diff --git a/config/services/homeassistant.nix b/config/services/homeassistant.nix
index aa000bf..66a994e 100644
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@@ -2,7 +2,6 @@
 config,
 nodes,
 lib,
- pkgs,
 ...
 }:
 {
@@ -83,15 +82,15 @@
 owner = "hass";
 };
 systemd.services.home-assistant = {
+ # Update influxdb token
+ # We don't use -i because it would require chown with is a @privileged syscall
+ # INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
+ # ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)'
 preStart = lib.mkBefore ''
 if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
 rm ${config.services.home-assistant.configDir}/secrets.yaml
 fi
- # Update influxdb token
- # We don't use -i because it would require chown with is a @privileged syscall
- # INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
- # ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)'
 cat ${
 config.age.secrets."home-assistant-secrets.yaml".path
 } > ${config.services.home-assistant.configDir}/secrets.yaml
diff --git a/config/services/samba.nix b/config/services/samba.nix
index 36e8423..294d8ff 100644
--- a/config/services/samba.nix
+++ b/config/services/samba.nix
@@ -119,7 +119,8 @@ in
 # clients hardcode the host and share names.
 "disable netbios" = "yes";
 # Allow access to local network
- "hosts allow" = "10.99.10. localhost";
+ # Also allow printer access
+ "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4} localhost";
 "guest account" = "nobody";
 "map to guest" = "bad user";
@@ -176,8 +177,6 @@ in
 group = "printer";
 }
 {
- # Also allow printer access
- "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.home.cidrv4} localhost";
 }
 )
 (mkShare {
diff --git a/config/support/secureboot.nix b/config/support/secureboot.nix
index 612f5de..a8f367f 100644
--- a/config/support/secureboot.nix
+++ b/config/support/secureboot.nix
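Review bot: In the second hunk of config/services/homeassistant.nix, the relocated block now sits directly above `preStart` and still opens with `# Update influxdb token`, although nothing in the visible script handles an InfluxDB token, so it reads as documentation for a step that does not exist. If the snippet is kept for reference, mark it as disabled and fix the typo, e.g. `# Disabled: influxdb token injection via yq; -i is avoided because it needs chown, which is a @privileged syscall`. Separately, `secrets.yaml` is recreated by shell redirection and takes its mode from the unit's umask, which this hunk does not show; a `umask 077` line before the `cat` would make the intended mode explicit. The `preStart` script may continue past the end of the hunk.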
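Review bot: In the first hunk of config/services/samba.nix, the printer address is added to a `hosts allow` line that sits next to `"disable netbios"` and `"map to guest"`, which looks like the global section, while the line removed in the `@@ -176,8 +177,6 @@` hunk scoped it to the share with `group = "printer"`. Host admission for the printer therefore no longer distinguishes between shares, and with `"map to guest" = "bad user"` a failed login from that host becomes a guest session, so what it can reach rests on each share's user and guest settings, which are not visible here. I would record that in the comment, e.g. `# Printer host is admitted for all shares; per-share access is limited by valid users / guest settings`, and confirm that only the printer share accepts it. The address also moves from the `home` VLAN to `devices`; worth a word in the commit message if that was the actual fix.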
@@ -16,8 +16,8 @@ lib.optionalAttrs (!minimal) {
 text = ''
 rm -r /var/lib/sbctl || true
 mkdir -p /var/lib/sbctl
- chmod 700 /var/lib/sbctl
 ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
+ chmod 700 /var/lib/sbctl
 '';
 deps = [ "agenix" ];
 };
diff --git a/hosts/elisabeth/secrets/homeassistant/host.pub b/hosts/elisabeth/secrets/homeassistant/host.pub
new file mode 100644
index 0000000..69e2f81
--- /dev/null
+++ b/hosts/elisabeth/secrets/homeassistant/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs0YXOrMxHFly+lpB0NtZWuuz1JwRKU2ZCOe4Xhz1T5
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index c3387ad..d0358d8 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -29,6 +29,9 @@ in
 printer.ipv4Addresses = [
 (lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)
 ];
+ smb.ipv4Addresses = [
+ (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
+ ];
 adguard.ipv4Addresses = [
 (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
 ];
@@ -170,7 +173,7 @@ in
 "printer"
 ];
 to = [ "smb" ];
- allowedUDPPorts = [ 445 ];
+ allowedTCPPorts = [ 445 ];
 };
 ssh = {
 from = [
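Review bot: In the config/support/secureboot.nix hunk, moving `chmod 700` after the extraction means `/var/lib/sbctl` is created by `mkdir -p` with the default mode and the archive (presumably the secure boot keys, given the secret's name) is unpacked into it before the directory is restricted. Creating the directory restricted and keeping the new trailing chmod covers both orders: `mkdir -m 700 -p /var/lib/sbctl`. The `|| true` on the tar line also lets a failed extraction pass silently, and `chmod 700` is not recursive, so the modes of the extracted files come from the archive; a short comment stating that the archive is expected to carry tight modes would document that assumption.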