diff --git a/hosts/servers/alexandria/default.nix b/hosts/servers/alexandria/default.nix
index 03c9a84..7930ab3 100644
--- a/hosts/servers/alexandria/default.nix
+++ b/hosts/servers/alexandria/default.nix
@@ -5,5 +5,6 @@
 ./hardware-configuration.nix
 ./hosted-services.nix
 ./security.nix
+ ./users.nix
 ];
 }
diff --git a/hosts/servers/alexandria/hosted-services.nix b/hosts/servers/alexandria/hosted-services.nix
index b178eaf..10d23ab 100644
--- a/hosts/servers/alexandria/hosted-services.nix
+++ b/hosts/servers/alexandria/hosted-services.nix
@@ -1,29 +1,29 @@ { inputs, config, pkgs, libs, ... }: -{ - users.users.nginx.extraGroups = [ "acme" ]; +{ + age.secrets = { + paperless-pass.file = ../../../secrets/paperless-pass.age; + }; services = { nginx = { enable = true; + group = "hosted"; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts = { "baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; root = inputs.homepage; }; - "bitwarden.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; }; - "detect.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8001"; }; "cinny.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8002"; }; - "jellyfin.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8003"; }; - "librespeed.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8004"; }; - "paperless.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8005"; }; - "pyload.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8006"; }; - "shiori.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8007"; }; - "sync.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8008"; }; - "whoogle.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8009"; }; + "librespeed.baduhai.me" = { useACMEHost = "baduhai.me"; 
forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8003"; }; + "pyload.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8005"; }; + "shiori.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8006"; }; + "sync.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8007"; }; + "whoogle.baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8008"; }; }; }; + vaultwarden = { enable = true; config = { 
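Review bot: `group = "hosted";` on the nginx service makes the new shared `hosted` group nginx's primary group, so files nginx creates become group-accessible to every other member of that group (per `users.nix`: `user`, vaultwarden, minecraft, paperless); reading the ACME certificates only needs the `acme` membership that `users.nix` already grants, so either drop this line or add a comment naming the path that genuinely has to be shared with nginx. The renumbered vhosts for pyload, shiori and sync now proxy to 127.0.0.1:8005–8007 while the matching containers are commented out later in this same commit, so those public hostnames will 502 today and will forward requests, cookies included, to whatever next binds those loopback ports; remove the vhosts or enable them only alongside the service. The librespeed container's `ports` mapping is not in this diff — if it still publishes 8004, the vhost change to `8003` points at nothing. The `services` attrset continues outside this hunk.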
@@ -33,6 +33,58 @@ ROCKET_PORT = 8000; }; }; + nginx.virtualHosts."bitwarden.baduhai.me" = { + useACMEHost = "baduhai.me"; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + }; + + changedetection-io = { + enable = true; + group = "hosted"; + behindProxy = true; + datastorePath = "/data/changedetection"; + port = 8001; + baseURL = "https://detect.baduhai.me"; + }; + nginx.virtualHosts."detect.baduhai.me" = { + useACMEHost = "baduhai.me"; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.changedetection-io.port}"; + }; + + jellyfin = { + enable = true; + group = "hosted"; + openFirewall = true; + }; + nginx.virtualHosts."jellyfin.baduhai.me" = { + useACMEHost = "baduhai.me"; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://127.0.0.1:8096"; + }; + + paperless = { + enable = true; + dataDir = "/data/paperless/data"; + mediaDir = "/data/paperless/media"; + passwordFile = config.age.secrets.paperless-pass.path; + port = 8004; + consumptionDirIsPublic = true; + extraConfig = { + PAPERLESS_OCR_LANGUAGE = "eng+por+deu"; + }; + }; + nginx.virtualHosts."paperless.baduhai.me" = { + useACMEHost = "baduhai.me"; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}"; + }; + minecraft-server = { enable = true; eula = true; @@ -53,24 +105,6 @@ oci-containers = { backend = "docker"; containers = { - "changedetection" = { - image = "lscr.io/linuxserver/changedetection.io:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - BASE_URL = "detect.baduhai.me"; - }; - volumes = [ - "/data/changedetection:/config" - ]; - ports = [ - "8001:5000" - ]; - extraOptions = [ - "--pull=always" - ]; - }; "cinny" = { image = "ghcr.io/cinnyapp/cinny:latest"; ports = [ 
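Review bot: `openFirewall = true;` on the new jellyfin service opens Jellyfin's own listeners (plain-HTTP 8096 among them) to the network even though the vhost directly below proxies to `127.0.0.1:8096` behind `forceSSL`, so the TLS front end can be bypassed entirely; keep the default (`openFirewall = false;`) unless LAN client discovery is explicitly wanted, and say so in a comment. `consumptionDirIsPublic = true;` makes the paperless consumption directory world-writable, letting any local user or any compromised service drop files that paperless then ingests and OCRs as its own user — since this commit introduces a `hosted` group, give that group write access to the consumption directory instead and leave the option at its default. changedetection-io and jellyfin are also put in `group = "hosted"`, the same group as `user`, vaultwarden and minecraft; it is worth confirming that the jellyfin media directories are the only thing those services actually need to share. The `services` attrset continues outside this hunk.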
@@ -80,27 +114,6 @@ "--pull=always" ]; }; - "jellyfin" = { - image = "lscr.io/linuxserver/jellyfin:10.8.4"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel"; - }; - volumes = [ - "/data/jellyfin/library:/config" - "/data/jellyfin/tvseries:/data/tvshows" - "/data/jellyfin/movies:/data/movies" - ]; - ports = [ - "8003:8096" - ]; - extraOptions = [ - "--pull=always" - "--device=/dev/dri:/dev/dri" - ]; - }; "librespeed" = { image = "lscr.io/linuxserver/librespeed:latest"; environment = { 
@@ -113,87 +126,87 @@ "--pull=always" ]; }; - "paperless" = { - image = "lscr.io/linuxserver/paperless-ngx:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - PAPERLESS_URL = "https://paperless.baduhai.me"; - PAPERLESS_OCR_LANGUAGE = "eng+deu+por"; - DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr"; - OCRLANG = "eng,por,deu"; - }; - volumes = [ - "/data/paperless-ngx/config:/config" - "/data/paperless-ngx/data:/data" - ]; - ports = [ - "8005:8000" - ]; - extraOptions = [ - "--pull=always" - ]; - }; - "pyload" = { # Download manager - image = "lscr.io/linuxserver/pyload-ng:latest"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/data/pyload/config:/config" - "/data/pyload/downloads:/downloads" - ]; - ports = [ - "8006:8000" - "9666:9666" - ]; - extraOptions = [ - "--pull=always" - ]; - }; - "shiori" = { - image = "docker.io/nicholaswilde/shiori:latest"; - environment = { - TZ = "Europe/Berlin"; - PUID = "1000"; - PGID = "100"; - SHIORI_DIR = "/data"; - }; - volumes = [ - "/data/shiori:/data" - ]; - ports = [ - "8007:8080" - ]; - extraOptions = [ - "--pull=always" - ]; - }; - "syncthing" = { - image = "lscr.io/linuxserver/syncthing:1.20.4"; - environment = { - PUID = "1000"; - PGID = "100"; - TZ = "Europe/Berlin"; - }; - volumes = [ - "/data/syncthing/config:/config" - "/data/syncthing/data1:/data1" - "/data/syncthing/data2:/data2" - "/data/syncthing/notes:/sync/notes" - ]; - ports = [ - "8008:8384" - "22000:22000" - "21027:21027/udp" - ]; - extraOptions = [ - "--pull=always" - ]; - }; +# "paperless" = { +# image = "lscr.io/linuxserver/paperless-ngx:latest"; +# environment = { +# PUID = "1000"; +# PGID = "100"; +# TZ = "Europe/Berlin"; +# PAPERLESS_URL = "https://paperless.baduhai.me"; +# PAPERLESS_OCR_LANGUAGE = "eng+deu+por"; +# DOCKER_MODS = "linuxserver/mods:papermerge-multilangocr"; +# OCRLANG = "eng,por,deu"; +# }; +# volumes = [ +# "/data/paperless-ngx/config:/config" 
+# "/data/paperless-ngx/data:/data" +# ]; +# ports = [ +# "8005:8000" +# ]; +# extraOptions = [ +# "--pull=always" +# ]; +# }; +# "pyload" = { # Download manager +# image = "lscr.io/linuxserver/pyload-ng:latest"; +# environment = { +# PUID = "1000"; +# PGID = "100"; +# TZ = "Europe/Berlin"; +# }; +# volumes = [ +# "/data/pyload/config:/config" +# "/data/pyload/downloads:/downloads" +# ]; +# ports = [ +# "8005:8000" +# "9666:9666" +# ]; +# extraOptions = [ +# "--pull=always" +# ]; +# }; +# "shiori" = { +# image = "docker.io/nicholaswilde/shiori:latest"; +# environment = { +# TZ = "Europe/Berlin"; +# PUID = "1000"; +# PGID = "100"; +# SHIORI_DIR = "/data"; +# }; +# volumes = [ +# "/data/shiori:/data" +# ]; +# ports = [ +# "8006:8080" +# ]; +# extraOptions = [ +# "--pull=always" +# ]; +# }; +# "syncthing" = { +# image = "lscr.io/linuxserver/syncthing:1.20.4"; +# environment = { +# PUID = "1000"; +# PGID = "100"; +# TZ = "Europe/Berlin"; +# }; +# volumes = [ +# "/data/syncthing/config:/config" +# "/data/syncthing/data1:/data1" +# "/data/syncthing/data2:/data2" +# "/data/syncthing/notes:/sync/notes" +# ]; +# ports = [ +# "8007:8384" +# "22000:22000" +# "21027:21027/udp" +# ]; +# extraOptions = [ +# "--pull=always" +# ]; +# }; "whoogle" = { image = "benbusby/whoogle-search:latest"; environment = { @@ -206,7 +219,7 @@ WHOOGLE_CONFIG_GET_ONLY = "1"; }; ports = [ - "8009:5000" + "8008:5000" ]; extraOptions = [ "--pull=always" diff --git a/hosts/servers/alexandria/security.nix b/hosts/servers/alexandria/security.nix index 10e742a..9235215 100644 --- a/hosts/servers/alexandria/security.nix +++ b/hosts/servers/alexandria/security.nix @@ -1,7 +1,11 @@ { config, pkgs, libs, ... }: { - age.secrets.cloudflare-creds.file = ../../../secrets/cloudflare-creds.age; + age.secrets.cloudflare-creds = { + file = ../../../secrets/cloudflare-creds.age; + owner = "nginx"; + group = "hosted"; + }; security.acme = { acceptTerms = true; 
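Review bot: Commenting out four whole container definitions with column-0 `#` lines leaves roughly eighty lines of dead configuration in `hosted-services.nix`; git history keeps them, so delete the blocks instead (the paperless one is fully superseded by the native service in this same commit). If pyload, shiori and syncthing are meant to return, note that the commented pyload block was renumbered to `"8005:8000"`, which now collides with the still-commented paperless block's `"8005:8000"`, and that the syncthing block publishes 22000/21027 on all interfaces — uncommenting would reintroduce both without review. A single comment at the `containers` attrset, `# pyload, shiori and syncthing are being migrated to native NixOS services`, carries the same information. The `containers` attrset continues outside this hunk.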
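Review bot: The new `"8008:5000"` mapping publishes whoogle on 0.0.0.0:8008, and Docker's own iptables rules are evaluated ahead of the NixOS firewall on a default setup, so the container is likely reachable over plain HTTP from outside the host regardless of `networking.firewall`, bypassing the TLS vhost in front of it. Since the nginx `proxyPass` only ever talks to loopback, bind the publish to it: `"127.0.0.1:8008:5000"`. The same applies to the other published ports in this file that this commit does not touch (cinny, librespeed), and whether the firewall really blocks Docker-published ports depends on host configuration outside this diff, so confirm with `ss -ltn` on the host.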
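Review bot: Setting `owner = "nginx"` and `group = "hosted"` on the Cloudflare credentials hands a DNS-API token that can issue certificates for, and re-point, baduhai.me to the internet-facing nginx process, and — should the secret's mode ever be loosened from agenix's default `0400` — to every `hosted` member including `user`, vaultwarden and minecraft. If, as in the current NixOS ACME module, `credentialsFile` is loaded as a systemd `EnvironmentFile`, it is read as root and the root-owned default of the removed one-line form was already sufficient; if a non-root reader is genuinely required it should be the ACME user, `owner = "acme"; group = "acme";`, never nginx. If the token has already been deployed under the wider ownership, rotate it and scope it to DNS edit on this single zone. The `security.acme` block continues outside this hunk.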
diff --git a/hosts/servers/alexandria/users.nix b/hosts/servers/alexandria/users.nix new file mode 100644 index 0000000..6b24665 --- /dev/null +++ b/hosts/servers/alexandria/users.nix @@ -0,0 +1,19 @@ +{ inputs, config, pkgs, libs, ... }: + +{ + users = { + users.nginx.extraGroups = [ "acme" ]; + groups = { + hosted = { + gid = 1005; + members = [ + "user" + "nginx" + "vaultwarden" + "minecraft" + "paperless" + ]; + }; + }; + }; +} diff --git a/secrets/cloudflare-creds.age b/secrets/cloudflare-creds.age index 7fad4b2..bf0d75d 100644 --- a/secrets/cloudflare-creds.age +++ b/secrets/cloudflare-creds.age @@ -1,8 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 J6tVTA AuDRtyMiVAYNm82o7bMdXfrMzYG7MXfBmcazjdfeYCs -YVzVfFWe5hQiYZDB446lce45XKm6WxtlvhKd8SHTKg0 --> b~-grease o;mGFs I5jK a3#fQ\! -CuBo1T3OSiGVDhUcwIKTX3GRue/mGIRCsWcIobCvJR7Euh/fjA+4+4zd6KHunLIX -1KO1t/MxbnGM+uGCI3sUNdeAehi+HVzJaP3T0AFsvClmAwAgOPI ---- RPJdhx/dUjePriOolSYaWdOIu9zFqJRJHGkzIGeiv8w -BMor
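Review bot: The new `hosted` group merges an interactive account (`user`), the internet-facing nginx, vaultwarden (which holds the encrypted password-vault database) and the minecraft server into one shared group, so anything made group-accessible to `hosted` is readable by whichever of those is compromised first, and with `nginx.group = "hosted"` elsewhere in this commit nginx-created files land in that group by default. Nothing in this diff shows vaultwarden sharing files with the others, so remove `"vaultwarden"` from `members` and add a per-member comment naming what is shared, e.g. `"paperless" # writes /data/paperless, read by user`. Membership is declared here via `groups.hosted.members`, via `users.nginx.extraGroups` in the same file, and via `group = "hosted"` on the jellyfin and changedetection-io services in `hosted-services.nix`; pick one form so the full membership can be audited in one place. Pinning `gid = 1005` is reasonable for stable ownership under `/data`, but a comment stating that intent would help.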
ssh-ed25519 SP9f6A 1SZWt0ytoYmaPSXzzgkKftLR4x5mFjVRXcQi6oXXdDI
+UAORHHJy71MSdnjzi5PN9ol2mGp8lzWh0w/q638owOg
+-> ssh-ed25519 J6tVTA IKmKiBSWG8IuTm8gYVsXhQHb88iQLWo+A/IJPGJEbXE
+9fPmLU9OvMl8YbojCu9/vTfpZEwtUlXFyEtC7v9g3zE
+-> F*^\/j-grease dL~(_L
+3Af37Vb6Bw9txd5o6z+Hh7SO17ZG7o2UNGBX72FIY+pvzgpduzlK4nCYCnElkN2c
+XU2sg0VqF0uFB1Fr
+--- sljT6+4hBVrvVkUyP0DDNu9y7D0TXGOEoXkISnPBbcs
+$C3ijcn_!P