diff --git a/nix/systemd.nix b/nix/systemd.nix
index 60e1a58..fcc17fb 100644
--- a/nix/systemd.nix
+++ b/nix/systemd.nix
@@ -4,6 +4,20 @@
 ...
 }: let
 swayTgt = "sway-session.target";
+ paths = {
+ inaccessible = [
+ "-/lost+found"
+ "/dev/shm"
+ "-%h/.ssh"
+ "-%h/.gnupg"
+ "-%h/Documents"
+ # "-%h/Downloads"
+ "-%h/Pictures"
+ "-%h/Videos"
+ "-%h/Sync"
+ "-%h/sync"
+ ];
+ };
 in {
 systemd.user.services = {
 kanshi = {
@@ -125,9 +139,63 @@ in {
 Install = {WantedBy = ["default.target"];};
 };
- ff_nn = {
+ ff_nn = let
+ flavour = "firefox-nightly";
+ in {
 Unit = {
- Description = "sh*tbrowser";
+ Description = "sh*tbrowser (${flavour})";
+ PartOf = swayTgt;
+ After = [swayTgt];
+ };
+
+ Service = {
+ # Type = "simple";
+ Environment = [
+ "MOZ_ENABLE_WAYLAND=1"
+ "MOZ_DBUS_REMOTE=1"
+ "MOZ_USE_XINPUT2=1"
+ "QT_QPA_PLATFORM=wayland"
+ "XDG_SESSION_TYPE=wayland"
+ "SDL_VIDEODRIVER=wayland"
+ "NO_AT_BRIDGE=1"
+ ];
+ ExecStart = "-%h/Downloads/${flavour}/firefox-bin -desktop";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ StartLimitBurst = 3;
+ StartLimitInterval = "60s";
+ TimeoutStopFailureMode = "abort";
+ KeyringMode = "private";
+ RestrictNamespaces = true;
+ DevicePolicy = "closed";
+ ProtectSystem = "strict";
+ ProtectHome = "tmpfs";
+ InaccessiblePaths = paths.inaccessible;
+ BindPaths = [
+ "-%h/Downloads/${flavour}"
+ "-%h/Downloads/toClear"
+ "-%h/.mozilla/firefox"
+ "-%h/.cache/mozilla/firefox"
+ "-%h/.local"
+ "-%h/.fonts"
+ "-%h/.config"
+ ];
+ NoNewPrivileges = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = "yes";
+ LockPersonality = true;
+ SystemCallFilter = "~@reboot @obsolete";
+ SystemCallArchitectures = "native";
+ };
+
+ # Install = {WantedBy = [swayTgt];};
+ };
+ voidff = let
+ execPath = "Downloads/lrg/void/firefox";
+ in {
+ Unit = {
+ Description = "voidfox";
 PartOf = swayTgt;
 After = swayTgt;
 };
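Review bot: The `%h` entries of the new shared `paths.inaccessible` list only take effect in units that do not already hide the home directory, and both units that consume it in this commit set `ProtectHome = "tmpfs"`, under which `~/.ssh`, `~/.gnupg` and the other `%h` paths do not exist in the unit's mount namespace and the `-` prefix makes systemd skip them silently; as far as I can tell the list is defence in depth there, not the control. That is fine, but a reader will assume the list is what keeps the browsers away from `~/.ssh`, so a comment above it stating which setting actually does that would help, e.g. `# shared InaccessiblePaths; under ProtectHome=tmpfs/true the %h entries are no-ops and the home tmpfs is the real barrier`. The commented-out `# "-%h/Downloads"` deserves its own one-line reason, since Downloads is the directory the browser binaries are launched from and the one a browser writes untrusted files into.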
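Review bot: `BindPaths` in the new ff_nn Service hands the sandboxed browser read-write access to `%h/.config`, `%h/.local` and its own binary directory under `%h/Downloads`, which gives back most of what `ProtectHome = "tmpfs"` took away: the unit is tied to `sway-session.target`, so a compromised browser process that can write sway's config under `~/.config` or drop a file into `~/.local/bin` runs code outside the sandbox at the next login, and it can overwrite `firefox-bin` itself, which `ProtectSystem = "strict"` does not cover for bind-mounted paths. Only the profile, its cache and `toClear` look like they need writes; the rest belongs in `BindReadOnlyPaths`, with specific writable subpaths added back if the browser turns out to need them. Separately, as I read systemd.service(5) the `-` prefix in `ExecStart = "-%h/Downloads/${flavour}/firefox-bin -desktop"` makes a non-zero exit or a signal death count as success, which cancels the `Restart = "on-failure"` on the next line; drop the prefix if restarts are wanted. Running `systemd-analyze --user security ff_nn` after the change shows whether the mount-namespace options are actually applied to this user unit on the installed systemd.
```nix
        BindPaths = [
          "-%h/Downloads/toClear"
          "-%h/.mozilla/firefox"
          "-%h/.cache/mozilla/firefox"
        ];
        BindReadOnlyPaths = [
          "-%h/Downloads/${flavour}"
          "-%h/.local"
          "-%h/.fonts"
          "-%h/.config"
        ];
        # … unchanged: NoNewPrivileges and the rest of the Service block …
```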
@@ -143,30 +211,37 @@ in {
 "SDL_VIDEODRIVER=wayland"
 "NO_AT_BRIDGE=1"
 ];
- ExecStart = "-%h/Downloads/firefox-nightly/firefox-bin -desktop";
+ ExecStart = "-%h/${execPath}/firefox-bin -desktop";
 Restart = "on-failure";
 RestartSec = "5s";
 StartLimitBurst = 3;
 StartLimitInterval = "60s";
 TimeoutStopFailureMode = "abort";
- # RestrictNamespaces=true;
+ RestrictNamespaces = true;
 DevicePolicy = "closed";
- ProtectHome = true;
 ProtectSystem = "strict";
- ReadWritePaths = [
- "-%h/Downloads/firefox-nightly"
- "-%h/Downloads"
+ # ProtectHome = true;
+ ProtectHome = "tmpfs";
+ InaccessiblePaths = paths.inaccessible;
+ BindPaths = [
+ "-%h/${execPath}"
+ "-%h/Downloads/toClear"
+ "-%h/.mozilla/firefox"
+ "-%h/.cache/mozilla/firefox"
+ "-%h/.local"
+ "-%h/.fonts"
+ "-%h/.config"
 ];
 NoNewPrivileges = true;
 ProtectProc = "invisible";
- # ProcSubset = "pid";
+ ProcSubset = "pid";
 PrivateTmp = "yes";
 LockPersonality = true;
 SystemCallFilter = "~@reboot @obsolete";
 SystemCallArchitectures = "native";
 };
- Install = {WantedBy = [swayTgt];};
+ # Install = {WantedBy = [swayTgt];};
 };
 battery = {
@@ -207,7 +282,7 @@ in {
 TimeoutStartSec = 600;
 # TimeoutStopSec=10;
 ExecStartPre = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
- ExecStart = "/usr/bin/podman-compose -f ${composeF} -p nextcloud up --remove-orphans";
+ ExecStart = "/usr/bin/podman-compose --podman-run-args=\"--replace\" -f ${composeF} -p nextcloud up --remove-orphans";
 ExecStop = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
 Type = "simple";
 Delegate = "no";
@@ -221,6 +296,7 @@ in {
 "-/lost+found"
 "/dev/shm"
 "-%h/.ssh"
+ "-%h/.gnupg"
 ];
 KeyringMode = "private";
 SystemCallFilter = "~memfd_create @reboot";
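Review bot: `RestrictNamespaces = true`, uncommented here for voidff (ff_nn sets it too), forbids every namespace type including user namespaces, and Firefox's own Linux content-process sandbox relies on unprivileged user namespaces to isolate renderers; with this setting the browser will most likely start but quietly fall back to a weaker per-tab sandbox, so the unit-level hardening trades away in-process isolation, and the fact that the line was previously commented out suggests this may already have been noticed once. An allow-list such as `RestrictNamespaces = "user net ipc pid";`, trimmed to whatever the Sandbox section of about:support reports for this build, keeps the systemd restriction without that regression. With `Install` commented out neither browser unit is wanted by anything any more and they only run when started by hand, which is worth a comment if intended. The Service block is now a near-verbatim copy of ff_nn's; pulling the shared hardening keys into an attrset next to `paths` and merging it with `//` in each unit would keep the two from drifting.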
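Review bot: `"-%h/.gnupg"` is added here by hand to a per-unit copy of the same list that this commit centralises as `paths.inaccessible`, and the hunks at -252, -279, -300 and -318 repeat the one-line edit in four more units, so the next credential directory will have to be added six times. Setting `InaccessiblePaths = paths.inaccessible;` in these units keeps them in step with the browser units; the extra entries in the shared list (Documents, Pictures, Videos, Sync) should be checked against the compose volumes first, but a container runner or a mail watcher normally has no business in them. Whether this entry has any effect here depends on the unit's `ProtectHome`, which is outside the hunk; for the himalaya unit at -238 `ProtectHome = "true"` already hides all of `%h`, so there the line is documentation rather than a control.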
@@ -238,11 +314,11 @@ in {
 After = "network.target";
 };
 Service = {
- ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a a_mirre";
+ ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a w";
 Restart = "always";
 RestartSec = 300;
 Environment = "RUST_LOG=debug";
- ReadWritePaths = "/tmp/himalaya-counter-am";
+ # ReadWritePaths = "/tmp/himalaya-counter-w";
 ProtectHome = "true";
 ProtectSystem = "true";
 DevicePolicy = "closed";
@@ -252,6 +328,7 @@ in {
 "-/lost+found"
 "/dev/shm"
 "-%h/.ssh"
+ "-%h/.gnupg"
 ];
 # KeyringMode = "private";
 };
@@ -279,6 +356,7 @@ in {
 "-/lost+found"
 "/dev/shm"
 "-%h/.ssh"
+ "-%h/.gnupg"
 ];
 # KeyringMode = "private";
 };
@@ -300,6 +378,7 @@ in {
 "-/lost+found"
 "/dev/shm"
 "-%h/.ssh"
+ "-%h/.gnupg"
 ];
 KeyringMode = "private";
 };
@@ -318,6 +397,7 @@ in {
 "-/lost+found"
 "/dev/shm"
 "-%h/.ssh"
+ "-%h/.gnupg"
 ];
 KeyringMode = "private";
 };
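Review bot: `Environment = "RUST_LOG=debug"` stays on in the renamed himalaya watch unit, so a long-running mail client logs at debug level into the user journal for the `w` account; depending on what himalaya prints at that level this can include server names and folder or message metadata, and the journal outlives the unit, so `RUST_LOG=info` (or `himalaya=info`) is the safer setting once the watcher is known to work. The commented-out `# ReadWritePaths = "/tmp/himalaya-counter-w"` was never needed under `ProtectSystem = "true"`, which leaves /tmp writable; if the counter is still written to that fixed path in the shared /tmp, `PrivateTmp = true` would be the actual hardening, provided nothing else reads the file. Deleting the commented line rather than keeping a renamed copy avoids suggesting it is still required.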