diff --git a/base/defaults.nix b/base/defaults.nix
index b42a3e6..0a52911 100644
--- a/base/defaults.nix
+++ b/base/defaults.nix
@@ -9,7 +9,6 @@
             settings = {
                 PasswordAuthentication = false;
                 KbdInteractiveAuthentication = false;
-                X11Forwarding = true;
             };
         };
 
diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix
index 258ab2b..ef0fa9c 100644
--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -17,16 +17,13 @@ in
         # ./open-pgsql.nix
     ];
 
-    nixpkgs.overlays = let
-        libbluray = pkgs.libbluray.override {
-            withAACS = true;
-            withBDplus = true;
-        };
-    in
-    [
+    nixpkgs.overlays = [
         (
             self: super: {
-                vlc = super.vlc.override { inherit libbluray; };
+                libbluray = super.libbluray.override {
+                    withAACS = true;
+                    withBDplus = true;
+                };
             }
         )
     ];
@@ -42,7 +39,7 @@ in
     hardware.graphics = {
         enable = true;
         extraPackages = with pkgs; [
-            intel-vaapi-driver
+            (if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.11") then vaapiIntel else intel-vaapi-driver)
             libvdpau-va-gl
             vaapiVdpau
             # intel-media-driver
@@ -106,9 +103,8 @@ in
     services.openssh = {
         enable = true;
         settings = {
+            # ForwardX11 = true;
             PasswordAuthentication = false;
-            KbdInteractiveAuthentication = false;
-            X11Forwarding = true;
         };
     };
 
@@ -169,7 +165,6 @@ in
     };
     # Don’t start automatically
     systemd.services."beesd@backup-disk".wantedBy = lib.mkForce [];
-    systemd.services."beesd@data".serviceConfig.CPUQuota = "10%";
 
     security.acme = {
         defaults = {
diff --git a/hosts/mpd.nix b/hosts/mpd.nix
index 87deb37..ca9262e 100644
--- a/hosts/mpd.nix
+++ b/hosts/mpd.nix
@@ -38,7 +38,7 @@ in
         '';
     };
 
-    services.pulseaudio = {
+    hardware.pulseaudio = {
         enable = true;
         systemWide = true;
         tcp.enable = true;
diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix
index e68b058..fe1a9cb 100644
--- a/hosts/nextcloud.nix
+++ b/hosts/nextcloud.nix
@@ -6,7 +6,7 @@ in
     services.nextcloud = {
         enable = true;
         https = true;
-        package = pkgs.nextcloud31;
+        package = pkgs.nextcloud30;
         hostName = hostName;
         datadir = "/data/nextcloud";
         settings = {
@@ -16,7 +16,6 @@ in
             ];
             blacklisted_files = [];
             trashbin_retention_obligation = "auto, 14";
-            "simpleSignUpLink.shown" = false;
         };
         config = {
             dbtype = "pgsql";
@@ -49,41 +48,13 @@ in
         after = ["postgresql.service"];
     };
 
-    networking.firewall.allowedTCPPorts = [ 80 443 4431 ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     services.nginx = {
         virtualHosts.${hostName} = {
             forceSSL = true;
             enableACME = true;
         };
-        defaultListen = [
-            {
-                addr = "[::]";
-                port = 443;
-                ssl = true;
-            }
-            {
-                addr = "0.0.0.0";
-                port = 443;
-                ssl = true;
-            }
-            {
-                addr = "[::]";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "0.0.0.0";
-                port = 80;
-                ssl = false;
-            }
-            {
-                addr = "[::]";
-                port = 4431;
-                ssl = true;
-                proxyProtocol = true;
-            }
-        ];
     };
 
     users.extraGroups.music = {