diff --git a/modules/nixos/minecraft-katsink.nix b/modules/nixos/minecraft-katsink.nix
index ac8eadd5..28fdca8d 100644
--- a/modules/nixos/minecraft-katsink.nix
+++ b/modules/nixos/minecraft-katsink.nix
@@ -89,6 +89,12 @@ in {
 requires = ["minecraft-katsink-server.socket"];
 after = ["network.target" "minecraft-katsink-server.socket"];
+ restartTriggers = [
+ cfg.dataDir
+ cfg.jvmOpts
+ cfg.argsFiles
+ ];
+
 serviceConfig = {
 ExecStart = [execStart];
 ExecStop = "${getExe execStop} $MAINPID";
diff --git a/nixos/access/gensokyo.nix b/nixos/access/gensokyo.nix
index eb5362e0..591427ea 100644
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@@ -5,9 +5,11 @@
 pkgs,
 ...
 }: let
- inherit (lib.modules) mkMerge mkAfter;
+ inherit (lib.modules) mkMerge mkAfter mkDefault;
 inherit (lib.strings) escapeRegex;
 inherit (gensokyo-zone.lib) domain;
+ inherit (config.services) nginx;
+ minecraftBackups = "${config.kyuuto.dataDir}/minecraft/simplebackups";
 in {
 services.nginx.virtualHosts.gensokyoZone = {
 serverName = domain;
@@ -23,6 +25,20 @@ in {
 }
 ];
 };
+ "/minecraft/backups" = {
+ root = pkgs.linkFarm "genso-minecraft-backups" [
+ {
+ name = "minecraft/backups";
+ path = minecraftBackups;
+ }
+ ];
+ extraConfig = ''
+ gzip off;
+ autoindex on;
+ auth_basic "private";
+ auth_basic_user_file ${config.sops.secrets.access-web-htpasswd.path};
+ '';
+ };
 "/.well-known/webfinger" = let
 # https://www.rfc-editor.org/rfc/rfc7033#section-3.1
 oidc = {
@@ -57,4 +73,11 @@ in {
 };
 };
 };
+ systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [
+ minecraftBackups
+ ];
+ sops.secrets.access-web-htpasswd = {
+ sopsFile = mkDefault ../secrets/access.yaml;
+ owner = nginx.user;
+ };
 }
diff --git a/nixos/kyuuto/mount.nix b/nixos/kyuuto/mount.nix
index c196721b..aba7fe65 100644
--- a/nixos/kyuuto/mount.nix
+++ b/nixos/kyuuto/mount.nix
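Review bot: The `/minecraft/backups` location added in the second nixos/access/gensokyo.nix hunk puts a browsable (`autoindex on`) directory of world backups behind `auth_basic` alone, and nothing visible here shows the gensokyoZone vhost forcing TLS; over plain HTTP the credentials travel base64-encoded with every request. If the vhost does not already set `forceSSL = true;`, that should accompany this change, and since the listing is labelled private it may be worth narrowing it further with `allow`/`deny` for the internal ranges plus `satisfy all;`. A comment above `extraConfig` such as `# private listing: basic auth only, relies on the vhost enforcing HTTPS` would record the assumption. The virtualHost definition starts outside the hunk, so its TLS settings could not be checked from here.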
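Review bot: `BindReadOnlyPaths = [ minecraftBackups ]` in the last gensokyo.nix hunk makes the nginx unit fail to start when the backup directory is absent, while the LXC mount entries this commit adds for `/mnt/kyuuto-data/minecraft` are marked `optional`; a missing data mount would then take down every virtual host rather than just the backups listing. systemd ignores a bind whose source does not exist when the path carries a `-` prefix, so `"-${minecraftBackups}"` keeps the read-only bind without that coupling. Setting `owner = nginx.user;` on the htpasswd secret looks appropriate. A short comment on why the bind is required (presumably the nginx unit's filesystem sandboxing, confirm) would help the next reader.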
@@ -9,6 +9,10 @@
 inherit (lib.attrsets) listToAttrs nameValuePair;
 inherit (config.services.steam) accountSwitch beatsaber;
 cfg = config.kyuuto;
+ mapId = id:
+ if config.proxmoxLXC.privileged or true
+ then 100000 + id
+ else id;
 in {
 options.kyuuto = with lib.types; {
 setup = mkEnableOption "directory and permission setup";
@@ -32,6 +36,10 @@ in {
 type = path;
 default = cfg.libraryDir + "/games";
 };
+ dataDir = mkOption {
+ type = path;
+ default = "/mnt/kyuuto-data";
+ };
 gameLibraries = mkOption {
 type = listOf str;
 default = ["PC"];
@@ -98,6 +106,10 @@ in {
 ${cfg.libraryDir + "/movies"} = leaf;
 ${cfg.libraryDir + "/software"} = leaf;
 ${cfg.libraryDir + "/books"} = leaf;
+ ${cfg.dataDir + "/minecraft/simplebackups"} = leaf // {
+ owner = toString (mapId 913); # minecraft-bedrock uid
+ group = "admin";
+ };
 ${cfg.gameLibraryDir} = shared;
 }
 (listToAttrs (
@@ -123,10 +135,6 @@ in {
 };
 users = let
- mapId = id:
- if config.proxmoxLXC.privileged or true
- then 100000 + id
- else id;
 mkDummyUsers = {
 name,
 group ? name,
diff --git a/nixos/minecraft/katsink.nix b/nixos/minecraft/katsink.nix
index cc8d7d67..009679ea 100644
--- a/nixos/minecraft/katsink.nix
+++ b/nixos/minecraft/katsink.nix
@@ -25,13 +25,13 @@ in {
 root = config.rootDir + "/minecraft/katsink";
 path = mkDefault cfg.dataDir;
 };
+ # TODO: serviceConfig.ExecStart = mkForce [ "${pkgs.runtimeShell} ${cfg.dataDir}/run.sh" ]; for imperative updates ?
 };
 sockets.minecraft-katsink-server = {
 socketConfig.SocketGroup = "admin";
 };
 };
 networking.firewall = mkIf cfg.enable {
- interfaces.tailscale0.allowedTCPPorts = [cfg.port];
 interfaces.local.allowedTCPPorts = [cfg.port];
 };
 }
diff --git a/nixos/secrets/access.yaml b/nixos/secrets/access.yaml
index aa6feb1b..32baab97 100644
--- a/nixos/secrets/access.yaml
+++ b/nixos/secrets/access.yaml
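Review bot: The literal `913` in `owner = toString (mapId 913); # minecraft-bedrock uid` (third mount.nix hunk) duplicates a uid that is presumably assigned elsewhere, so the ownership of the backup directory silently depends on the two staying in sync. If they drift, `simplebackups` ends up owned by an unrelated mapped id, which changes who can write or replace the archives that nginx later serves. Derive the value from the user declaration if one is reachable from this module, or extend the comment to say where the uid is assigned and which server writes here. `mapId`, hoisted to the outer `let` in the first mount.nix hunk, would also benefit from a one-line comment on the `100000` offset, e.g. `# shift into the id range used by unprivileged containers (confirm)`.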
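Review bot: The TODO added in nixos/minecraft/katsink.nix proposes `ExecStart = mkForce [ "${pkgs.runtimeShell} ${cfg.dataDir}/run.sh" ]`, which would make the unit execute a script from the server's data directory instead of a store path. If that directory is writable by the server process (likely for a modded server, but not visible in this hunk), anything able to write there could change what the service runs on its next start. The comment should carry that caveat, for example `# NOTE: run.sh would sit in a writable dataDir; give it separate ownership/permissions before enabling`. The enclosing service definition starts outside the hunk.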
@@ -1,4 +1,5 @@ access-peeps-nft-connieallure: ENC[AES256_GCM,data:K+Mjtc/23sseniuQg9GyklMkvRh2VZFFQHGsw6MWMYgpriX6KI3o0V+0upoxrXzDHtNE/Hp/OHE=,iv:Oo0fIUHkXFeQA6jyyTCInsQYM9x7B9ZbkAyBQSt86Xk=,tag:v87P8BXfvqJcn9qKUM0CQw==,type:str] +access-web-htpasswd: ENC[AES256_GCM,data:whmIMgMrw8Us8VoUsoE3WmIX3EHWChuTOMgwPFqin4gAwydefBr93J8S2MBj78iweX18jT+F+Zgs0zERYPybMXo8y2orM/fPD6pgafm4nKQHRQARpyB9v2HcJ7q5hK0S/2qFB83wZ52OKlwWWRXJuJP+NPcJBQSmr19tAu99JA==,iv:eP48z2rYqVK1juefM2H34ft9YmXEFMqD0SwlpTRpdAY=,tag:bln/5tvgj5LiBoO0XRSFuQ==,type:str] sops: shamir_threshold: 1 kms: []
@@ -114,8 +115,8 @@ sops: ZUIxR09QTEM1RVN4MkI3NjkrUVg0am8KV6Q6RqJj9GGDG0gcpS2crPP07W6B8qOB dwjE9Efx+NaA4xKtt/cd2S/YUiMwj97qgOLYIseHAuxnbVIm6PNB7g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T16:50:29Z" - mac: ENC[AES256_GCM,data:humfCS9LaB0pcAObLZH+8huTED1/eW6ZtR7PVZ33JPrTJhc9ttorbsfsVPGjsd52I0RT4cNNk9iRDGSqNvgCP+BdvOyILDRA0kxKvF3XLX76Iw0v5jWlPBUts0Hi5ch9Mzn5abN/w3E/5D7z1OMQN11kroJtVpnQMdPDza/qK4g=,iv:UNHN2BYkC0AShqtB7gRLIBYqYwASqVbYhA2RC1dSWYE=,tag:Qo/1LczVrlTHFvWkCG3GIw==,type:str] + lastmodified: "2024-09-19T23:41:25Z" + mac: ENC[AES256_GCM,data:ZZyOf4N1qJ61XsxMp/oL8K+6fU3edDz6oFdFZP80Ej0KazdY54fH93Xq5QXjzOZAQif9PSizmSRqIibVHaBC2OfZRMf8RfWky8V5dEauiGHuncyPQyyirFARWOWtzPfbA6AhCcd+mEWzsppuR6K3X7NPMraKna1DXAJ97I5zkPk=,iv:+m9NAXKD8sLeLxA8pcSCpHUDs4HYgjiCGQYLRvrrAx4=,tag:AqBcJgRWV9tfhgrPnNnD1A==,type:str] pgp: - created_at: "2024-09-17T02:19:48Z" enc: |-
@@ -153,4 +154,4 @@ sops: -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0
diff --git a/systems/hakurei/lxc.json b/systems/hakurei/lxc.json
index 282f3ef5..65cf70ba 100644
--- a/systems/hakurei/lxc.json
+++ b/systems/hakurei/lxc.json
@@ -2,6 +2,7 @@
 "lxc": {
 "lxc.mount.entry": [
 "/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir",
+ "/mnt/kyuuto-data/minecraft mnt/kyuuto-data/minecraft none bind,optional,create=dir",
 "/dev/net/tun dev/net/tun none bind,optional,create=file"
 ],
 "lxc.idmap": [
diff --git a/systems/minecraft/default.nix b/systems/minecraft/default.nix
index 8bc87cbe..dfed7948 100644
--- a/systems/minecraft/default.nix
+++ b/systems/minecraft/default.nix
@@ -4,17 +4,9 @@ _: {
 ];
 arch = "x86_64";
 type = "NixOS";
- ci.allowFailure = true;
- access.online.enable = false;
 modules = [
 ./nixos.nix
 ];
- network.networks = {
- tail = {
- address4 = "100.73.157.122";
- address6 = "fd7a:115c:a1e0::1f01:9d7a";
- };
- };
 exports = {
 services = {
 tailscale.enable = true;
diff --git a/systems/minecraft/proxmox.nix b/systems/minecraft/proxmox.nix
index 441c206d..f3dae85f 100644
--- a/systems/minecraft/proxmox.nix
+++ b/systems/minecraft/proxmox.nix
@@ -14,4 +14,10 @@ _: {
 };
 };
 };
+ network.networks = {
+ tail = {
+ address4 = "100.73.157.122";
+ address6 = "fd7a:115c:a1e0::1f01:9d7a";
+ };
+ };
 }
diff --git a/systems/reimu/lxc.json b/systems/reimu/lxc.json
index d967e169..c7b7ca40 100644
--- a/systems/reimu/lxc.json
+++ b/systems/reimu/lxc.json
@@ -2,6 +2,7 @@
 "lxc": {
 "lxc.mount.entry": [
 "/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir",
+ "/mnt/kyuuto-data/minecraft mnt/kyuuto-data/minecraft none bind,optional,create=dir",
 "/dev/net/tun dev/net/tun none bind,optional,create=file"
 ],
 "lxc.cgroup2.devices.allow": [
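Review bot: The `/mnt/kyuuto-data/minecraft` mount entry added to systems/hakurei/lxc.json is bound read-write, like the media entry above it. If this container only needs the directory so that nginx can serve the backups (the commit binds it read-only into the nginx unit in nixos/access/gensokyo.nix, though which host runs that module is not visible here), `bind,ro,optional,create=dir` would keep a compromise of the web-facing container from altering or deleting the archives. The same entry is added to systems/reimu/lxc.json further down; that host may need write access if it performs the kyuuto directory setup, so check before applying `ro` there. JSON has no comment syntax, so the reasoning belongs in the commit message.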