diff --git a/hosts/nas/modules/pyload.nix b/hosts/nas/modules/pyload.nix
index dd1e65c..e7d13a8 100644
--- a/hosts/nas/modules/pyload.nix
+++ b/hosts/nas/modules/pyload.nix
@@ -36,6 +36,14 @@ in
     path = "/var/lib/pyload/filebot-license.psm";
   };
 
+  # Extraction passwords for pyload (one password per line)
+  sops.secrets.pyload-extraction-passwords = {
+    mode = "0440";
+    owner = "pyload";
+    group = "pyload";
+    path = "/var/lib/pyload/extraction-passwords.txt";
+  };
+
   # PyLoad user with jellyfin group membership for multimedia access
   users.users.pyload = {
     isSystemUser = true;
@@ -76,6 +84,7 @@ in
       PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
       PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
       PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
+      PYLOAD__EXTRACTARCHIVE__PASSWORDFILE = "/var/lib/pyload/extraction-passwords.txt";
 
       # Enable ExternalScripts plugin for hooks
       PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
@@ -90,6 +99,7 @@ in
         "/etc/hosts"
         "/etc/ssl"
         "/etc/static/ssl"
+        "/run/secrets"  # SOPS secrets access for FileBot license
       ];
       # Bind mount multimedia directory as writable for FileBot hook scripts
       BindPaths = [ "/var/lib/multimedia" ];
diff --git a/hosts/nas/secrets.yaml b/hosts/nas/secrets.yaml
index 3d36fe8..d92bd7b 100644
--- a/hosts/nas/secrets.yaml
+++ b/hosts/nas/secrets.yaml
@@ -1,43 +1,46 @@
-filebot-license: ENC[AES256_GCM,data:7fmczgcLOp/tkdoMVGfwESam9NwhZrNJXNcnebMKfilEKc81V4fdzS3/hxlueun2At6047UAdDi+6jAO3FvTmzmpmOFnrQxhojUKX2kj9SMSuDlskqxNt04O8wpGy69T8uOeV3ZUcRASzmfzQmuVU+zPKoIV2nq34mhXeIl17V22ZvoTDtFLs2w3IzxtKMZqLtDH4GZ4dkRcQBFcGY96T9R4CLcBqyZeBYb15ZaVLN9dHpQfExtpsBMVB3NikdWgUK9IAbjff1Xtkn+RT9gpQggCyQUl6UbtGqienbCq8ATORe1f89s+q6x/KneC5bdVZKQ4IqZrzDcuQ5aEJUEslc3aVITI3THEBWLOhYANy/4mMyw7R2KRIiHLrXAiiuxi3JumBvev27S6ilKdNo2By8OsbAB/Oj2YvDc5EBTePLCU0OloHIMSxWv5VkLQ2rM94bYtqXN269Lv6w4zmpOF0QblrvtoXnhhf4BQyf9owRDuNMrbp3Iu9Xnj87GoQVnulpwsMSifFxIibd94sRxS/N/5JTTih3Twj/Y8ZpmvoR8t9vCJ14vwBbMXheBpIYzxTk1phZKK1jLfi49DpWudop6iKNOCZdMeXxVRyAfTpOZSGqmdmsqOEDZESCnOAcNYlTxXmLmTdeqJfvTzsnWUi6kbbMYzaSaUlG7UB+RYnt97mcT5NtmbwCRDuFEOdqKGiR/vi7natH8VXe6nlY7xZxei0kkKAhIwyXV+mj/xurbQP3SuyYZriO2luCfuazxmVR0FpBqv+UZ6LwldmQ5e+O7hveYd+o1IjqjT67pVgLyFo1XY95Phq4/vFNvcZKhP7dqKlddkO5RCqjxHCmLowPSUfO2G4k7NV9/UioudATZnWGBpMfSp0pSuD9GXrPg=,iv:5BP77BRudjLiIKI5973BWbQlftupAdfd/aqFeN7DYLM=,tag:q2CAzGZ8lXPS41Uf2NjJTg==,type:str]
+pyload-extraction-passwords: ENC[AES256_GCM,data:RaZEuiqBiA==,iv:Z12YFu1OJFHO8jSwN6CDnFJ1kpHOqlEekOkXj/+4AHk=,tag:w0oMFEIMU6OWt7eQ2L1VzA==,type:str]
+cyberghost-auth: ENC[AES256_GCM,data:xy8Hfz/+zz23MOoUXCUBOV9yIIeMrg==,iv:Rh+lLawEXcyKF1IUZjI8ktjoX8gIiboBXdT9plSYon8=,tag:pspUUmgFO5Erpv8bDmSY3Q==,type:str]
+cyberghost-ca: ENC[AES256_GCM,data:zDSLJB42dMuhs3KNT8Ckkm9BRN4wwASmzKRv/Gvpeq5AdX311uckNxdkA2FgWfjpuX43I8FyQdEUwjb83zLNX23iZ/lexarrcqBXGBqiU1dQSzCbepNdO/BIOHRREaVAx4SWwRMpA5kLylB8+JYkFNVyFtTbsu3qN5f2iBLeI48OB3nxk5ZMn4Ix4205RrFN0eP+192hU14nVWIFctvgqPJsBBmT/erxJusffycI0yf4qm6CHiYTqqIX3QWiLV1Nk/9u/4jSUSJS2Voj7ZYne//KDv8pdT+HKcq1pwGy/6CMhlIaeNs1iVlNJzT+ws3eDBi6QVyd0/5XGDbOA8V9qJC2obsP2rM9urMh1YDpdADpM4Jx1Z84BEp3a2YgIKauSHzd4QzigR73c3uW5IxHnpszzm0Hyf1YwwTXVd1idZDRK2f6/wubNfX+SOIk9QJSw3/HJ0JkXwfR6vGET2MDJGB21Hl80QbNOvMdPhHLIX+6fGSXjtzUdv3KEAhKMWSxAZ5QkHFhbi4sqp7zLCxupdY3jOUn1GJL6GM4mTixkpH5O0CzFHtkD/C/fS/OYv8ImCTE6VX5gmqB7dor89KGoVY+tqHUeg+4KBuUcNFTAmban/iwqbRHMKjQs+ifFRy5bOj5HcGJci6j2ye7urqup3pwP+CGSXAySfq2b65FrOQmmRJVfAwARJVfnokGghu3PH60RH+Un70XNCMPfjcirtOqYFObY2msviP/gEShAhuTmpg679DDKsbtIocRfjiU5kpnu2vmGZ6P2xcsdjd9mwOPSx11GFc73K80tYIOzSi5982Uc/3sKtAMTPUdC4xARF984cMs6gyjJYGB1atB8WfuhdITO3HX2VuSd8JklvRtGbeRs6ky8uVUcDFYErwQAXxBbTAt2ZZ7IU4Gfn94qcOcn3UwDTJ4nVJ5hLMFWjYtYkFs4kD2zshSVVFPIq5EzuUgD9iDN8WURVUbhHiUdUifPFgrWgNUE3zSLWXrAnEPa7d4Fg0QB/yz6oN+ugGgRaHqxOtaeewirhCV2m/JDqJmmLKyBY2k4NwyAfiz6RPuslGxLOGDvzZDNbPVOH53rlSVgwt77tMwxe9EBsjzNSKCWdolzSiXIjGNi92q/x77rkaEElNfBKXoK6f9i5Q7B98hWNwGltmdgfXSDwSZCKvpSPKrwITTQymBuET4jWdROvfZLRAZ1g10PVQp9Rx4s3TP95vvY1Tfy4G6IytWux8r/feCfqKu7eV65NloFf2nfqknNivBadsQwALchQvUsK3XkUPQy4Gc6OA4QReqxV2aqCmihTsN7SPR0ls4dHp2rxwslaFRrG6kR0SQdm1H2rb//VWsTNrc5OeFgqKjwv2asvSMdxlC/9g/lq03FHC6b2cffCptVRGVegZQNfSq9eHEyGK0AeqAeelNdHjUlSSvtZZ6oTZ7WkEYwhshNt80Leg6eqyTlVSZ59Ds4/9bbytc/e30BA07hTlkIPq/ewimFCW00kMiXLfltPKulfPoqOWVwKq7PnCsHr8xesY574/uHky47o6r3K0+LUblsZVynxYPVxl0edq5LNwLX1YJjcaJYEzDifKE9uLwrEI6FGveL7qPvxG2LkCkY3yMcU+bMOsyfhlGhm3AfIHwLFLDWNCFZwhdXSLB2O9JkR64/BUzKdnZc8AZsVgsxrn6q4ox59RLEyO7Tu+aROe6dgjJTXta0XaSpv1VMQLaD1h77AHSfSH7p2w8jJyW6y25iSSN0bey/2okyAbWHEXAmGBBydgh706rGFMrAZzPO25Stwn34gEUFAVawPGgHiKbhlmYXF4EW9MIKi5wr0sc3r2Vj8wG53pZgzmcI1U43T/x9kd3QhPEdc4bCH9L3JP7rLOZx8Unt1oZAXb/b8qnJDL3jPlfkQxObOWrEUWbOyd0/MaTFb6N3cqm6n+Cebh2jItc7e75HXM4js9rB7iAnFiRdlv5svlFQ+kyo6jsaZGa/3pf/4WJYg8+twvabvib64njCbRDwBtqV1qZHbCnxnaeaxp0jFuyVlWEQ3Q81O2p+N1Yy1c/Cweekm5goNbJ9GaLX6llCO0P/chJcYRhyzdEXuCmXONN678pX8rSC5rl8Tgtmswa9xwQFtWXHuDU/H94oL1SLagf569gnH1wbvxlEntzaFwauksOAuxy/Y/whVEpAZ4zCt209pWpYsKC57mx8hRvfUWM8GYL/opbLA7XRIBA5iIUOLM+GKW7iVZkrXH01mDT6O+C/+u+p9ooBhS4ZODTJOXFExVWkVTig88Lry+z9E0v0RVtiHiVISgWJV8IUb9DP12ilenQIfKIvCNWygCUmyB/Df5OGIkwU+0cd+unAsdKRhjCGD9FSBQ9a6yYf4fPl521PrDM3OXkRx6Ux91pi+2PZ2QCeG8Pu7JC0p3ELJQ30nrDYWI8T/BtO9diXtlkVIjaKR8HoD2K9jgtIxJXVqE/rZXhdbq/zG8iat3jcTj1NW3s1XnqQzSA8PaJDCe9xeK5012LOP4tbSFvxdlXgDPpGAKfJzjJxq1xQDoDPHE4TEGRLESRapg2hRNYx9P42PJxlbcPWR1RTVP91hKzUX9RZr4HtxqnQyUBVE/PGuVkXhDMR7LeoxhPB7xDziud4EhobaGIlb3XsIUyY4eoCpxNwOKuVCdqrKv8njuIeYOJeUAMv/j0ons/fmVEi4DLbjStvOIdv69hEz+0lSTyBDcLhpFk8cKjrGTAPTfCo87YgVA3MFFXCjZiryRxfNTDIyrF6PPJkjzmsGEdAcL5LDhwyhiR7R3FWQtu5MYcxSSEBahS8876Jj/jXUo0bH1cYnAcMIrcvWMejLXkERp/VCix9IE89Ow9qFKoOudkLz0N1328pzxnpSYa2LMDLFjcT5gDvUCISSrQkp41WsXGR5OCMCoRclfgSw6ei19Hua7JlFr2m8nCore7lb1fMtTR9Gm00wYHDSzjIfvn3/RyFgprYNM7zelbCllnXBefC+VuKhbPHSzzjnHRCoPqRzKkeYA=,iv:nP9+2JJQ4evWvphDDIXB+UJpPx/hNSIyiH3a3bdVr1c=,tag:5sNAAZzs4UzaSxiMYCWxIg==,type:str]
+filebot-license: ENC[AES256_GCM,data:o5bMKZBt9RehmYGkhYwwhPLm/skOkFocxR+7FyKneJV50a88zqnMW+i3Zyazn8olZUc513L96stq9+5d4DlIhNPdud8Uk99+9X+LF3veQQguO6DC05BU4DDOOTjUninAl2a/rO1+yFZYIp800JV8npkfJ5XddZ3yow6VaYv9Yg/+2Di/a8zUcLAPAAQwy6SDZyeg4EeyDuOlJqayIhAGnRa8Tn4gXpyYOsqPgQ5UPHbH23dVYXlP6vlB+mou8jzPDK8HJKWYGssrVUvkH947mKcKd3gzcOiHK09Ah3m5yQUo4orRRAlXGf5kcr5IvEAMXHYrHavQq6sYAc6FFmF50/c1yc1h8qbCwzLrbAUXHpG2SnyCO7T4RdpL+vfmDGaeyzswlGDJaLfXG/wfl7R7iOUuVGn469NFV4zkD7RqrubsKKvFyCoXO+FbK0u293jNXFilyYCoppjxdVjVuPJIBw+orZj04wNUJR57ypl3ecCJ7bdlEZ48clKdbqoEBO+2M9YMussrR9fjxZOJ8MMdafeUAQHGqNQhd1SnqJ8Bs5EwkSwCACGGwlEmUy+RPU1+8jb2RoJjgdgM45WQPTfZHCrKN4kNcMuMmnq0pI8wbW1dXMHbCZ54bLu1/rq0OnCZGfp949+RU31hlup1Dbn2qk76IhgD6+UnK+mb4tkwEmI+5paG7iVKdfPOSOAqUTjwNs5IV5OiUqYDlLfOWAp7zstHQ25OTOKgAVUj0o6hr5r3xVQqzAyXkR4UeNn0/Agg8wor1L6x1cXi2kDgcqxMNXQiCqWmA+B5Bt5JhrNtgglO3kcHfZXhRTQ0UDKDkP3gbst4Bxs4es4YlPltHadJyqTFppwWMa0toiw2UilnCVud7B5YNUpWI8iMuHKec4U=,iv:3u6odO2heua9XnWLvSL9XgAVLwp7kauGftFuMjHIlVc=,tag:HT7cK0CYKdMJeC4PyzRVIQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWUI4YUsvODJtdTN4NDNn
-            QkFDVmFSV2Q1Q04rcWtiazZEMzFCYzRJMEJrCjM5RE41TjE0eURrNi9iQnBTR1Fy
-            SENYYmloSjI1c25pck5CSTJZTDhCeTQKLS0tIEs0SnFSNUdsdzZWS0loTEdBN1RD
-            ZnhBREtlR3o4VTVMZ1RtY1lVbG40YkUK2isPCoJSTQ6CUbHftSDoUZC8MMTqr512
-            lCoeGQqnArTO8CWDJxIxRczooTo4mW7vDqD7idWdPgOdWZI8hWPE5Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WFRKRkhiL1VheHZIRkxD
+            cEYxa3pFa2l6MnhZSm0vYVJHZ2plYjl6eVRnCmlMYmM2NENiWHhTdk9lOUxiZmZa
+            K2VSQ1NWNjRMVFl4UUx1cG1PT0pXY00KLS0tIEdCbmM5VEdrR0NhcWlHY2JsTkZ1
+            dWIySndzbHJBZ1ByNzBFSEJrbmNEZm8Kp7jAKQPRljvYyyuwsQkGxNKUT04qDqaW
+            JXuqMgT+8UDkreJaifUo/hC+EstNzgPSBpwf/vI560hKFPF3ITJpvg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdnJIeWh1RkhvLzF2QUlm
-            ZmNHaFpzL0M3eUdCdk1GL1g2MTdtdTdjVmdjCmVRTWJsajhKT0E5STN2SEUzWHFa
-            ak1NelloQnNiY3FaUm9oVGg5eit2eTAKLS0tIEoxcURjUkJsRENtblZpKy9QT0gx
-            ME5kM1EwYUFNMVFkT3VWZmpGSzRoWFUKzGNK5FzRWiY+E1Je6l0veoN5Z3K2TFMY
-            pm9+FGuYs+wxSrhLwajITj+NuH0+zK81mrYsugH+6OTNb7cDbLgh/g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSWpoWTg4Uy9qMVNtd3Rn
+            WUhhYjEvVVpVbENDbHZVWEVZRm5Qd3FsSGlFCjBLS3pmQ0t2aUhqdmhpL3lGYXNO
+            bWF2TmN3cmJubmRCeGhjZWhBV1BETDQKLS0tIFFKVm01SEJvb2tZUWZkODhXbzFO
+            L0N2a1dYTnVUNDB0VVNyeDdEcjdaVkUKr+4k1r96lSenlqPj8CUi3qUJJTMljnij
+            KimYx8vXgxnfH6p8SjRR3rUXqqvG6ZrULK4BJ6Ht+BvV34SS44R9Eg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWCs0a3EvZC9sWmI5S2tU
-            aFpRMVlrZG1zL1ZJSklJMkNQY1RLMW53YUhZCjNpQ1pHUE0yVUxleVovcVRLMFNh
-            amVFTnJteW8xRjlFY29HWkJrcVJiQzgKLS0tIFJrWWloc2ZWdGdPNlNQM2szTkZI
-            Zk42dFgrcUJOa3UwSDB3MnpMcVRLdmsKOKbF18HnowVhiEHO2B+BZqpM8Oc8vbDh
-            hczIpcezwMvv96L2/seX86Hv5mEAQvwN2CVA+sknnDL1XNA/2Ng9cw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlcHJZc0paOEVYYmx6NVJL
+            cGg0MjlOKzJKUGM1RktYK05xdkZDbExnTUgwCmhHYk5vcjJ6MFJ1T0xUNUhNdHMv
+            Y2huRkpKcVhIOUhDTnhHczFUSVV2c2cKLS0tIEJUaWx4cHBGV0pqaEozc3owYktr
+            ZU1lOXgrOWZkYnVQOHlCTjBETG9tT3cKA10Z5s2hsHsdrdGyyF1kFTIco3ZmSXqm
+            bhsiB+DicH9fVVWB7SS++Gjo5vMa7cgOcwsFYNJNVQ0qSoeuatJK5g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L1pVc2lRYVVnMU1uR1hn
-            aldPODkvTVFzNDRuWWFTTU5jU0dyOHFMNkZBCnQ0ZGxUcGR5d0FqK2pOenJzSEN4
-            ak12VXhQSnZlbSs1V3BxZnBIQ0xKV1EKLS0tIEkrc00wTzJzVjVDd0o4WHNQVDV6
-            WGlpR1kvdXFnMkxOQVVuL3pIckdLRGcK+xoZE63l+9mlR5ufN9kEtgKEHdIUcGbI
-            CpNhd8RE23tPKaVa0XbQA3bMqc1J9jST3vSWWewexwdLvfjrooSFZw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVWFXYVVEZ1MyYldSOFhW
+            M0loWkIwRnFCQnpHb2NKVGJJamtJbkdUV0hVCkJDckJMNDFlYlRZejlobnkyZVgx
+            ZkQ3eC85S1BHS0VTWVRsU0hLOE9OVGMKLS0tIGtSbkNZeElnOG12MEhaUnZMZENv
+            RFVhREI2bDFRbnZGNjRySHg0dG95UEkK6MYvX0i3vRl4TxJlIg9fWEClrtSxIBkA
+            7AARUq/dPp0xWAIJd59TxKwN8SeznIZ7srKLoraBXS0/gWuKIq2a0Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T18:05:54Z"
-    mac: ENC[AES256_GCM,data:rmGDt0ZvZ8S//X1sqzkM9GdsoLBTB9dUprWdVN5M9F4/Zpq6Mpyk04VdGxYz421Gi+AsvhAkBaKi+XJjiEjRf9dYON/N18bWeRe3mJMLVOOoxGz+PQOeAuCyphZEKsCkae79WtbRZqONkU+kSqT5ED6iLjhOpLn1h6Cuw4wV1Xc=,iv:XWjRyxlGP4a14eUaJvZpizy2UiCSIi/PIUyaZg6GCJY=,tag:ZNp/U1O3wkcb8o5s1USrsw==,type:str]
+    lastmodified: "2025-11-30T18:27:13Z"
+    mac: ENC[AES256_GCM,data:bJKmwMevIxhQEf+2+letxBEU6rLKTky3riOixvfNIw2nTQFlypqfa5D+kCYfJ8v18sIJ86CyPF/WNrNZsPSZeahSR/G4xVLNwKj7847cKm9XDdW1Hm2K7HSdwhZF/zzL+CaBzdjHQVPV+hEUiH9DXkDbySvsmX/LUL06qT0gjwE=,iv:2LmAst6MZObFVZzzwNUShIiledqfGASh1hFpSWDKGmQ=,tag:b7t+Uvw/fb0FIGbExw/R/Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0