diff --git a/modules/holocron/copyparty/default.nix b/modules/holocron/copyparty/default.nix
index ea998a4..fc24c78 100644
--- a/modules/holocron/copyparty/default.nix
+++ b/modules/holocron/copyparty/default.nix
@@ -63,25 +63,45 @@ in {
     # enable the ${service} service
     services.${service} = {
       enable = true;
-      #      settings = {
-      #      };
-      #      accounts = {
-      #      };
-      #      groups = {
-      #      };
-      #      volumes = {
-      #        flags = {
-      #        };
-      #      };
+      user = service;
+      group = service;
+      settings = {
+        i = "0.0.0.0";
+        p = [7902];
+      };
+      accounts = {
+        blake = {
+          passwordFile = sec."copyparty_passwd".path;
+        };
+      };
+      groups = {
+        media = ["blake"];
+      };
+      volumes = {
+        "/archives" = {
+          path = "/holocron/archives";
+          access = {
+            r = "*";
+            A = "blake";
+          };
+        };
+        "/media" = {
+          path = "/holocron/media";
+          access = {
+            r = "*";
+            w = "@media";
+            A = "blake";
+          };
+        };
+        "/users/blake" = {
+          path = "/holocron/users/blake";
+          access = {
+            A = "blake";
+          };
+        };
+      };
     };
 
-    #    # override umask to make permissions work out
-    #    systemd.services.${service}.serviceConfig = {
-    #      UMask = lib.mkForce "0007";
-    #      #      User = service;
-    #      #      Group = service;
-    #    };
-
     # open firewall
     networking.firewall.allowedTCPPorts = [cfg.port];
 
@@ -104,13 +124,13 @@ in {
         icon = "di:${service}";
       }
     ];
-    #
-    #    sops.secrets = {
-    #      "${service}_" = {
-    #        owner = ;
-    #        group = ;
-    #      };
-    #    };
+
+    sops.secrets = {
+      "${service}_passwd" = {
+        owner = service;
+        group = service;
+      };
+    };
 
     # add to backups
     system.backups.baks = {
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index b5a15ba..e883fe4 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -20,6 +20,8 @@ minecraft_recpro_db_passwd: ENC[AES256_GCM,data:dPAkdEX0hBigo/lND2r3ShxnS4Jc5wTI
 #ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment]
 mosquitto_hashed_passwd: ENC[AES256_GCM,data:k1Lnr8ZTDpzXMoRmRH61X41boX/D8Rm1KPh7x3/IHFo+XKIOUQns53iA+7e7Ohp8uWSthDlOk4SlRvTXdUNiEz7Zmw9LYwy7BHbwpNo2pFApAye1ORPrMrhMUkUfgBgc8oqPPyRXmmrOAFp6GBbRhg==,iv:D8wQL9iF0rqOte5X24kDTVjYUJXbZSLz0Ykbp0HqmYo=,tag:RUCgO1uKPIdumSo563cg1Q==,type:str]
 mosquitto_passwd.yaml: ENC[AES256_GCM,data:9xwHiUaQ6zG/4rkRemXtbRJ/KEV4yajqyYlcXRR1eAQ2XijYOzitPjt53h3FPqp5rxl6dJerXNH5CiZZK3t1l339NxNseJFGVmIHitWJxNmGJMlG3M8r8Q==,iv:C6WWZuVkYaasB2pol3uf4Mc3d/lDEgt2pKX+dHl/Cr4=,tag:jYTC6RKF2TzDSwSUh6D8zQ==,type:str]
+#ENC[AES256_GCM,data:3oMbbBSrbjrqsdiON1ENB8JeKW0=,iv:+/eL/51OA+VHbkWWSNzQId5BlxnMm+5NBA0uKw010Tk=,tag:vBJpCYmvFivBYIKatDWgHw==,type:comment]
+copyparty_passwd: ENC[AES256_GCM,data:I3UYy4nJ0B6RnIp661O0VVqEmxloxxcroBKmNFcgoQ==,iv:sWkPfKqomrNaYFZbn+BeQEugRMlaqi1qJhELqfsGCik=,tag:Sgz56ZW9EY49zfwFDN7whg==,type:str]
 #ENC[AES256_GCM,data:3ATkokBKeOp97uORzaePROrKKfG94ic=,iv:MNJRh6Vrso1heqNUJc0M4xGNcMLGwcF9IzoiQ5+SS+g=,tag:xj8Actwkirvq4GE+Ly1M9w==,type:comment]
 vpncon_mex_config: ENC[AES256_GCM,data:4i356X97sBoRliskmh5ewcEwZHkpo37IhPcemKVdWJgWFWtA+AhTeEo4KQ3dRA1H/n8VjVX7CKZKPDxpmHfcUlnTLT0agtOjjyjf60kWoL8noJqcbDB4wGiYT910rPToVnYMFk0H2lerYp+/n2bhg8BHxn++VlPOOZsgla4El+FNXUqhScpAawySPSF36ocdRJ3r3DuflIhnTBXxSZukMf9Ux1uaFldSG7KasCQlStKy9O2Odd2AvAuGXOHch5KecRPT3WnonQ8oDJpuxbeaosLmtJKHL9oeXHPId2Unc1GNoOpnDC3Y/xGnrPb9WFXWYOSQ/1A3mNKwnVq0FEhluVbqodES4PVIlCS0koiQJq15P15G2z0jO+OhAQrRI5vn3Fki5A==,iv:tQvTpzhl7F7niigAXl61FMHbg6QqI2R7yGD/C2lwOR4=,tag:c+CVLd6lGrAfm38pFXOXTw==,type:str]
 #ENC[AES256_GCM,data:ep/Z5O6RNFwTd0I5hvtk5DP9,iv:M7sclKcTR+IfCEsvz0lZaoZBRZlQsN/FhwuzFNXgVew=,tag:Ddo3Qf8tMBX9Amt7C9m5FA==,type:comment]
@@ -39,7 +41,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-12T00:27:54Z"
-    mac: ENC[AES256_GCM,data:10/OeCnswKYlpPGOxAYwwZRza8Iow6g4RRI9kESFEdnG+VNPuAblDLQ/5YRlf29/cWCWczxfeoCIrUYSjh7zeQgRQ5KSsCTVovJnY0svSnKCN84Mwe6wfOYIaCCbVqB4T8lqaaAHlA2aQEJ/M3aw0lyyYY3b/HCgHWY/5jQzyGE=,iv:xxW2nXBT3uMEKOffqsIVBP5NXAaiv2me2wcaXSn6wxU=,tag:y97BkXOj6rSkki5l0DpIeQ==,type:str]
+    lastmodified: "2025-10-14T19:45:38Z"
+    mac: ENC[AES256_GCM,data:bxMEJTiMZQo4eXmTzamCQALYSdAj7buciSra1kozyahbeD0xkDco5Pgr6AuvnITKcxvINBfS7qJ0GJCwkQ4DNtPqt/b2T9P8QvtYq7iKMbDou81Vni4C24IlHrh/oSl+gF/8G8KVKjeCc2g94xaMrHZfpdSyceNKkr/vSoOkyrk=,iv:Mn46bU1fFxztgFjYSNkGIz4Izi4CiDRlonizfuxNU50=,tag:SlYtnP2bdbwogeQ8h1rHEQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0