diff --git a/flake.lock b/flake.lock
index 7d7e63b..30e6333 100644
--- a/flake.lock
+++ b/flake.lock
@@ -127,11 +127,11 @@
     "complement": {
       "flake": false,
       "locked": {
-        "lastModified": 1722323564,
-        "narHash": "sha256-6w6/N8walz4Ayc9zu7iySqJRmGFukhkaICLn4dweAcA=",
+        "lastModified": 1720637557,
+        "narHash": "sha256-oZz6nCmFmdJZpC+K1iOG2KkzTI6rlAmndxANPDVU7X0=",
         "owner": "matrix-org",
         "repo": "complement",
-        "rev": "6e4426a9e63233f9821a4d2382bfed145244183f",
+        "rev": "0d14432e010482ea9e13a6f7c47c1533c0c9d62f",
         "type": "github"
       },
       "original": {
@@ -595,11 +595,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1719091691,
-        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "lastModified": 1724489415,
+        "narHash": "sha256-ey8vhwY/6XCKoh7fyTn3aIQs7WeYSYtLbYEG87VCzX4=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "rev": "c7f5b394397398c023000cf843986ee2571a1fd7",
         "type": "github"
       },
       "original": {
@@ -929,11 +929,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1722221733,
-        "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
+        "lastModified": 1725001927,
+        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "12bf09802d77264e441f48e25459c10c93eada2e",
+        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
         "type": "github"
       },
       "original": {
@@ -1184,11 +1184,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1722185531,
-        "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
+        "lastModified": 1725103162,
+        "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
+        "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
         "type": "github"
       },
       "original": {
@@ -1200,11 +1200,11 @@
     },
     "vpsadminos": {
       "locked": {
-        "lastModified": 1722101851,
-        "narHash": "sha256-fM5Z8Qhk9/AbGYJ4VrJilGlFK9btBEF+ROtbYYJZJ1I=",
+        "lastModified": 1725379879,
+        "narHash": "sha256-RXSlp6OS9BNCio8kKajk4yEpntNc2AyozQeDSQa6f3w=",
         "owner": "vpsfreecz",
         "repo": "vpsadminos",
-        "rev": "2c8ff8462a6f4aefb7bd2663d6ddbedd9d161f2c",
+        "rev": "605f2f6c56cb79eb66b2b7d3bec050342d7f43b7",
         "type": "github"
       },
       "original": {
diff --git a/pki/fabian.pub b/pki/fabian.ssh
similarity index 100%
rename from pki/fabian.pub
rename to pki/fabian.ssh
diff --git a/pki/fabian_primary.gpg b/pki/fabian_primary.gpg
new file mode 100644
index 0000000..a84bcab
--- /dev/null
+++ b/pki/fabian_primary.gpg
@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
+pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
+PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
+CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
+clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
+D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
+EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
+wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
+GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
+jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
++ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
+tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
+K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
+7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
+QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
+zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
+T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
+ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
+ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
+CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
+Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
+=PAxr
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/pki/fabian_yubikey.gpg b/pki/fabian_yubikey.gpg
new file mode 100644
index 0000000..15555b9
--- /dev/null
+++ b/pki/fabian_yubikey.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZukhMBYJKwYBBAHaRw8BAQdAC/Gy2p7RPFw3k+ROFnKpJvCVqQb+BUYboE2u
+CP1kz/C0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
+PoiTBBMWCgA7FiEEcgbY7iR0898Y6odvDsFpH/jBqB8FAmbpITACGwMFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQDsFpH/jBqB+oGwEAhmegCZJAt8Opv/9+
+HBbL51f2035qymHPgkV/SyFM1GEBAOVQY6A5U+NrLNiaQTN5Z7jcfQuBobzk4ksn
+RzROhTcAiHUEEBYKAB0WIQR6onfmBKQXORa7tOkf+sNeF5gXTwUCZutnFQAKCRAf
++sNeF5gXT1juAQDsH/lDorfMdWxuP87eV9OP8jQvibuTuZ9n2jUllXsLcQEA5gDJ
+05NW5Tw2g9mvlrocWr7N2/PC5UvFct4akwDXtA+4MwRm6SEwFgkrBgEEAdpHDwEB
+B0AHSmncE+krtL9ZGe4eq865vjaLiUAVnZQaVObKm11CBYh4BBgWCgAgFiEEcgbY
+7iR0898Y6odvDsFpH/jBqB8FAmbpITACGyAACgkQDsFpH/jBqB+hBwD/Y9vAcbPG
+CTmZvtgYlZW5Oey5T3hHoANv1THOZwv9G58BALEBZRvDztmYPjRaMyAMonrpc2P0
+GPHYLcqCPVbjkaAKuDgEZukhMBIKKwYBBAGXVQEFAQEHQC2+QJcHEJjdZikBYeMj
+ks53MjfeawAXU31KtAU60KACAwEIB4h4BBgWCgAgFiEEcgbY7iR0898Y6odvDsFp
+H/jBqB8FAmbpITACGwwACgkQDsFpH/jBqB+0TwD+K4IcFstNGLrijlgH2zuQaI+p
+8QT8AInjSpGfC4zcMlEBAIVYvdTYw4IXPSQOs0qPyR0nhfGIeoBMeWrAAfoxQ0oB
+=wpc0
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/sys/default.nix b/sys/default.nix
index 37f91ea..14867c4 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -62,7 +62,7 @@ with lib; {
       group = "fabian";
       shell = pkgs.zsh;
       extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"];
-      openssh.authorizedKeys.keyFiles = [../pki/fabian.pub];
+      openssh.authorizedKeys.keyFiles = [../pki/fabian.ssh];
     };
     groups.fabian.gid = 1000;
   };
diff --git a/sys/srv/net.nix b/sys/srv/net.nix
index 9d22700..30a92be 100644
--- a/sys/srv/net.nix
+++ b/sys/srv/net.nix
@@ -32,7 +32,19 @@ with lib; {
         "posixlycorrect.com" = {
           forceSSL = true;
           enableACME = true;
-          root = "${pkgs.local.homepage}";
+          locations = {
+            "/".root = "${pkgs.local.homepage}";
+
+            "~ ^/pki(?:/(.*))?$" = { # https://serverfault.com/a/476368
+              alias = "${../../pki}/$1";
+              extraConfig = ''
+                autoindex on;
+                autoindex_exact_size on;
+                autoindex_localtime on;
+                autoindex_format html;
+              '';
+            };
+          };
         };
       };
     };
diff --git a/sys/srv/paperless.nix b/sys/srv/paperless.nix
index 8a2a137..d9fcaa5 100644
--- a/sys/srv/paperless.nix
+++ b/sys/srv/paperless.nix
@@ -30,6 +30,9 @@ with lib; {
         PAPERLESS_URL = "docs.posixlycorrect.com";
         PAPERLESS_OCR_LANGUAGE = "eng+spa";
         PAPERLESS_APP_TITLE = "posixlycorrect";
+        PAPERLESS_OCR_USER_ARGS = {
+          "invalidate_digital_signatures" = true;
+          };
       };
     };
   };