diff --git a/home-manager/nixvim/lsp.nix b/home-manager/nixvim/lsp.nix
index f86d994..6614310 100644
--- a/home-manager/nixvim/lsp.nix
+++ b/home-manager/nixvim/lsp.nix
@@ -23,7 +23,7 @@
 };
 };
 html.enable = true;
- dartls.enable = true;
+ dartls.enable = true; # handled by flutter-tools
 ts_ls.enable = true;
 pylsp.enable = true;
 lua_ls.enable = true;
diff --git a/modules/services/kavita.nix b/modules/services/kavita.nix
index 6cd15d5..3859f58 100644
--- a/modules/services/kavita.nix
+++ b/modules/services/kavita.nix
@@ -31,7 +31,7 @@ in {
 githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
 in lib.mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 5000 ];
+ # not needed with nginx networking.firewall.allowedTCPPorts = [ 5000 ];
 systemd.tmpfiles.rules = [
 (if githubRunnerEnabled then "d ${baseDir} 0750 kavita github-actions-runner -"
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 26fe396..1d84beb 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
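Review bot: In home-manager/nixvim/lsp.nix the new comment says dartls is handled by flutter-tools, yet `dartls.enable = true;` stays on, so the setting and its comment disagree. If flutter-tools starts the Dart language server itself, enabling it here as well will probably attach a second client to the same buffers. Consider `dartls.enable = false; # started by flutter-tools`, or drop the line. The enclosing attribute set starts outside the hunk.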
@@ -1,36 +1,42 @@
 {
- #services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
- #networking.firewall.allowedTCPPorts = [
- #5357 # wsdd
- #];
- #networking.firewall.allowedUDPPorts = [
- #3702 # wsdd
- #];
- services.samba.openFirewall = true;
+ #services.samba-wsdd = {
+ # enable = true;
+ # openFirewall = true;
+ #};
+
+ users.users.franz = {
+ isNormalUser = true;
+ home = "/home/franz";
+ hashedPassword = "$y$j9T$opts2crrOHbRzHsFzOh/S1$LU3zmC4tKOw43THlOSw6qDXPse.l1ZvcxolN3EP7/ED";
+ };
+
+ # add user to samba with smbpasswd -a
 services.samba = {
 enable = true;
- securityType = "user";
+ openFirewall = true;
 invalidUsers = [ "root" ];
- extraConfig = ''
- disable netbios = yes
- smb ports = 445
- workgroup = WORKGROUP
- server string = smbnix
- security = user
- #use sendfile = yes
- #max protocol = smb2
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
- hosts deny = 0.0.0.0/0
- guest account = nobody
- map to guest = bad user
- '';
- shares = {
- homes = {
- browseable = "no";
- writable = "yes";
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "smbnix";
+ "netbios name" = "smbnix";
+ "security" = "user";
+ #"use sendfile" = "yes";
+ #"max protocol" = "smb2";
+ # note: localhost is the ipv6 localhost ::1
+ "hosts allow" = "192.168.0. 127.0.0.1 localhost";
+ "hosts deny" = "0.0.0.0/0";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+ };
+ "franz" = {
+ "path" = "/hdd/shares/franz";
+ "valid users" = "franz";
+ "public" = "no";
+ "writable" = "yes";
+ "printable" = "no";
 };
 };
 };
 };
diff --git a/pkgs/ente-frontend/default.nix b/pkgs/ente-frontend/default.nix
index b103044..5ff7ada 100644
--- a/pkgs/ente-frontend/default.nix
+++ b/pkgs/ente-frontend/default.nix
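Review bot: The added `hashedPassword` for `franz` in modules/services/samba.nix puts a yescrypt hash into the repository and the world-readable Nix store, where it can be attacked offline; read it from a file outside the repo with `hashedPasswordFile`, or drop the Unix password if the account exists only for SMB, since Samba keeps its own credential via `smbpasswd -a`. The hash is already in history, so the password itself should be changed too. The rewrite also drops `disable netbios = yes` and `smb ports = 445` while keeping `openFirewall = true`, which as far as I know opens the NetBIOS ports as well as 445 on every interface, and `hosts allow` is only applied by smbd after the connection is accepted. Because another hunk of this commit imports the module into systems/amd-server-vm, I would restore both settings and open 445 on the LAN interface only. `"map to guest" = "bad user"` is carried over although no share allows guests, so `never` looks like the safer value.

```nix
users.users.franz = {
  isNormalUser = true;
  home = "/home/franz";
  # hash is read from a file at activation time and stays out of the repo and the Nix store
  hashedPasswordFile = "/path/to/secret/franz.hash"; # placeholder path
};

services.samba = {
  enable = true;
  openFirewall = false; # 445 is opened per interface below
  # … unchanged: invalidUsers …
  settings = {
    global = {
      # … unchanged: workgroup, server string, netbios name, security, hosts allow/deny, guest account …
      "disable netbios" = "yes";
      "smb ports" = "445";
      "map to guest" = "never";
    };
    # … unchanged: "franz" share …
  };
};

# placeholder interface name: replace with the LAN-facing interface
networking.firewall.interfaces."LAN_INTERFACE".allowedTCPPorts = [ 445 ];
```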
@@ -7,7 +7,7 @@ buildNpmPackage rec {
 src = "${(fetchGit {
 url = "git@github.com:oberprofis/ente.git";
 ref = "master";
- rev = "f82b14a08080865be3c31144787ffaf8509a018a";
+ rev = "cb63e1e20fd9fde401fa9d3f09b36c572b17ff34";
 })}/website/tracker-site";
 npmDepsHash = "sha256-fYTRhIU+8pdIm3wC5wJRcDUhgN3d+mmvfmVzuu0pjLQ=";
diff --git a/systems/amd-server-vm/configuration.nix b/systems/amd-server-vm/configuration.nix
index 32dfaf3..23abc5d 100644
--- a/systems/amd-server-vm/configuration.nix
+++ b/systems/amd-server-vm/configuration.nix
@@ -10,6 +10,7 @@
 ../../modules/misc/motd.nix
 ../../modules/misc/kernel.nix
 ../../modules/services/duckdns.nix
+ ../../modules/services/samba.nix
 ../../modules/services/ddclient-cloudflare.nix
 ./disk-config.nix
 ./mail.nix
@@ -108,6 +109,23 @@
 # 8888 = scheibenmeister skip button
 networking.firewall.allowedTCPPorts = [ 25565 25566 8888 ];
+ networking.nftables.tables.ip_drop = {
+ family = "inet";
+ content = ''
+ set blocked-ip4 {
+ typeof ip saddr
+ flags interval
+ auto-merge
+ elements = { 45.144.212.240 }
+ }
+ chain input {
+ # -100 priority to run before the default filter input chain (0)
+ type filter hook input priority -100; policy accept;
+
+ ip saddr @blocked-ip4 log prefix "nftables drop: " level info counter drop
+ }
+ '';
+ };
 networking.hostName = "server-vm"; # Define your hostname.
 #services.murmur = {
@@ -135,6 +153,12 @@
 options = [ "defaults" "nofail" "noatime" ];
 };
+ fileSystems."/hdd" = {
+ device = "/dev/disk/by-uuid/99954059-3801-4abb-a536-0e7802a3e6b4";
+ fsType = "ext4";
+ options = [ "defaults" "nofail" "noatime" ];
+ };
+ # Configure console keymap
 console.keyMap = "us";
diff --git a/systems/amd-server/configuration.nix b/systems/amd-server/configuration.nix
index 692cc07..9b21c3a 100644
--- a/systems/amd-server/configuration.nix
+++ b/systems/amd-server/configuration.nix
@@ -73,6 +73,7 @@
 };
 firewall.allowedTCPPorts = [ 25565 25566 ]; # localsend
+ };
 security.pki.certificates = [
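Review bot: The drop rule in the new `ip_drop` table of systems/amd-server-vm/configuration.nix logs every packet from the blocked address with no rate limit, so the blocked host itself decides how fast the journal grows. Splitting the rule keeps the counter exact and bounds the log: `ip saddr @blocked-ip4 limit rate 5/minute log prefix "nftables drop: " level info` followed by `ip saddr @blocked-ip4 counter drop`. The table is presumably only loaded when `networking.nftables.enable` is set, which this hunk does not show, so that is worth confirming. The set matches IPv4 sources only although the table is `inet`; a comment such as `# IPv4 only; IPv6 sources are not filtered here` would make that explicit.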
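Review bot: The new `/hdd` mount in systems/amd-server-vm/configuration.nix backs the Samba share `/hdd/shares/franz` added elsewhere in this commit, but it is mounted with plain `defaults`, so setuid bits and device nodes on that disk are honoured. For a data disk that takes writes from network users I would use `options = [ "defaults" "nofail" "noatime" "nosuid" "nodev" ];`, adding `"noexec"` if nothing is meant to run from it. With `nofail`, a failed mount leaves `/hdd` as a plain directory on the root filesystem; whether the share path exists in that case is not visible here.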
diff --git a/systems/pc/configuration.nix b/systems/pc/configuration.nix
index 4a76bf7..3a8d451 100644
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
@@ -207,7 +207,7 @@
 services.printing.enable = false;
 services.printing.drivers = [ pkgs.brlaser ];
 services.avahi = {
- enable = true;
+ enable = false;
 nssmdns4 = true;
 openFirewall = true;
 };
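Review bot: In systems/pc/configuration.nix `services.avahi.enable` is switched off while `nssmdns4 = true;` and `openFirewall = true;` stay in the block. They are presumably inert while the service is disabled, but re-enabling Avahi later would reopen mDNS through the firewall with a one-word change that is easy to miss in review. Consider setting `openFirewall = false;` or removing both lines along with the service.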