diff --git a/base/defaults.nix b/base/defaults.nix
index 0a52911..b42a3e6 100644
--- a/base/defaults.nix
+++ b/base/defaults.nix
@@ -9,6 +9,7 @@
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
+ X11Forwarding = true;
 };
 };
diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix
index ef0fa9c..258ab2b 100644
--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -17,13 +17,16 @@ in
 # ./open-pgsql.nix
 ];
- nixpkgs.overlays = [
+ nixpkgs.overlays = let
+ libbluray = pkgs.libbluray.override {
+ withAACS = true;
+ withBDplus = true;
+ };
+ in
+ [
 (
 self: super: {
- libbluray = super.libbluray.override {
- withAACS = true;
- withBDplus = true;
- };
+ vlc = super.vlc.override { inherit libbluray; };
 }
 )
 ];
@@ -39,7 +42,7 @@ in
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
- (if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.11") then vaapiIntel else intel-vaapi-driver)
+ intel-vaapi-driver
 libvdpau-va-gl
 vaapiVdpau
 # intel-media-driver
@@ -103,8 +106,9 @@ in
 services.openssh = {
 enable = true;
 settings = {
- # ForwardX11 = true;
 PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ X11Forwarding = true;
 };
 };
@@ -165,6 +169,7 @@ in
 };
 # Don’t start automatically
 systemd.services."beesd@backup-disk".wantedBy = lib.mkForce [];
+ systemd.services."beesd@data".serviceConfig.CPUQuota = "10%";
 security.acme = {
 defaults = {
diff --git a/hosts/mpd.nix b/hosts/mpd.nix
index ca9262e..87deb37 100644
--- a/hosts/mpd.nix
+++ b/hosts/mpd.nix
@@ -38,7 +38,7 @@ in
 '';
 };
- hardware.pulseaudio = {
+ services.pulseaudio = {
 enable = true;
 systemWide = true;
 tcp.enable = true;
diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix
index fe1a9cb..e68b058 100644
--- a/hosts/nextcloud.nix
+++ b/hosts/nextcloud.nix
@@ -6,7 +6,7 @@ in
 services.nextcloud = {
 enable = true;
 https = true;
- package = pkgs.nextcloud30;
+ package = pkgs.nextcloud31;
 hostName = hostName;
 datadir = "/data/nextcloud";
 settings = {
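Review bot: `X11Forwarding = true;` in base/defaults.nix enables X11 forwarding in the shared sshd defaults, so presumably every host that imports this profile gets it, not only the desktop that needs it; the `services.openssh.settings` hunk in hosts/Rupert.nix adds the same line again, which makes one of the two redundant. With forwarding on, sshd sets up a proxy display and xauth data for any session that asks for it, and a client that forwards its display to a host exposes its X server to whoever controls that host, so headless machines are better left at the NixOS default. I would drop the line from the base profile (or set `X11Forwarding = false;` there) and keep the opt-in in hosts/Rupert.nix with a comment saying why that host needs it. The enclosing `services.openssh` block starts outside the hunk, and which hosts import base/defaults.nix is not visible in this diff.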
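Review bot: The new `let` binding in the `nixpkgs.overlays` hunk of hosts/Rupert.nix reads `pkgs.libbluray` from the module's final package set while defining the overlays that produce that set, which evaluates only because the binding is lazy and is harder to follow than the usual overlay form. The previous layer is already available inside the overlay, so the same result can be written as `vlc = super.vlc.override { libbluray = super.libbluray.override { withAACS = true; withBDplus = true; }; };` and the `let … in` dropped. A one-line comment that the override is now scoped to vlc only (presumably to avoid rebuilding every other libbluray consumer) would record why the global override was removed.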
@@ -16,6 +16,7 @@ in
 ];
 blacklisted_files = [];
 trashbin_retention_obligation = "auto, 14";
+ "simpleSignUpLink.shown" = false;
 };
 config = {
 dbtype = "pgsql";
@@ -48,13 +49,41 @@ in
 after = ["postgresql.service"];
 };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 4431 ];
 services.nginx = {
 virtualHosts.${hostName} = {
 forceSSL = true;
 enableACME = true;
 };
+ defaultListen = [
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "[::]";
+ port = 4431;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
 };
 users.extraGroups.music = {
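Review bot: Port 4431 is opened to every source in `networking.firewall.allowedTCPPorts`, but the listener behind it has `proxyProtocol = true;`, so whoever can reach that port supplies the client address that nginx reads from the PROXY header. If that address is trusted for logging, rate limiting or Nextcloud's brute-force protection, any direct client can forge it. The port should accept connections only from the upstream proxy, for example by leaving 4431 out of `allowedTCPPorts` and admitting `<PROXY_ADDR>` through a source-restricted firewall rule. The hunk also shows no `set_real_ip_from <PROXY_ADDR>;` with `real_ip_header proxy_protocol;`, so it is worth confirming these exist elsewhere, since without them the forwarded address is never applied. The 4431 entry binds only `[::]`, unlike the 80/443 pairs, which deserves a comment if IPv6-only is intended.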