diff --git a/flake.lock b/flake.lock
index 53ddd1a..5297295 100644
--- a/flake.lock
+++ b/flake.lock
@@ -188,11 +188,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1765897479,
- "narHash": "sha256-0F5UW4sb3wKd9TwDoEvEGEb+eFov92jOERRpDN7n6bM=",
+ "lastModified": 1765919359,
+ "narHash": "sha256-gUvmyGPzRf7skvhuwl6ose5SwvkdBtzgt7z9uYmGY/c=",
 "ref": "refs/heads/master",
- "rev": "0b68766f3340049baa1e01418b92905cad8888a1",
- "revCount": 161,
+ "rev": "0cefdfc056fbfe8d6ab706c89675193fa5b59f77",
+ "revCount": 162,
 "type": "git",
 "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
 },
diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index 8046cec..a12c96d 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -41,6 +41,7 @@
 # Quadlets
 "modules/quadlets"
+ "modules/quadlets/booklore"
 # Hosted services
 "modules/services/mealie"
diff --git a/lib/default.nix b/lib/default.nix
index 12a385e..7f9da7b 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,18 +1,24 @@
 # FIXME(lib.custom): Add some stuff from hmajid2301/dotfiles/lib/module/default.nix, as simplifies option declaration
-{lib, ...}: {
+{ lib, ... }:
+{
 # use path relative to the root of the project
 relativeToRoot = lib.path.append ../.;
- scanPaths = path:
+ scanPaths =
+ path:
 builtins.map (f: (path + "/${f}")) (
 builtins.attrNames (
 lib.attrsets.filterAttrs (
 path: _type:
- (_type == "directory") # include directories
- || (
- (path != "default.nix") # ignore default.nix
- && (lib.strings.hasSuffix ".nix" path) # include .nix files
- )
+ (_type == "directory") # include directories
+ || (
+ (path != "default.nix") # ignore default.nix
+ && (lib.strings.hasSuffix ".nix" path) # include .nix files
+ )
 ) (builtins.readDir path)
 )
 );
+ autoport =
+ service-name:
+ (builtins.fromTOML "v=0x${(builtins.substring 0 4 (builtins.hashString "md5" service-name))}").v
+ + 1023;
 }
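Review bot: `autoport` in the lib/default.nix hunk can return an unusable port: four hex digits give 0–65535, and adding 1023 pushes the top of the range to 66558 while the bottom (1023) is still a privileged port. Folding the hash into the unprivileged range keeps every result valid, e.g. `lib.mod (builtins.fromTOML "v=0x${builtins.substring 0 4 (builtins.hashString "md5" service-name)}").v 64512 + 1024`. Because the value is a truncated hash, two service names can silently map to the same port, or onto a port a non-autoport service already binds on the host; a comment on `autoport` saying that collisions are not detected here and must be checked by the caller (or an assertion over the set of hosted services) would make that contract explicit.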
diff --git a/modules/quadlets/booklore/default.nix b/modules/quadlets/booklore/default.nix index b3552f9..ddd40fa 100644 --- a/modules/quadlets/booklore/default.nix +++ b/modules/quadlets/booklore/default.nix 
@@ -1,40 +1,88 @@ -{ config, ... }: { - services.caddy.virtualHosts."booklore.wanderingcrow.net".extraConfig = '' - reverse_proxy http://10.88.0.4:6060 + lib, + config, + inputs, + ... +}: +let + port = builtins.toString (lib.custom.autoport "booklore"); + volumePath = "/overseer/services"; + sopsFolder = inputs.nix-secrets + "/sops"; +in +{ + systemd.tmpfiles.rules = [ + "d ${volumePath}/booklore" + "d ${volumePath}/booklore/books" + "d ${volumePath}/booklore/bookdrop" + "d ${volumePath}/booklore/data" + "d ${volumePath}/booklore/database" + ]; + + sops.secrets = { + "booklore/db/root_pass" = { + sopsFile = "${sopsFolder}/services.yaml"; + }; + "booklore/db/pass" = { + sopsFile = "${sopsFolder}/services.yaml"; + }; + }; + + sops.templates."booklore-env".content = '' + MYSQL_ROOT_PASSWORD = ${config.sops.placeholder."booklore/db/root_pass"} + MYSQL_PASSWORD = ${config.sops.placeholder."booklore/db/pass"} + DATABASE_PASSWORD = ${config.sops.placeholder."booklore/db/pass"} ''; + + services.caddy.virtualHosts."booklore.wanderingcrow.net".extraConfig = '' + reverse_proxy localhost:${port} + ''; + virtualisation.quadlet = { containers = { booklore-web.containerConfig = { image = "ghcr.io/booklore-app/booklore:v1.14.1"; - environments = { - USER_ID = "0"; - GROUP_ID = "0"; - TZ = "America/New_York"; - DATABASE_URL = "jdbc:mariadb://booklore-db:3306/booklore"; - DB_USER = "booklore"; - DB_PASSWORD = "changeme"; - BOOKLORE_PORT = "6060"; - }; - publishPorts = [ - "" - ]; pod = config.virtualisation.quadlet.pods.booklore.ref; + environments = { + DATABASE_URL = "jdbc:mariadb://localhost:3306/booklore"; + DATABASE_USERNAME = "booklore"; + BOOKLORE_PORT = "6060"; + # FIXME: convert to secrets + DATABASE_PASSWORD = "changeme"; + }; + environmentFiles = [ + config.sops.templates."booklore-env".path + ]; + volumes = [ + "${volumePath}/booklore/books:/books" + "${volumePath}/booklore/bookdrop:/bookdrop" + "${volumePath}/booklore/data:/app/data" + ]; }; booklore-db.containerConfig 
= { - image = "lscr.io/linuxserver/mariadb:11.4.5"; + image = "lscr.io/linuxserver/mariadb:11.4.8"; + pod = config.virtualisation.quadlet.pods.booklore.ref; environments = { - PUID = "1000"; - PGID = "1000"; - TZ = "America/New_York"; - MYSQL_ROOT_PASSWORD = "changeme"; - MYSQL_DATABASE = "booklore"; + TZ = "Etc/UTC"; + PUID = "0"; + PGID = "0"; MYSQL_USER = "booklore"; + MYSQL_DATABASE = "booklore"; + # FIXME: convert to secrets + MYSQL_ROOT_PASSWORD = "changeme"; MYSQL_PASSWORD = "changeme"; }; - pod = config.virtualisation.quadlet.pods.booklore.ref; + environmentFiles = [ + config.sops.templates."booklore-env".path + ]; + volumes = [ + "${volumePath}/booklore/database:/config" + ]; }; }; - pods.booklore = { }; + pods.booklore = { + podConfig.publishPorts = [ + "${port}:6060" + ]; + }; }; }
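Review bot: The move to sops is incomplete on the new side: `DATABASE_PASSWORD = "changeme"` stays in booklore-web's `environments`, and `MYSQL_ROOT_PASSWORD`/`MYSQL_PASSWORD = "changeme"` stay in booklore-db's, next to the new `environmentFiles` entry that supplies the same variables from the template, so which value each container sees depends on how quadlet orders `--env` against `--env-file`; drop the three plaintext assignments (and their FIXME) so the template is the only source. The template itself writes `MYSQL_ROOT_PASSWORD = ...` with spaces around `=`; as far as I recall podman's env-file parser does not strip those and rejects a name containing whitespace, so the lines should read `MYSQL_ROOT_PASSWORD=${config.sops.placeholder."booklore/db/root_pass"}` (likewise for the two `booklore/db/pass` lines). Separately, `podConfig.publishPorts = [ "${port}:6060" ]` publishes the backend on every interface although the caddy vhost only needs it on loopback; `"127.0.0.1:${port}:6060"` keeps the app from being reachable around the proxy. A short comment on `port` noting that it is derived from a hash of the service name, so a clash with another autoport service or a fixed host port only surfaces at container start, would also help the next reader.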