diff --git a/machines/gerd.nix b/machines/gerd.nix
index f2ea44e..d62607a 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -25,13 +25,6 @@
     ./gerd/services/matrix-synapse.nix
   ];
 
-  # TODO: place this a better place
-  zramSwap = {
-    enable = true;
-    memoryPercent = 75;
-    algorithm = "lz4";
-  };
-
   networking.hostName = "gerd";
   networking.hostId = "e1166ac9";
 
@@ -64,6 +57,14 @@
     };
   };
 
+  # setup zramswap (we are very ram limited)
+  zramSwap = {
+    enable = true;
+    memoryPercent = 75;
+    algorithm = "lz4";
+  };
+
+
   # TMP FIX FOR https://github.com/nix-community/impermanence/issues/229
   boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
   systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
diff --git a/machines/gerd/services/authelia/authelia-nginx.nix b/machines/gerd/services/authelia/authelia-nginx.nix
index 96d08f2..b58399a 100644
--- a/machines/gerd/services/authelia/authelia-nginx.nix
+++ b/machines/gerd/services/authelia/authelia-nginx.nix
@@ -76,12 +76,8 @@ let
     error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url;
   '';
 in {
-  # TODO: fix this
-  mine.shared.lib.authelia.autheliaLocation = autheliaLocation;
-
-  mine.shared.lib.authelia.mkProtectedWebsite = { vhostConfig, endpoint ? "/" }: lib.recursiveUpdate vhostConfig {
-    extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostConfig) + "\n" + "include ${autheliaLocation};";
-    locations."${endpoint}" = config.mine.shared.lib.authelia.mkProtectedLocation (lib.attrByPath [ "locations" endpoint ] {} vhostConfig);
+  mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
+    extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};";
   };
 
   mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
diff --git a/machines/gerd/services/member-website/default.nix b/machines/gerd/services/member-website/default.nix
index c92daac..738da25 100644
--- a/machines/gerd/services/member-website/default.nix
+++ b/machines/gerd/services/member-website/default.nix
@@ -18,9 +18,7 @@ in {
   };
 
   services.nginx.virtualHosts."${config.mine.shared.settings.domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
-    endpoint = urlpath;
-    vhostConfig.locations."${urlpath}" = {
-      # extraConfig = "rewrite ^${urlpath}(.*)$ /$1 break;";
+    locations."${urlpath}" = config.mine.shared.lib.authelia.mkProtectedLocation {
       proxyPass = "http://localhost:${builtins.toString port}";
     };
   };
diff --git a/machines/gerd/services/wger/default.nix b/machines/gerd/services/wger/default.nix
index 535cd9e..afe2ffa 100644
--- a/machines/gerd/services/wger/default.nix
+++ b/machines/gerd/services/wger/default.nix
@@ -8,15 +8,8 @@ let
 
   wgerpkgs = pkgs.callPackage ./wgerpkg/default.nix {};
 
-# # Application settings
-# WGER_SETTINGS['EMAIL_FROM'] = 'wger Workout Manager <wger@example.com>'
-# WGER_SETTINGS["ALLOW_REGISTRATION"] = True
-# WGER_SETTINGS["ALLOW_GUEST_USERS"] = True
-# WGER_SETTINGS["ALLOW_UPLOAD_VIDEOS"] = False
-# WGER_SETTINGS["MIN_ACCOUNT_AGE_TO_TRUST"] = 21  # in days
-# WGER_SETTINGS["EXERCISE_CACHE_TTL"] = 3600  # in seconds
   wger_settings = {
-    EMAIL_FROM = "wger Workout Manager <wger@example.com>";
+    EMAIL_FROM = "wger Workout Manager <wger@${config.mine.shared.settings.domain}>";
     ALLOW_REGISTRATION = true;
     ALLOW_GUEST_USERS = true;
     ALLOW_UPLOAD_VIDEOS = false;
@@ -25,14 +18,8 @@ let
   };
 
   django_settings = rec {
-    DEBUG = true;
+    DEBUG = false;
     DATABASES.default = {
-        # ENGINE = "django.db.backends.sqlite3";
-        # NAME = "${statedir}/database.sqlite";
-        # USER = "";
-        # PASSWORD = "";
-        # HOST = "";
-        # PORT = "";
         ENGINE = "django.db.backends.postgresql";
         NAME = "wger";
         USER = "wger";
@@ -41,31 +28,36 @@ let
         PORT = "";
     };
 
-    ADMINS = [["Your Name" "test@test.dk"]];
+    ADMINS = [["admin" "admin@${config.mine.shared.settings.domain}"]];
     MANAGERS = ADMINS;
 
-    TIME_ZONE = "Europe/Berlin";
+    TIME_ZONE = "Europe/Copenhagen";
 
-    SECRET_KEY = "2w!yl6ausb-$05#mjnec)g_h#nc9pzzw0c(kvaskocvyyg1oqc";
-
-    SITE_URL = "http://localhost:8100";
+    SECRET_KEY = "$SECRET_KEY";
 
+    SITE_URL = "https://${svc_domain}";
     MEDIA_ROOT = "${statedir}/media";
     MEDIA_URL = "/media/";
 
-    EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend";
-
-# DEFAULT_FROM_EMAIL = WGER_SETTINGS['EMAIL_FROM']
 
+    # EMAIL
+    EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend";
+    EMAIL_HOST = config.mine.shared.settings.mail.domain_smtp;
+    EMAIL_PORT = config.mine.shared.settings.mail.ports.submissions;
+    EMAIL_USE_SSL = true;
+    EMAIL_HOST_USER = "wger";
+    EMAIL_HOST_PASSWORD = "$EMAIL_HOST_PASSWORD";
+    EMAIL_FROM_ADDRESS = wger_settings.EMAIL_FROM;
     EMAIL_PAGE_DOMAIN = SITE_URL;
 
+    # setup allowed hosts
     CSRF_TRUSTED_ORIGINS = [ "https://${svc_domain}" ];
     ALLOWED_HOSTS = [ svc_domain ];
 
+    # disable recaptcha
     RECAPTCHA_PUBLIC_KEY = "";
     RECAPTCHA_PRIVATE_KEY = "";
     USE_RECAPTCHA = false;
-
   };
 
   wger_settings_file = pkgs.writeText "settings.json" (builtins.toJSON wger_settings);
@@ -73,50 +65,73 @@ let
   settingsFile = pkgs.writeText "settings.py" ''
     from wger.settings_global import *
     import json
+    import os
     
     with open("${django_settings_file}") as f:
-        globals().update(json.load(f))
+        for k, v in json.load(f).items():
+            if isinstance(v, str) and v.startswith("$"):
+                v = os.environ[v[1:]]
+
+            globals()[k] = v
     
     with open("${wger_settings_file}") as f:
-        WGER_SETTINGS.update(json.load(f))
+        for k, v in json.load(f).items():
+            if isinstance(v, str) and v.startswith("$"):
+                v = os.environ[v[1:]]
+
+            WGER_SETTINGS[k] = v
   '';
 in {
 
+  # main service
   systemd.services.wger = {
     description = "wger fitness";
     wantedBy = [ "multi-user.target" ];
     after = [ "networking.target" ];
-    script = ''
-      # general wger things
-      ${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
-      # ${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
-      # ${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
 
-      # manage things
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-ingredient-images || true
-      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
-      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
+    script = ''
+      # initial setup
+      ${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
+      ${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
 
       # run server
       ${wgerpkgs}/bin/wger start -s ${settingsFile}
     '';
 
     serviceConfig = {
+      EnvironmentFile = config.age.secrets.wger-env.path;
+
       User = "wger";
       Group = "wger";
-      
     };
   };
-  users.users."${wger_user}"= {
-    uid = 738;
-    isSystemUser = true;
-    group = wger_user;
-    
+
+  # periodic keep up-to-date
+  systemd.timers."wger-housekeeping" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "daily";
+  };
+  
+  systemd.services."wger-housekeeping" = {
+    after = [ "wger.service" ];
+    requires = [ "wger.service" ];
+    script = ''
+      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
+      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
+      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
+      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
+      ${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
+      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
+    '';
+
+    serviceConfig = {
+      EnvironmentFile = config.age.secrets.wger-env.path;
+
+      # Type = "oneshot";
+      User = "wger";
+      Group = "wger";
+    };
   };
-  users.groups."${wger_user}".gid = 738;
 
   services.postgresql = {
     ensureDatabases = [ wger_user ];
@@ -127,13 +142,18 @@ in {
   };
 
 
-  services.nginx.virtualHosts."${svc_domain}" = {
+  # setup users
+  users.users."${wger_user}"= {
+    uid = 738;
+    isSystemUser = true;
+    group = wger_user;
+  };
+  users.groups."${wger_user}".gid = 738;
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
     forceSSL = true;
     enableACME = true;
-
-    extraConfig = ''
-      include ${config.mine.shared.lib.authelia.autheliaLocation};
-    '';
     
     locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
       proxyPass = "http://localhost:${builtins.toString port}";
@@ -146,4 +166,19 @@ in {
     locations."/media".proxyPass = "http://localhost:${builtins.toString port}";
     locations."/api".proxyPass = "http://localhost:${builtins.toString port}";
   };
+
+  # metadata
+  mine.shared.meta.wger = {
+    name = "Wger";
+    description = "We host Wger, which is a FLOSS fitness/workout/nutrition and weight tracker, with FLOSS apps, read more [here](https://wger.de/).";
+    url = "https://${svc_domain}";
+
+    package = let
+      pkg = wgerpkgs;
+    in {
+      name = pkg.pname;
+      version = pkg.version;
+      meta = pkg.meta;
+    };
+  };
 }
diff --git a/machines/gerd/services/wger/wgerpkg/default.nix b/machines/gerd/services/wger/wgerpkg/default.nix
index 8a9b38b..0148e84 100644
--- a/machines/gerd/services/wger/wgerpkg/default.nix
+++ b/machines/gerd/services/wger/wgerpkg/default.nix
@@ -9,7 +9,7 @@ let
   frontend = callPackage ./frontend.nix {};
 in python3.pkgs.buildPythonApplication rec {
   pname = "wger";
-  version = "unstable";
+  version = "unstable-2024-12-01";
   pyproject = true;
 
   src = fetchFromGitHub {
diff --git a/secrets/default.nix b/secrets/default.nix
index 458e408..5ee11a2 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -38,6 +38,9 @@
 
     # matrix-synapse
     matrix-synapse-config-authelia-secret.file = ./matrix-synapse/config-authelia-secret.age;
+
+    # wger
+    wger-env.file = ./wger/env.age;
   };
 
   users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 499f8de..4a5c194 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -48,4 +48,7 @@ in
 
   # matrix-synapse
   "matrix-synapse/config-authelia-secret.age".publicKeys = defaultAccess;
+
+  # wger
+  "wger/env.age".publicKeys = defaultAccess;
 }
diff --git a/secrets/wger/env.age b/secrets/wger/env.age
new file mode 100644
index 0000000..c848bf6
--- /dev/null
+++ b/secrets/wger/env.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg KGoB/V0cCAZsfVmoLDmA5Xs2HOHqjg54TYqixYQduEw
+sqDb6QnEbwEncAbxKLRLkjCQIwMLBTNMVcejFOwhZWM
+-> X25519 o64XZRaiK7ZEquTMmXTyhpdArawiuXC+5W5seFrJclY
+qTLXrNGMTPAXs5EzMuCiQ07Ho2LT1KTku2f1AlCHPlk
+-> ssh-ed25519 n8n9DQ a8ESfbksuY++k52UJwTKJtb4/aiYzQqUgyYqfug5oyA
+bZygFOW6YSg83CmZRpsNDux+UgOxCfja1eQ/R4NyLXM
+-> ssh-ed25519 BTp6UA yFBZAlGtHV98t6UA8QbELjOW/Pu6KYVPjbXFvijl9m0
++eobFp5YNBsr2+10Huimwypn3S4/lc7zoX5Ldko9mhA
+--- g7w825LgydJlmyZiqnIL0ofUsTn+e47rFmSG8ft6Qqg
+!lï•:^çÄÙƒ}R&X‚º^_ã213·-éŒË£0ÅnBþ–DK€­æ&Ù©Dþ:¾^½ÒUwÃÌóŸ8(£‡ä X‡¾QZsÖªŒâ^(CÂ!ÍìÊ$ ™Üöý×(‹wÎ8t“ô¾Ñ!Úç²±ÐÌˆït;¥ÃNgÚÛ§ˆŽ[²f+Ù‚Q°
\ No newline at end of file