diff --git a/.sops.yaml b/.sops.yaml
index 0fd042a..96b61cd 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -113,3 +113,8 @@ creation_rules:
       - age:
           - *yt
           - *cy
+  - path_regex: secrets/services/zipline.yaml
+    key_groups:
+      - age:
+          - *chunk
+          - *cy
diff --git a/flake.lock b/flake.lock
index b36b229..5f4fb3a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,21 @@
 {
   "nodes": {
+    "anki": {
+      "locked": {
+        "lastModified": 1739471491,
+        "narHash": "sha256-ZCKWgsNqKWkVOAQFaFSmK3EN/uDdamNOcSItzvooWYs=",
+        "owner": "cything",
+        "repo": "nixpkgs",
+        "rev": "1562f5286858b3c1e5ea7e60f4bf6b3578519248",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cything",
+        "repo": "nixpkgs",
+        "rev": "1562f5286858b3c1e5ea7e60f4bf6b3578519248",
+        "type": "github"
+      }
+    },
     "attic": {
       "inputs": {
         "crane": "crane",
@@ -1265,6 +1281,7 @@
     },
     "root": {
       "inputs": {
+        "anki": "anki",
         "conduwuit": "conduwuit",
         "crane": "crane_2",
         "disko": "disko",
diff --git a/flake.nix b/flake.nix
index 9ef5b79..b9d76bf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -100,6 +100,9 @@
     flake-utils.url = "github:numtide/flake-utils";
     crane.url = "github:ipetkov/crane";
     flake-compat.url = "github:edolstra/flake-compat";
+
+    # unmerged PRs
+    anki.url = "github:cything/nixpkgs/1562f5286858b3c1e5ea7e60f4bf6b3578519248";
   };
 
   nixConfig = {
diff --git a/home/codium.nix b/home/codium.nix
index accda10..b35231a 100644
--- a/home/codium.nix
+++ b/home/codium.nix
@@ -7,16 +7,19 @@
     enableExtensionUpdateCheck = false;
     mutableExtensionsDir = false;
     extensions =
-      (with pkgs.open-vsx; [
-        vscodevim.vim
-        jnoortheen.nix-ide
-        editorconfig.editorconfig
-        github.github-vscode-theme
-        rust-lang.rust-analyzer
-      ])
-      ++ (with pkgs.vscode-marketplace; [
-        github.codespaces
-      ]);
+      # if unfree
+      # (with pkgs.vscode-marketplace; [
+      (
+        with pkgs.open-vsx;
+        [
+          vscodevim.vim
+          jnoortheen.nix-ide
+          editorconfig.editorconfig
+          github.github-vscode-theme
+          rust-lang.rust-analyzer
+          shd101wyy.markdown-preview-enhanced
+        ]
+      );
     userSettings = {
       "workbench.colorTheme" = "GitHub Dark Default";
       "files.autoSave" = "afterDelay";
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index 9577771..aeb7906 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -72,6 +72,9 @@
     "tailscale/auth" = {
       sopsFile = ../../secrets/services/tailscale.yaml;
     };
+    "zipline/env" = {
+      sopsFile = ../../secrets/services/zipline.yaml;
+    };
   };
 
   boot = {
@@ -207,4 +210,5 @@
   environment.enableAllTerminfo = true;
 
   my.roundcube.enable = true;
+  my.zipline.enable = true;
 }
diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix
index a6f39dd..e6c8af1 100644
--- a/hosts/chunk/garage.nix
+++ b/hosts/chunk/garage.nix
@@ -8,7 +8,7 @@
       s3_api = {
         s3_region = "earth";
         api_bind_addr = "[::]:3900";
-        root_domain = ".s3.cy7.sh";
+        root_domain = "s3.cy7.sh";
       };
       s3_web = {
         bind_addr = "[::]:3902";
diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix
index 37b8763..cd3a38e 100644
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@@ -402,4 +402,9 @@
     enable = true;
     enableQt5Integration = true;
   };
+
+  programs.appimage = {
+    enable = true;
+    binfmt = true;
+  };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 810c2f4..96ea519 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,5 +4,6 @@
     ./backup.nix
     ./caddy.nix
     ./roundcube.nix
+    ./zipline.nix
   ];
 }
diff --git a/modules/zipline.nix b/modules/zipline.nix
new file mode 100644
index 0000000..b66cad6
--- /dev/null
+++ b/modules/zipline.nix
@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.my.zipline;
+in
+{
+  options.my.zipline = {
+    enable = lib.mkEnableOption "zipline";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.zipline = {
+      enable = true;
+      settings = {
+        CORE_PORT = 3001;
+        DATASOURCE_TYPE = "s3";
+        DATASOURCE_S3_ENDPOINT = "e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
+        DATASOURCE_S3_BUCKET = "zipline";
+        DATASOURCE_S3_REGION = "auto";
+        DATASOURCE_S3_USE_SSL = "true";
+        DATASOURCE_S3_FORCE_S3_PATH = "false";
+        FEATURES_THUMBNAILS = "true";
+        EXIF_REMOVE_GPS = "true";
+        CHUNKS_CHUNKS_SIZE = "50mb";
+        CHUNKS_MAX_SIZE = "95mb";
+        FEATURES_OAUTH_REGISTRATION = "true";
+      };
+      environmentFiles = [ config.sops.secrets."zipline/env".path ];
+    };
+
+    services.caddy.virtualHosts."host.cy7.sh".extraConfig = ''
+      import common
+      reverse_proxy 127.0.0.1:3001
+    '';
+  };
+}
diff --git a/overlay/default.nix b/overlay/default.nix
index 219f1ad..5695d30 100644
--- a/overlay/default.nix
+++ b/overlay/default.nix
@@ -20,6 +20,7 @@ importedOverlays
       lldb = pkgFrom stable "lldb";
       calibre = pkgFrom stable "calibre";
       nil = inputs.nil.packages.${prev.system}.nil;
+      anki = pkgFrom inputs.anki "anki-bin";
     }
   )
 ]
diff --git a/secrets/services/zipline.yaml b/secrets/services/zipline.yaml
new file mode 100644
index 0000000..b82f9a3
--- /dev/null
+++ b/secrets/services/zipline.yaml
@@ -0,0 +1,31 @@
+zipline:
+    env: ENC[AES256_GCM,data:lsR/+bET/C7ssik0xv5IBITT+KEnoyqNjSZ9jvkkb7lmNAQzow6dCm1nprfimiJC0EF2LyiEPm0wchdtrLTNEtUkJWkworEJXeWGrGGbHgZW0/HC1BSERqlLmZTPyLWkhsl3rObvuhRoTKlUN5EMwtK8x06aOX6PcxLdwVjps7UxkBXej712IcKPvHVSJIQMvVHP2lqSppJc+sEMt4u3Vnf1ZYGsQS3bWnI7w40sOdGR8LGBadfmWwIj0/3XTaG7S7Lhi4AOFGZtpdyOmxxIH3Vd5qesfiqPHm0nTmu/JxPftYm+F/hDnbJHrbg7cNVlJahDFtQp8QdlVvdMU3ccNptpRXGWIwFOz3JtuzDo7pxkYRqO2dKqYbKhOknrMW0PYuB48XEKj3e4Q+T8tUhFTsOHfqT0J8ati26dQaUO5wvw22o=,iv:QeR8fU9bRVO5OuqjbEeiC1vihbLxrNgnR0k0K/mRmSw=,tag:6x2XELOlJ9JWeOuVBBHNpg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUDFDSnFEM1NZK0lSMnUx
+            YkI3MWlpY1VjYXdaKzBCOFc5NWp5NXdBbkdVCmI0Z2tuSXBOSFN2NXJTUWxKQXNu
+            SGhhTTYzUDFSOFFXdU5aVHlmYnJNa1UKLS0tIGlrUTErQkVRdFBYYWxUcklHaUVY
+            UkQ3eVlDR2lMOEZGNXRjU3J3RXpwZkUKNJL/dvPsGu0AJiXryR8uSM0jE//cQi0b
+            AeYUjXLRcouUq5zWL6AsKDOUAo9t//AAFZqv3DGUboR8UzdymYRYMw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Wk9ZYkExU3k0ZWpOZEhF
+            TkswRGxTd1hpcGJaa1pmcUJFQnZMcGV6L0ZFCnp3K05YdU56WUl1TktVSFNQWWZH
+            bG5COXVuSjFCUWpEYXQweVFPaDAzcTQKLS0tIFgralQ1TWUzajVOM3RyS3RDcnRx
+            WHZSeVJIaGRldmhmcWZvT3YzL3hPbFEKVUtCU1l/RhFOlwdjE0ejW/Ym+cMVNxIW
+            AdvVcWoilMGTsDJIIlLu7fPbhmGotPvqGjxMC2yEpEgJUt/rsz2vPA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-14T03:37:09Z"
+    mac: ENC[AES256_GCM,data:KViPAUWWpE5UTZOp55f3QeXhHkXBvyl9Np/Tlj5bY7t3qt1U370OLq1yL87WWbvRWa/K/ZYN2gjN16dgfp5o834VniSJM6dnw+vC76QNaXjCfE2HKozRx6NlHFMflzzV8TXvqzJvuPa43E8DRaBctY2a7aIbJ4DJki1dfmrrO3Y=,iv:vPeMWOWQNZX3t4BoYzpuI74tZJ3rCXwbxmqcRAW5ZXY=,tag:i4ZjIXg0JOj2U2jMwurChw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4