diff --git a/hosts/nixdesk/profiles/ssh-public-port-2050.nix b/hosts/nixdesk/profiles/ssh-public-port-2050.nix
index 3fa53fc..07ee9c5 100644
--- a/hosts/nixdesk/profiles/ssh-public-port-2050.nix
+++ b/hosts/nixdesk/profiles/ssh-public-port-2050.nix
@@ -1,16 +1,15 @@
 {pkgs, ...}: {
-  # services.openssh.ports = [22 2050];
-  systemd.services.port2050-natpmp = {
-    bindsTo = ["sshd"]; # might not work
-    confinement = {
-      enable = true;
-      mode = "chroot-only";
-    };
-    serviceConfig.ExecStart = ''
+  systemd.services.ssh-port2050-natpmp = {
+    bindsTo = ["sshd.socket"];
+    after = ["sshd.socket"];
+    serviceConfig.Restart = "on-failure";
+    serviceConfig.ExecStart = pkgs.writeScript "ssh-port2050-natpmp" ''
+      #!${pkgs.bash}/bin/bash
+
       while true do
         ${pkgs.libnatpmp}/bin/natpmpc -a 2050 22 tcp 60
-        sleep 30
+        ${pkgs.coreutils}/bin/sleep 30
       done
     '';
   };
diff --git a/hosts/rackserv/profiles/wireguard-server.nix b/hosts/rackserv/profiles/wireguard-server.nix
index 0dbc7e7..c5542f8 100644
--- a/hosts/rackserv/profiles/wireguard-server.nix
+++ b/hosts/rackserv/profiles/wireguard-server.nix
@@ -31,7 +31,7 @@ in {
       peers;
   in {
     allowedTCPPorts = getPortsWithProtocol "tcp";
-    allowedUDPPorts = [51820 1234] ++ getPortsWithProtocol "udp";
+    allowedUDPPorts = [51820] ++ getPortsWithProtocol "udp";
     extraCommands = forPortIps ({
       IP,
       port,
@@ -72,7 +72,6 @@ in {
     }) peers;
   };
-  "50-wg1" = lib.recursiveUpdate config.systemd.network.netdevs."50-wg0" {wireguardConig.ListenPort = 1234;};
 };
 systemd.network.networks.wg0 = {
diff --git a/sys/profiles/core/users.nix b/sys/profiles/core/users.nix
index d59512c..0199478 100644
--- a/sys/profiles/core/users.nix
+++ b/sys/profiles/core/users.nix
@@ -16,6 +16,7 @@
       "render"
       "audio"
       "wireshark"
+      "rtkit"
     ];
     openssh.authorizedKeys.keys = with vars.sshKeys; [
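Review bot: `while true do` in the new ExecStart script is a bash syntax error — `do` needs a `;` or a newline before it — so now that the body is executed under `#!${pkgs.bash}/bin/bash` via writeScript, the unit dies at start and `Restart = "on-failure"` turns that into a restart loop until systemd's start-rate limit stops it, with port 2050 never being mapped; change the line to `while true; do`. Dropping the `confinement` block also removes the chroot the old unit had, and since this process runs unattended for as long as sshd does and its sole purpose is to expose port 22 to the internet, it is worth keeping some sandboxing (e.g. `DynamicUser`/`ProtectSystem` in serviceConfig) rather than none. `bindsTo = ["sshd.socket"]` presumably relies on sshd being socket-activated (`services.openssh.startWhenNeeded`); if it is not, the unit is bound to a unit that does not exist, so a comment stating that assumption, `# requires services.openssh.startWhenNeeded`, would help. The closing brace of the enclosing attrset is not shown in the hunk.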
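Review bot: The added `"rtkit"` group membership comes with no explanation of what the user needs it for, and every extra group is extra privilege. As far as I can tell, on NixOS realtime scheduling through rtkit is granted by `security.rtkit.enable` via polkit to active local sessions rather than by membership in the rtkit group, so this entry may grant nothing useful; if it is needed for a specific daemon or polkit rule, say so inline, e.g. `"rtkit" # realtime scheduling for <app>; see security.rtkit`. The enclosing extraGroups list starts outside the hunk.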