diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0ecddee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+/.config/
+/.local/
+/.step/
+.gitsecret/keys/random_seed
+!*.secret
+env/AWS
+env/aws.sh
+.bash_history
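Review bot: The ignore list has no pattern for backup copies, and this same commit adds `.gitsecret/keys/pubring.kbx~` and `conf/caddy1.conf.bak`. Adding `*~` and `*.bak` here, and removing those two files from the commit, keeps stale keyrings and old configs out of history. The `.bak` copy matters most because it duplicates every credential and internal hostname that `conf/caddy1.conf` carries.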
diff --git a/.gitsecret/keys/pubring.kbx b/.gitsecret/keys/pubring.kbx
new file mode 100644
index 0000000..d9afcb8
Binary files /dev/null and b/.gitsecret/keys/pubring.kbx differ
diff --git a/.gitsecret/keys/pubring.kbx~ b/.gitsecret/keys/pubring.kbx~
new file mode 100644
index 0000000..91703dd
Binary files /dev/null and b/.gitsecret/keys/pubring.kbx~ differ
diff --git a/.gitsecret/keys/trustdb.gpg b/.gitsecret/keys/trustdb.gpg
new file mode 100644
index 0000000..c8365ff
Binary files /dev/null and b/.gitsecret/keys/trustdb.gpg differ
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
new file mode 100644
index 0000000..0c56925
--- /dev/null
+++ b/.gitsecret/paths/mapping.cfg
@@ -0,0 +1,3 @@
+env/AWS:02b947b25fe0dc38bbfba5fc66ead3d5b9b4f8d9000ccd9e4661a9ef81167ec5
+env/aws.sh:3ecd809bd40066028fe08307be8de28c4ffe4f65b2d4041e9b69f6e00172b688
+.bash_history
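Review bot: The `.bash_history` entry on the last line has no content hash, unlike the two `env/` entries, and the commit adds no `.bash_history.secret`. The file therefore looks registered with git-secret but never encrypted. Either run `git secret hide` and commit the result, or drop the entry. Shell history tends to collect pasted tokens and passwords, so it is worth deciding whether it belongs in the repository at all, even encrypted.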
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b46bb93
--- /dev/null
+++ b/README.md
@@ -0,0 +1,54 @@
+Official service files for systemd
+==================================
+
+This folder contains the officially-maintained systemd files that should be used as a basis for your own deployments.
+
+**⚠️ Always review your service file before using it! Change anything that you need to customize.**
+
+## Instructions
+
+See our website for [installation instructions](https://caddyserver.com/docs/install).
+
+
+## Prerequisites
+
+Running Caddy as a systemd service requires the following:
+
+
+Group named `caddy`:
+
+```bash
+$ groupadd --system caddy
+```
+
+User named `caddy` with a writeable home folder:
+
+```bash
+$ useradd --system \
+ --gid caddy \
+ --create-home \
+ --home-dir /var/lib/caddy \
+ --shell /usr/sbin/nologin \
+ --comment "Caddy web server" \
+ caddy
+```
+
+
+## Choosing a service file
+
+- **`caddy.service`** - Use this one if you configure Caddy with a file (for example, the Caddyfile, or a .json file).
+- **`caddy-api.service`** - Use this one if you configure Caddy solely through its API.
+
+The two files are identical except for the ExecStart and ExecReload commands.
+
+## Important
+
+Caddy receives all configuration through its [admin API](https://caddyserver.com/docs/api), even when the [command line interface (CLI)](https://caddyserver.com/docs/command-line) is used, which simply wraps up the API calls for you.
+
+Most users will use either config files and the CLI [mutually exclusively](https://caddyserver.com/docs/getting-started#api-vs-config-files) with the API because it is simpler to have only one source of truth. However, you may wish to provide Caddy an initial "bootstrapping" configuration with a config file, and use the API thereafter.
+
+**⚠️ If you provide an initial config file with the `--config` flag and then update the config using the API, you risk losing your changes if the service is restarted unless you have the `--resume` flag in your ExecStart command.**
+
+Without the `--resume` flag, the `--config` flag will overwrite any last-known configuration.
+
+However, it is totally safe and normal to use both the `--config` and `--resume` options together if you need to use both a config file and the API. Just be aware that if you update your config file and want to apply those changes, _stopping and starting the server is the wrong way to do this_. Restarting the service is orthogonal to config changes; this is a unique safety feature that guarantees durability and prevents data loss. If the config file has the latest changes, you should use the reload command instead.
diff --git a/bin/arm64/caddy b/bin/arm64/caddy
old mode 100644
new mode 100755
diff --git a/caddy b/caddy
index b5003b5..e577173 120000
--- a/caddy
+++ b/caddy
@@ -1 +1 @@
-/opt/caddy/bin/arm64/caddy
\ No newline at end of file
+/opt/caddy/bin/amd64/caddy
\ No newline at end of file
diff --git a/conf/caddy1.conf b/conf/caddy1.conf
new file mode 100644
index 0000000..62c538c
--- /dev/null
+++ b/conf/caddy1.conf
@@ -0,0 +1,366 @@
+##!/bin/bashit
+# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
+
+# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
+
+# TODO
+# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
+
+
+# COMMON DIRECTIVES (add by using import)
+
+# Wildcard cert add to all
+(wildcard_cert) {
+ tls /mnt/238/nas/opt/tls-certs/wc.kebler.net.crt /mnt/238/nas/opt/tls-certs/wc.kebler.net.key {
+ wildcard
+ }
+}
+
+# inject in all pages a
+(baseurl-gateway) {
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+}
+
+# inject in all pages a
+(baseurl-nas) {
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+}
+
+# Only allow lan users access
+(lan-only) {
+ ipfilter / {
+ rule allow
+ ip 10.0.0.0/24
+ }
+}
+
+# Only allow US users access
+(US-only) {
+ ipfilter / {
+ rule allow
+ ip 10.0.0.0/24
+ database /opt/caddy/GeoLite2-Country.mmdb
+ country US
+ }
+}
+
+# Only allow US users access
+(admin-login) {
+ basicauth "sysadmin" ccbigsismyfriend {
+ realm "kebler-admin"
+ /
+}
+}
+
+#send logs to alternative location
+(logs) {
+ log /opt/caddy/logs/log
+# errors /opt/caddy/logs/errors
+}
+
+#send to stdout instead of logs
+(logout) {
+ log stdout
+ errors stdout
+}
+## End Snippets ##############################
+
+
+################ REDIRECT ########################
+
+# Main http/https redirect for anything arriving on port 80/http
+*.kebler.net:80 {
+ import logs
+ redir https://{label1}.kebler.net{uri}
+}
+
+
+# Git Server
+https://git238.kebler.net {
+ import wildcard_cert
+ import US-only
+ proxy / http://nas.kebler.net:3000
+ }
+
+# Home Assistant Server
+https://ha.kebler.net https://ha238.kebler.net {
+ import wildcard_cert
+ import US-only
+# import lan-only
+ import logs
+ proxy / hassio.kebler.net:8123 {
+ websocket
+ transparent
+ }
+ }
+
+# NodeRed Server
+https://nodered.kebler.net {
+ import wildcard_cert
+ import US-only
+# import lan-only
+ proxy / trantor.kebler.net:1880 {
+ websocket
+ transparent
+ }
+ }
+
+# portainer
+https://docker.kebler.net {
+ import wildcard_cert
+ import lan-only
+ proxy / http://nas.kebler.net:9000
+ }
+
+
+##################### TRANTOR ######################
+
+# portainer on trantor
+https://docker-trantor.kebler.net {
+ import wildcard_cert
+ import lan-only
+ proxy / http://trantor.kebler.net:9000
+ }
+
+# discourse for nick and david
+https://geeks.kebler.net {
+ import wildcard_cert
+ proxy / http://trantor.kebler.net:9292 {
+ transparent
+ }
+ }
+
+
+# mqtt broker setup interface
+#https://broker-ui.kebler.net {
+# import wildcard_cert
+# import lan-only
+# proxy / http://nas.kebler.net:18083 {
+# }
+# }
+
+
+https://social.kebler.net {
+ import wildcard_cert
+
+# rewrite {
+# if {path} is /
+# to /proxy{path}
+# }
+
+# rewrite {
+# if {path} not_has /graphql
+# to {path} /proxy{path}
+# }
+
+ proxy / 10.0.0.115:3000 {
+ }
+
+ proxy /graphql 10.0.0.115:4000 {
+ websocket
+ transparent
+ }
+
+}
+
+https://npm.kebler.net {
+ import wildcard_cert
+ proxy / localhost:4873 {
+ websocket
+ transparent
+ }
+ }
+
+##### status.kebler.net ###########
+
+https://status.kebler.net {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ # route to phpfpm's status page here
+ fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
+ env SCRIPT_NAME /phpfpm
+ }
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/status/dist
+ }
+
+
+# Router Status running on router
+https://status.kebler.net/238/gateway {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+ proxy / http://router.kebler.net:19999
+ }
+
+# NAS Status 238
+https://status.kebler.net/238/nas {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ # add base tag to all pages
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+ proxy / http://nas.kebler.net:19999
+ }
+
+# Systemd Cockpit Access
+https://system.kebler.net {
+ import wildcard_cert
+ import US-only
+ # add base tag to all pages
+ # filter rule {
+ # content_type text/html.*
+ # search_pattern
+ # replacement ""
+ # }
+ proxy / http://localhost:9090 {
+ insecure_skip_verify
+ websocket
+ transparent
+ }
+ }
+
+# local redirect to 645
+https://status.kebler.net/645/nas {
+ import wildcard_cert
+ import US-only
+ proxy / http://645.kebler.net/nas/status
+ }
+
+
+################### LOCAL WEBS ############################
+
+https://download.kebler.net {
+ import wildcard_cert
+ log /mnt/data/downloads/private/download-log
+ basicauth "elf" ccbigs {
+ realm "Protected Downloads"
+ /private
+ }
+ basicauth "download" espressobin {
+ /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
+ }
+ root /mnt/data/downloads
+ browse /
+}
+
+https://lights.kebler.net {
+ import wildcard_cert
+ root /mnt/data/webs/lights-frontend
+ proxy /socket.io http://10.0.0.115:3031 {
+ websocket
+ transparent
+ }
+ }
+
+
+
+
+https://wedding.kebler.net {
+ import wildcard_cert
+ root /mnt/data/cloud-user-files/david/files/wedding
+ index wedding.html
+ }
+
+
+https://admin.kebler.net {
+ import wildcard_cert
+ import lan-only
+ root /mnt/data/webs/admin
+ }
+
+https://phpmyadmin.kebler.net {
+ import wildcard_cert
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/phpmyadmin
+ }
+
+https://smnordic.org {
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/smnordic
+ rewrite / {
+ if {path} not_match ^\/wp-admin
+ to {path} {path}/ /index.php?_url={uri}
+ }
+ }
+
+https://nextcloud.kebler.net https://cloud.kebler.net {
+ # import logs
+ import US-only
+ tls d@kebler.net
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/nextcloud
+ # log /var/log/nextcloud_access.log
+ # errors /var/log/nextcloud_errors.log
+
+ # checks for images
+ rewrite {
+ ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
+ r ^/index.php/(.+)$
+ to /{1} /index.php?{1}
+ }
+
+ rewrite {
+ r ^/index.php/.*$
+ to /index.php?{query}
+ }
+
+ # client support (e.g. os x calendar / contacts)
+ redir /.well-known/carddav /remote.php/carddav 301
+ redir /.well-known/caldav /remote.php/caldav 301
+
+ # remove trailing / as it causes errors with php-fpm
+ rewrite {
+ r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
+ to /remote.php/{1}
+ }
+
+ rewrite {
+ r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
+ to /remote.php/{1}/{2}
+ }
+
+ rewrite {
+ r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
+ to /public.php/{1}
+ }
+
+ rewrite {
+ r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
+ to /public.php/{1}/{2}
+ }
+
+ # .htaccess / data / config / ... shouldn't be accessible from outside
+ status 403 {
+ /.htacces
+ /data
+ /config
+ /db_structure
+ /.xml
+ /README
+ }
+
+ header / {
+ Strict-Transport-Security "max-age=31536000;"
+ Referrer-Policy "no-referrer"
+ }
+
+ }
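Review bot: The three `basicauth` directives (the `admin-login` snippet and the two in the download site block) put their passwords in clear text in a tracked file, and `conf/caddy1.conf.bak` repeats them, while the same commit sets up git-secret for `env/AWS`. Move them into a separate snippet file that is encrypted through git-secret and pulled in with `import <path-to-auth-snippets>`, and rotate the values since they are now in history. In the nextcloud block the `status 403` list has `/.htacces`, which should read `/.htaccess` to match the comment above it. The phpmyadmin block imports neither `lan-only` nor `admin-login`, unlike the other admin-facing sites; adding `import lan-only` would bring it in line.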
diff --git a/conf/caddy1.conf.bak b/conf/caddy1.conf.bak
new file mode 100644
index 0000000..250104b
--- /dev/null
+++ b/conf/caddy1.conf.bak
@@ -0,0 +1,366 @@
+##!/bin/bashit
+# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
+
+# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
+
+# TODO
+# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
+
+
+# COMMON DIRECTIVES (add by using import)
+
+# Wildcard cert add to all
+(wildcard_cert) {
+ tls /opt/tls-certs/wc.kebler.net.crt /opt/tls-certs/wc.kebler.net.key {
+ wildcard
+ }
+}
+
+# inject in all pages a
+(baseurl-gateway) {
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+}
+
+# inject in all pages a
+(baseurl-nas) {
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+}
+
+# Only allow lan users access
+(lan-only) {
+ ipfilter / {
+ rule allow
+ ip 10.0.0.0/24
+ }
+}
+
+# Only allow US users access
+(US-only) {
+ ipfilter / {
+ rule allow
+ ip 10.0.0.0/24
+ database /opt/caddy/GeoLite2-Country.mmdb
+ country US
+ }
+}
+
+# Only allow US users access
+(admin-login) {
+ basicauth "sysadmin" ccbigsismyfriend {
+ realm "kebler-admin"
+ /
+}
+}
+
+#send logs to alternative location
+(logs) {
+ log /opt/caddy/logs/log
+ errors /opt/caddy/logs/errors
+}
+
+#send to stdout instead of logs
+(logout) {
+ log stdout
+ errors stdout
+}
+## End Snippets ##############################
+
+
+################ REDIRECT ########################
+
+# Main http/https redirect for anything arriving on port 80/http
+*.kebler.net:80 {
+ import logs
+ redir https://{label1}.kebler.net{uri}
+}
+
+
+# Git Server
+https://git238.kebler.net {
+ import wildcard_cert
+ import US-only
+ proxy / http://nas.kebler.net:3000
+ }
+
+# Home Assistant Server
+https://ha.kebler.net https://ha238.kebler.net {
+ import wildcard_cert
+ import US-only
+# import lan-only
+ import logs
+ proxy / hassio.kebler.net:8123 {
+ websocket
+ transparent
+ }
+ }
+
+# NodeRed Server
+https://nodered.kebler.net {
+ import wildcard_cert
+ import US-only
+# import lan-only
+ proxy / trantor.kebler.net:1880 {
+ websocket
+ transparent
+ }
+ }
+
+# portainer
+https://docker.kebler.net {
+ import wildcard_cert
+ import lan-only
+ proxy / http://nas.kebler.net:9000
+ }
+
+
+##################### TRANTOR ######################
+
+# portainer on trantor
+https://docker-trantor.kebler.net {
+ import wildcard_cert
+ import lan-only
+ proxy / http://trantor.kebler.net:9000
+ }
+
+# discourse for nick and david
+https://geeks.kebler.net {
+ import wildcard_cert
+ proxy / http://trantor.kebler.net:9292 {
+ transparent
+ }
+ }
+
+
+# mqtt broker setup interface
+#https://broker-ui.kebler.net {
+# import wildcard_cert
+# import lan-only
+# proxy / http://nas.kebler.net:18083 {
+# }
+# }
+
+
+https://social.kebler.net {
+ import wildcard_cert
+
+# rewrite {
+# if {path} is /
+# to /proxy{path}
+# }
+
+# rewrite {
+# if {path} not_has /graphql
+# to {path} /proxy{path}
+# }
+
+ proxy / 10.0.0.115:3000 {
+ }
+
+ proxy /graphql 10.0.0.115:4000 {
+ websocket
+ transparent
+ }
+
+}
+
+https://npm.kebler.net {
+ import wildcard_cert
+ proxy / localhost:4873 {
+ websocket
+ transparent
+ }
+ }
+
+##### status.kebler.net ###########
+
+https://status.kebler.net {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ # route to phpfpm's status page here
+ fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
+ env SCRIPT_NAME /phpfpm
+ }
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/status/dist
+ }
+
+
+# Router Status running on router
+https://status.kebler.net/238/gateway {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+ proxy / http://router.kebler.net:19999
+ }
+
+# NAS Status 238
+https://status.kebler.net/238/nas {
+ import wildcard_cert
+ import US-only
+ import admin-login
+ # add base tag to all pages
+ filter rule {
+ content_type text/html.*
+ search_pattern
+ replacement ""
+ }
+ proxy / http://nas.kebler.net:19999
+ }
+
+# Systemd Cockpit Access
+https://system.kebler.net {
+ import wildcard_cert
+ import US-only
+ # add base tag to all pages
+ # filter rule {
+ # content_type text/html.*
+ # search_pattern
+ # replacement ""
+ # }
+ proxy / http://localhost:9090 {
+ insecure_skip_verify
+ websocket
+ transparent
+ }
+ }
+
+# local redirect to 645
+https://status.kebler.net/645/nas {
+ import wildcard_cert
+ import US-only
+ proxy / http://645.kebler.net/nas/status
+ }
+
+
+################### LOCAL WEBS ############################
+
+https://download.kebler.net {
+ import wildcard_cert
+ log /mnt/data/downloads/private/download-log
+ basicauth "elf" ccbigs {
+ realm "Protected Downloads"
+ /private
+ }
+ basicauth "download" espressobin {
+ /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
+ }
+ root /mnt/data/downloads
+ browse /
+}
+
+https://lights.kebler.net {
+ import wildcard_cert
+ root /mnt/data/webs/lights-frontend
+ proxy /socket.io http://10.0.0.115:3031 {
+ websocket
+ transparent
+ }
+ }
+
+
+
+
+https://wedding.kebler.net {
+ import wildcard_cert
+ root /mnt/data/cloud-user-files/david/files/wedding
+ index wedding.html
+ }
+
+
+https://admin.kebler.net {
+ import wildcard_cert
+ import lan-only
+ root /mnt/data/webs/admin
+ }
+
+https://phpmyadmin.kebler.net {
+ import wildcard_cert
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/phpmyadmin
+ }
+
+https://smnordic.org {
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/smnordic
+ rewrite / {
+ if {path} not_match ^\/wp-admin
+ to {path} {path}/ /index.php?_url={uri}
+ }
+ }
+
+https://nextcloud.kebler.net https://cloud.kebler.net {
+ # import logs
+ import US-only
+ tls d@kebler.net
+ fastcgi / /var/run/php/php7.2-fpm.sock php
+ root /mnt/data/webs/nextcloud
+ # log /var/log/nextcloud_access.log
+ # errors /var/log/nextcloud_errors.log
+
+ # checks for images
+ rewrite {
+ ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
+ r ^/index.php/(.+)$
+ to /{1} /index.php?{1}
+ }
+
+ rewrite {
+ r ^/index.php/.*$
+ to /index.php?{query}
+ }
+
+ # client support (e.g. os x calendar / contacts)
+ redir /.well-known/carddav /remote.php/carddav 301
+ redir /.well-known/caldav /remote.php/caldav 301
+
+ # remove trailing / as it causes errors with php-fpm
+ rewrite {
+ r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
+ to /remote.php/{1}
+ }
+
+ rewrite {
+ r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
+ to /remote.php/{1}/{2}
+ }
+
+ rewrite {
+ r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
+ to /public.php/{1}
+ }
+
+ rewrite {
+ r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
+ to /public.php/{1}/{2}
+ }
+
+ # .htaccess / data / config / ... shouldn't be accessible from outside
+ status 403 {
+ /.htacces
+ /data
+ /config
+ /db_structure
+ /.xml
+ /README
+ }
+
+ header / {
+ Strict-Transport-Security "max-age=31536000;"
+ Referrer-Policy "no-referrer"
+ }
+
+ }
diff --git a/env/.gitignore b/env/.gitignore
deleted file mode 100644
index 5f614e6..0000000
--- a/env/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-/AWS
-/aws.sh
diff --git a/env/AWS.secret b/env/AWS.secret
new file mode 100644
index 0000000..2dbe2e5
Binary files /dev/null and b/env/AWS.secret differ
diff --git a/env/aws.sh.secret b/env/aws.sh.secret
new file mode 100644
index 0000000..e6e68eb
Binary files /dev/null and b/env/aws.sh.secret differ
diff --git a/systemd/README.md b/systemd/README.md
new file mode 100644
index 0000000..b46bb93
--- /dev/null
+++ b/systemd/README.md
@@ -0,0 +1,54 @@
+Official service files for systemd
+==================================
+
+This folder contains the officially-maintained systemd files that should be used as a basis for your own deployments.
+
+**⚠️ Always review your service file before using it! Change anything that you need to customize.**
+
+## Instructions
+
+See our website for [installation instructions](https://caddyserver.com/docs/install).
+
+
+## Prerequisites
+
+Running Caddy as a systemd service requires the following:
+
+
+Group named `caddy`:
+
+```bash
+$ groupadd --system caddy
+```
+
+User named `caddy` with a writeable home folder:
+
+```bash
+$ useradd --system \
+ --gid caddy \
+ --create-home \
+ --home-dir /var/lib/caddy \
+ --shell /usr/sbin/nologin \
+ --comment "Caddy web server" \
+ caddy
+```
+
+
+## Choosing a service file
+
+- **`caddy.service`** - Use this one if you configure Caddy with a file (for example, the Caddyfile, or a .json file).
+- **`caddy-api.service`** - Use this one if you configure Caddy solely through its API.
+
+The two files are identical except for the ExecStart and ExecReload commands.
+
+## Important
+
+Caddy receives all configuration through its [admin API](https://caddyserver.com/docs/api), even when the [command line interface (CLI)](https://caddyserver.com/docs/command-line) is used, which simply wraps up the API calls for you.
+
+Most users will use either config files and the CLI [mutually exclusively](https://caddyserver.com/docs/getting-started#api-vs-config-files) with the API because it is simpler to have only one source of truth. However, you may wish to provide Caddy an initial "bootstrapping" configuration with a config file, and use the API thereafter.
+
+**⚠️ If you provide an initial config file with the `--config` flag and then update the config using the API, you risk losing your changes if the service is restarted unless you have the `--resume` flag in your ExecStart command.**
+
+Without the `--resume` flag, the `--config` flag will overwrite any last-known configuration.
+
+However, it is totally safe and normal to use both the `--config` and `--resume` options together if you need to use both a config file and the API. Just be aware that if you update your config file and want to apply those changes, _stopping and starting the server is the wrong way to do this_. Restarting the service is orthogonal to config changes; this is a unique safety feature that guarantees durability and prevents data loss. If the config file has the latest changes, you should use the reload command instead.
diff --git a/systemd/persist b/systemd/persist
old mode 100644
new mode 100755