diff --git a/modules/nixos/homeserver/authentik.nix b/modules/nixos/homeserver/authentik.nix
index 4a0431d..5ac7606 100755
--- a/modules/nixos/homeserver/authentik.nix
+++ b/modules/nixos/homeserver/authentik.nix
@@ -7,6 +7,8 @@
 trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
 };
+ sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
+
 services.authentik = {
 enable = true;
 environmentFile = config.sops.secrets."authentik/secrets.env".path;
diff --git a/modules/nixos/homeserver/caddy.nix b/modules/nixos/homeserver/caddy.nix
index cb90934..73b9554 100755
--- a/modules/nixos/homeserver/caddy.nix
+++ b/modules/nixos/homeserver/caddy.nix
@@ -1,6 +1,21 @@
 { config, pkgs, ... }:
 {
+ sops.secrets = {
+ "caddy/secrets.env" = {};
+
+ "caddy/wo2wz.fyi.crt" = {
+ owner = "caddy";
+ group = "caddy";
+ reloadUnits = [ "caddy.service" ];
+ };
+ "caddy/wo2wz.fyi.key" = {
+ owner = "caddy";
+ group = "caddy";
+ reloadUnits = [ "caddy.service" ];
+ };
+ };
+
 services = {
 caddy = {
 enable = true;
diff --git a/modules/nixos/homeserver/cloudflared.nix b/modules/nixos/homeserver/cloudflared.nix
index 22db6ce..af09010 100755
--- a/modules/nixos/homeserver/cloudflared.nix
+++ b/modules/nixos/homeserver/cloudflared.nix
@@ -1,6 +1,8 @@
 { config, ... }:
 {
+ sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
+
 services.cloudflared = {
 enable = true;
 tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
diff --git a/modules/nixos/homeserver/nextcloud.nix b/modules/nixos/homeserver/nextcloud.nix
index c812846..064af03 100755
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@@ -1,6 +1,15 @@
 { config, pkgs, ... }:
 {
+ sops.secrets = {
+ "nextcloud/adminpass" = {};
+
+ "onlyoffice/jwt" = {
+ owner = "onlyoffice";
+ group = "onlyoffice";
+ };
+ };
+
 services.nginx.enable = false; # disable to use caddy instead
 users.users.nginx = {
 group = "nginx";
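Review bot: Each of these per-module `sops.secrets` declarations (this authentik hunk and the caddy, cloudflared, nextcloud, restic, vaultwarden and zipline hunks) now names a key that must exist in a sops file configured elsewhere, and the sops.nix hunk keeps `validateSopsFiles = false;`, so a key name that drifts from the sops file is not caught at evaluation time but only when the host activates and `authentik.service` cannot find its `environmentFile`. With the declarations spread over eight files that drift is easier to introduce than when they sat in one attribute set. If the sops files are in the repository, consider re-enabling `validateSopsFiles` so the key names are checked at build time; otherwise a short comment on each declaration naming which sops file it resolves against (presumably `sops.defaultSopsFile` set in sops.nix, which is outside this diff) would help the next reader. The enclosing module attribute set starts and ends outside the hunk.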
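Review bot: `"caddy/secrets.env" = {};` in the caddy.nix hunk is the only one of the three caddy secrets without a `reloadUnits` or `restartUnits` entry, so a rotated value in that env file is not picked up by `caddy.service` until the unit is restarted for some other reason, whereas the certificate and key declared just below trigger a reload. If that is deliberate because the file is only read at unit start, a comment saying so would prevent someone "fixing" it; otherwise `"caddy/secrets.env".restartUnits = [ "caddy.service" ];` makes rotation behave like the other two. As a minor style point, the private key entry `caddy/wo2wz.fyi.key` relies on the sops-nix default file mode rather than stating it; an explicit `mode = "0400";` next to `owner`/`group` documents that the key is meant to be readable by the caddy user only. The enclosing module attribute set continues past the hunk.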
@@ -27,7 +36,7 @@
 };
 settings = {
 trusted_domains = [ "nextcloud.wo2wz.fyi" ];
- trusted_proxies = [ "127.0.0.1" ];
+ trusted_proxies = [ "127.0.0.1" "::1" ];
 };
 maxUploadSize = "200G";
diff --git a/modules/nixos/homeserver/restic.nix b/modules/nixos/homeserver/restic.nix
index 81e18ff..0073316 100644
--- a/modules/nixos/homeserver/restic.nix
+++ b/modules/nixos/homeserver/restic.nix
@@ -1,6 +1,11 @@
 { config, pkgs, ... }:
 {
+ sops.secrets = {
+ "restic/password" = {};
+ "restic/rclone/offsite" = {};
+ };
+
 # for use as rclone backend
 environment.systemPackages = [ pkgs.rclone ];
diff --git a/modules/nixos/homeserver/sops.nix b/modules/nixos/homeserver/sops.nix
index 3baccbd..4356676 100755
--- a/modules/nixos/homeserver/sops.nix
+++ b/modules/nixos/homeserver/sops.nix
@@ -9,38 +9,5 @@
 validateSopsFiles = false;
 age.keyFile = "/root/.config/sops/age/keys.txt";
-
- secrets = {
- "authentik/secrets.env".restartUnits = [ "authentik.service" ];
-
- "caddy/secrets.env" = {};
-
- "caddy/wo2wz.fyi.crt" = {
- owner = "caddy";
- group = "caddy";
- reloadUnits = [ "caddy.service" ];
- };
- "caddy/wo2wz.fyi.key" = {
- owner = "caddy";
- group = "caddy";
- reloadUnits = [ "caddy.service" ];
- };
-
- "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
-
- "nextcloud/adminpass" = {};
-
- "onlyoffice/jwt" = {
- owner = "onlyoffice";
- group = "onlyoffice";
- };
-
- "restic/password" = {};
- "restic/rclone/offsite" = {};
-
- "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
-
- "zipline/secrets.env".restartUnits = [ "zipline.service" ];
- };
 };
 }
diff --git a/modules/nixos/homeserver/vaultwarden.nix b/modules/nixos/homeserver/vaultwarden.nix
index f1b28a1..e011e1d 100755
--- a/modules/nixos/homeserver/vaultwarden.nix
+++ b/modules/nixos/homeserver/vaultwarden.nix
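Review bot: Adding `"::1"` to `trusted_proxies` widens the set of peers whose forwarded headers Nextcloud honours, and the hunk gives no hint why the IPv6 loopback is needed now; presumably the Caddy reverse proxy (nginx is disabled in its favour in the earlier nextcloud.nix hunk) reaches Nextcloud over `::1` as well as `127.0.0.1`, in which case the client address Nextcloud records and throttles on would otherwise be the proxy's. Since the list is also the boundary of what may spoof a client address, the reason belongs next to it: `trusted_proxies = [ "127.0.0.1" "::1" ]; # caddy may connect over either loopback address`. The enclosing `settings` attribute set and its parent start and end outside the hunk.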
@@ -1,6 +1,8 @@
 { config, ... }:
 {
+ sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+
 services.vaultwarden = {
 enable = true;
 backupDir = "/var/backups/vaultwarden";
diff --git a/modules/nixos/homeserver/zipline.nix b/modules/nixos/homeserver/zipline.nix
index 5547cd3..b7d704e 100755
--- a/modules/nixos/homeserver/zipline.nix
+++ b/modules/nixos/homeserver/zipline.nix
@@ -1,6 +1,8 @@
 { config, ... }:
 {
+ sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
+
 users.users.zipline = {
 group = "zipline";
 isSystemUser = true;