diff --git a/hosts/hetzner-vm/modules/piped/backend.nix b/hosts/hetzner-vm/modules/piped/backend.nix index 1de0c3b..11b2163 100644 --- a/hosts/hetzner-vm/modules/piped/backend.nix +++ b/hosts/hetzner-vm/modules/piped/backend.nix 
@@ -4,20 +4,42 @@ let cfg = config.services.piped; backend_config = { - PORT = cfg.backend_port; + PORT = cfg.backendPort; HTTP_WORKERS = 2; - PROXY_PART = "https://${cfg.proxy_domain}"; # TODO: fix - API_URL = "https://${cfg.backend_domain}"; - FRONTEND_URL = "https://${cfg.frontend_domain}"; - DISABLE_REGISTRATION = false; - COMPROMISED_PASSWORD_CHECK = false; - FEED_RETENTION = 30; + PROXY_PART = "https://${cfg.proxyDomain}"; + API_URL = "https://${cfg.backendDomain}"; + FRONTEND_URL = "https://${cfg.frontendDomain}"; + DISABLE_REGISTRATION = cfg.disableRegistrations; + COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck; + FEED_RETENTION = cfg.feedRetentionDays; + SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays; + SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers; + DISABLE_RYD = cfg.disableRYD; + DISABLE_LBRY = cfg.disableLBRYStreams; + RYD_PROXY_URL = cfg.rydAPIURL; + SENTRY_DSN = cfg.sentryDSN; "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped"; "hibernate.connection.driver_class" = "org.postgresql.Driver"; "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect"; "hibernate.connection.username" = "piped"; "hibernate.connection.password" = "password"; - }; + } // (if cfg.enableCaptcha then { + CAPTCHA_API_URL = cfg.captchaAPIURL; + # This is substituted in the PreStart of piped-backend.service + CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then + "CAPTCHA_API_KEY_FILE" + else + cfg.captchaAPIKey; + } else + { }) // (if cfg.enableFederation then { + MATRIX_SERVER = cfg.matrixServerAddr; + # also substituted + MATRIX_TOKEN = if cfg.matrixTokenFile != "" then + "MATRIX_TOKEN_FILE" + else + cfg.matrixToken; + } else + { }); cfgToString = v: if builtins.isBool v then boolToString v else toString v; backend_config_file = pkgs.writeText "config.properties" 
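Review bot: The `else cfg.captchaAPIKey` and `else cfg.matrixToken` branches put the secret itself into `backend_config`, which is rendered with `pkgs.writeText` and so lands in the Nix store, readable by every local user and copied along with the closure. Only the `*File` variants keep the value out of the store. I would drop the inline options, or at least mark the exposure with a comment such as `# WARNING: ends up world-readable in /nix/store; prefer captchaAPIKeyFile`. The placeholders `CAPTCHA_API_KEY_FILE` and `MATRIX_TOKEN_FILE` are later replaced by a plain sed match, so a comment that they must not occur anywhere else in the rendered file would also help. The `let` block starts before this hunk and continues past it.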
@@ -34,6 +56,14 @@ in { WorkingDirectory = "/run/piped-backend"; ExecStartPre = "${pkgs.writeShellScript "piped-backend-init" '' cp ${backend_config_file} /run/piped-backend/config.properties + ${if (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") then '' + sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" /run/piped-backend/config.properties + '' else + ""} + ${if (cfg.enableFederation && cfg.matrixTokenFile != "") then '' + sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" /run/piped-backend/config.properties + '' else + ""} ''}"; ExecStart = "${pkgs.piped-backend}/bin/piped-backend"; }; @@ -59,11 +89,11 @@ in { ensureDatabases = [ "piped" ]; }; - services.nginx.virtualHosts."${cfg.backend_domain}" = { + services.nginx.virtualHosts."${cfg.backendDomain}" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.backend_port}"; + proxyPass = "http://127.0.0.1:${toString cfg.backendPort}"; }; }; }; diff --git a/hosts/hetzner-vm/modules/piped/default.nix b/hosts/hetzner-vm/modules/piped/default.nix index cfae90a..768c5de 100644 --- a/hosts/hetzner-vm/modules/piped/default.nix +++ b/hosts/hetzner-vm/modules/piped/default.nix 
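Review bot: In both added `sed` lines the command substitution runs `cat cfg.captchaAPIKeyFile` and `cat cfg.matrixTokenFile` as literal shell text, because the option is not interpolated inside the `''` string. `cat` would look for a file with that literal name, and the placeholder would presumably be replaced by an empty value. The call should read `$(cat ${lib.escapeShellArg cfg.captchaAPIKeyFile} | sed "s#/#\\\/#g")`, and likewise for the Matrix token. The inner `sed "s#/#\\\/#"` also has no `g` flag and does not escape `&` or `\`, so a secret containing those characters is altered or breaks the expression, and the secret is passed on sed's command line where it is briefly visible in the process list. Nothing in the hunk sets the mode of `/run/piped-backend/config.properties`, so unless the runtime directory is restricted elsewhere the substituted file may be readable by other users; the service definition starts before the hunk.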
@@ -5,11 +5,131 @@ in { options.services.piped = { enable = mkEnableOption "piped"; - frontend_domain = mkOption { type = types.str; }; - backend_domain = mkOption { type = types.str; }; - proxy_domain = mkOption { type = types.str; }; + frontendDomain = mkOption { type = types.str; }; + backendDomain = mkOption { type = types.str; }; + proxyDomain = mkOption { type = types.str; }; + #rydProxyDomain = mkOption { type = types.str; }; - backend_port = mkOption { + feedRetentionDays = mkOption { + type = types.number; + default = 30; + description = "Days feed is stored for"; + }; + + subscriptionRetentionDays = mkOption { + type = types.number; + default = 30; + description = "Days subscriptions are stored for unauthenticated users"; + }; + + sponsorblockServers = mkOption { + type = types.listOf types.str; + default = + [ "https://sponsor.ajay.app" "https://sponsorblock.kavin.rocks" ]; + description = "Days subscriptions are stored for unauthenticated users"; + }; + + disableRegistrations = mkOption { + type = types.bool; + default = true; + description = "Disable user registrations"; + }; + + disableLBRYStreams = mkOption { + type = types.bool; + default = false; + description = + "Disable showing streams provided by LBRY Youtube Partnership"; + }; + + enableCompromisedPasswordCheck = mkOption { + type = types.bool; + default = true; + description = + "Use the haveibeenpwned API to check if user password have been compromised"; + }; + + enableCaptcha = mkOption { + type = types.bool; + default = true; + description = "Enable captcha for registrations"; + }; + + sentryDSN = mkOption { + type = types.str; + default = ""; + description = "Public DSN for sentry error reporting"; + }; + + captchaAPIURL = mkOption { + type = types.str; + default = ""; + description = "API URL for Captcha"; + }; + + # TODO: Key & KeyFile should be only one or the other used + + captchaAPIKey = mkOption { + type = types.str; + default = ""; + description = "API Key for Captcha"; + }; + + 
captchaAPIKeyFile = mkOption { + type = types.str; + default = ""; + description = "API Key File for Captcha"; + }; + + # TODO: run this, requires a go app and Tor server for proxy + #enableRYDServer = mkOption { + # type = types.bool; + # default = true; + # description = "Run a RYD Proxy Server to use"; + #}; + + disableRYD = mkOption { + type = types.bool; + #default = if cfg.enableRYDServer then false else true; + default = false; + description = "Disables querying a Return YouTube Dislike server"; + }; + + rydAPIURL = mkOption { + type = types.str; + #default = if cfg.enableRYDServer then cfg.rydProxyDomain else "https://ryd-proxy.kavin.rocks"; + default = "https://ryd-proxy.kavin.rocks"; + description = "API URL for a Return YouTube Dislike server"; + }; + + # for Piped's Federation Shenanigan + # https://github.com/TeamPiped/piped-federation#how-to-join + enableFederation = mkOption { + type = types.bool; + default = false; + description = "Enable federation of something"; + }; + + matrixServerAddr = mkOption { + type = types.str; + default = ""; + description = "Matrix server address for federation"; + }; + + # TODO: make so only one of these options can be used + matrixToken = mkOption { + type = types.str; + default = ""; + description = "Matrix access token"; + }; + + matrixTokenFile = mkOption { + type = types.str; + default = ""; + description = "Matrix access token file"; + }; + + backendPort = mkOption { type = types.number; default = 3001; }; diff --git a/hosts/hetzner-vm/modules/piped/frontend.nix b/hosts/hetzner-vm/modules/piped/frontend.nix index 549d06a..b18e283 100644 --- a/hosts/hetzner-vm/modules/piped/frontend.nix +++ b/hosts/hetzner-vm/modules/piped/frontend.nix 
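Review bot: The two TODOs leave `captchaAPIKey`/`captchaAPIKeyFile` and `matrixToken`/`matrixTokenFile` unchecked, so both can be set at once (the file silently wins in backend.nix) or neither. Since `enableCaptcha` defaults to `true` while `captchaAPIURL` and both key options default to `""`, a configuration that sets none of them renders empty captcha settings. An entry under `assertions` in the module's `config` (outside this hunk) would catch this at evaluation time, e.g. `{ assertion = cfg.enableCaptcha -> (cfg.captchaAPIKey != "") != (cfg.captchaAPIKeyFile != ""); message = "set exactly one of captchaAPIKey or captchaAPIKeyFile"; }`, with the same shape for the Matrix token. The inline `captchaAPIKey` and `matrixToken` descriptions should also say that the value is stored in the Nix store. Separately, the `sponsorblockServers` description is copied from `subscriptionRetentionDays` and should describe the server list.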
@@ -3,11 +3,11 @@ with lib; let cfg = config.services.piped; frontend-package = - (pkgs.piped-frontend.override { backendDomain = cfg.backend_domain; }); + (pkgs.piped-frontend.override { backendDomain = cfg.backendDomain; }); in { config = (lib.mkIf cfg.enable) { - services.nginx.virtualHosts."${cfg.frontend_domain}" = { + services.nginx.virtualHosts."${cfg.frontendDomain}" = { forceSSL = true; enableACME = true; locations."/" = { root = "${frontend-package}/share/piped-frontend"; }; diff --git a/hosts/hetzner-vm/modules/piped/proxy.nix b/hosts/hetzner-vm/modules/piped/proxy.nix index 19fb5cc..fba2c8c 100644 --- a/hosts/hetzner-vm/modules/piped/proxy.nix +++ b/hosts/hetzner-vm/modules/piped/proxy.nix @@ -38,7 +38,7 @@ in { }; }; - services.nginx.virtualHosts."${cfg.proxy_domain}" = { + services.nginx.virtualHosts."${cfg.proxyDomain}" = { forceSSL = true; enableACME = true; locations."/" = { diff --git a/hosts/hetzner-vm/profiles/misskey.nix b/hosts/hetzner-vm/profiles/misskey.nix index 6ed5a97..078bb49 100644 --- a/hosts/hetzner-vm/profiles/misskey.nix +++ b/hosts/hetzner-vm/profiles/misskey.nix @@ -100,7 +100,6 @@ in { wants = [ "postgresql.service" "redis-misskey.service" ]; path = with pkgs; [ bash git ] ++ misskeyPackages; environment.NODE_ENV = "production"; - reloadTriggers = [ misskeyPackage misskeyConfigFile ]; serviceConfig = { User = "misskey"; WorkingDirectory = "/home/misskey/misskey"; diff --git a/hosts/hetzner-vm/profiles/piped.nix b/hosts/hetzner-vm/profiles/piped.nix index 9332bf8..130e38e 100644 --- a/hosts/hetzner-vm/profiles/piped.nix +++ b/hosts/hetzner-vm/profiles/piped.nix 
@@ -3,9 +3,9 @@ let ports = (import ../ports.nix { }); in { services.piped = { enable = true; - frontend_domain = "piped.owo.monster"; - backend_domain = "backend.piped.owo.monster"; - proxy_domain = "proxy.piped.owo.monster"; - backend_port = ports.piped-backend; + frontendDomain = "piped.owo.monster"; + backendDomain = "backend.piped.owo.monster"; + proxyDomain = "proxy.piped.owo.monster"; + backendPort = ports.piped-backend; }; }