diff --git a/.locksverify b/.locksverify
deleted file mode 100644
index e69de29..0000000
diff --git a/secrets/default.nix b/secrets/default.nix
index b2ffdcc..99356d8 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,46 +1,40 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib) mkIf;
-  inherit (config.niksos) server;
-
+{config, ...}: let
   serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
-  abstrServiceUser = x: config.services.${x}.user;
-  abstrServiceGroup = x: config.services.${x}.group;
 in {
   age.secrets = {
-    password.file = ./password.age;
-
-    # NOTE: server things
-    dcbot = mkIf server {
+    transferSh = {
+      file = ./transfer-sh.age;
+      owner = "jsw";
+    };
+    dcbot = {
       file = ./dcbot.age;
-      owner = serviceUser "dcbot"; #
+      owner =
+        if config.niksos.server
+        then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
+        else "root";
     };
-    bread-dcbot = mkIf server {
+    bread-dcbot = {
       file = ./bread-dcbot.age;
-      owner = "bread-dcbot";
+      owner =
+        if config.niksos.server
+        then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
+        else "root";
     };
-    matrix-registration = mkIf server {
+    password.file = ./password.age;
+    matrix-registration = {
       file = ./matrix-registration.age;
-      owner = abstrServiceUser "matrix-continuwuity";
+      owner =
+        if config.niksos.server
+        then config.services.matrix-continuwuity.user
+        else "root";
     };
-    mail-admin = mkIf server {
-      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
+    cloudflare-acme.file = ./cloudflare-acme.age;
+    mail-admin = {
+      # owner = #FIXME: revert when stopped using docker for stalwart.
+      #   if config.niksos.server
+      #   then serviceUser "stalwart-mail"
+      #   else "root";
       file = ./mail-admin.age;
     };
-    zitadel-key = mkIf server {
-      file = ./zitadel-key.age;
-      owner = abstrServiceUser "zitadel";
-    };
-    forgejo-mailpass = mkIf server {
-      file = ./forgejo-mailpass.age;
-      owner = abstrServiceUser "forgejo";
-    };
-    immich-oidc = mkIf server {
-      file = ./immich-oidc.age;
-      owner = abstrServiceUser "immich";
-    };
   };
 }
diff --git a/secrets/forgejo-mailpass.age b/secrets/forgejo-mailpass.age
deleted file mode 100644
index eed7f49..0000000
--- a/secrets/forgejo-mailpass.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA j5yj1cq9FbYSW767zObF4RbJ7Jhx0818BryvWGWwnSw
-LelnyL/SIat9BKl4hsz0n6rl8xPgchk+nQmfb1xkXkU
--> ssh-ed25519 MfR7VA sVGSrPd10dOdnDNROMGW1gLuczlVwMLpymgx6+cCJRE
-8vf0ubRiRUWfc6Mgt0bNq99SgrY4pYJ0f4BHVRn+lYU
--> ssh-ed25519 +cvRTg VK4bHTmw+Oz7JLdP0zEbfKTjNUBtVxcbHX4zyZrQxx4
-1BjqL4TuNJO8VH9c2MT24ZlGz8ifniUZaK4AkK4VjM4
--> ssh-ed25519 WCPLrA lD5KmpPXdvmTGMXMhye/ivnkbb0+XRCpUA4i6JBsK2w
-0LKCxV8vSewkNOLJa+xEZp4w+qIRAVezv37g6hExpb0
--> ssh-ed25519 7/ziYw Yq6qqosp/yOekCO7NBpNTJQVv8NciaSLiDFNuLaOjyA
-8Joor9/H+ExdOQBavTMH13SI9MZgBKQQA2HPxKAF9uU
--> ssh-ed25519 VQy60Q /+R2djdRbYoWq1GzMFSj+gwXGf085axPJHOa0tIeFTs
-dBVQQ7yucfpbmeR82Fp6MR1/IiQun3bqNVCm9qegL2g
---- fHjHEH5JtSZnKnJFC/KDQELHDwVsExA5aeuKN7DvL1M
-ªóAHñæ¥?Û'‰ah·Ç’·¹âÂPñ>"/Þy†ûR¯Æ„!–I—=Æ¾G4äÙº^iXÄ}a:
\ No newline at end of file
diff --git a/secrets/immich-oidc.age b/secrets/immich-oidc.age
deleted file mode 100644
index 11c301f..0000000
--- a/secrets/immich-oidc.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw
-ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY
--> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo
-e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU
--> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY
-abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU
--> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU
-pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U
--> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM
-kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc
--> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U
-FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA
---- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA
-ØE%·ZD¹ Tsˆ˜,Ø5É³ùjLÀOë˜Ô¿z´§±Öï»¸T¤øüƒ¦÷´¬à‹_äûê¤H‰‰ŽnÛÅ*ÔxQ7$çÖûCv`WÈìõàqt%ôN6ò5
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index df90563..2db3699 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,8 +18,6 @@ in {
   "dcbot.age".publicKeys = keys;
   "bread-dcbot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
+  "cloudflare-acme.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
-  "zitadel-key.age".publicKeys = keys;
-  "forgejo-mailpass.age".publicKeys = keys;
-  "immich-oidc.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age
deleted file mode 100644
index f5751e4..0000000
--- a/secrets/zitadel-key.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8
-XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8
--> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30
-QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU
--> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE
-vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE
--> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY
-PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk
--> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c
-UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og
--> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM
-t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA
---- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8
-“JçëªÐqUÐ0¿]D_ÿ—’ÕÓáz=é´1Íž×¶S–!-.t‰="†„ç·¿¸eÂ<KÈáéïö[
\ No newline at end of file
diff --git a/system/server/default.nix b/system/server/default.nix
index c6ac1c8..001c25f 100644
--- a/system/server/default.nix
+++ b/system/server/default.nix
@@ -8,8 +8,8 @@
     ./index
     ./mail.nix
     ./matrix.nix
+    ./seafile.nix
     ./temp.nix
-    ./zitadel.nix
   ];
   options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix
index df2c29a..17086b6 100644
--- a/system/server/forgejo.nix
+++ b/system/server/forgejo.nix
@@ -26,32 +26,11 @@ in {
             ROOT_URL = "https://${DOMAIN}/";
             HTTP_PORT = 9004;
           };
-          service = {
-            ENABLE_INTERNAL_SIGNIN = false;
-            # DISABLE_REGISTRATION = true;
-            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-          };
-          oauth2_client = {
-            ENABLE_AUTO_REGISTRATION = true;
-          };
-          "ui.meta" = {
-            AUTHOR = "JSW Git";
-            DESCRIPTION = "Personal GIT-Forgejo instance.";
-          };
+          service.DISABLE_REGISTRATION = true;
           actions = {
             ENABLED = true;
             DEFAULT_ACTIONS_URL = "github";
           };
-          mailer = {
-            ENABLED = true;
-            SUBJECT_PREFIX = "JSWGit";
-            PROTOCOL = "smtps";
-            SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
-            SMTP_PORT = 465;
-            FROM = "git@jsw.tf";
-            USER = "git";
-            PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
-          };
         };
       };
     };
diff --git a/system/server/immich.nix b/system/server/immich.nix
index 3554292..216b8d2 100644
--- a/system/server/immich.nix
+++ b/system/server/immich.nix
@@ -1,102 +1,61 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }: let
-  inherit (lib) mkIf mkForce mkDefault;
-
   cfg = config.niksos.server;
-  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
-  config-dir = "/run/immich-conf";
-  url = "photos.jsw.tf";
-  httpsUrl = "https://" + url;
 in {
-  config =
-    mkIf cfg
-    {
-      users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
-      services.caddy.virtualHosts.${url}.extraConfig = ''
-        reverse_proxy localhost:9002
-      '';
+  services.immich = {
+    enable = cfg;
 
-      services.immich = mkIf cfg {
-        enable = true;
+    port = 9002;
+    machine-learning.enable = false;
 
-        port = 9002;
-        machine-learning.enable = false;
-
-        accelerationDevices = mkDefault null;
-
-        #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
-        environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
-        settings = {
-          server.externalDomain = httpsUrl;
-          oauth = {
-            enabled = true;
-            autoLaunch = true;
-            autoRegister = true;
-            buttonText = "Login with JSWAuth";
-            clientId = "329735769805619570";
-            clientSecret = oidcSubstitute;
-            issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
-            mobileRedirectUri = "${httpsUrl}/api/oauth/mobile-redirect";
-            mobileOverrideEnabled = true;
-          };
-          passwordLogin.enabled = false;
-          ffmpeg = {
-            crf = 23;
-            threads = 0;
-            preset = "ultrafast";
-            targetVideoCodec = "h264";
-            acceptedVideoCodecs = [
-              "h264"
-            ];
-            targetAudioCodec = "aac";
-            acceptedAudioCodecs = [
-              "aac"
-              "mp3"
-              "libopus"
-              "pcm_s16le"
-            ];
-            acceptedContainers = [
-              "mov"
-              "ogg"
-              "webm"
-            ];
-            targetResolution = "720";
-            maxBitrate = "0";
-            bframes = -1;
-            refs = 0;
-            gopSize = 0;
-            temporalAQ = false;
-            cqMode = "auto";
-            twoPass = false;
-            preferredHwDevice = lib.mkDefault "auto";
-            transcode = "all";
-            tonemap = "hable";
-            accel = lib.mkDefault "vaapi";
-            accelDecode = true;
-          };
-        };
-      };
-
-      systemd = {
-        services.immich-server = {
-          preStart = let
-            refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
-            newConfig = "${config-dir}/immich.json";
-            replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-          in ''
-            umask 077
-            cp -f '${refConfig}' '${newConfig}'
-            chmod u+w '${newConfig}'
-            ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
-          '';
-        };
-        tmpfiles.rules = [
-          "d ${config-dir} 0700 immich immich"
+    settings = {
+      server.externalDomain = "https://photos.jsw.tf";
+      ffmpeg = {
+        crf = 23;
+        threads = 0;
+        preset = "ultrafast";
+        targetVideoCodec = "h264";
+        acceptedVideoCodecs = [
+          "h264"
         ];
+        targetAudioCodec = "aac";
+        acceptedAudioCodecs = [
+          "aac"
+          "mp3"
+          "libopus"
+          "pcm_s16le"
+        ];
+        acceptedContainers = [
+          "mov"
+          "ogg"
+          "webm"
+        ];
+        targetResolution = "720";
+        maxBitrate = "0";
+        bframes = -1;
+        refs = 0;
+        gopSize = 0;
+        temporalAQ = false;
+        cqMode = "auto";
+        twoPass = false;
+        preferredHwDevice = lib.mkDefault "auto";
+        transcode = "all";
+        tonemap = "hable";
+        accel = lib.mkDefault "vaapi";
+        accelDecode = true;
       };
     };
+
+    accelerationDevices = lib.mkDefault null;
+  };
+  users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
+
+  services.caddy.virtualHosts."photos.jsw.tf" = {
+    extraConfig = ''
+      reverse_proxy localhost:9002
+    '';
+  };
 }
diff --git a/system/server/seafile.nix b/system/server/seafile.nix
new file mode 100644
index 0000000..ac18412
--- /dev/null
+++ b/system/server/seafile.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: {
+  services.seafile = {
+    enable = config.niksos.server;
+    seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
+
+    adminEmail = "jurnwubben@gmail.com";
+    initialAdminPassword = "ChangeMeTheFuckNow!";
+
+    gc.enable = true;
+
+    ccnetSettings.General.SERVICE_URL = "https://files.jsw.tf";
+    seahubExtraConf = ''
+      ALLOWED_HOSTS = ['.files.jsw.tf']
+      CSRF_COOKIE_SECURE = True
+      CSRF_COOKIE_SAMESITE = 'Strict'
+      CSRF_TRUSTED_ORIGINS = ['https://files.jsw.tf', 'https://www.files.jsw.tf']
+
+      SITE_NAME = "JSW Cloud"
+      SITE_TITLE = "JSW Cloud"
+    '';
+    seafileSettings = {
+      quota.default = 30;
+      history.keep_days = 40;
+      library_trash.expire_days = 14;
+      fileserver = {
+        host = "unix:/run/seafile/server.sock";
+        web_token_expire_time = 14400; # 4 hours
+        max_download_dir_size = 100000; # 100gb max download size.
+      };
+    };
+  };
+
+  services.caddy.virtualHosts."files.jsw.tf" = {
+    # serverAliases = ["www.share.jsw.tf"];
+    extraConfig = ''
+           handle_path /seafhttp/* {
+      reverse_proxy * unix//run/seafile/server.sock
+           }
+           handle_path /* {
+      reverse_proxy * unix//run/seahub/gunicorn.sock
+           }
+    '';
+  };
+}
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
deleted file mode 100644
index 7bd32a7..0000000
--- a/system/server/zitadel.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  ExternalDomain = "z.jsw.tf";
-  Port = 9000;
-in {
-  config =
-    lib.mkIf config.niksos.server
-    {
-      services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
-        reverse_proxy localhost:${builtins.toString Port}
-      '';
-
-      # services.zitadel = {
-      #   enable = true;
-      #   masterKeyFile = config.age.secrets.zitadel-key.path;
-      #   settings = {
-      #     inherit Port ExternalDomain;
-      #     ExternalPort = 443;
-      #   };
-      #   extraSettingsPaths = [config.age.secrets.zitadel.path];
-      # };
-      systemd.services.zitadel = {
-        requires = ["postgresql.service"];
-        after = ["postgresql.service"];
-      };
-
-      services = {
-        zitadel = {
-          enable = true;
-          masterKeyFile = config.age.secrets.zitadel-key.path;
-          settings = {
-            inherit Port ExternalDomain;
-            ExternalPort = 443;
-            Database.postgres = {
-              Host = "/var/run/postgresql/";
-              Port = 5432;
-              Database = "zitadel";
-              User = {
-                Username = "zitadel";
-                SSL.Mode = "disable";
-              };
-              Admin = {
-                Username = "zitadel";
-                SSL.Mode = "disable";
-                ExistingDatabase = "zitadel";
-              };
-            };
-            ExternalSecure = true;
-          };
-          steps.FirstInstance = {
-            InstanceName = "jsw";
-            Org = {
-              Name = "jsw";
-              Human = {
-                UserName = "jsw@jsw.tf";
-                FirstName = "Jurn";
-                LastName = "Wubben";
-                Email.Verified = true;
-                Password = "Changeme1!";
-                PasswordChangeRequired = true;
-              };
-            };
-            LoginPolicy.AllowRegister = false;
-          };
-          openFirewall = true;
-        };
-
-        postgresql = {
-          enable = true;
-          enableJIT = true;
-          ensureDatabases = ["zitadel"];
-          ensureUsers = [
-            {
-              name = "zitadel";
-              ensureDBOwnership = true;
-              ensureClauses.login = true;
-              ensureClauses.superuser = true;
-            }
-          ];
-        };
-      };
-    };
-}