diff --git a/hosts/elisabeth/fs.nix b/hosts/elisabeth/fs.nix
index 32f386e..24ea2e7 100644
--- a/hosts/elisabeth/fs.nix
+++ b/hosts/elisabeth/fs.nix
@@ -87,10 +87,11 @@
           type = "snap";
           name = "mach-schnipp-schusss";
           filesystems = {
-            "panzer/safe<" = true;
+            "panzer<" = true;
             "rpool/local/state<" = true;
+            "rpool/local/guests<" = true;
             "rpool/safe<" = true;
-            "renaultft/safe<" = true;
+            "renaultft<" = true;
           };
           snapshotting = {
             type = "periodic";
diff --git a/modules/services/immich.nix b/modules/services/immich.nix
index e20d2fd..8b0001f 100644
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -6,7 +6,7 @@
   config,
   ...
 }: let
-  version = "v1.93.3";
+  version = "v1.98.2";
   immichDomain = "immich.${config.secrets.secrets.global.domains.web}";
 
   ipImmichMachineLearning = "10.89.0.10";
@@ -299,7 +299,7 @@ in {
     };
 
   virtualisation.oci-containers.containers."immich_postgres" = {
-    image = "tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee";
+    image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
     environment = {
       POSTGRES_DB = environment.DB_DATABASE_NAME;
       POSTGRES_PASSWORD_FILE = environment.DB_PASSWORD_FILE;
@@ -318,7 +318,7 @@ in {
   };
   systemd.services."podman-immich_postgres" = serviceConfig;
   virtualisation.oci-containers.containers."immich_redis" = {
-    image = "redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc";
+    image = "redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5";
     log-driver = "journald";
     extraOptions = [
       "--network-alias=immich_redis"
diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix
index 439ee24..b6ee6a8 100644
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@@ -73,6 +73,7 @@ in {
         basicSecretFile = config.age.secrets.oauth2-nextcloud.path;
         allowInsecureClientDisablePkce = true;
         scopeMaps."nextcloud.access" = ["openid" "email" "profile"];
+        preferShortUsername = true;
       };
 
       groups."immich.access" = {
@@ -88,6 +89,7 @@ in {
         basicSecretFile = config.age.secrets.oauth2-immich.path;
         allowInsecureClientDisablePkce = true;
         scopeMaps."immich.access" = ["openid" "email" "profile"];
+        preferShortUsername = true;
       };
 
       groups."forgejo.access" = {