diff --git a/.sops.yaml b/.sops.yaml
index bc78ba5..8730ae2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
 - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
 - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
+ - &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
 creation_rules:
 - path_regex: secrets/services/dns-knot.yaml
 key_groups:
@@ -65,3 +66,9 @@ creation_rules:
 - *emily
 age:
 - *florp
+ - path_regex: secrets/restic/zh3485s2.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *crime
diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
index 6ed42ac..edbaa22 100644
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
@@ -14,8 +14,15 @@
 "2a0f:be01:0:100::b00b:a/128"
 ];
 };
-
- security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- kyouma.nginx.defaultForbidden = "fentanyl.trade";
+ kyouma.restic = {
+ enable = true;
+ remoteUser = "zh3485s2";
+ paths = [
+ "/var/lib/jellyfin"
+ "/var/lib/radarr"
+ "/var/lib/sonarr"
+ "/var/lib/private/prowlarr"
+ ];
+ };
 }
diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix
index fd06c11..4a9d3e1 100644
--- a/config/hosts/florp/configuration.nix
+++ b/config/hosts/florp/configuration.nix
@@ -11,8 +11,13 @@
 hostName = "florp";
 domain = lib.mkForce "social";
 };
- kyouma.nginx.defaultForbidden = "florp.social";
+ systemd.network.networks."98-eth-default" = {
+ address = [
+ "2a0f:be01:0:100::171/128"
+ ];
+ };
+ kyouma.nginx.defaultForbidden = "florp.social";
 kyouma.restic = let
 pgBackup = "/var/cache/postgresql.sql";
 in {
@@ -39,11 +44,6 @@
 rm -f -- ${pgBackup}
 '';
 };
- systemd.network.networks."98-eth-default" = {
- address = [
- "2a0f:be01:0:100::171/128"
- ];
- };
 services.postgresql.settings = {
 max_connections = 128;
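Review bot: The new `kyouma.restic` job on crime snapshots `/var/lib/radarr`, `/var/lib/sonarr`, `/var/lib/private/prowlarr` and `/var/lib/jellyfin` straight from the live filesystem with no prepare step, whereas the florp host in this same diff dumps postgres to `${pgBackup}` before its snapshot and removes the dump afterwards; these services presumably keep their state in SQLite files that can be mid-write when restic reads them, so the copies may not be restorable as-is. If the `kyouma.restic` module exposes the prepare/cleanup hooks florp uses, stopping the services or taking `sqlite3 … ".backup"` copies there would give a consistent snapshot; otherwise a comment such as `# live SQLite copies — verify integrity on restore` should record the accepted risk. Dropping the ACME staging directory in the same hunk moves this host to production Let's Encrypt, which is worth a sentence in the commit message because the rate limits differ. The enclosing attribute set closes on the hunk's last line.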
diff --git a/config/services/arrs/default.nix b/config/services/arrs/default.nix
index ebfecb8..b6c36de 100644
--- a/config/services/arrs/default.nix
+++ b/config/services/arrs/default.nix
@@ -1,16 +1,12 @@
 { lib, pkgs, ... }: {
- users.groups.crime = {};
-
 services = {
 prowlarr.enable = true;
 } // lib.genAttrs [ "sonarr" "radarr" ] (_: {
 enable = true;
- group = "crime";
 });
 systemd.services = lib.genAttrs [ "radarr" "sonarr" ] (_: {
- wants = [ "rclone-mezzomix.service" ];
- serviceConfig.UMask = "0002";
+ wants = [ "mnt-mezzomix.mount" ];
 });
 systemd.mounts = lib.singleton {
@@ -37,9 +33,10 @@
 kyouma.nginx.virtualHosts = {
 "crime.kyouma.net" = {
 verifyClientCert = true;
+ disableHttp3 = true;
 locations = {
- "/".root = ./landingPage.html;
- "/sonarr/" = {
+# "/".root = pkgs.writeTextDir "index.html" (builtins.readFile ./landingPage.html);
+ "/" = {
 proxyPass = "http://127.0.0.1:8989";
 recommendedProxySettings = true;
 };
diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix
index 5452cfe..51f2c3d 100644
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
@@ -1,13 +1,6 @@
 { lib, ... }: {
- users.groups.crime = {};
-
- services.jellyfin = {
- enable = true;
- group = "crime";
- };
-
- systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0002";
+ services.jellyfin.enable = true;
 kyouma.nginx.virtualHosts = {
 "watch.kyouma.net".redirectTo = "fentanyl.trade";
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index e861390..da605f9 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -19,11 +19,9 @@
 ) ''
 ssl_client_certificate ${./kyouma_Root_CA.pem};
 ssl_verify_client on;
- ssl_verify_depth 1;
+ ssl_verify_depth 2;
 '';
 forceSSL = true;
- http3 = true;
- quic = true;
 } // lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
 enableACME = true;
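Review bot: `wants = [ "mnt-mezzomix.mount" ]` on the radarr/sonarr units only pulls the mount in; it does not order the services after it, so both can start and scan an empty mount point before the mount is active. Pair it with `after = [ "mnt-mezzomix.mount" ];`, or use `requires` plus `after` if the services are useless without the mount. The same hunk and the jellyfin.nix hunk below also remove the shared `crime` group and the `0002` umask that let these services read each other's files; if media written by sonarr/radarr is meant to be served by jellyfin, that now depends entirely on the ownership and permissions the mount presents (its options are outside the hunk), which deserves a comment on the `systemd.mounts` entry. The mount definition continues past the hunk.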
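Review bot: The `+# "/".root = pkgs.writeTextDir …` line is commented-out code committed at column 0 alongside the real change; either drop it or replace it with a one-line comment stating intent, e.g. `# landing page retired: sonarr is served at /`. Moving sonarr from `/sonarr/` to `/` changes the path prefix the proxy forwards, so sonarr's own URL base (configured in its settings, not visible here) must be cleared to match or its responses will keep redirecting to `/sonarr/`. `disableHttp3 = true` is a kyouma-level attribute; unless modules/nginx/default.nix strips it before merging `vhostCfg` into `services.nginx.virtualHosts`, nginx's option set will reject it at evaluation. The `locations` set continues past the hunk.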
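Review bot: `lib` stays in the function header on the hunk's first line although the only use in the hunk, `lib.mkForce`, is removed; if nothing below the hunk uses it, the header should become `{ ... }: {` so the module does not advertise a dependency it no longer has (the rest of the file is outside this hunk). Removing the shared `crime` group and the forced umask is the same change as in config/services/arrs/default.nix and raises the same question of how jellyfin keeps read access to files the arr services write, which a short comment next to `services.jellyfin.enable = true;` could answer.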
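Review bot: `ssl_verify_depth 2;` widens client-certificate acceptance from certificates signed directly by `kyouma_Root_CA.pem` to anything issued through one intermediate beneath it, a trust-policy change the hunk leaves unexplained; a comment above it such as `# client certs are issued by an intermediate CA under the root, hence depth 2` keeps the next reader from "fixing" it back to 1. If a single intermediate is the intended issuer, presenting that intermediate in `ssl_client_certificate` with depth 1 would pin it, so another intermediate chained to the same root could not mint accepted client certificates. The `extraConfig` expression this sits in begins before the hunk.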
@@ -33,6 +31,10 @@
 useACMEHost = vhostCfg.redirectTo;
 globalRedirect = vhostCfg.redirectTo;
 } //
+ lib.optionalAttrs (!vhostCfg ? "disableHttp3") {
+ http3 = true;
+ quic = true;
+ } //
 (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]);
 in {
diff --git a/secrets/restic/zh3485s2.yaml b/secrets/restic/zh3485s2.yaml
new file mode 100644
index 0000000..26236f6
--- /dev/null
+++ b/secrets/restic/zh3485s2.yaml
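Review bot: `disableHttp3` is tested with `vhostCfg ? "disableHttp3"` but is not removed by the `builtins.removeAttrs` call two lines below, so a vhost that sets it (config/services/arrs/default.nix does in this commit) passes the attribute through to `services.nginx.virtualHosts.<name>`, where no such option exists and evaluation should fail; if instead the kyouma virtualHosts submodule declares the option, every vhost carries it and HTTP/3 is off everywhere, because the check is on presence rather than value. Both problems go away with `lib.optionalAttrs (!(vhostCfg.disableHttp3 or false)) {` and `(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" "disableHttp3" ]);`, and the parenthesised form matches the `(!(vhostCfg ? "useACMEHost"))` style used in the previous hunk of this file. The `let` binding this belongs to starts before the hunk.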
@@ -0,0 +1,35 @@
+restic:
+ zh3485s2:
+ password: ENC[AES256_GCM,data:GAesjt8CMFKuZk30vJTS7kH0cSg/p6NQCOU9udcVbVCurnUdqjKqZp97KnCcmA/A,iv:bf7trphHgzFzI3Pza8dDOgmKcHsBURsXEHtw0KpGQ7s=,tag:zE1WXaptcqBQMqgk+6SRqQ==,type:str]
+ id_ed25519: ENC[AES256_GCM,data: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,iv:P8VtAFoL0CcO7m7S60JardB95MUWYiABDOUZhLhXEzo=,tag:fLniekA0lMx6wW3u4NZPKQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUnFUQlhzYTdyblNOWUt3
+ V0daclVOZ0hlSmlJTHlKRDd5eThVSzVOVWh3CkpiaGNJd0hCMlk3MVdsdnY0TVJM
+ MEtKUXFnSlAwQ0kzd1M0eVA1WG1Bb2sKLS0tIFAvVklzZldkOFpCNHV4YnQ2SDA3
+ OW5TcVlqV0p4RThBRGlyaHkreEFMY28KPdgR9WCByJaLZcNophcfW7+7NU9MuI3E
+ bfWEFgqZLTdAg8y7s/M6ZAyjciflclxVnY8mTIhnERD+ZHHi++z1XA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-13T12:51:05Z"
+ mac: ENC[AES256_GCM,data:t/gg9SqDfrU+eKU9yw2R7ahLQY6pTgsRVFNk7K+zxTBiqUG2Rx0wm0bclkrkSKeHAVSJkc8OOWJvvRCMxaE980mknPM6721xNDV90Pt0ZsJvFXdOYKIaPQHC29klJKO60lsMsuup3BiF94O8+wIavLvYuc3jKFcaA4b9xAPRveM=,iv:TJhR1NzPVYIysghFAbjWB5lBpMhhkvwJdszkWGSLDPI=,tag:TCnewzN2qwFyG4Xio2JatQ==,type:str]
+ pgp:
+ - created_at: "2024-11-13T12:49:09Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdArN4L/MZSZoKwk/RKgA56OQMyt7IhW15qa7+Utie4/TQw
+ 0xKauGLJEMp7cnpmEvpBW8sy3hZRj1K4vLv2NKHzoXBuWGBer1Hf+CDZJ71ta6J9
+ 0l4B9f4L9AIRHO3ncb4IPyVprr+sFyhVJJAI7bo9mbFUqH0yfM5EmFiXWg5d9zO6
+ NfXbbfpW4ISEXFa//SuVl3h/HHxwDd83qA13OnhrlCjjwPfdA32kKM3CS/81JHNd
+ =4L7O
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1