diff --git a/systems/x86_64-linux/sgx/firefly.nix b/systems/x86_64-linux/sgx/firefly.nix
index 44c412f..9eb7000 100644
--- a/systems/x86_64-linux/sgx/firefly.nix
+++ b/systems/x86_64-linux/sgx/firefly.nix
@@ -40,6 +40,10 @@ in
       sopsFile = ../../../.secrets/sgx/firefly.yaml;
       owner = "firefly-iii-data-importer";
     };
+    "firefly/access_token" = {
+      sopsFile = ../../../.secrets/sgx/firefly.yaml;
+      owner = "firefly-iii-data-importer";
+    };
   };
 
   environment.systemPackages = [ pkgs.aqbanking ];
@@ -114,12 +118,13 @@ in
       '';
     };
 
-    # Timer disabled while we work around aqbanking 6.8.2's broken
-    # `-P pinfile` handling. The fetch service authenticates with a wrong
-    # PIN against the bank — three runs locked the access at Sparda. Do
-    # not re-enable until the auth path is replaced (likely python-fints).
+    # Sparda online-banking PIN must contain only [A-Za-z0-9] — special
+    # chars (`:`, `+`, `'`, `?`, `@`, `%`, `*`) get mangled by aqbanking
+    # 6.8.2's pinfile path and the bank locks the access after a few
+    # rejected attempts (3 soft / 9 hard). Same applies if the secret in
+    # sops is rotated.
     timers.firefly-sparda-fetch = {
-      wantedBy = [ ];
+      wantedBy = [ "timers.target" ];
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
@@ -157,12 +162,27 @@ in
         CAN_POST_AUTOIMPORT = "true";
         IMPORT_DIR_ALLOWLIST = inbox;
         AUTO_IMPORT_SECRET_FILE = config.sops.secrets."firefly/auto_import_secret".path;
+        FIREFLY_III_ACCESS_TOKEN_FILE = config.sops.secrets."firefly/access_token".path;
       };
     };
 
     nginx.virtualHosts = {
       ${domain} = vhostBase;
-      ${importDomain} = vhostBase;
+      # Importer's autoupload endpoint blocks until the entire batch
+      # finishes — POSTing 100+ transactions takes minutes. Default 60s
+      # fastcgi timeout makes nginx 504 even though PHP-FPM keeps going.
+      ${importDomain} = vhostBase // {
+        extraConfig = ''
+          fastcgi_read_timeout 600s;
+        '';
+      };
+    };
+
+    # PHP's stock max_execution_time = 30s aborts large bulk imports
+    # mid-stream. Match the nginx fastcgi_read_timeout above.
+    phpfpm.pools.firefly-iii-data-importer.settings = {
+      "php_admin_value[max_execution_time]" = "600";
+      "php_admin_value[memory_limit]" = "512M";
     };
   };