diff --git a/SwarselSystems.org b/SwarselSystems.org
index 7fb7b3b..3d13955 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -6612,14 +6612,14 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
 extraGroups = [ "video" "render" "users" ];
 };
 nixpkgs.config.packageOverrides = pkgs: {
- vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
 };
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
 intel-media-driver # LIBVA_DRIVER_NAME=iHD
- vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
- vaapiVdpau
+ intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ libva-vdpau-driver
 libvdpau-va-gl
 ];
 };
@@ -7460,7 +7460,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t

 services.${serviceName} = {
 enable = true;
- package = pkgs.stable.immich;
+ package = pkgs.immich;
 host = "0.0.0.0";
 port = servicePort;
 openFirewall = true;
@@ -8788,230 +8788,278 @@ A stupid (but simple) way to get the =originUrl= is to simply set any URL there To get other URLs (token, etc.), use https:///oauth2/openid//.well-known/oauth-authorization-server, e.g. https:///oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm. #+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix - { self, lib, pkgs, config, globals, ... }: - let - certsSopsFile = self + /secrets/certs/secrets.yaml; - inherit (config.swarselsystems) sopsFile; +{ self, lib, pkgs, config, globals, ... }: +let + certsSopsFile = self + /secrets/certs/secrets.yaml; + inherit (config.swarselsystems) sopsFile; - servicePort = 8300; - serviceUser = "kanidm"; - serviceGroup = serviceUser; - serviceName = "kanidm"; - serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + servicePort = 8300; + serviceUser = "kanidm"; + serviceGroup = serviceUser; + serviceName = "kanidm"; + serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + serviceAddress = globals.hosts.winters.ipv4; - oauth2ProxyDomain = globals.services.oauth2Proxy.domain; - immichDomain = globals.services.immich.domain; - paperlessDomain = globals.services.paperless.domain; - forgejoDomain = globals.services.forgejo.domain; - grafanaDomain = globals.services.grafana.domain; - nextcloudDomain = globals.services.nextcloud.domain; - in - { - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { + oauth2ProxyDomain = globals.services.oauth2Proxy.domain; + immichDomain = globals.services.immich.domain; + paperlessDomain = globals.services.paperless.domain; + forgejoDomain = globals.services.forgejo.domain; + grafanaDomain = globals.services.grafana.domain; + nextcloudDomain = globals.services.nextcloud.domain; - 
users.users.${serviceUser} = { - group = serviceGroup; - isSystemUser = true; + certBase = "/etc/ssl"; + certsDir = "${certBase}/certs"; + privateDir = "${certBase}/private"; + certPath = "${certsDir}/${serviceName}.crt"; + keyPath = "${privateDir}/${serviceName}.key"; +in +{ + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + users.users.${serviceUser} = { + group = serviceGroup; + isSystemUser = true; + }; + + users.groups.${serviceGroup} = { }; + + sops = { + secrets = { + "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + }; + }; + + networking.firewall.allowedTCPPorts = [ servicePort ]; + + globals.services.${serviceName}.domain = serviceDomain; + + system.activationScripts."generateSSLCert-${serviceName}" = + let + daysValid = 3650; + 
renewBeforeDays = 365; + in + { + text = '' + set -eu + + ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} + ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} + + need_gen=0 + if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then + need_gen=1 + else + enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" + end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" + now_epoch="$(${pkgs.coreutils}/bin/date +%s)" + seconds_left=$(( end_epoch - now_epoch )) + days_left=$(( seconds_left / 86400 )) + if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + need_gen=1 + fi + fi + + if [ "$need_gen" -eq 1 ]; then + ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ + -keyout "${keyPath}" \ + -out "${certPath}" \ + -subj "/CN=${serviceDomain}" \ + -addext "subjectAltName=DNS:${serviceDomain}" + + chmod 0644 "${certPath}" + chmod 0600 "${keyPath}" + chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" + fi + ''; + deps = [ "etc" ]; }; - users.groups.${serviceGroup} = { }; - - sops = { - secrets = { - "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-nextcloud" = 
{ inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + services = { + ${serviceName} = { + package = pkgs.kanidmWithSecretProvisioning_1_7; + enableServer = true; + serverSettings = { + domain = serviceDomain; + origin = "https://${serviceDomain}"; + # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; + tls_chain = certPath; + # tls_key = config.sops.secrets.kanidm-self-signed-key.path; + tls_key = keyPath; + bindaddress = "0.0.0.0:${toString servicePort}"; + trust_x_forward_for = true; }; - }; - - networking.firewall.allowedTCPPorts = [ servicePort ]; - - globals.services.${serviceName}.domain = serviceDomain; - - services = { - ${serviceName} = { - package = pkgs.kanidmWithSecretProvisioning_1_7; - enableServer = true; - serverSettings = { - domain = serviceDomain; - origin = "https://${serviceDomain}"; - tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; - tls_key = config.sops.secrets.kanidm-self-signed-key.path; - bindaddress = "0.0.0.0:${toString servicePort}"; - trust_x_forward_for = true; + enableClient = true; + clientSettings = { + uri = config.services.kanidm.serverSettings.origin; + verify_ca = true; + verify_hostnames = true; + }; + provision = { + enable = true; + adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path; + idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path; + groups = { + "immich.access" = { }; + "paperless.access" = { }; + "forgejo.access" = { }; + "forgejo.admins" = { }; + "grafana.access" = { }; + "grafana.editors" = { }; + "grafana.admins" = { }; + "grafana.server-admins" = { }; + "nextcloud.access" = { }; + "nextcloud.admins" = { }; + "navidrome.access" = { }; + "freshrss.access" = { }; + "firefly.access" = { }; + "radicale.access" = { }; + "slink.access" 
= { }; }; - enableClient = true; - clientSettings = { - uri = config.services.kanidm.serverSettings.origin; - verify_ca = true; - verify_hostnames = true; - }; - provision = { - enable = true; - adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path; - idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path; - groups = { - "immich.access" = { }; - "paperless.access" = { }; - "forgejo.access" = { }; - "forgejo.admins" = { }; - "grafana.access" = { }; - "grafana.editors" = { }; - "grafana.admins" = { }; - "grafana.server-admins" = { }; - "nextcloud.access" = { }; - "nextcloud.admins" = { }; - "navidrome.access" = { }; - "freshrss.access" = { }; - "firefly.access" = { }; - "radicale.access" = { }; - "slink.access" = { }; - }; - inherit (config.repo.secrets.local) persons; + inherit (config.repo.secrets.local) persons; - systems = { - oauth2 = { - immich = { - displayName = "Immich"; - originUrl = [ - "https://${immichDomain}/auth/login" - "https://${immichDomain}/user-settings" - "app.immich:///oauth-callback" - "https://${immichDomain}/api/oauth/mobile-redirect" - ]; - originLanding = "https://${immichDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-immich.path; - preferShortUsername = true; - enableLegacyCrypto = true; # can use RS256 / HS256, not ES256 - scopeMaps."immich.access" = [ - "openid" - "email" - "profile" - ]; + systems = { + oauth2 = { + immich = { + displayName = "Immich"; + originUrl = [ + "https://${immichDomain}/auth/login" + "https://${immichDomain}/user-settings" + "app.immich:///oauth-callback" + "https://${immichDomain}/api/oauth/mobile-redirect" + ]; + originLanding = "https://${immichDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-immich.path; + preferShortUsername = true; + enableLegacyCrypto = true; # can use RS256 / HS256, not ES256 + scopeMaps."immich.access" = [ + "openid" + "email" + "profile" + ]; + }; + paperless = { + displayName = "Paperless"; + originUrl = 
"https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/"; + originLanding = "https://${paperlessDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-paperless.path; + preferShortUsername = true; + scopeMaps."paperless.access" = [ + "openid" + "email" + "profile" + ]; + }; + forgejo = { + displayName = "Forgejo"; + originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; + originLanding = "https://${forgejoDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-forgejo.path; + scopeMaps."forgejo.access" = [ + "openid" + "email" + "profile" + ]; + # XXX: PKCE is currently not supported by gitea/forgejo, + # see https://github.com/go-gitea/gitea/issues/21376. + allowInsecureClientDisablePkce = true; + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup."forgejo.admins" = [ "admin" ]; }; - paperless = { - displayName = "Paperless"; - originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/"; - originLanding = "https://${paperlessDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-paperless.path; - preferShortUsername = true; - scopeMaps."paperless.access" = [ - "openid" - "email" - "profile" - ]; - }; - forgejo = { - displayName = "Forgejo"; - originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; - originLanding = "https://${forgejoDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-forgejo.path; - scopeMaps."forgejo.access" = [ - "openid" - "email" - "profile" - ]; - # XXX: PKCE is currently not supported by gitea/forgejo, - # see https://github.com/go-gitea/gitea/issues/21376. 
- allowInsecureClientDisablePkce = true; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup."forgejo.admins" = [ "admin" ]; + }; + grafana = { + displayName = "Grafana"; + originUrl = "https://${grafanaDomain}/login/generic_oauth"; + originLanding = "https://${grafanaDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-grafana.path; + preferShortUsername = true; + scopeMaps."grafana.access" = [ + "openid" + "email" + "profile" + ]; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "grafana.editors" = [ "editor" ]; + "grafana.admins" = [ "admin" ]; + "grafana.server-admins" = [ "server_admin" ]; }; }; - grafana = { - displayName = "Grafana"; - originUrl = "https://${grafanaDomain}/login/generic_oauth"; - originLanding = "https://${grafanaDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-grafana.path; - preferShortUsername = true; - scopeMaps."grafana.access" = [ + }; + nextcloud = { + displayName = "Nextcloud"; + originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm"; + originLanding = "https://${nextcloudDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-nextcloud.path; + allowInsecureClientDisablePkce = true; + scopeMaps."nextcloud.access" = [ + "openid" + "email" + "profile" + ]; + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "nextcloud.admins" = [ "admin" ]; + }; + }; + }; + oauth2-proxy = { + displayName = "Oauth2-Proxy"; + originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; + originLanding = "https://${oauth2ProxyDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; + scopeMaps = { + "freshrss.access" = [ "openid" "email" "profile" ]; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "grafana.editors" = [ "editor" ]; - "grafana.admins" = [ "admin" ]; - "grafana.server-admins" = [ "server_admin" ]; - }; - }; - }; - nextcloud = { - displayName = "Nextcloud"; - 
originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm"; - originLanding = "https://${nextcloudDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-nextcloud.path; - allowInsecureClientDisablePkce = true; - scopeMaps."nextcloud.access" = [ + "navidrome.access" = [ + "openid" + "email" + "profile" + ]; + "firefly.access" = [ + "openid" + "email" + "profile" + ]; + "radicale.access" = [ + "openid" + "email" + "profile" + ]; + "slink.access" = [ "openid" "email" "profile" ]; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "nextcloud.admins" = [ "admin" ]; - }; - }; }; - oauth2-proxy = { - displayName = "Oauth2-Proxy"; - originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; - originLanding = "https://${oauth2ProxyDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; - scopeMaps = { - "freshrss.access" = [ - "openid" - "email" - "profile" - ]; - "navidrome.access" = [ - "openid" - "email" - "profile" - ]; - "firefly.access" = [ - "openid" - "email" - "profile" - ]; - "radicale.access" = [ - "openid" - "email" - "profile" - ]; - "slink.access" = [ - "openid" - "email" - "profile" - ]; - }; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "freshrss.access" = [ "ttrss_access" ]; - "navidrome.access" = [ "navidrome_access" ]; - "firefly.access" = [ "firefly_access" ]; - "radicale.access" = [ "radicale_access" ]; - "slink.access" = [ "slink_access" ]; - }; + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "freshrss.access" = [ "ttrss_access" ]; + "navidrome.access" = [ "navidrome_access" ]; + "firefly.access" = [ "firefly_access" ]; + "radicale.access" = [ "radicale_access" ]; + "slink.access" = [ "slink_access" ]; }; }; }; @@ -9019,37 +9067,38 @@ To get other URLs (token, etc.), use https:///oauth2/openid/ - + SwarselSystems: NixOS + Emacs Configurationo @@ -209,8 +209,8 @@
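Review bot: The activation script chowns the generated key to ${serviceUser} but creates its parent with `${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}`, which during activation runs as root without `-o`/`-g`, so a process running only as the kanidm user cannot traverse that directory to open `tls_key`; unless the NixOS kanidm unit reads the key with more privilege than that user, the server will fail to start after the switch away from the sops-managed paths — confirm on the host before relying on it. The key is written by `openssl req ... -keyout "${keyPath}"` under the activation's default umask and only tightened by the later `chmod 0600`, leaving a short window at wider permissions; adding `umask 077` directly after `set -eu` closes it, and the explicit `install -m`/`chmod` modes still apply. Renewal happens only inside this script and nothing restarts kanidm when a fresh pair replaces the files, so a running server keeps serving the old certificate until its next restart. With `tls_chain`/`tls_key` now pointing at certPath/keyPath, the `kanidm-self-signed-crt`/`kanidm-self-signed-key` sops secrets declared earlier in this hunk are dead configuration that is still provisioned; either drop them or leave a comment explaining why they stay. The same change is tangled into modules/nixos/server/kanidm.nix in this commit, and the same points apply to that hunk.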
  • 1.4. Hosts
  • 1.5. Programs
  • 1.6. Services
  • -
  • 1.7. Manual steps when setting up a new machine
  • -
  • 1.8. Current issues
  • +
  • 1.7. Manual steps when setting up a new machine
  • +
  • 1.8. Current issues
  • 2. flake.nix @@ -271,7 +271,7 @@
  • 3.1.2.4. machpizza (MacBook Pro)
  • 3.1.2.5. Magicant (Phone)
  • -
  • 3.1.2.6. Treehouse (DGX Spark)
  • +
  • 3.1.2.6. Treehouse (DGX Spark)
  • 3.1.3. Virtual hosts @@ -445,15 +445,15 @@
  • 3.2.5.8. Hibernation
  • 3.2.5.9. BTRFS
  • 3.2.5.10. work
  • -
  • 3.2.5.11. microvm-host
  • -
  • 3.2.5.12. microvm-guest
  • +
  • 3.2.5.11. microvm-host
  • +
  • 3.2.5.12. microvm-guest
  • 3.3. Home-manager
  • 3.3.3. Server @@ -587,8 +587,8 @@
  • 3.5.31. swarsel-build
  • 3.5.32. swarsel-instantiate
  • 3.5.33. sshrm
  • -
  • 3.5.34. endme
  • -
  • 3.5.35. git-replace
  • +
  • 3.5.34. endme
  • +
  • 3.5.35. git-replace
  • 3.6. Profiles @@ -597,7 +597,7 @@
    • 3.6.1.1. Personal
    • 3.6.1.2. Minimal
    • -
    • 3.6.1.3. Optionals
    • +
    • 3.6.1.3. Optionals
    • 3.6.1.4. Chaostheatre
    • 3.6.1.5. Work
    • 3.6.1.6. Uni
    • @@ -608,7 +608,7 @@
    • 3.6.2. home-manager @@ -1219,8 +1219,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held -
      -

      1.7. Manual steps when setting up a new machine

      +
      +

      1.7. Manual steps when setting up a new machine

      These steps are required when setting up a normal NixOS host:
      @@ -1263,8 +1263,8 @@ If the new machine is home-manager only, perform these steps:
       
      -
      -

      1.8. Current issues

      +
      +

      1.8. Current issues

      Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
      @@ -3779,8 +3779,8 @@ My phone. I use only a minimal config for remote debugging here.
       
      -
      -
      3.1.2.6. Treehouse (DGX Spark)
      +
      +
      3.1.2.6. Treehouse (DGX Spark)
      { self, outputs, ... }:
      @@ -7937,14 +7937,14 @@ in
             extraGroups = [ "video" "render" "users" ];
           };
           nixpkgs.config.packageOverrides = pkgs: {
      -      vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      +      intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
           };
           hardware.graphics = {
             enable = true;
             extraPackages = with pkgs; [
               intel-media-driver # LIBVA_DRIVER_NAME=iHD
      -        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
      -        vaapiVdpau
      +        intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
      +        libva-vdpau-driver
               libvdpau-va-gl
             ];
           };
      @@ -8785,7 +8785,7 @@ in
       
           services.${serviceName} = {
             enable = true;
      -      package = pkgs.stable.immich;
      +      package = pkgs.immich;
             host = "0.0.0.0";
             port = servicePort;
             openFirewall = true;
      @@ -10157,6 +10157,12 @@ let
         forgejoDomain = globals.services.forgejo.domain;
         grafanaDomain = globals.services.grafana.domain;
         nextcloudDomain = globals.services.nextcloud.domain;
      +
      +  certBase = "/etc/ssl";
      +  certsDir = "${certBase}/certs";
      +  privateDir = "${certBase}/private";
      +  certPath = "${certsDir}/${serviceName}.crt";
      +  keyPath = "${privateDir}/${serviceName}.key";
       in
       {
         options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
      @@ -10189,6 +10195,47 @@ in
       
           globals.services.${serviceName}.domain = serviceDomain;
       
      +    system.activationScripts."generateSSLCert-${serviceName}" =
      +      let
      +        daysValid = 3650;
      +        renewBeforeDays = 365;
      +      in
      +      {
      +        text = ''
      +          set -eu
      +
      +          ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
      +          ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
      +
      +          need_gen=0
      +          if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
      +            need_gen=1
      +          else
      +            enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
      +            end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
      +            now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
      +            seconds_left=$(( end_epoch - now_epoch ))
      +            days_left=$(( seconds_left / 86400 ))
      +            if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
      +              need_gen=1
      +            fi
      +          fi
      +
      +          if [ "$need_gen" -eq 1 ]; then
      +            ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
      +              -keyout "${keyPath}" \
      +              -out "${certPath}" \
      +              -subj "/CN=${serviceDomain}" \
      +              -addext "subjectAltName=DNS:${serviceDomain}"
      +
      +            chmod 0644 "${certPath}"
      +            chmod 0600 "${keyPath}"
      +            chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
      +          fi
      +        '';
      +        deps = [ "etc" ];
      +      };
      +
           services = {
             ${serviceName} = {
               package = pkgs.kanidmWithSecretProvisioning_1_7;
      @@ -10196,8 +10243,10 @@ in
               serverSettings = {
                 domain = serviceDomain;
                 origin = "https://${serviceDomain}";
      -          tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
      -          tls_key = config.sops.secrets.kanidm-self-signed-key.path;
      +          # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
      +          tls_chain = certPath;
      +          # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
      +          tls_key = keyPath;
                 bindaddress = "0.0.0.0:${toString servicePort}";
                 trust_x_forward_for = true;
               };
      @@ -12251,8 +12300,8 @@ in
       
      -
      -
      3.2.5.11. microvm-host
      +
      +
      3.2.5.11. microvm-host

      Some standard options that should be set for every microvm host. @@ -12278,8 +12327,8 @@ Some standard options that should be set for every microvm host.

      -
      -
      3.2.5.12. microvm-guest
      +
      +
      3.2.5.12. microvm-guest

      Some standard options that should be set vor every microvm guest. We set the default @@ -12376,8 +12425,8 @@ in

      -
      -

      3.3.1. Steps to setup/upgrade home-manager only

      +
      +

      3.3.1. Steps to setup/upgrade home-manager only

      Steps to get a home-manager only setup up and running: @@ -13405,8 +13454,8 @@ nix-index provides a way to find out which packages are provided by which deriva

      -
      -
      3.3.2.15. nix-your-shell
      +
      +
      3.3.2.15. nix-your-shell
      { lib, config, ... }:
      @@ -15131,8 +15180,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
       
      -
      -
      3.3.2.31.6. blueman-applet
      +
      +
      3.3.2.31.6. blueman-applet
      { lib, config, ... }:
      @@ -15146,8 +15195,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
       
      -
      -
      3.3.2.31.7. network-manager-applet
      +
      +
      3.3.2.31.7. network-manager-applet
      { lib, config, ... }:
      @@ -15162,8 +15211,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
       
      -
      -
      3.3.2.31.8. obsidian service for tray
      +
      +
      3.3.2.31.8. obsidian service for tray
      { lib, config, ... }:
      @@ -15197,8 +15246,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
       
      -
      -
      3.3.2.31.9. anki service for tray
      +
      +
      3.3.2.31.9. anki service for tray

      Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented ExecStart does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module. @@ -15245,8 +15294,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process

      -
      -
      3.3.2.31.10. element service for tray
      +
      +
      3.3.2.31.10. element service for tray
      { lib, config, pkgs, ... }:
      @@ -15280,8 +15329,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
       
      -
      -
      3.3.2.31.11. vesktop service for tray
      +
      +
      3.3.2.31.11. vesktop service for tray
      { lib, config, pkgs, ... }:
      @@ -16212,8 +16261,8 @@ in
       
      -
      -
      3.3.2.38. Obsidian
      +
      +
      3.3.2.38. Obsidian
      { lib, config, pkgs, nixosConfig ? config, ... }:
      @@ -16373,8 +16422,8 @@ in
       
      -
      -
      3.3.2.39. Anki
      +
      +
      3.3.2.39. Anki
      { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
      @@ -16447,8 +16496,8 @@ in
       
      -
      -
      3.3.2.40. Element-desktop
      +
      +
      3.3.2.40. Element-desktop
      { lib, config, ... }:
      @@ -16484,8 +16533,8 @@ in
       
      -
      -
      3.3.2.41. Hexchat
      +
      +
      3.3.2.41. Hexchat
      { lib, config, nixosConfig ? config, ... }:
      @@ -16509,8 +16558,8 @@ in
       
      -
      -
      3.3.2.42. obs-studio
      +
      +
      3.3.2.42. obs-studio
      { lib, config, ... }:
      @@ -16530,8 +16579,8 @@ in
       
      -
      -
      3.3.2.43. spotify-player
      +
      +
      3.3.2.43. spotify-player
      { lib, config, ... }:
      @@ -16551,8 +16600,8 @@ in
       
      -
      -
      3.3.2.44. vesktop
      +
      +
      3.3.2.44. vesktop
      { lib, pkgs, config, ... }:
      @@ -16639,8 +16688,8 @@ in
       
      -
      -
      3.3.2.45. batsignal
      +
      +
      3.3.2.45. batsignal
      { lib, config, ... }:
      @@ -16672,8 +16721,8 @@ in
       
      -
      -
      3.3.2.46. autotiling
      +
      +
      3.3.2.46. autotiling
      { lib, config, ... }:
      @@ -16694,8 +16743,8 @@ in
       
      -
      -
      3.3.2.47. swayidle
      +
      +
      3.3.2.47. swayidle
      { lib, config, pkgs, ... }:
      @@ -16736,8 +16785,8 @@ in
       
      -
      -
      3.3.2.48. swaylock
      +
      +
      3.3.2.48. swaylock
      { lib, config, pkgs, ... }:
      @@ -19959,8 +20008,8 @@ writeShellApplication {
       
      -
      -

      3.5.34. endme

      +
      +

      3.5.34. endme

      Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session. @@ -19981,8 +20030,8 @@ writeShellApplication {

      -
      -

      3.5.35. git-replace

      +
      +

      3.5.35. git-replace

      This script allows for quick git replace of a string. @@ -20198,8 +20247,8 @@ in

      -
      -
      3.6.1.3. Optionals
      +
      +
      3.6.1.3. Optionals
      { lib, config, ... }:
      @@ -20495,8 +20544,8 @@ in
       
      -
      -
      3.6.2.2. DGX Spark
      +
      +
      3.6.2.2. DGX Spark
      { lib, config, ... }:
      @@ -24206,8 +24255,8 @@ This adds the simple utility of sending desktop notifications whenever a new mai
       
      -
      -
      4.4.39.3. Work: Signing Mails (S/MIME, smime)
      +
      +
      4.4.39.3. Work: Signing Mails (S/MIME, smime)

      Used to automatically sign messages sent from my work email address using S/MIME certificate. @@ -24491,8 +24540,8 @@ Also see `prot-window-delete-popup-frame'." command) This sections is no longer used really. An introduction can be found in Structure of this file under the historical note. The little noweb-ref blocks that I still use are found in Hosts and Services.

      -
      -

      5.1. General steps when setting up a new machine

      +
      +

      5.1. General steps when setting up a new machine

      These general steps are needed when setting up a new machine and do not fit into another block well: @@ -24505,8 +24554,8 @@ These general steps are needed when setting up a new machine and do not fit into

      -
      -

      5.2. Current patches and fixes

      +
      +

      5.2. Current patches and fixes

      These are current deviations from the standard settings that I take while some things are broken upstream @@ -27466,7 +27515,7 @@ similarly, there exists an version that starts from the right.

      Author: Leon Schwarzäugl

      -

      Created: 2025-11-02 So 12:29

      +

      Created: 2025-11-03 Mo 17:12

      Validate

diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix
index 934ad29..e3bc4a0 100644
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@@ -19,7 +19,7 @@ in

 services.${serviceName} = {
 enable = true;
- package = pkgs.stable.immich;
+ package = pkgs.immich;
 host = "0.0.0.0";
 port = servicePort;
 openFirewall = true;
diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix
index 1b80a0e..420bbb6 100644
--- a/modules/nixos/server/jellyfin.nix
+++ b/modules/nixos/server/jellyfin.nix
@@ -13,14 +13,14 @@ in
 extraGroups = [ "video" "render" "users" ];
 };
 nixpkgs.config.packageOverrides = pkgs: {
- vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
 };
 hardware.graphics = {
 enable = true;
 extraPackages = with pkgs; [
 intel-media-driver # LIBVA_DRIVER_NAME=iHD
- vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
- vaapiVdpau
+ intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ libva-vdpau-driver
 libvdpau-va-gl
 ];
 };
diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix
index 701aa28..61495b6 100644
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@@ -16,6 +16,12 @@ let
 forgejoDomain = globals.services.forgejo.domain;
 grafanaDomain = globals.services.grafana.domain;
 nextcloudDomain = globals.services.nextcloud.domain;
+
+ certBase = "/etc/ssl";
+ certsDir = "${certBase}/certs";
+ privateDir = "${certBase}/private";
+ certPath = "${certsDir}/${serviceName}.crt";
+ keyPath = "${privateDir}/${serviceName}.key";
 in
 {
 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -48,6 +54,47 @@ in

 globals.services.${serviceName}.domain = serviceDomain;
 
+ system.activationScripts."generateSSLCert-${serviceName}" =
+ let
+ daysValid = 3650;
+ renewBeforeDays = 365;
+ in
+ {
+ text = ''
+ set -eu
+
+ ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
+ ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
+
+ need_gen=0
+ if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
+ need_gen=1
+ else
+ enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
+ end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
+ now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
+ seconds_left=$(( end_epoch - now_epoch ))
+ days_left=$(( seconds_left / 86400 ))
+ if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
+ need_gen=1
+ fi
+ fi
+
+ if [ "$need_gen" -eq 1 ]; then
+ ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
+ -keyout "${keyPath}" \
+ -out "${certPath}" \
+ -subj "/CN=${serviceDomain}" \
+ -addext "subjectAltName=DNS:${serviceDomain}"
+
+ chmod 0644 "${certPath}"
+ chmod 0600 "${keyPath}"
+ chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
+ fi
+ '';
+ deps = [ "etc" ];
+ };
+
 services = {
 ${serviceName} = {
 package = pkgs.kanidmWithSecretProvisioning_1_7;
@@ -55,8 +102,10 @@ in
 serverSettings = {
 domain = serviceDomain;
 origin = "https://${serviceDomain}";
- tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
- tls_key = config.sops.secrets.kanidm-self-signed-key.path;
+ # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+ tls_chain = certPath;
+ # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
+ tls_key = keyPath;
 bindaddress = "0.0.0.0:${toString servicePort}";
 trust_x_forward_for = true;
 };
diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml
index f2d0e18..f11e9d5 100644
--- a/secrets/general/secrets.yaml
+++ b/secrets/general/secrets.yaml
@@ -20,7 +20,8 @@ u2f-keys: ENC[AES256_GCM,data:4UPXyOYEQR1oybxPLR3JW8ro5gTzq0YQse1lnAP020Nm4JG4El
 #ENC[AES256_GCM,data:NoqAfw==,iv:myxrEPllN9zwXn5iCxL89qX7wSN8C0foFdxvvitq7b0=,tag:Yud5HDjWvEMrw1lMp21hMg==,type:comment]
 croc-password: ENC[AES256_GCM,data:uz7vI2rrPi1uTKEks4IPnWOt/R6ydlp/cQ==,iv:ZE01XcS6nF1sqz04rC1o20l+1DpNSRVjhC40ZmTVCww=,tag:REjnDQBcDkUzLg2ZsiDUvA==,type:str]
 #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment]
-github-api-token: ENC[AES256_GCM,data:9AhHkmv4JUjmir77INYflGvjNWW/E17FmfoXs5IUnAlL7B/l8s7UlVob0Az4lOUnm3+R0RWJz0HKMvOdZVZjd3RakdoWqvBHFqOVNF1MNthg2izIiaERsnDXcxj54qJfpD505xFSBWmnTKWVwRZlW5WEsFPuvaVy,iv:wzXT+qsn4VG+R8tGU33EWoaMKs4c/BB5W7f2JvuX2eY=,tag:EEhbktsmWHBwh0iBtfaXlA==,type:str]
+#ENC[AES256_GCM,data:G6Xk3eWNCSbuxzy91Yx/5ZGR2OgJHhJMnRWXwxJ96DW5K+igQjIimNBW90cXqs5iztjC3q4F/YUK2IStnqCgZQi1Gye2g8uHj+1Xa0bt5LKNdjWwwfcONxcKTq37R55sgMbIwdPqi2CBZAw/fdsXfKeDNz3V+7fKzkzX8EckUGj2v27TJoR0/fHjLA==,iv:la0FjH6m9ersNIEqcXmp2kpioL2kubzU2up9wJujDTQ=,tag:GvFW4wzi4PD9HdryfNQrwQ==,type:comment]
+github-api-token: ENC[AES256_GCM,data:jUruDrTBfuqYuNXOxEtFsFkeXW6UqPvFiVNIXHVeTBaDkELSmJnz3u80rdfuVhxmRlFg8/ApiiBCB5X5sd+6Zh0JgH7mbaxVe+lta1m1wiCm1fWRBkDOuEoHt7p4pVbec/LUJOyvhWzcTcWTtW1GT96DFxKHBt8v,iv:WAWIck/gqZD6Oq/2LxS7YCD1F1FfCq+ZK1ls6sPdJQk=,tag:VTfKIICDvAsVN+7Fx4o1XA==,type:str]
 #ENC[AES256_GCM,data:vQF1i7rtfz/MBElKIN9j8N0=,iv:jf2SZpulx85yx2sHcnA3iwkiXJcHq4x1fdBUcSRuiK0=,tag:WpUNpH6/8jDvQA8zRGrdKg==,type:comment]
 emacs-radicale-pw: ENC[AES256_GCM,data:BIORG0geX8s1WOA=,iv:SeoVn8xHlqQGxZzHrm5I5LITMoutRnz3OygswDc96ew=,tag:C3S4a8IEvCjHgAyRrCaaRw==,type:str]
 #ENC[AES256_GCM,data:qsBNKxd3Ng==,iv:1fNMDJt7vgKFSdghYBZsuDoZ1sWvzj1Zu8NmkjX6Zh8=,tag:0D7EsgN8B1z7/y4iZS/PtQ==,type:comment]
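Review bot: The `github-api-token` ciphertext changes here, which with sops normally means the plaintext itself was edited; if this is a token rotation, make sure the previous token is revoked upstream, because the old ciphertext stays in git history and remains decryptable by every age/PGP recipient of this file. Nothing in the diff itself needs changing.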
@@ -93,8 +94,8 @@ sops: SjV6L3crUkdLWTlsNFgyRHBla2FFam8KILYsNbLdCirfoC/Vex8yEYpS2G4O0EQP wa1xzPk3Ue0/g67dv5UZFhUn0ZB2XGFC3kEPWpptTj0VL+9Z/r0zKA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-08T23:35:53Z" - mac: ENC[AES256_GCM,data:TxbNh/NiACHx3IwOi2esAfPf/jHV9yO86PRGarL3QQDTVB+nh5in+lx06oFh3bO5aJwpG6MWH9ZpPbX+3buyr2BTNrb6vc2YctSzaQU+ap5rvHf4AoKT3rC9rjHaR0WqJIPGV7HYcnFcoznULMrHqMTKMeEhUMqNl7xxAwxfIyk=,iv:9HAgoJN4xgxevM92K9j/5I2UYyIydOe9O+Cy3oL6/mo=,tag:1sRN7mrsRkAfp0LuZ6knBg==,type:str] + lastmodified: "2025-11-03T15:12:52Z" + mac: ENC[AES256_GCM,data:86AWnB2q5xv/JIyomkJOkZh4r2tj18rmNb02JINokmBv4/eRmej/sQIBeSbCj9cJhtKewECwVk8QKtwTu2sWB/hPjtxb8qnWD7MhNs7qmHOYAeYlAON4w7abcLxt0VFMKa7gd0c28qTHOkaWsLy6gDaIB/5x468FIYqsbfIiL9U=,iv:BDiKNHKTHPazwoM6bVoCf2kb/eNrJS9zy4yj3+PFdlY=,tag:6ZFtZZHvzdWp2EhOV3S7xQ==,type:str] pgp: - created_at: "2025-07-10T23:51:26Z" enc: |-
