diff --git a/base.nix b/base.nix
index 320d659..887ecd7 100644
--- a/base.nix
+++ b/base.nix
@@ -54,7 +54,13 @@
   nixpkgs.config.allowUnfreePredicate = pkg: true;
   nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
 
+  # apply microcode to fix functional and security issues
   hardware.enableRedistributableFirmware = true;
+  hardware.cpu.amd.updateMicrocode = pkgs.stdenv.isx86_64;
+  hardware.cpu.intel.updateMicrocode = pkgs.stdenv.isx86_64;
+
+  # enable kernel same-page merging for improved vm test performance
+  hardware.ksm.enable = true;
 
   boot.initrd.systemd.enable = true; # systemd manages initfs boot, systemd-analyse can see what happened
   # https://discourse.nixos.org/t/what-to-do-with-a-full-boot-partition/2049
@@ -67,6 +73,7 @@
   #networking.nftables.enable = true; # wirewall backend, instead of iptables, breaks docker which uses iptables
   #networking.firewall.allowPing = false;
   #networking.networkmanager.wifi.backend = "iwd"; # default is wpa_supplicant, iwd doesn't support eduroam
+  networking.firewall.logRefusedConnections = false; # too spammy, rotates dmesg too quickly
 
   #system.switch.enable = false;
   #system.switch.enableNg = true; # rewritten in rust
@@ -85,8 +92,8 @@
     /* "pipe-operator" # not supported on lix 2.91 */
   ];
   #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
-  nix.settings.allowed-users = [ "root" "pbsds" "@wheel" ]; # default is [ "*" ]
-  nix.settings.trusted-users = [ "root" "pbsds" "@wheel" ];
+  nix.settings.allowed-users = [ "root" "@wheel" ]; # default is [ "*" ]
+  nix.settings.trusted-users = [ "root" "@wheel" ];
   nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff
   nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
   nix.settings.max-silent-time = 3600;
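Review bot: `hardware.ksm.enable = true;` switches on kernel same-page merging for the whole machine, and page deduplication across otherwise isolated workloads (VMs, containers, browser sandboxes) is a documented timing side channel that can leak information about page contents across those boundaries. The comment records only the performance motivation, and because base.nix is imported by every host the setting reaches machines that never run the VM tests. Consider moving it to the hosts that need it, or at least record the trade-off next to it: `# NOTE: ksm deduplicates pages across VMs/processes and is a known side-channel surface; only wanted on test hosts`. The enclosing attribute set starts and ends outside the hunk.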
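Review bot: `networking.firewall.logRefusedConnections = false;` removes the host-level record of refused inbound connections, so probes and scans against these machines no longer leave a trace in the journal; fail2ban, as far as profiles/sshd.nix shows, appears to watch only sshd authentication failures and does not compensate. The dmesg-rotation reason is legitimate, but the lost detection signal should be stated so the line is not read as purely cosmetic: `# too spammy, rotates dmesg too quickly; NB: refused inbound connections are no longer logged anywhere on the host`. If noise is the concern, keeping the default on the externally reachable hosts and disabling it per-host rather than in the shared base.nix would keep the signal where it matters.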
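Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ];` keeps the entire wheel group as trusted users of the Nix daemon, and trusted-users is root-equivalent: a trusted user can hand the daemon arbitrary substituters and trusted public keys or import unsigned store paths. Dropping the explicit `pbsds` entry only narrows the grant if that account is outside wheel; otherwise the effective privilege is unchanged and the line deserves a comment recording that this is a deliberate root-equivalent grant, e.g. `# trusted-users is root-equivalent; acceptable only because wheel already has sudo`. The `allowed-users` change on the line above is a genuine restriction and needs no further note.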
@@ -99,6 +106,8 @@
   nix.settings.min-free = 3 * 1024 * 1024 * 1024; # starts cg
   nix.settings.max-free = 20 * 1024 * 1024 * 1024; # condition to end gc triggered by min-free
 
+  security.sudo.execWheelOnly = true;
+
   services.thermald.enable = lib.all (x: x) [
     (config.nixpkgs.system == "x86_64-linux")
     (!config.boot.isContainer or false)
diff --git a/hosts/nixos/bjarte/configuration.nix b/hosts/nixos/bjarte/configuration.nix
index 84e35f3..4405fcb 100644
--- a/hosts/nixos/bjarte/configuration.nix
+++ b/hosts/nixos/bjarte/configuration.nix
@@ -52,6 +52,10 @@
     ../../../profiles/known-hosts.nix
   ];
 
+  environment.systemPackages = with pkgs; [
+    krita
+  ];
+
   time.timeZone = null; # allows imperative configuring
 
   networking.firewall.allowedTCPPorts = [ 57621 ]; # spotify local discovery
diff --git a/hosts/nixos/bolle/configuration.nix b/hosts/nixos/bolle/configuration.nix
index 64ad810..e7d3621 100644
--- a/hosts/nixos/bolle/configuration.nix
+++ b/hosts/nixos/bolle/configuration.nix
@@ -29,6 +29,9 @@
   # Networking
   networking.networkmanager.enable = true;
 
+  # use memory more efficiently at the cost of some compute
+  zramSwap.enable = true;
+
   # TODO: remove? Move?
   programs.dconf.enable = true;
 }
diff --git a/hosts/nixos/garp/configuration.nix b/hosts/nixos/garp/configuration.nix
index bf7c387..ad0f678 100644
--- a/hosts/nixos/garp/configuration.nix
+++ b/hosts/nixos/garp/configuration.nix
@@ -43,6 +43,9 @@
   # Networking
   networking.networkmanager.enable = true;
 
+  # use memory more efficiently at the cost of some compute
+  zramSwap.enable = true;
+
   # TODO: remove? Move?
   programs.dconf.enable = true;
 }
diff --git a/hosts/nixos/sopp/configuration.nix b/hosts/nixos/sopp/configuration.nix
index 9a62d9f..a61ed63 100644
--- a/hosts/nixos/sopp/configuration.nix
+++ b/hosts/nixos/sopp/configuration.nix
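Review bot: `security.sudo.execWheelOnly = true;` is the only new setting in this hunk without a trailing rationale, while the neighbouring base.nix lines each explain themselves. The option restricts the sudo binary's permissions so that accounts outside wheel cannot execute it at all, which is a sound hardening step but will surface as "permission denied" for any other account; suggest `# sudo binary executable by wheel only; other accounts cannot invoke it at all`. The thermald condition below is unchanged context, and the enclosing attribute set starts and ends outside the hunk.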
@@ -68,6 +68,10 @@
     #../../../profiles/domeneshop-dyndns.nix # handled by noximilien
   ];
 
+  environment.systemPackages = with pkgs; [
+    krita
+  ];
+
   networking.firewall.allowedTCPPorts = [ 57621 ]; # spotify local discovery
 
   hardware.bluetooth.enable = true;
diff --git a/profiles/sshd.nix b/profiles/sshd.nix
index f20c791..a7be93b 100644
--- a/profiles/sshd.nix
+++ b/profiles/sshd.nix
@@ -2,5 +2,6 @@
   services.openssh.enable = true;
   services.openssh.settings.X11Forwarding = true;
   services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.KbdInteractiveAuthentication = false;
   services.fail2ban.enable = true;
 }
diff --git a/users/pbsds/home/profiles/desktop/default.nix b/users/pbsds/home/profiles/desktop/default.nix
index ac930c9..3fa7cd7 100644
--- a/users/pbsds/home/profiles/desktop/default.nix
+++ b/users/pbsds/home/profiles/desktop/default.nix
@@ -29,7 +29,7 @@
 
     discord
     element-desktop
-    signal-desktop
+    unstable.signal-desktop
     #element-desktop-wayland
     #nheko
     #fluffychat
@@ -47,6 +47,8 @@
 
     (pkgs.zxtune or unstable.zxtune or null)
 
+    vlc
+    f3d
     firefox
     zotero
 
diff --git a/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix b/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix
index 8a89ac7..6c0e15e 100644
--- a/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix
+++ b/users/pbsds/home/profiles/desktop/gnome/dconf-gnome-theme.nix
@@ -61,6 +61,8 @@ with lib.hm.gvariant;
 
     "org/gnome/desktop/privacy" = {
       disable-microphone = false;
+      old-files-age = mkUint32 30;
+      recent-files-max-age = -1;
     };
   };
 
diff --git a/users/pbsds/home/profiles/desktop/mime.nix b/users/pbsds/home/profiles/desktop/mime.nix
index 9291e6f..9060b9f 100644
--- a/users/pbsds/home/profiles/desktop/mime.nix
+++ b/users/pbsds/home/profiles/desktop/mime.nix
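Review bot: `services.openssh.settings.KbdInteractiveAuthentication = false;` together with the existing `PasswordAuthentication = false` effectively leaves public-key authentication as the only accepted method, and that consequence is stated nowhere in profiles/sshd.nix. A comment keeps the next maintainer from re-enabling one of the two to "fix" a failed login: `# with PasswordAuthentication also off, publickey is the only remaining method; keyboard-interactive would otherwise let PAM password prompts through`. The file's attribute set begins and ends outside the hunk.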
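Review bot: `recent-files-max-age = -1;` is a magic value whose meaning is not visible in the hunk; in this GNOME privacy schema -1 keeps the recently-used file history indefinitely, which is the opposite of what a reader would expect under a key named "privacy" and of the purge behaviour of the `old-files-age` line above it. Suggest `# -1 = never expire the recently-used files list` and `# days before trash and temporary files are purged` so the retention choice is explicit. The enclosing dconf attribute set starts outside the hunk.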
@@ -101,9 +101,8 @@ let
 
   # Applications
   app-map = {
-    /* image = ["org.gnome.eog.desktop"]; */
-    image = ["org.gnome.Loupe.desktop"];
-    audio = ["mpv.desktop"];
+    image = ["org.gnome.Loupe.desktop" "org.gnome.eog.desktop"];
+    audio = ["mpv.desktop" "vlc.desktop" "ZXTune.desktop"];
     video = ["mpv.desktop"];
     fonts = ["org.gnome.font-viewer.desktop"];
     docs = ["org.gnome.Papers.desktop" "org.gnome.Evince.desktop"];
diff --git a/users/pbsds/home/profiles/gtk.nix b/users/pbsds/home/profiles/gtk.nix
index d0f78c8..1d0e2af 100644
--- a/users/pbsds/home/profiles/gtk.nix
+++ b/users/pbsds/home/profiles/gtk.nix
@@ -7,4 +7,8 @@
   gtk.theme.package = pkgs.colloid-gtk-theme;
   gtk.iconTheme.name = "Flat-Remix-Blue-Dark";
   gtk.iconTheme.package = pkgs.flat-remix-icon-theme;
+
+  # the themes are stored here, the files gets replaced by gnome-tweaks
+  xdg.configFile."gtk-3.0/settings.ini".force = true;
+  xdg.configFile."gtk-4.0/settings.ini".force = true;
 }