diff --git a/README.md b/README.md
index f48d8f8..8ae0def 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,41 @@ Navigate to a GitLab Group's _Settings_ to enable the integration for the group.
 
 Configure an agent for the group and set `settings.apiBaseUrl` to your instance, to the value of `https://${services.hercules-backend.domain}`.
 
+# Run on separately managed infrastructure services
+
+The `single-machine` NixOS modules create a self-contained deployment.
+This may not be what you want, if you want to manage your own PostgreSQL, S3, or RabbitMQ services, or if the bundled infrastructure config interferes with other services on the host.
+
+In this situation, you may use `nixosModules.application-plus-nginx`, which does still include an nginx configuration.
+
+You will need to provide values for:
+
+<!-- FIXME: this still contains general defs -->
+
+```nix
+{
+  imports = [ hercules-ci-enterprise.nixosModules.application-plus-nginx ];
+  config = {
+    services.hercules-backend.enable = true;
+    services.hercules-backend.postgresConnectionURL = "...";
+    services.hercules-backend.s3.defaultRegion = "...";
+    services.hercules-backend.s3.hostOverride = "http://...";
+    # example, age:
+    services.hercules-backend.secretsFile = config.age.secrets."hercules-ci-keys.json".path;
+
+    services.hercules-web.domain = lib.mkDefault config.services.hercules-backend.domain;
+    services.hercules-web.backend = "http://localhost:${toString config.services.hercules-backend.port}";
+    services.hercules-web.agentSocketDomain = lib.mkDefault config.services.hercules-web.domain;
+    services.hercules-web.bulkSocketDomain = lib.mkDefault config.services.hercules-web.domain;
+    services.hercules-web.marketingBackend = lib.mkDefault null;
+
+    # optionally, to smoothen startup when infrastructure status is known to systemd
+    systemd.services.hercules-initialize.requires = infraServices;
+    systemd.services.hercules-migrate.requires = infraServices;
+  };
+}
+```
+
 # How do I update it?
 
 ### Configure the private cache
@@ -151,6 +186,11 @@ Do not enable profiling for a prolonged time period, as the heap profile file wi
 
 # Release Notes
 
+## 2024-02-19
+
+Highlights
+* Add verbosity filter in job evaluation log
+
 ## 2024-01-11
 
 Highlights:
diff --git a/example/configuration-hercules.nix b/example/configuration-hercules.nix
index cb37222..6c1dab3 100644
--- a/example/configuration-hercules.nix
+++ b/example/configuration-hercules.nix
@@ -12,11 +12,14 @@
       s3.buckets.state = "hercules-state"; # name of the bucket for state files
       s3.buckets.logs = "hercules-logs"; # name of the bucket for logs
 
-      # smtp = {
-      #   server = ...;
-      #   port = ...;
-      # };
-      # notificationEmailSender = ...; # e.g. "noreply@hercules-ci.example.com"
+      smtp = {
+        server = "mail.example.com";
+        port = 587;
+      };
+      notificationEmailSender = "notifications@hercules-ci.example.com";
+
+      # If not using e.g. single-machine-age, you can set this manually.
+      secretsFile = "/var/keys/hercules-ci/hercules-ci.json";
     };
 
     # Either a directory containing ssl.crt and ssl.key
diff --git a/flake.lock b/flake.lock
index e39007a..373cf1e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,14 +3,14 @@
     "dist": {
       "flake": false,
       "locked": {
-        "lastModified": 1705007682,
-        "narHash": "sha256-+tgvegN7rW5WAnhKrlAM6i+aE9Tzrkq76G7Lx1JHuH8=",
+        "lastModified": 1708333958,
+        "narHash": "sha256-cUsHmzMEvBsf0Wq4kfkFh18u1tJLRC0TuG2h+7Grbqk=",
         "type": "tarball",
-        "url": "https://hercules-ci-enterprise.cachix.org/serve/6jcx2iijjdn3srvvl4gxrxsv377mlwsx/hercules-ci-enterprise.tar"
+        "url": "https://hercules-ci-enterprise.cachix.org/serve/96iwk990qm6f28wy9kqyxmvwlr1b6vm1/hercules-ci-enterprise.tar"
       },
       "original": {
         "type": "tarball",
-        "url": "https://hercules-ci-enterprise.cachix.org/serve/6jcx2iijjdn3srvvl4gxrxsv377mlwsx/hercules-ci-enterprise.tar"
+        "url": "https://hercules-ci-enterprise.cachix.org/serve/96iwk990qm6f28wy9kqyxmvwlr1b6vm1/hercules-ci-enterprise.tar"
       }
     },
     "flake-parts": {
diff --git a/flake.nix b/flake.nix
index bed07ba..d21669a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@
   inputs = {
     flake-parts.inputs.nixpkgs.follows = "nixpkgs";
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
-    dist.url = "https://hercules-ci-enterprise.cachix.org/serve/6jcx2iijjdn3srvvl4gxrxsv377mlwsx/hercules-ci-enterprise.tar";
+    dist.url = "https://hercules-ci-enterprise.cachix.org/serve/96iwk990qm6f28wy9kqyxmvwlr1b6vm1/hercules-ci-enterprise.tar";
     dist.flake = false;
   };
 
@@ -73,10 +73,20 @@
           };
           nixosModules.single-machine = { pkgs, ... }: {
             imports = [
-              self.nixosModules.packages
+              self.nixosModules.application-plus-nginx
               "${dist}/enterprise/single-machine.nix"
+            ];
+          };
+
+          # No infra services, such as postgresql, rabbitmq, etc.
+          # You will have to configure your own.
+          # This does enable nginx and configure it.
+          nixosModules.application-plus-nginx = {
+            imports = [
+              self.nixosModules.packages
               "${dist}/web/module.nix"
               "${dist}/backend/module.nix"
+              "${dist}/backend/secrets-from-file.nix"
             ];
           };
         };