diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix index 594bd4d..6acc669 100644 --- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix @@ -1,13 +1,16 @@ -let - webdav = 4200; - http = 4300; -in { - webdav_main = webdav + 0; - webdav_music_ro = webdav + 1; - webdav_uploads = webdav + 2; - webdav_notes = webdav + 3; +{ + webdav = let + base = 4200; + in { + public = base + 0; + uploads = base + 1; + }; - http_music = http + 0; - http_public = http + 1; - http_uploads_public = http + 2; + http = let + base = 4300; + in { + music = http + 0; + public = http + 1; + uploads_public = http + 2; + }; } diff --git a/hosts/hetzner-arm/containers/storage/data/rclone_config.template b/hosts/hetzner-arm/containers/storage/data/rclone_config.template deleted file mode 100644 index 7d85e92..0000000 --- a/hosts/hetzner-arm/containers/storage/data/rclone_config.template +++ /dev/null @@ -1,15 +0,0 @@ -[Storage] -type = combine -upstreams = "Music=B2:Chaos-Music" "Public=B2:Chaos-Public" "Notes=Notes:" "Uploads=B2:Chaos-Uploads" - -[B2] -type = b2 -account = B2_ACCOUNT -key = B2_KEY -hard_delete = true - -[Notes] -type = crypt -remote = B2:Chaos-Notes -password = STORAGE_NOTES_CRYPT_PASSWORD -password2 = STORAGE_NOTES_CRYPT_SALT \ No newline at end of file diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix index ed29661..8242be0 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix 
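Review bot: The new `http` attribute set refers to `http` inside its own `let` where the `webdav` set directly above uses `base`; the enclosing set is not `rec` and the only binding in scope is `base`, so `http` is an undefined variable and evaluation of every file that imports ports.nix (firewall, nginx, rclone serve) will abort. The three lines should read `music = base + 0;`, `public = base + 1;`, `uploads_public = base + 2;`. This looks like a copy-and-rename slip from the `webdav` block; it is caught at build time rather than silently mis-assigning ports, but it blocks the whole deployment.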
@@ -15,26 +15,14 @@ in { user = "storage"; } // remote) [ - #{ - # id = "main"; - # remote = "Storage:"; - # type = "webdav"; - # extraArgs = [ - # "--addr=0.0.0.0:${toString ports.webdav_main}" - # "--htpasswd=${secrets.webdav_main_htpasswd.path}" - # "--baseurl=/Main/" - # "--cache-dir=/caches/main_webdav_serve" - # "--vfs-cache-mode=full" - # ]; - #} { - id = "music-ro"; - remote = "Storage:Music"; + id = "public"; + remote = "Public:"; type = "webdav"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_music_ro}" - "--read-only" - "--baseurl=/MusicRO/" + "--addr=0.0.0.0:${toString ports.webdav.public}" + "--htpasswd=${secrets.webdav_public_htpasswd.path}" + "--baseurl=/Public/" ]; } { @@ -42,27 +30,17 @@ in { remote = "Storage:Uploads"; type = "webdav"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_uploads}" + "--addr=0.0.0.0:${toString ports.webdav.uploads}" "--htpasswd=${secrets.webdav_uploads_htpasswd.path}" "--baseurl=/Uploads/" ]; } { - id = "notes"; - remote = "Notes:"; - type = "webdav"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_notes}" - "--htpasswd=${secrets.webdav_notes_htpasswd.path}" - "--baseurl=/Notes/" - ]; - } - { - id = "music-ro"; + id = "music"; remote = "Storage:Music"; type = "http"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.http_music}" + "--addr=0.0.0.0:${toString ports.http.music}" "--baseurl=/Music/" "--read-only" ]; @@ -72,17 +50,17 @@ in { remote = "Storage:Public"; type = "http"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.http_public}" + "--addr=0.0.0.0:${toString ports.http.public}" "--baseurl=/Public/" "--read-only" ]; } { - id = "uploads-public"; + id = "uploads_public"; remote = "Storage:Uploads/Public"; type = "http"; extraArgs = [ - "--addr=0.0.0.0:${toString ports.http_uploads_public}" + "--addr=0.0.0.0:${toString ports.http.uploads_public}" "--baseurl=/Uploads/" "--read-only" ]; 
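Review bot: The new `public` WebDAV serve reads from `remote = "Public:"`, while the read-only HTTP serve for the same content further down still uses `remote = "Storage:Public"`, and nothing in this change defines a `Public` remote now that the rclone config template is deleted and the config is provisioned by hand. If the two names do not resolve to the same backend, writes accepted through the htpasswd-protected `/Public/` WebDAV will not show up at the unauthenticated HTTP `/Public/` endpoint, or the serve will fail to start on a missing remote; if they do resolve to the same bucket, the `webdav_public_htpasswd` credential is effectively the publishing key for everything served anonymously and that deserves a comment. I would either use `remote = "Storage:Public";` for consistency or add above the entry `# "Public:" must resolve to the same bucket as Storage:Public in the hand-provisioned rclone config`. The list this entry sits in, and the defaults merged via `// remote`, begin before the hunk.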
diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix index 1b0cae7..cb7d873 100644 --- a/hosts/hetzner-arm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix @@ -8,54 +8,15 @@ }; requiredVaultPaths = [ - "api-keys/data/backblaze/Backblaze" - - #"api-keys/data/storage/webdav/Main" "api-keys/data/storage/webdav/Public" "api-keys/data/storage/webdav/Uploads" - "api-keys/data/storage/webdav/Notes" - - "private-public-keys/data/rclone/Chaos-Notes-Crypt" ]; packages = with pkgs; [ - # for music & mail passwd files apacheHttpd - # for rclone obscure config file - rclone ]; extraFunctions = '' - replace_slash_for_sed() { - sed "s#/#\\\/#" - } - - simple_get_obscure() { - rclone obscure "$(simple_get "$@")" - } - - simple_get_replace_b2() { - api_account=$(simple_get "$1" .keyID | replace_slash_for_sed) - api_key=$(simple_get "$1" .applicationKey | replace_slash_for_sed) - - replace_account=''${2}_ACCOUNT - replace_key=''${2}_KEY - - sed -i "s/$replace_account/$api_account/" "$3" - sed -i "s/$replace_key/$api_key/" "$3" - } - - simple_get_replace_crypt() { - password=$(simple_get_obscure "$1" .password) - salt=$(simple_get_obscure "$1" .salt) - - replace_password=''${2}_PASSWORD - replace_salt=''${2}_SALT - - sed -i "s/$replace_password/$password/" "$3" - sed -i "s/$replace_salt/$salt/" "$3" - } - simple_get_htpasswd() { if [ -f "$2" ]; then rm "$2" @@ -76,21 +37,7 @@ manual = true; }; - #webdav_main_htpasswd = { - # user = "storage"; - # group = "storage"; - # fetchScript = '' - # simple_get_htpasswd "/api-keys/storage/webdav/Main" "$secretFile" - # ''; - #}; - webdav_uploads_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile" - ''; - }; - webdav_notes_htpasswd = { + webdav_public_htpasswd = { user = "storage"; group = "storage"; fetchScript = '' 
@@ -98,17 +45,19 @@ ''; }; - rclone_config = { + webdav_uploads_htpasswd = { user = "storage"; group = "storage"; fetchScript = '' - cp ${./data/rclone_config.template} "$secretFile" - - simple_get_replace_b2 "/api-keys/backblaze/Backblaze" "B2" "$secretFile" - - simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Notes-Crypt" "STORAGE_NOTES_CRYPT" "$secretFile" + simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile" ''; }; + + rclone_config = { + user = "storage"; + group = "storage"; + manual = true; + }; }; }; } diff --git a/hosts/hetzner-arm/containers/storage/storage.nix b/hosts/hetzner-arm/containers/storage/storage.nix index 39ab60a..3b2acea 100644 --- a/hosts/hetzner-arm/containers/storage/storage.nix +++ b/hosts/hetzner-arm/containers/storage/storage.nix @@ -72,7 +72,7 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = attrValues ports; + allowedTCPPorts = flatten attrValues (attrValues ports); }; home-manager.users.root.home.stateVersion = "25.05"; @@ -84,10 +84,8 @@ in { forceSSL = true; enableACME = true; locations = { - "/Main/".proxyPass = "http://${containerIP}:${toString ports.webdav_main}"; - "/MusicRO/".proxyPass = "http://${containerIP}:${toString ports.webdav_music_ro}"; - "/Uploads/".proxyPass = "http://${containerIP}:${toString ports.webdav_uploads}"; - "/Notes/".proxyPass = "http://${containerIP}:${toString ports.webdav_notes}"; + "/Public/".proxyPass = "http://${containerIP}:${toString ports.webdav.public}"; + "/Uploads/".proxyPass = "http://${containerIP}:${toString ports.webdav.uploads}"; }; extraConfig = '' client_max_body_size ${clientMaxBodySize}; 
@@ -98,9 +96,9 @@ in { forceSSL = true; enableACME = true; locations = { - "/Music/".proxyPass = "http://${containerIP}:${toString ports.http_music}"; - "/Public/".proxyPass = "http://${containerIP}:${toString ports.http_public}"; - "/Uploads/".proxyPass = "http://${containerIP}:${toString ports.http_uploads_public}"; + "/Music/".proxyPass = "http://${containerIP}:${toString ports.http.music}"; + "/Public/".proxyPass = "http://${containerIP}:${toString ports.http.public}"; + "/Uploads/".proxyPass = "http://${containerIP}:${toString ports.http.uploads_public}"; }; extraConfig = '' client_max_body_size ${clientMaxBodySize}; diff --git a/hosts/hetzner-arm/profiles/photoprism.nix b/hosts/hetzner-arm/profiles/photoprism.nix index 897cee9..46c0e92 100644 --- a/hosts/hetzner-arm/profiles/photoprism.nix +++ b/hosts/hetzner-arm/profiles/photoprism.nix @@ -91,7 +91,7 @@ in { systemd.services.photoprism.serviceConfig = { DynamicUser = mkForce false; - ReadWritePaths = [ "/Photos" ]; + ReadWritePaths = ["/Photos"]; }; services.nginx.virtualHosts."photoprism.owo.monster" = { @@ -107,7 +107,7 @@ in { }; }; extraConfig = '' - client_max_body_size ${toString (1024*32)}M; + client_max_body_size ${toString (1024 * 32)}M; ''; };