v +dnl1VXZvZHJBNTJETWVxVEQ1Z2trTmIwN2krMDJRMFRmMk1DYjViOE4xCjBESE1N +OExzTGxWc0lCaGw4Nk1xCi0tLSArdWx6c1QzTjdsbmF4Z2k5N2dTVGl3QXZneTZn +R0NYQUxsSXpRL042ZmRVCuA+WqySyT1dVc48In1Lb8U9CKs91CR1Sg5kr6uy9lY/ +ZbcElyNb+1OKtFxvibUkr0ATRhvtszTMUBy7pQnZxSAk2R2T276t3rTMZnou62+g +9wIKULSqCqSTFiibOUYkVWKSp6fZkO8aQZaPLe/tbZXuJnS8XmRL9IRhrkalfzlw +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/nextcloud-admin-pass b/secrets/nextcloud-admin-pass index 8332c19..9418c3e 100644 --- a/secrets/nextcloud-admin-pass +++ b/secrets/nextcloud-admin-pass 
@@ -1,7 +1,11 @@ -age-encryption.org/v1 --> ssh-ed25519 OPPxWw j1t4iDbd4Vi+cbtcpysshdhjZkXxw3z9Pt3qsfdxeVE -TfYpAStRQENusrVFzX2K1W5SlAKFum7izz6OuZ8BNw0 --> ssh-ed25519 aO1l/A Gzmig1OCbFrgMB/lBGnlt6ja+9RQGvr7Fvx0dunuhjY -XnlgWGq/5x8GXlpc5E0vg/SahlQ1xQHkGs6T5XNtPhQ ---- sVqR0QBMPSv3pfDQa9xbrWy0+wgvOB/AOVPdPC6fdmI -˕dNUf򖤱I/z){q \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBldVpP +c3dtRkp0SHdYdklIeFVBY25TSXJNZEUrTDFTa2g5eXFIRDF2YTNjCmo3RVYzTFVo +REFVQUVNNWVFc2x1eFR3QXNEMkhBa3lLY0E0Z2VHUkIrTmMKLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIE1aQ3pIVHFhR01nNjFlRlltbmRlSjluVGt2YlQ1NjFoWndNN2Mz +a2V1QU0KakVBNEJmR0tnUytZcks0Z2hNcjE5Q3JhdnhnQ3N2Z2ZSZWxxem9wc3JX +SQotPiBvOnskLDNjLWdyZWFzZSA5JEc4VE4gOkwqayJ8LyA8cW8gLDgvCm4zSS82 +ZHpNV1Y3aWtLaHNFQQotLS0gUXBBL1I2TU9sdlY0T1prL0tVSjVmblNSZEJZRlA0 +anhGd1k2UnRSZzVyRQqBRICQ8Gh1EN2BTOjAQpWcgLeUOzkAr/hIDnOQVxxsJUCi +UzA= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/prosody.env b/secrets/prosody.env new file mode 100644 index 0000000..343006b --- /dev/null +++ b/secrets/prosody.env @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBoVmdv +cUd4cTkzd2l3ZldNYUEvd2szMHB1OWc2Ri9iZ1ZBYmdrMUNvY0VFCldiWXlQR3or +SkxGUkpJV3hVa3dQQ3Y4aHVZNnFvMUc2WDF3TTI0ZlBvNE0KLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIFpNNXZFL3BGUktpcFNuK1ZncFFzVU5TOGxBVGFCREhuV254NDJl +UStFWFkKV0pYUCs5a1cwZ0lFVnQwYWxuSWRUOTdkbFVXRVJFS2EyV0lNcWpUTFBH +dwotPiA/YVg7US1ncmVhc2UgMyA0cSkwMT9eCnhraGV1TGpvSUt3cmlpa2hQK0Fr +c0tJaHNUSU8yZGcrZkFGSGkxZitWdXNFcHltcVNyTldhS2cKLS0tIFhUV0VTVVdv +RThrbEtoa2hhclZUR2RtdE9zZlNuTWhvUS84eWZvMk91M0kK1H/r33EJ/8dbaEnA +QEX1qV/QUfMNhyvMB77UV99qs7REvL7bwM/wryqa7F3gk6Iw+qQFtSLSnWSzW2l2 +7HNj5goQ +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4b0adfa..d263d88 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -9,6 +9,7 @@ let in { "bind_pw".publicKeys = all; "nextcloud-admin-pass".publicKeys = all; + "prosody.env".publicKeys = all; "vaultwarden.env".publicKeys = all; "hidden_service/akkoma".publicKeys = all; diff --git a/secrets/vaultwarden.env b/secrets/vaultwarden.env index df5e539..bb00787 100644 --- a/secrets/vaultwarden.env +++ b/secrets/vaultwarden.env @@ -1,7 +1,11 @@ -age-encryption.org/v1 --> ssh-ed25519 OPPxWw 61YZPCkKWrN9HtuXp3Pp8FPn5ZHSMS+Uwj11jAo08lI -Jf5ZST19jmOEo03+9n+5TWdoY9zP7p82/a/7uYWLl5s --> ssh-ed25519 aO1l/A RoOPm2ZU1FnqdSMXN7u6DCFmdm0uBrvC5iD448oJOW0 -TRSOf1Rb267GKvcpri3UVxk1dfDTT3uscvrG5kUOKy8 ---- u6D/Na2naOy7BiTcW1P9U01cb1O0QMWruExMpCevxG8 -] dP; @p혂v1myYS\ **CΆgbҒ te k#ħ'(܏ \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBSb2kr +QkY5NkJmOTczWFJReDZYYUhTNG1ZdWsvYXhhcDBzcVphZ2V3d24wClFWZVl0NjA2 +QXBRSDljZEFEOFZ4RDRaRi80RVh3VmZWQko1cXJjdDhZbnMKLT4gc3NoLWVkMjU1 +MTkgYU8xbC9BIHFEeVlCaGxjWHQ4UkpHUlcrMEc1dmRLNXB2cDVYWFp4dWNpdnFa +UjloM00KVUlhc0VYVFpLTlFvQVpBZ2VtdlozeGVKM2RTMmdiaTdmUTdiQ1A2KzYw +TQotPiBwIV0tZ3JlYXNlIDozRiA1KnxSdwplQQotLS0geW9sOHBiVlQ2ck50R3lQ +T1U0M3k0K0lJVnJMWkYzcWROUDhvVUEvQWk4awr9RgWpAJ3q1gB4FmrukNJ1XTRG +q1Dpa6WxaY8lhOmXg0JIVxcp59zHTTZmSL5bisx5F0OtGDxnXcB3ssNbcvIqSx2c +/pZzFkrTk/HQjmK0kzC/QoxOEwMTCD3hdimyWJUxXq868WrigoSRWerQ +-----END AGE ENCRYPTED FILE----- diff --git a/services/mailserver.nix b/services/mailserver.nix index 50bdc09..1fbc383 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -1,4 +1,6 @@ {config, ...}: { + age.secrets."bind_pw".file = ../secrets/bind_pw; + mailserver = { stateVersion = 3; enable = true; diff --git a/services/prosody.nix b/services/prosody.nix index 5981dad..cc671eb 100644 --- a/services/prosody.nix +++ b/services/prosody.nix @@ -3,7 +3,7 @@ config, ... }: { - age.secrets."bind_pw".file = ../secrets/bind_pw; + age.secrets."prosody.env".file = ../secrets/prosody.env; services = { prosody = { 
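Review bot: `ldap_password = os.getenv("LDAP_BIND_PASSWORD")` in the services/prosody.nix hunk yields nil when the variable is absent, so a misnamed key in the encrypted prosody.env would leave mod_auth_ldap with no bind password rather than a clear startup failure; I would fail closed with `ldap_password = assert(os.getenv("LDAP_BIND_PASSWORD"), "LDAP_BIND_PASSWORD is not set")`. This assumes the Prosody config sandbox exposes `os` and `assert` (it falls through to the Lua globals in the versions I know) and that secrets/prosody.env defines exactly that variable, which the diff cannot show. Moving the read out of the Nix expression does keep the plaintext out of the world-readable store that `builtins.readFile` copied it into. The enclosing `extraConfig` string and the `prosody = {` attribute set start outside the hunk.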
@@ -30,7 +30,7 @@ ldap_base = "ou=people,dc=distrust,dc=network" ldap_server = "localhost:3890" ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" - ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" + ldap_password = os.getenv("LDAP_BIND_PASSWORD") ''; }; caddy.virtualHosts."distrust.network".extraConfig = '' @@ -72,9 +72,6 @@ networking.firewall.allowedTCPPorts = [5222 5269 5281 5000]; systemd.services.caddy.serviceConfig.SupplementaryGroups = ["acme"]; - systemd.services.prosody = { - # requires = [ "acme-order-renew-chat.distrust.network.service" ]; - # after = [ "acme-order-renew-chat.distrust.network.service" ]; - serviceConfig.SupplementaryGroups = ["acme"]; - }; + systemd.services.prosody.serviceConfig.SupplementaryGroups = ["acme"]; + systemd.services.prosody.serviceConfig.EnvironmentFile = config.age.secrets."prosody.env".path; } diff --git a/system/configuration.nix b/system/configuration.nix index 27a89c7..f8f758c 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -1,7 +1,7 @@ {pkgs, ...}: let updateScript = pkgs.writeShellScriptBin "rebuild" '' #!/bin/sh - nixos-rebuild switch --flake /etc/nixos#distrust --impure + nixos-rebuild switch --flake git+https://git.distrust.network/root/flake#distrust ''; tor-hostname = import ../helpers/tor-hostname.nix {inherit pkgs;}; in {
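Review bot: `systemd.services.prosody.serviceConfig.EnvironmentFile = config.age.secrets."prosody.env".path` places the bind password in the prosody process environment, where every child process Prosody spawns inherits it and the service user can read it from `/proc/<pid>/environ`; systemd reads the file as root before dropping privileges, so the agenix default ownership and mode should suffice, and the unit failing to start when the secret is not yet decrypted is the right failure mode. If the deployed Prosody release supports systemd credentials, `LoadCredential=` together with Prosody's `Credential()` config helper would keep the secret out of the environment entirely; I would add a comment on the EnvironmentFile line naming the variable the file must define, e.g. `# must define LDAP_BIND_PASSWORD (read by the prosody config above)`. The old side of this hunk also dropped the commented-out `requires`/`after` ordering, which is fine as long as the acme group membership remains the only coupling to the certificate renewal service.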
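Review bot: The rebuild script in system/configuration.nix now deploys whatever the default branch of `git+https://git.distrust.network/root/flake` resolves to at run time, with no `?ref=` or `?rev=` pin, so any commit pushed to that forge, or a manipulated TLS path to it, becomes the running configuration on the next `rebuild` with no local review step; Nix fetches the repository over TLS but does not verify commit signatures. I would at least pin a branch, `nixos-rebuild switch --flake 'git+https://git.distrust.network/root/flake?ref=<branch>#distrust'`, and preferably deploy from a locally reviewed checkout and pass the reviewed revision via `?rev=<commit>`. Dropping `--impure` is consistent with the removal of the `builtins.readFile` secret read in services/prosody.nix, since nothing in the flake needs evaluation-time filesystem access any more, assuming no other module still reads a decrypted path at evaluation time.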