diff --git a/README.md b/README.md
index 13e3736..24ecfaf 100644
--- a/README.md
+++ b/README.md
@@ -66,8 +66,9 @@
 * [ ] transgui config
 * [x] secrets - nix-sops ?
 * [x] flexget
+ * [ ] microbin
 * [ ] transmission
- * [ ] transmission remote gui
+ * [ ] transmission remote gui (requires sops in home-manager)
 * [x] domeneshop
 * [ ] webdav
 * [ ] code-remote
diff --git a/hosts/noximilien/default.nix b/hosts/noximilien/default.nix
index 44fcdaa..23e753d 100644
--- a/hosts/noximilien/default.nix
+++ b/hosts/noximilien/default.nix
@@ -53,7 +53,7 @@
 #../../profiles/web/services/cryptpad.nix
 #../../profiles/web/services/galene.nix
 #../../profiles/web/services/graphana.nix
- #../../profiles/web/services/hedgedoc.nix
+ ../../profiles/web/services/hedgedoc.nix
 #../../profiles/web/services/home-assistant.nix
 #../../profiles/web/services/jitsi-meet.nix
 #../../profiles/web/services/kukkee
diff --git a/profiles/web/services/flexget.nix b/profiles/web/services/flexget.nix
index ff46c57..ee6f729 100644
--- a/profiles/web/services/flexget.nix
+++ b/profiles/web/services/flexget.nix
@@ -9,6 +9,7 @@ in
 sops.secrets.flexget.owner = "flexget";
 sops.secrets.flexget.group = "flexget";
+ sops.secrets.flexget.restartUnits = [ "flexget.service" ];
 services.flexget = {
 enable = true;
diff --git a/profiles/web/services/hedgedoc.nix b/profiles/web/services/hedgedoc.nix
index 9ed01f6..9586aff 100644
--- a/profiles/web/services/hedgedoc.nix
+++ b/profiles/web/services/hedgedoc.nix
@@ -3,19 +3,42 @@
 # hedgedoc
 # Realtime collaborative markdown notes on all platforms
+ sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
+ sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
+ sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];
+
 services.hedgedoc = {
- #enable = true; # FIXME: make it load
- settings.host = "127.0.0.1";
+ enable = true; # FIXME: make it load
+ environmentFile = config.sops.secrets."hedgedoc/env-file".path;
+
+ settings.host = "localhost";
 settings.port = 44776;
- settings.db.dialect = "sqlite";
- settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
+
+ # reverse proxy
 settings.domain = mkDomain "hedgedoc";
- settings.allowAnonymous = true;
+ settings.hsts.enale = true;
+ settings.useSSL = false; # we terminate ssl with nginx
+ settings.protocolUseSSL = true; # https:// prefix
+ settings.urlAddPort = false;
+
+ settings.db.dialect = "sqlite";
+ settings.db.storage = "${config.services.hedgedoc.workDir}/db.sqlite";
+
+ settings.email = false; # email sign-in
+ settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
+ #settings.allowAnonymous = false; # default is true
 settings.allowEmailRegister = false; # default is true
 settings.allowAnonymousEdits = false; # default is false
- settings.protocolUseSSL = true; # https prefix
- settings.useSSL = false; # nginx terminates ssl
- #settings.csp = {TODO}; # content security policy
+ #settings.uploadsPath
+
+ # content security policy
+ #settings.csp = {
+ # enable = true;
+ # addDefaults = true;
+ # upgradeInsecureRequest = "auto";
+ # #directives.scriptSrc = "trustworthy.scripts.example.com";
+ #};
+ #settings.useCDN = true;
 #settings.debug = true;
 # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
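Review bot: `settings.hsts.enale = true;` misspells `hsts.enable`; `services.hedgedoc.settings` is a freeform attribute set that is serialised into hedgedoc's config as given, so the unknown key is silently ignored and HSTS stays at its default instead of being turned on — change it to `settings.hsts.enable = true;`. The `# FIXME: make it load` comment was carried over from the commented-out line onto the now-active `enable = true;`, so it reads as a live defect; drop it if the service starts with the new `environmentFile`, or say what still fails. The storage path also moves from `db.hedgedoc.sqlite` to `db.sqlite`; if a database was ever created under the old name in `workDir`, the service would presumably come up empty, so a comment stating the rename is intentional (or renaming the file) would help. The enclosing attribute set continues past this hunk.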
@@ -25,10 +48,24 @@ forceSSL = true; # addSSL = true;
 enableACME = true;
 #useACMEHost = acmeDomain;
 locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
+ proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
 proxyWebsockets = true;
 # TODO: proxy headers:
 # https://docs.hedgedoc.org/guides/reverse-proxy/
+ extraConfig = ''
+ auth_basic "Ke 'e e u vill?!?";
+ auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
 };
+ extraConfig= ''
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy strict-origin-when-cross-origin;
+ '';
 };
 }
diff --git a/profiles/web/services/microbin.nix b/profiles/web/services/microbin.nix
index 0adce51..bf6d0fb 100644
--- a/profiles/web/services/microbin.nix
+++ b/profiles/web/services/microbin.nix
@@ -34,7 +34,7 @@ in
 ]; # https://github.com/szabodanika/microbin/issues/106
- #EnvironmentFile = "/var/lib/secrets/microbin.env"; # TODO: sops
+ #EnvironmentFile = "/run/secrets/microbin-env"; # TODO: sops
 #Environment.MICROBIN_AUTH_USERNAME="foo";
 #Environment.MICROBIN_AUTH_PASSWORD="bar";
diff --git a/secrets/noximilien.yaml b/secrets/noximilien.yaml
index 58d7b41..5c7e697 100644
--- a/secrets/noximilien.yaml
+++ b/secrets/noximilien.yaml
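Review bot: The context line `# TODO: proxy headers:` just above the new `extraConfig` in `locations."/"` is now stale, since the block sets exactly the `proxy_set_header` lines the linked guide asks for; replace it with `# proxy headers, see:` and keep the docs URL beneath it. The server-level `add_header` lines apply inside `locations."/"` only because that location currently declares no `add_header` of its own — nginx stops inheriting `add_header` from the enclosing level as soon as a lower level adds one — so a comment such as `# add_header is not inherited once a location sets its own; keep all of them here or repeat them per location` on the `extraConfig= ''` line would keep a later edit from silently dropping the X-Frame-Options/nosniff/Referrer-Policy headers. The missing space in `extraConfig= ''` also differs from the `extraConfig = ''` written a few lines earlier in the same hunk. The virtualHost attribute set this hunk edits starts before the hunk.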
@@ -1,4 +1,7 @@
 flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
+hedgedoc:
+ env-file: ENC[AES256_GCM,data:evTDjmO3oBTBVUPArwlfZiDCsU7QMTFWw+LzpFedROBgGhElY/vhSM6qHXWjfyMopg9eFYgcPsXgxti0ZmpdTkoItNFzo/MpbI8msgclI20AxogfsT/jkMJaEPB7W3X4PyMqm6D/zRVwWGh3Vtqm3Ze1yf4=,iv:0XoqGvS/Y5O0n4zZ7mGBBJU6JZRm5g92McLwRnIXx/U=,tag:uqIwBAEFWVk4pFkZcCiEoQ==,type:str]
+ htpasswd: ENC[AES256_GCM,data:qc1DDiJydPxxjPZQy2Rdh860ylZBrpbk1yj8BRd71yjPWpnxCY1869qZp4HFv4ptdyL4BRoYvJUikpb7RGVc6CbOb7l7I5ov8NA8hEEa3HB6lGjvVV4=,iv:NnXlJZ/LLhMmrAFA/efk6LHjm/1aexWFsAsA4GUgxsI=,tag:jL5ymk5CsZ3TPCfL39CDwQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -32,8 +35,8 @@ sops:
 SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
 jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-10-14T23:43:49Z"
- mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str]
+ lastmodified: "2023-10-15T20:59:15Z"
+ mac: ENC[AES256_GCM,data:2AFjhWJ7JriF9Mmj1cbHlVCOdyrLvWcEyspH79xWB7CauvI8sWafZd9yO4nq5ZxwOFIZxulbWADNc8oW7y5EhLDZapTwbxEl9GDhOm8O2z4HUrbXtXoQVRcjJFCE+17TLXBwsbLu15ji0xMLgfmVBoUgHntIFcSPID3L8FYSdLU=,iv:bWSLlTsdlIAE5Rujq22cLc8xWGrU8jkNtd2NahdOzl8=,tag:nxgUbd/A4gxPeBpCmSfzzw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3